[BreachExchange] ‘Security Threat’ Forces Hendrick Health to EHR Downtime Procedures

Destry Winant destry at riskbasedsecurity.com
Fri Nov 13 10:31:15 EST 2020


https://healthitsecurity.com/news/security-threat-forces-hendrick-health-to-ehr-downtime-procedures

November 11, 2020 - Texas-based Hendrick Health is operating under EHR
downtime procedures after discovering a network ‘security threat’ at
the main campus's medical center and some of its clinics on November
9. The IT networks have been shut down across the enterprise to fully
address the issue.

Hendrick Medical Center Brownwood and Hendrick Medical Center South
have not been affected by the incident.

Officials are fully focused on maintaining patient safety, while
administering downtime procedures. Texas has been the hardest hit by
the coronavirus, with more than 1 million reported cases across the
state since the start of the pandemic.

The medical center’s inpatient services remain open, but patients are
being directed to “the most appropriate campus for their care.” Some
outpatient services, including therapies or doctors' visits, are also
being rescheduled, officials said.

Hendrick Health is continuing to work around the clock to address and
resolve the issue, while coordinating with outside security leaders
and law enforcement to get its networks back online.

Hendrick Health becomes the latest covered entity impacted by the
ransomware wave targeting the US healthcare sector, which has already
claimed Universal Health Services, Dickinson County Healthcare System,
Sonoma Valley Hospital, Sky Lakes Medical Center, the University of
Vermont Health Network, St. Lawrence Health System, Valley Health
System in Las Vegas, Ashtabula County Medical Center, and Nebraska
Medicine in the last two months.

SONOMA VALLEY HOSPITAL REMAINS OFFLINE 1 MONTH AFTER CYBERATTACK

Sonoma Valley Hospital in California is continuing to operate under
EHR downtime procedures one month after a ransomware attack infected
its entire network. According to local news outlet Sonoma
Index-Tribune, hospital officials believe the recovery efforts still
have a long way to go.

The ransomware payload was deployed on October 11, prompting the IT
team to turn off the network to stop the attack from further
proliferating across the network. The hospital employed its practiced
business continuity plan, which has allowed patient care to continue
with minimal disruptions.

While the latest update reported that Ryuk was behind the attack, it
was Mount Locker threat actors that leaked data they claim to have
stolen from the hospital during the week of November 2.

The hospital confirmed early on that they were aware some patient data
was stolen prior to the ransomware deployment, but officials said that
outside of the initial attack, the hackers have had minimal
communication with the hospital.

Mount Locker hackers published 75GB of data, but officials said much
of the posted data were images from 2009 and that they’ll “know more
for sure what they have soon.” That is likely, given that
double-extortion threat actors publish stolen data in waves to
pressure victims into paying a ransom.

Sonoma Valley has no intention of paying the ransom demand, officials confirmed.

The hospital has had to completely rebuild the network to remove the
virus, including replacing 50 computers and restoring access to 75
different systems and 215 workstations. The team is continuing to
investigate the scope of the incident, which has proved challenging,
and is working with an outside cybersecurity team on its recovery
efforts.

116K INDIVIDUALS IMPACTED BY TIMBERLINE BILLING RANSOMWARE ATTACK

About 116,131 individuals are being notified that their data was
compromised after a ransomware attack on Medicaid service vendor
Timberline Billing Service, according to the Department of Health
and Human Services breach reporting tool.

The threat actors had access to the Iowa vendor's systems for several
weeks, from February 12 until March 4, when the ransomware was
deployed. Hackers exfiltrated data prior to deploying the ransomware
payload.

Reports show the vendor provides services for nearly 200 schools in
the state but it’s unclear whether the attack was limited to its Iowa
clients. The compromised data includes names, dates of birth, billing
information, and Medicaid identification numbers. Some Social Security
numbers were also stolen during the attack.

FLORIDA’S ADVANCED URGENT CARE RANSOMWARE ATTACK

Advanced Urgent Care of the Florida Keys is notifying an undisclosed
number of patients that their data was compromised following a
ransomware attack that resulted in data exfiltration in March.

On March 1, hackers deployed the ransomware payload, which encrypted
the files stored on its backup drive. Officials said they launched an
investigation with assistance from an outside cybersecurity firm,
which included a manual document review.

