[BreachExchange] REvil Target: University Medical Center of Southern Nevada

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Jul 2 10:47:14 EDT 2021


https://www.healthcareinfosecurity.com/revil-target-university-medical-center-southern-nevada-a-16972

The University Medical Center of Southern Nevada acknowledged it had been
the victim of a cyberattack after a newspaper discovered stolen data had
been posted on the darknet site of the ransomware-as-a-service gang REvil,
also known as Sodinokibi and Sodin.

The Las Vegas Review-Journal reported that UMC issued a statement
acknowledging it had been the victim of a cyberattack after the newspaper
viewed images posted on the REvil website.

The newspaper reported that the images apparently stolen in the UMC
incident included Nevada driver’s licenses, passports and Social Security
cards of about a half-dozen apparent victims.

Brett Callow, a threat analyst at security firm Emsisoft, confirmed to
Information Security Media Group that REvil has listed UMC as a victim on
its darknet site, "posting screenshots of allegedly stolen data as
described by the Review-Journal. How much data was stolen and its nature is
something only REvil and, possibly, UMC will know."

REvil often posts samples of stolen data on its website to "name and shame"
its victims in hopes of getting them to pay a ransom to prevent the
publishing of more data.

UMC Statement

In a statement, UMC says its cybersecurity team in mid-June detected
"suspicious activity" on the hospital’s computer network and responded by
immediately restricting external access to UMC servers.

"While the hospital continues to work with law enforcement to fully
investigate this activity, UMC believes cybercriminals accessed a server
used to store data," UMC says in the statement.

"This type of attack has become increasingly common in the healthcare
industry, with hospitals across the world experiencing similar situations."

UMC says there is no evidence that any clinical systems were accessed
during the attack.

"UMC continues to work alongside the Las Vegas Metropolitan Police
Department, the FBI and cybersecurity experts to determine the exact origin
and scope of the attack. The investigation will provide valuable
information to help prevent similar security issues in the future."

UMC’s IT division acted swiftly to identify the suspicious activity and
secure the hospital’s network, the organization states. "This internal
response resulted in minor, intermittent computer login issues for some UMC
team members. While these login issues were certainly inconvenient, there
have been no disruptions to patient care or UMC’s clinical systems."

Although UMC says it "has no reason to believe cybercriminals accessed any
clinical systems," the hospital says it will notify patients and employees
that their personal information may be at risk.

The organization will provide affected patients and staff with access to
free identity protection and credit monitoring services.

A UMC spokesman tells ISMG that there have been no disruptions to patient
care or UMC’s clinical systems tied to the incident.

UMC did not respond to ISMG's request for additional details, such as
whether it paid a ransom to the attackers.

Earlier Breach

As of Thursday, UMC had not yet posted on its website a notification
statement about its recent cyberattack. The incident also was not yet
posted on the Department of Health and Human Services' HIPAA Breach
Reporting Tool website listing health data breaches affecting 500 or more
individuals.

But the Las Vegas healthcare organization's site provides a link to a
notification statement about an apparently separate data breach affecting
UMC data involving revenue cycle services vendor Med-Data.

The Med-Data incident, disclosed by the vendor in April, involved an
employee who sometime between December 2018 and September 2019 uploaded
files containing patient data to the public-facing, open-source software
development hosting website GitHub.

Med-Data reported the incident on April 1 to the HHS Office for Civil
Rights as a breach affecting nearly 136,000 individuals.

Several of Med-Data's healthcare clients - but apparently not UMC - have
issued their own individual breach notification statements about the
incident.

Other Healthcare Attacks

Among other recent ransomware attacks in the healthcare sector, San
Diego-based Scripps Health in early May suffered an attack that disrupted
access to patients' electronic medical records and other clinical systems
for several weeks.

At least four lawsuits seeking class action status have been filed against
Scripps Health so far in the aftermath by patients whose information or
care was allegedly affected (see: Lawsuits: Patients 'Harmed' by Scripps
Health Cyberattack).

Also, on June 25, Northwestern Memorial HealthCare in Chicago reported to
HHS a hacking incident affecting more than 201,000 individuals.

In a breach notification statement, the healthcare system said that
incident was tied to a recent cyberattack on Elekta, which provides a
cloud-based platform to facilitate legally required cancer reporting to
state regulators (see: Attack on Radiation Systems Vendor Affects Cancer
Treatments).

Sweden-based Elekta has not disclosed whether the incident involved
ransomware. Several of its U.S.-based healthcare clients, including Yale
New Haven Health in Connecticut, were affected by the incident.

"Attacks on healthcare and other critical infrastructure seem to be
continuing at much the same rate as ever, which really isn’t surprising,"
Callow says. "Ransomware is so profitable that solving the problem will not
be quick and easy."