Approximately 115,448 patients of LifeLong Medical are just now being notified that their data was accessed and stolen during a series of ransomware-related intrusions at one of its third-party vendors, Netgain. However, the Netgain incident occurred in September 2020 and providers were notified in February, more than six months ago.
The Health Insurance Portability and Accountability Act requires covered entities and relevant business associates to begin notifying patients no later than 60 days after discovering a breach. A breach is treated as discovered by a covered entity on the first day the breach is known, or would have been known had the entity exercised reasonable due diligence.
The clock begins ticking once an intrusion is known, not when an investigation concludes. The concern is that LifeLong Medical’s notice states that Netgain informed the provider on Feb. 25, during the vendor’s initial round of notifications, that certain files had been accessed or exfiltrated.
At the time, Netgain reported that threat actors used stolen credentials in September 2020 to access its system, which enabled the actor to move into client environments connected to the vendor’s system and exfiltrate a massive amount of patient data.
The initial hack persisted, undetected, for two months, until it was discovered in November. While Netgain responded to and investigated the initial intrusion, the attackers launched a ransomware attack on Dec. 3, 2020, and encrypted a subset of data belonging to Netgain and a number of clients.
The attackers demanded a ransom payment from Netgain, which it paid with “assurances the data was deleted or destroyed.” Coveware has repeatedly warned these claims cannot be trusted, as some groups will provide false evidence that data is destroyed, only to later publicly doxx victims, even when ransom demands are met.
The Netgain incident is among the 10 largest health care data breaches reported this year.
For LifeLong Medical, the impacted data could include full patient names in combination with one or more data elements, including Social Security numbers, dates of birth, patient cardholder numbers, and/or treatment information.
The provider is currently working with third-party vendors to bolster its security and oversight, but provided no further details about the incident or the reason behind the delayed notification.
Threat actors hack, exfiltrate Wedge Recovery data
The data belonging to 29,000 patients of The Wedge Medical Center was accessed and exfiltrated after a computer network hack on June 25, according to a recent release. The Wedge is a substance abuse and mental health services provider based in Philadelphia.
The investigation is ongoing, but so far, officials have confirmed that an attacker gained access to certain data and downloaded it without authorization. The information includes patient names, dates of birth, SSNs, contact details, treatment information, and health insurance data.
The Wedge is currently reviewing its existing policies and procedures and has already implemented additional security measures to prevent a recurrence.
Desert Wells Family Medicine ransomware attack corrupts patient data
A ransomware attack against Desert Wells Family Medicine on May 21 corrupted the provider’s data and electronic health records. As a result, all provider data from before the attack was rendered unrecoverable, despite an exhaustive effort to restore the network. What’s worse, the provider’s backups were also corrupted by the attacker during the incident.
Desert Wells has been working alongside a third-party forensics firm since discovering the systems intrusion. They found no evidence the data was taken, but given the attack and corruption, all impacted patients are being notified.
The compromised information included a host of sensitive data, such as medical and clinical information, dates of birth, account numbers, health insurance details, medical record numbers, dates of service, provider names, and other patient-related data. The investigators have not found any evidence the corrupted data has been misused.
Since the incident, Desert Wells has been working to rebuild its electronic health records in a completely new EHR, which includes the painstaking process of compiling patient data from other sources like pharmacies, hospitals, imaging centers, labs, and previous medical providers.
Patients have also been asked to update necessary forms and will receive free credit monitoring services. The provider is continuing to enhance its security, including the implementation of endpoint detection and threat monitoring tools. The workforce will also receive further training and education.
RSS informs patients, employees of data theft and extortion attempt
Rehabilitation Support Services recently notified an undisclosed number of patients and employees that their data was stolen and leaked online after a systems hack on June 1. RSS provides mental health and substance abuse treatment in New York.
After detecting suspicious activity on its systems, RSS launched an investigation to assess the scope and found a hacker accessed the network and removed some sensitive information. The actor then published the exfiltrated data on the dark web in an attempt to extort RSS.
Upon discovery, the response team undertook a review of the systems to determine just what data was impacted and whether protected health information was involved. Officials said they concluded the data varied by patient and could include names, contact details, dates of birth, SSNs, health insurance information, diagnoses, and treatments.
RSS reported the incident to law enforcement and the FBI, which is continuing to investigate.
Family Medical Center of Michigan cyberattack
Nearly 22,000 Family Medical Center of Michigan patients were recently informed that their data was potentially exposed after a network cyberattack on July 23.
Conducted with assistance from an outside IT specialist, the investigation could not conclusively rule out the chance that data was exposed during the incident. The data included patient names, health information maintained by FMC, and mailing addresses, as well as some SSNs and dates of birth.
FMC has since enhanced its network security measures, including revising the security policies and procedures for its servers, systems, and life cycle management information. All affected patients will receive free identity theft and credit monitoring services. To date, FMC has not received any reports of related identity theft.
Barlow Respiratory Hospital reports ransomware attack, as data leaked online
Late last week, the Vice Society hacking group leaked data they claimed to have stolen from Barlow Respiratory Hospital, according to screenshots shared with SC Media. The hospital quickly responded to reports by confirming it fell victim to a ransomware attack on Aug. 27.
The care team relied on previously implemented processes and promptly activated protective systems to maintain hospital operations without interruptions. Barlow officials have not yet provided further information.
Barlow is among a number of other health care data leaks seen in the last several weeks. Further screenshots shared with SC Media show the Hive group leaked data allegedly stolen from the Missouri Delta Medical Center.
Emsisoft Threat Analyst Brett Callow remarked that Vice Society and Hive are behind some of the largest health care-related attacks seen over the summer, including the incident at the Waikato District Health.
Community Care Plan discovers insider wrongdoing
While reviewing an employee email account in June, Community Care Plan discovered that the employee had used the account to send internal CCP documents to their personal account on various occasions over two months, between Oct. 27, 2020, and Dec. 28, 2020. The information included health data tied to 38,344 patients.
The information varied by patient and could include names, contact information, member identification numbers, provider names, diagnoses, dates of birth, and procedure types and billing codes.
Upon discovering the wrongdoing, CCP reviewed the safety and security of its information systems and email accounts, blocked the employee’s email and login access when the employment concluded, recovered all CCP-issued equipment from the former employee, and audited the employee’s actions to ensure no further malfeasance had occurred.
Although no SSNs were included in the data, CCP is providing complimentary credit monitoring to all impacted patients.