[BreachExchange] 1.2 Million People Affected by Practicefirst's Supply Chain Ransomware Breach

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Jul 16 11:28:17 EDT 2021


https://www.ehackingnews.com/2021/07/12-million-people-affected-by.html

One of the largest health data breaches disclosed to federal regulators so
far this year is a supply chain ransomware attack that affected over 1.2
million people. Practicefirst, a medical management services company
situated in Amherst, New York, disclosed a data breach to federal officials
on July 1. According to the company's breach notification statement, the
company paid a ransom in exchange for the attackers promising to destroy
and not further expose files seized in the incident.

The HIPAA Breach Reporting Tool, a website run by the Department of Health
and Human Services that lists health data breaches impacting 500 or more
people, says that Practicefirst reported the event affecting more than 1.2
million people. The Practicefirst hack was the sixth-largest health data
breach reported on the HHS website so far in 2021 as of Tuesday.

According to Practicefirst's breach notification statement, on December 30,
2020, "an unauthorized actor who attempted to deploy ransomware to encrypt
our systems copied several files from our system, including files that
include limited patient and employee personal information." When the
corporation learned of the situation, it says it shut down its systems,
changed passwords, notified law enforcement, and hired privacy and security
specialists to help.

"The information copied from our system by the unauthorized actor before it
was permanently deleted, included name, address, email address, date of
birth, driver’s license number, Social Security number, diagnosis,
laboratory and treatment information, patient identification number,
medication information, health insurance identification and claims
information, tax identification number, employee username with password,
employee username with security questions and answers, and bank account
and/or credit card/debit card information," Practicefirst says.

"We are not aware of any fraud or misuse of any of the information as a
result of this incident," the company says. "The actor who took the copy
has advised that the information is destroyed and was not shared." Many
security experts believe that such promises made by hackers are
untrustworthy. "Cybercriminals who infiltrate information systems are not
reputable or reliable. By their nature, they will lie, cheat and steal,"
says privacy attorney David Holtzman of consulting firm HITprivacy LLC.

"Vendors to healthcare organizations should be transparent to the public
and to the organizations contracted with those providers to make clear
statements as to what happened, what data may have been compromised and
what steps they are taking to notify the organizations they serve of the
data that was put at risk."