Patient Privacy Report, Volume 21, Number 9. Privacy Notes: September 2021 | Healthcare Compliance Association (HCCA)
[author: Jane Anderson]
Patient Confidentiality Report 21 no. 9 (September 2021)
◆ DuPage Medical Group in Chicago said the personal information of more than 600,000 patients could have been compromised in a cyber attack in July. The medical group, which is Illinois’ largest group of independent physicians, suffered a computer and phone outage that lasted nearly a week in mid-July. When the group worked with digital forensic scientists to investigate the incident, they discovered the outage was caused by “unauthorized actors” who accessed their network between July 12 and July 13. Investigators determined on August 17 that some files with patient information may have been exposed. The compromised information can include names, addresses, dates of birth, diagnostic codes, codes identifying medical procedures and dates of treatment. For a small number of people, social security numbers may have been compromised, the medical group said.
◆ Hundreds of thousands of health records in a Texas county that included details of the COVID-19 vaccination were exposed in a data breach involving an app, officials said. Although the first estimates of the Denton County public health violation put the number of exposed files at 1.2 million, county officials said many files were duplicates. An issue with third-party software exposed the contact and credentials. Letters have been sent to those affected, county officials said. The breach was discovered in July and at that time, vaccination clinics stopped using the involved app while the issue was resolved. The app is being used again, the county said.
◆ A class action lawsuit has been filed against Sturdy Memorial Hospital in Attleboro, Massachusetts, alleging that the hospital failed to properly protect patient personal information that was stolen in a ransomware attack earlier this year. year. The lawsuit was filed Aug. 26 in Plymouth Superior Court by lawyers for Barbara Ragan Bennett, a Plymouth County resident, and on behalf of “everyone else in the same situation.” Some 35,272 people in total could have been affected by the breach of the ransomware attack, which took place on February 9, according to the lawsuit. The lawsuit seeks an unspecified amount of damages, including prolonged credit monitoring, “actual damages, compensatory damages, statutory damages and statutory penalties, punitive damages and damages. attorney fees and expenses ”. The Sturdy Memorial Hospital paid the hacker an undisclosed ransom to recover his information and offered everyone involved two years of free credit monitoring, according to the lawsuit. However, Bennett’s lawyers said Sturdy should have prevented the information from being stolen. “The defendant carelessly stored and secured the PII (Personally Identifiable Information) by failing to protect against ransomware attacks,” the complaint states. “If Sturdy had properly maintained his computer systems (information technology), it could have prevented the data breach. Although a ransom was paid, the complaint alleges that payment does not guarantee that personal information will be protected. “The defendant cannot reasonably claim that the data thieves destroyed the information they obtained, or more generally, that the harm caused to the victims was repaired,” the lawsuit said. Some of the information stolen included names, contact details, dates of birth, social security numbers, health insurance claim numbers, driver’s license numbers and medical history. In addition, lawyers argued that the two free years of a credit monitoring service are insufficient “because the misuse of the information gathered in the breach is likely to last for more than two years, and furthermore, that credit monitoring alone does not compensate victims for the consequences of the breach. Court documents indicated that the damages exceeded $ 50,000. The hospital notified the data breach on May 28.
◆ The FBI is warning organizations that Hive ransomware, which uses mechanisms such as phishing emails with malicious attachments and a remote desktop protocol to access and roam victims’ networks, exfiltrate and encrypt files, is increasing. This variant of ransomware creates significant challenges for defense and mitigation, according to the FBI. Hive ransomware scans for processes related to backups, anti-virus / anti-spyware, and file copying and stops them to facilitate file encryption. Encrypted files usually end with a “.hive” extension. After compromising a victim’s network, exfiltrating data, and encrypting files, actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to disclose data of victims exfiltrated on the Tor site “HiveLeaks”. The memo contains a “commercial service” link, accessible through a Tor browser, which allows victims to contact the actors via live chat. Some victims said they received phone calls from Hive actors asking for payment for their files, the FBI said. The initial payment deadline ranges from two to six days, but the FBI has reported that actors have extended the deadline in response to contacting the victim company. John Riggi, the American Hospital Association’s (AHA) senior advisor for cybersecurity and risk, said the Hive ransomware is problematic. “This new strain of ransomware may be of particular concern to healthcare and uses the ‘double extortion’ method – ransom demand for decryption key to access encrypted data onsite as well as ransom demand for prevent public disclosure of stolen patient information. The FBI and AHA strongly discourage payment of ransom whenever possible. Whether you or your organization decides to pay the ransom, the FBI urges you to report ransomware incidents at your local office.
