3 Health Data Hacks Affect 1.4 Million Individuals

Hacking incidents recently reported as major data breaches by three different types of health sector entities – a children’s hospital, a managed care plan and a government contractor – have in total compromised the sensitive information of more than 1.4 million individuals.

See Also: Live Panel Discussion I Security First: Cyber Readiness in a Changing World

Some experts say the incidents reflect a continuation of worrisome healthcare sector cyberattack trends.

“The most concerning in all three instances is how vulnerable our healthcare facilities and providers remain to organized criminal gangs using ransomware attacks for significant financial gain,” says former National Security Agency Deputy Cmdr. Tim Kosiba, CEO of bracket f, a wholly owned subsidiary of cloud security firm Redacted.

Big Breaches

The three entities recently reporting external hacking breaches to the Maine attorney general’s office include East Tennessee Children’s Hospital, or ETCH; Partnership HealthPlan of California, or PHC, and Acuity International’s Comprehensive Health Services subsidiary.

The cyber incidents at ETCH and PHC both occurred in March, and each involved various IT system disruptions, which suggests possible ransomware attacks.

Neither entity has yet to publicly confirm the involvement of ransomware in their incidents (see: Tennessee Pediatric Hospital Responding to Cyber Incident and 2 Health Plans Report Major Breaches Following Attacks).

PHC is also the defendant in at least one class action lawsuit filed so far in the wake of its breach. That lawsuit alleges that sensitive patient data was stolen and leaked in the incident by the ransomware group Hive (see: Partnership HealthPlan California Systems Still Down).

ETCH reported its incident to Maine’s attorney general as affecting nearly 423,000 individuals, including six Maine residents, and PHC reported its breach to the state as affecting nearly 855,000 individuals, including 84 Maine residents.

But on April 7, ETCH reported its hacking incident to federal regulators as only affecting 501 individuals, according to the Department of Health and Human Services’ HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.

As of Tuesday, the PHC incident had not yet appeared on the website, but when it is posted, the incident is likely to rank as the second-largest health data breach reported to federal regulators so far in 2022.

Acuity International in a report filled to the Maine attorney general described its hacking incident – which affected nearly 123,000 individuals, including 679 Maine residents – as involving the detection in September 2020 of unusual activity within its digital environment following discovery of multiple fraudulent wire transfers.

East Tennessee Children’s Breach Details

In a breach notification statement, ETCH says that on March 13, it identified unusual activity on its network. “We promptly began taking steps to secure our systems and commenced a comprehensive investigation into the incident,” the notice says.

The entity’s investigation determined on March 18 that certain documents stored within ETCH’s environment may have been copied or viewed by unauthorized actor between March 11 and March 14.

The hospital’s Facebook page indicated that at the time when the incident occurred, a variety of services, including urgent care X-ray procedures and the organization’s access to email, had been affected.

ETCH in its notification statement says affected data varies by individual but may include name, contact information, date of birth, medical record number, medical history information and Social Security number.

“ETCH is reviewing and strengthening existing policies, procedures, and safeguards related to cybersecurity and has already taken additional steps to further enhance the security of its systems,” its statement says. ETCH says it has notified federal law enforcement authorities of this incident.

ETCH did not immediately respond to Information Security Media Group’s request for comment and additional details about the incident.

Regulatory attorney Rachel Rose says that any data security incident involving the personal information of children is especially disconcerting for several reasons.

Those include the risk of children’s information falling into the hands of sexual predators and the sensitive information of minors being used for a longer period of time for identity fraud and other crimes before it is revealed as being stolen.

Attacks on children’s hospitals also have “a heightened sensitivity and emotional component,” she says. “Cybercriminals place more emphasis on hospitals in order to get a quick payment because of adverse patient outcomes and potentially death,” she says.

PHC Incident

In its breach statement, PHC says it “has evidence that an unauthorized party accessed or took certain information from PHC’s network on or about March 19.” The investigation process is ongoing, PHC says.

Information potentially subject to unauthorized access includes name, Social Security number, date of birth, driver’s license number, tribal ID number, medical record number, health insurance information, member portal username and password, email address, and medical information including treatment, diagnosis and prescriptions.

PHC did not immediately respond to ISMG’s request for comment on the incident or the related lawsuit filed in a California state court in April against the entity.

Acuity Breach

Acuity International, a government contractor, in a sample breach notification letter provided to the Maine attorney general as part of its May 10 report, says its incident involved its Comprehensive Health Services subsidiary, or CHS.

The letter says that on Sept. 30, 2020, Acuity detected unusual activity within its digital environment following discovery of multiple fraudulent wire transfers.

Upon discovering this activity, Acuity engaged a team of cybersecurity experts to secure its digital environment and conduct a forensic investigation, the letter says.

“Following review and analysis of the information impacted by the incident, and as a result of the investigation, Acuity determined on April 4, that personal information of a limited number of individuals employed by one of its subsidiaries may have been accessed or acquired by a malicious actor,” according to the letter.

Acuity did not immediately respond to ISMG’s request for additional details about the incident.

In an unrelated matter, Acuity’s CHS subsidiary in March agreed to pay a $933,000 settlement in a federal whistleblower case involving alleged false claims by the entity about the security of electronic medical records containing the information of military personnel, diplomats and contractors (see: CHS Pays False Claims Act Settlement).

That settlement was the first under the Department of Justice’s Civil Cyber-Fraud Initiative launched last year.

Disturbing Trends

The incidents involving East Tennessee Children’s Hospital, Partnership HealthPlan of California and Acuity International’s Comprehensive Health Services are part of worrisome cyberattack trends involving healthcare sector players, some experts say.

These breaches remain below the threshold of “armed attacks” and therefore are criminal in nature and treated as such, Kosiba says. “There must come a time when we as a nation no longer accept these breaches as criminal, but as attacks on our freedoms as citizens,” he says.

“Without knowing the specifics of the network defenses that were breached, it remains incumbent on all victims to defend themselves against an adversary that is motivated by money and sponsored by nation-states,” Kosiba says. In the meantime, he adds, state and federal governments are making “small strides” in advancing legislation that will assist with protecting the healthcare sector against such attacks.

“More is being done to share information with defenders to shield networks from ransomware attackers, but the trend continues upward. We support the continued focus around public/private partnerships, but we must go further while collectively shielding our critical infrastructure, including healthcare, and delivering consequences to these adversaries,” Kosiba says.

Rose predicts organizations handling protected health information will remain a top target of cybercriminals.

“It is imperative for HIPAA-covered entities and business associates, which includes government contractors, to not turn a blind eye to the requisite technical, administrative, and physical safeguard requirements of HIPAA, the HITECH Act, and the Federal Acquisition Regulations, just to name a few,” she says.