Healthcare Data Breach Round-Up: November 16, 2023

Medical Eye Services (CA), Prospect Medical Services (CA), McAlester Regional Health Center (OK), PeakMed (CO), Catholic Charities of Long Island (NY), & The Endocrine and Psychiatry Center (TX) have recently notified patients that their personal and health information has been exposed.

Medical Eye Services Says PHI of 347,000 Patients Stolen in MOVEit Transfer Hack

California-based Medical Eye Services, Inc. has recently confirmed that the protected health information of 346,828 individuals was stolen from the MOVEit Transfer server used by its vision benefits management business, MESVision, between May 28, 2023, and May 31, 2023. The Clop ransomware group exploited a then-unpatched zero-day vulnerability in MOVEit Transfer (CVE-2023-34362) in a mass-exploitation campaign that has hit more than 2,300 organizations globally.

MESVision did not discover it had been affected until August 23, 2023, almost three months after the data was exfiltrated. It has since rebuilt its MOVEit server and implemented additional technical safeguards to prevent further breaches. The stolen data included names, dates of birth, Social Security numbers, subscriber/member IDs, policy numbers, group numbers, and claim numbers. Affected individuals have been offered complimentary credit monitoring and identity theft protection services through Kroll.

109,728 Connecticut Residents Impacted by Ransomware Attack on Prospect Medical Services

Between July 31, 2023, and August 1, 2023, the Rhysida ransomware group gained access to the network of Los Angeles, CA-based Prospect Medical Holdings. Prospect Medical detected the intrusion on August 1, 2023, reported the breach to the HHS’ Office for Civil Rights on September 29, 2023, as affecting 342,376 individuals, and mailed individual notification letters the same day.

On November 13, 2023, additional notification letters were sent to 109,728 patients of the Eastern Connecticut Health Network (ECHN) Medical Group. The affected individuals had received healthcare services at Manchester Memorial Hospital, Rockville General Hospital, or Waterbury Hospital. Prospect Medical said the compromised information included names, addresses, dates of birth, diagnoses, lab results, medications, and other treatment information, and for some individuals, Social Security numbers and/or driver’s license numbers. Individuals whose Social Security numbers or driver’s license numbers were exposed have been offered 2 years of complimentary credit monitoring and identity theft protection services.

McAlester Regional Health Center Cyberattack Affects 38,000 Patients

McAlester Regional Health Center in Oklahoma has recently notified 37,731 patients about a security incident that was detected on May 8, 2023. The hospital took immediate action to secure its network and engaged a third-party cybersecurity firm to determine the nature and scope of the incident; the investigation confirmed that files containing patient data had been exposed. A separate vendor was engaged to review the affected files, a process that was completed on October 23, 2023. Notification letters were mailed to the affected individuals on November 15, 2023. The exposed information included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and other government ID numbers.

McAlester Regional Health Center has tightened firewall restrictions, rewritten and strengthened its password policy, forced password changes for every account across the organization, and increased restrictions on file sharing. Affected individuals have been provided with complimentary single-bureau credit monitoring services.

Compromised Credentials Used to Access PeakMed Network

PeakMed, a Colorado primary care provider, has started notifying 27,800 patients about a security breach that was detected on August 30, 2023. An investigation of suspicious network activity confirmed that an unauthorized individual had obtained an employee’s credentials and used them to access the network between July 24, 2023, and August 30, 2023, a window of more than five weeks.

The documents that were accessed, and potentially acquired, were found to contain patient names along with one or more of the following: address, Social Security number, driver’s license number, date of birth, medical record number, financial account information, payment card information, electronic signature, billing/claims information, medical provider’s name, Medicare/Medicaid identification, medication information, treatment information, and health insurance information. PeakMed said all system passwords were reset when the breach was discovered, and two-factor authentication has since been implemented for all employee accounts.

Catholic Charities of Long Island Cyberattack Affects 13,000 Patients

Catholic Charities of the Diocese of Rockville Centre, doing business as Catholic Charities of Long Island in New York, has notified 13,000 patients that some of their personal information was exposed and potentially acquired by unauthorized individuals. The attackers appear to have gained access to its network through its Cisco AnyConnect VPN.

Unusual network activity was detected on September 3, 2023, and network access was immediately cut off. A third-party cybersecurity firm was engaged to investigate the incident and determined that an unauthorized third party had accessed files that contained patient data, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, and medical information.

The list of affected individuals was finalized on October 24, 2023, and notification letters were mailed on November 2, 2023. Catholic Charities has taken several steps to improve security, including deploying threat hunting and endpoint detection and response (EDR) solutions.

Endocrine and Psychiatry Center Discovers Theft of Historical Data

The Endocrine and Psychiatry Center in Texas has recently sent notifications to patients advising that some of their protected health information was removed from its systems by an unauthorized individual. The theft occurred at some point before March 20, 2023, and involved data generated before 2017. A comprehensive review of the affected files, concluded on October 15, 2023, determined that the following information had potentially been compromised: full name, Social Security number, driver’s license number or other government identification number, date of birth, financial account information, credit or debit card information, treatment/diagnosis information, and/or health insurance information.

According to the notification sent to the Maine Attorney General, 28,531 individuals were affected. The Endocrine and Psychiatry Center has offered those individuals a complimentary membership to the Equifax Credit Watch Gold service.

Bladen County, North Carolina Suffers Cyberattack

Bladen County in North Carolina is dealing with a cyberattack in which sensitive data was compromised. County officials said the attack affected multiple server and internet-based systems, and the incident is being investigated by the North Carolina Joint Cybersecurity Task Force, which has helped to secure the county’s servers. Rodney Hester, chairman of the Bladen County Board of Commissioners, said the county had emergency preparedness plans in place for this kind of incident and confirmed that all emergency services remained operational throughout, although the county has been operating in a limited capacity since the attack.

The nature of the attack, including whether ransomware was involved, has not been disclosed. If ransomware was used, no ransom will be paid: North Carolina law prohibits state agencies and local government entities from paying ransoms to ransomware gangs. It is currently unclear how many individuals have had their information stolen in the attack.

The post Healthcare Data Breach Round-Up: November 16, 2023 appeared first on HIPAA Journal.

Feds Issue Updated Mitigations for Blocking Rhysida Ransomware Attacks

A joint #StopRansomware cybersecurity advisory (AA23-319A) has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) about Rhysida ransomware.

Rhysida ransomware is a ransomware-as-a-service (RaaS) operation that first emerged in May 2023. The group engages in double extortion: data is stolen before files are encrypted, and the ransom is demanded both for the keys to decrypt files and to prevent the public release of the stolen data. Researchers at Check Point identified significant similarities between Rhysida ransomware and Vice Society, one of the most prolific ransomware groups since 2021, which aggressively targeted the education and healthcare sectors.

In August 2023, the HHS’ Health Sector Cybersecurity Coordination Center (HC3) issued its own advisory about Rhysida ransomware following several attacks on the healthcare sector, including the attack on Prospect Medical Holdings, which affected 17 hospitals and 166 clinics across the United States. The latest cybersecurity advisory includes an update on the tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IoCs) from malware analyses and recent incident response investigations to help network defenders and incident response teams detect and block attacks in progress.

Rhysida ransomware actors have been observed using a variety of techniques for gaining initial access to victims’ networks, including leveraging external-facing remote services such as virtual private networks (VPNs), commonly through the use of compromised credentials. These attacks have proven successful against organizations that have not enforced multi-factor authentication on VPN connections. Rhysida ransomware actors have also exploited unpatched vulnerabilities, such as Zerologon (CVE-2020-1472) in Microsoft’s Netlogon Remote Protocol, and commonly use phishing emails. Once initial access has been achieved, the group often creates Remote Desktop Protocol (RDP) connections for lateral movement, establishes VPN access, and uses PowerShell and native network administration tools to perform operations, which helps them to evade detection by blending in with normal Windows administration and network activity.

The FBI, CISA, and the MS-ISAC recommend several mitigations for hardening security, including steps that can be taken to block the main attack vectors, restrict lateral movement, and detect attacks in progress. These include enforcing phishing-resistant multifactor authentication, especially for webmail, VPNs, and accounts that access critical systems; disabling command-line and scripting activities and permissions for users who do not need them; restricting the use of PowerShell; enhancing PowerShell logging, including module and script block logging, and logging within processes; restricting the use of RDP; and securing remote access through application controls.
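The advisory's detection advice is easier to act on with a concrete rule. The block below is an added example, not code from the advisory or from HIPAA Journal: it runs two detections over constructed Windows Security events (field names follow event 4624 logon and 4688 process-creation records, but every value, account, host and IP is invented). The first rule flags the RDP fan-out the advisory describes, one credential opening RDP sessions to many hosts in a short window; the second flags PowerShell launched with hiding or encoding flags. Thresholds and the flag list are assumptions to be tuned to the environment.

```python
"""Detections for Rhysida-style post-access behaviour: RDP fan-out and
hidden/encoded PowerShell launches.

Added example (not from the CISA/FBI/MS-ISAC advisory or HIPAA Journal).
The events below are constructed; field names mirror Windows Security
event 4624 (logon) and 4688 (process creation), the values are invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # 4624 LogonType 10 = RemoteInteractive (RDP)

# Constructed sample events. jdoe's credential hops across four hosts over
# RDP in nine minutes; asmith's single RDP logon and the type-3 (network)
# logon are ordinary background noise that must not fire the rule.
SAMPLE_EVENTS = [
    {"time": "2023-07-31T20:00:00", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\jdoe", "src_ip": "10.20.5.17", "host": "WS17"},
    {"time": "2023-07-31T22:01:00", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\jdoe", "src_ip": "10.20.5.17", "host": "FS01"},
    {"time": "2023-07-31T22:02:00", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\asmith", "src_ip": "10.20.5.40", "host": "WS05"},
    {"time": "2023-07-31T22:03:00", "event_id": 4624, "logon_type": 3,
     "user": "CORP\\jdoe", "src_ip": "10.20.5.17", "host": "PRINT01"},
    {"time": "2023-07-31T22:04:00", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\jdoe", "src_ip": "10.20.5.17", "host": "DC01"},
    {"time": "2023-07-31T22:06:00", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\jdoe", "src_ip": "10.20.5.17", "host": "FS02"},
    {"time": "2023-07-31T22:09:00", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\jdoe", "src_ip": "10.20.5.17", "host": "HR01"},
    {"time": "2023-07-31T22:10:00", "event_id": 4688, "host": "DC01",
     "user": "CORP\\jdoe",  # constructed encoded payload, not a real one
     "command_line": "powershell.exe -NoProfile -WindowStyle Hidden "
                     "-EncodedCommand QQBBAEEA"},
    {"time": "2023-07-31T22:11:00", "event_id": 4688, "host": "WS05",
     "user": "CORP\\asmith",
     "command_line": "powershell.exe -File C:\\Scripts\\Get-DiskReport.ps1"},
]


def rdp_fanout(events, max_hosts=3, window=timedelta(minutes=15)):
    """Alert when one (user, source IP) pair opens RDP sessions to more than
    `max_hosts` distinct hosts within `window`.

    A sliding window is anchored on each RDP logon in turn, so an unrelated
    logon hours earlier (WS17 above) does not dilute the burst that follows.
    Returns a list of (user, src_ip, window_start, sorted hosts).
    """
    by_actor = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == RDP_LOGON_TYPE:
            by_actor[(e["user"], e["src_ip"])].append(
                (datetime.fromisoformat(e["time"]), e["host"]))
    alerts = []
    for (user, ip), logons in by_actor.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                alerts.append((user, ip, start, sorted(hosts)))
                break  # one alert per actor is enough for triage
    return alerts


# Launch flags that routine admin scripts rarely need but that let an
# operator hide a payload: encoded commands, hidden windows, policy bypass.
# The list is an assumption; extend it for your environment.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand|nop|noprofile|w\s+hidden|"
    r"windowstyle\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b")


def suspicious_powershell(events):
    """Return (host, user, command_line) for 4688 process-creation events
    that launch PowerShell with hiding or encoding flags."""
    hits = []
    for e in events:
        cmd = e.get("command_line", "")
        if (e["event_id"] == 4688 and "powershell" in cmd.lower()
                and SUSPICIOUS_PS_FLAGS.search(cmd)):
            hits.append((e["host"], e["user"], cmd))
    return hits


if __name__ == "__main__":
    for a in rdp_fanout(SAMPLE_EVENTS):
        print("RDP fan-out:", a)
    for h in suspicious_powershell(SAMPLE_EVENTS):
        print("Suspicious PowerShell:", h)
```

Run against the sample, only jdoe's burst of four RDP hosts from 22:01 and the encoded PowerShell launch on DC01 are reported; the stray logon two hours earlier, the network (type 3) logon, asmith's single session and the plain `-File` script all stay quiet. Both rules assume 4688 command-line auditing and logon auditing are enabled on the endpoints, which is exactly the logging the advisory asks for.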

The post Feds Issue Updated Mitigations for Blocking Rhysida Ransomware Attacks appeared first on HIPAA Journal.