Breach notification, security operations
Incidents reported by pediatric hospital, managed care plan, government contractor
Marianne Kolbasuk McGee (HealthInfoSec)
May 24, 2022
Hacking incidents recently reported as major data breaches by three different types of health sector entities – a children’s hospital, a managed care plan and a government contractor – have altogether compromised the sensitive information of more than 1.4 million people.
Some experts say the incidents reflect continuing worrying trends in cyberattacks in the healthcare industry.
“Most concerning in all three cases is the vulnerability of our healthcare facilities and providers to organized criminal gangs using ransomware attacks for significant financial gain,” said Tim Kosiba, former deputy commander of the National Security Agency and CEO of bracket f, a wholly owned subsidiary of cloud security company Redacted.
The three entities that have recently reported external hacking breaches to the Maine Attorney General’s office are East Tennessee Children’s Hospital, or ETCH; Partnership HealthPlan of California, or PHC; and the Comprehensive Health Services subsidiary of Acuity International.
The cyber incidents at ETCH and PHC both occurred in March and each involved various computer system disruptions, suggesting possible ransomware attacks.
Neither entity has yet publicly confirmed the involvement of ransomware in their incidents (see: Tennessee Children’s Hospital responds to cyber incident and 2 health plans report major violations following attacks).
PHC is also the defendant in at least one class action lawsuit filed so far as a result of its breach. This lawsuit alleges that sensitive patient data was stolen and leaked in the incident by ransomware group Hive (see: HealthPlan Partnership California Systems Still Down).
ETCH reported its incident to the Maine Attorney General as affecting nearly 423,000 people, including six Maine residents, and PHC reported its breach to the state as affecting nearly 855,000 people, including 84 Maine residents.
But on April 7, ETCH reported its hacking incident to federal regulators as affecting only 501 people, according to the Department of Health and Human Services’ HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more people.
As of Tuesday, the PHC incident had yet to appear on the HHS website, but when posted, it will likely rank as the second-largest health data breach reported to federal regulators so far in 2022. PHC reported to the Maine Attorney General’s office that the data breach resulting from the hacking incident affected nearly 855,000 people.
Acuity International, in a report delivered to the Maine Attorney General, described its hacking incident – which affected nearly 123,000 people, including 679 Maine residents – as involving the detection in September 2020 of unusual activity in its digital environment following the discovery of multiple fraudulent wire transfers.
East Tennessee Children’s Breach Details
In a breach notification statement, ETCH says that on March 13, it identified unusual activity on its network. “We quickly began taking steps to secure our systems and have launched a thorough investigation into the incident,” the notice said.
The entity’s investigation determined on March 18 that certain documents stored in the ETCH environment may have been copied or viewed by an unauthorized actor between March 11 and March 14.
The hospital’s Facebook page said that at the time the incident happened, various services, including emergency care X-ray procedures and the organization’s access to email, had been affected.
ETCH in its notification statement says the data involved varies by individual, but may include name, contact information, date of birth, medical record number, medical history information, and social security number.
“ETCH is reviewing and strengthening existing policies, procedures and safeguards related to cybersecurity and has already taken additional steps to further improve the security of its systems,” its statement said. ETCH says it has notified federal law enforcement authorities of the incident.
ETCH did not immediately respond to Information Security Media Group’s request for comment and additional details on the incident.
Regulatory attorney Rachel Rose says any data security incident involving children’s personal information is particularly disconcerting for several reasons.
These include the risk of children’s information falling into the hands of sexual predators and of sensitive information of minors being used for a longer period of time for identity theft and other crimes before they are revealed to have been stolen.
Attacks on children’s hospitals also have “a heightened sensitivity and an emotional component”, she says. “Cybercriminals are putting more emphasis on hospitals to get quick payment because of adverse patient outcomes and potentially death,” she says.
In its breach statement, PHC says it “has evidence that an unauthorized party accessed or took certain information from PHC’s network on or about March 19.” The investigation process is ongoing, PHC says.
Information potentially subject to unauthorized access includes name, social security number, date of birth, driver’s license number, tribal ID number, medical record number, health insurance information, member portal username and password, email address, and medical information, including treatment, diagnosis, and prescriptions.
PHC did not immediately respond to ISMG’s request for comment on the incident or the related lawsuit filed in California state court in April against the entity.
Acuity Breach Details
Acuity International, a government contractor, in a sample breach notification letter provided to the Maine Attorney General as part of its May 10 report, indicates that its incident involved its subsidiary Comprehensive Health Services, or CHS.
The letter states that on September 30, 2020, Acuity detected unusual activity in its digital environment following the discovery of several fraudulent wire transfers.
After discovering this activity, Acuity hired a team of cybersecurity experts to secure its digital environment and conduct a forensic investigation, the letter said.
“After reviewing and analyzing information impacted by the incident, and further to the investigation, Acuity determined on April 4 that the personal information of a limited number of individuals employed by one of its subsidiaries may have been viewed or acquired by a malicious actor,” according to the letter.
Acuity did not immediately respond to ISMG’s request for additional details about the incident.
In an unrelated case, Acuity’s subsidiary CHS agreed in March to pay a $933,000 settlement in a federal whistleblower case involving the entity’s alleged misrepresentations regarding the security of electronic medical records containing the patient information of military personnel, diplomats and contractors (see: CHS Pays False Claims Act Settlement).
The settlement was the first under the Justice Department’s civil cyber-fraud initiative launched last year.
Incidents involving Children’s Hospital of East Tennessee, Partnership HealthPlan of California, and Acuity International Comprehensive Health Services are among worrying trends in cyberattacks involving healthcare industry players, according to some experts.
These breaches remain below the threshold for “armed attacks” and are therefore criminal in nature and treated as such, Kosiba says. “There must come a time when we, as a nation, will no longer accept these violations as criminal, but as attacks on our freedoms as citizens,” he said.
“Without knowing the specifics of the network defenses that were breached, the onus is on all victims to defend themselves against a money-driven, nation-state-sponsored adversary,” Kosiba says. In the meantime, he adds, state and federal governments are making “small strides” in advancing legislation that will help protect the healthcare industry from such attacks.
“More and more is being done to share information with defenders to protect networks from ransomware attacks, but the trend continues to rise. We support the continued emphasis on public/private partnerships, but we must go further while collectively protecting our critical infrastructure, including healthcare, and inflicting consequences on these adversaries,” Kosiba said.
Rose predicts that organizations that handle protected health information will remain a prime target for cybercriminals.
“It is imperative that HIPAA-covered entities and business associates, including government contractors, do not condone the technical, administrative, and physical safeguard requirements required by HIPAA, the HITECH Act, and the federal procurement regulations, just to name a few,” she says.