◆ The largest health care system in Savannah, Ga., St. Joseph’s / Candler, returned to “fully operational” status in mid-August after suffering a cyberattack on its computer network earlier this year , hospital officials said. The ransomware attack was detected on June 17, but further investigations revealed that the unauthorized party gained access to the hospital system’s computer network between December 18, 2020 and June 17, 2021, according to a letter sent to patients. . Although the healthcare system did not cancel any surgeries or procedures, the attack temporarily disrupted telephone communications and accessible computer systems, rendering some files inaccessible. In addition, cancer patients were asked to check appointments for a period of time. “We are fully operational right now,” said CEO and Chairman Paul Hinchey. “There are a few hotspots where we need to change computers. But as far as the hospital is concerned … we’re back electronically which has been a big change for us as we’ve gone from a fully integrated system to a paper-based system and we don’t have it. been doing for 25 years. Hinchey said he was not ruling out the possibility that patients’ personal information was compromised in the attack, and the hospital system is offering a free year of identity theft monitoring. In a letter to patients, St. Joseph’s / Candler said possible information at risk includes “name associated with address, date of birth, social security number, driver’s license number, patient account, billing account number, financial information, health insurance plan member ID, medical record number, dates of service, provider names and medical treatment information and clinics regarding the care you received from SJ / C. Hinchey said the healthcare system is increasing its security to mitigate future risks. “These entities, they are reinventing themselves at breakneck speed,” he said. “So we hired several national companies, including one that does all security for Amazon, and we installed all of these firewalls to make sure we mitigate this as best we can so that it doesn’t happen again. Never again, because once is enough. “
◆ Indiana Attorney General Todd Rokita warns state residents to monitor their data after ransomware attack and breach at Eskenazi Health. It is not known how many patient charts may have been affected in the July attack, although some of the data has been released to the dark web. “As with any major breach, Hoosiers must protect and closely monitor their personal information,” Rokita said. “The confidentiality of our office data and [Identity] Theft Unit is ready to direct consumers to data theft resources to fight further damage and avoid further damage if they fall victim to scammers and fraud. Eskenazi Health said it had seen no evidence that the data breach resulted in bank or credit card fraud. “Through our investigation, we learned that some of the data we keep was obtained by bad actors and published online,” the organization said in a statement. “Our forensic experts are monitoring this, we have identified the files that the hackers obtained, and we have started the careful process of examining those files for personal information about patients or employees. If we find such information, we will notify those affected in accordance with the law and offer identity protection and credit monitoring services. The hospital said it had not paid the ransom demanded.
1 Lisa Schencker, “A DuPage Medical Group data breach could have affected 600,000 patients. Here’s what patients need to know. Chicago Tribune, August 30, 2021, https://bit.ly/2WJfgZ2.
2 WBAP, “Denton County Data Breach Exposes Health Records, Including COVID Vaccination Details,” August 31, 2021, https://bit.ly/3mVCqqi.
3 George W. Rhodes, “Rugged Attleboro Hospital Sued for Data Breach” Chronicle of the Sun, August 31, 2021, https://bit.ly/3t4HuK6.
4 Sturdy Memorial Hospital “Data Security Incident Notice,” press release, May 28, 2021, https://bit.ly/3BsVMae.
5 Federal Bureau of Investigation, Cyber Division, “Indicators of Compromise Associated with Hive Ransomware”, MU-000150-MW, FBI Flash, August 25, 2021, https://bit.ly/3DwMvzM.
6 “FBI Alerts Organizations of New Ransomware Threat,” American Hospital Association, August 25, 2021, https://bit.ly/3DE6ahb.
7 Nancy Guan, “St. Joseph’s / Candler Ransomware Investigation Underway, Patients Offered Identity Protection,” Morning news from the savannah, August 18, 2021, https://bit.ly/3zCkPHf.
8 WTHR.com Staff, “Indiana AG Issues Warning for Hoosiers After Hospital Data Breach,” WTHR, August 27, 2021, https://bit.ly/3gUE7R0.