According to the notice, they determined protected health information
was stored on the impacted drive upon the close of the investigation
in September. Despite the length of the review, HIPAA covered entities
are required to report data breaches impacting more than 500 patients
within 60 days of discovering the incident.

Further, the notice fails to disclose that Maze ransomware threat
actors were behind the attack, and that the hackers posted patient
data they claim to have stolen from the provider as far back as March,
first reported by DataBreaches.net and Cyble.

This means patients are only now learning that their data was exposed
and stolen more than eight months ago.

The compromised information included patient names, health insurance
information, Social Security numbers, medical record numbers, bank
account details, military and/or Veterans Administration numbers,
driver’s licenses, lab results, and a host of other highly sensitive
medical information.

Advanced Urgent Care officials said they've since improved internal
procedures for identifying and remediating threats. Healthcare covered
entities should review HIPAA breach notification requirements to avoid
similar compliance mistakes.

DATA DESTROYED AMID CONE HEALTH RANSOMWARE ATTACK

Cone Health’s Alamance Skin Center in Burlington recently began
notifying patients that their data was permanently lost after a
ransomware attack in late July.

Officials said no data was taken during the attack, but they are
unable to recover the practice’s patient data following the incident.
Patients were told to call the specialist ahead of scheduled
appointments.

Only the Alamance Skin Center was affected by the ransomware, as its
electronic medical record system and servers are separate from the
main Cone Health system. Further, the investigation determined hackers
gained access either through a phishing attack or by brute-force
attempts.

“While this attack was limited to this single practice, we use this as
a learning opportunity,” Frank Riccardi, Cone Health vice president,
chief compliance and privacy officer, said in a statement. “I urge
everyone to learn from these instances as well.”

“If you get an email asking for information such as passwords or to
click to verify something, think twice,” he added. “These attacks are
getting extremely sophisticated. They are targeting families as well
as businesses.”

NORTHWEST EYE SURGEONS’ SERVER HACK IMPACTS 20K

Five months after discovering a security incident on its computer
system, Northwest Eye Surgeons, P.C. and Sight Partners (NES) began to
notify 20,838 individuals that their protected health information was
compromised during the server hack.

On May 1, officials detected unusual activity on NES systems and
launched an investigation, which found an unauthorized third party
had accessed the data stored on one NES server.

The exposed information included names, Social Security numbers,
driver’s license numbers, identification numbers, financial account
and credit card data, medical information, and insurance details.

The initial investigation concluded on July 31, and officials said
another third-party vendor was retained on August 7 to perform data
mining to determine the patients impacted by the event, as well as the
compromised data.

“This step was necessary so that NES could identify the affected
population in order to send out notice of the incident to these
individuals,” officials explained.

NORTH DAKOTA HEALTH DEPARTMENT PHISHING INCIDENT

About 35,416 individuals that used services from the North Dakota
Department of Human Services, North Dakota Department of Health, and
Cavalier County Health District are being notified that their data was
compromised during a phishing incident.

The phishing campaign ran for a month, between November 23 and
December 23, 2019, giving the hacker access to the impacted employee
email accounts during that time. However, the phishing incident was
not discovered until August 27, 2020.

An investigation determined personal and protected health information
was compromised during the incident, which included names, medical
diagnoses, treatment information, driver’s licenses, dates of birth,
contact details, and mothers’ maiden names.

Some financial data and Social Security numbers were also exposed
during the attack. The state has since taken steps to improve its
internal procedures for identifying and remediating threats, as well
as to reduce the risk of a recurrent event.

PEOPLE INCORPORATED MENTAL HEALTH SERVICES’ EMAIL HACK

People Incorporated Mental Health Services in Minnesota recently
notified 27,500 patients that their data was compromised during a
hacking incident on several employee email accounts.

The notice does not explain when the hack was first discovered, but
the investigation concluded on September 8 that hackers gained access
to certain employee email accounts for a week between April 28 and May
4.

Upon discovery, the account access was disabled, and the IT team
performed a mandatory password reset to prevent further access.

The investigation determined the accounts contained a range of patient
information, including personal and health information, such as names,
contact details, health data, insurance information, medical record
numbers, and treatments.

Some health insurance data, financial account details, Social Security
numbers, driver’s licenses, and state identification numbers were also
contained in the impacted accounts.

People Incorporated has since implemented additional technical
safeguards and provided its workforce with training and education on
how to identify and handle malicious emails.