[BreachExchange] 528K Patients Impacted by Months-Long North Florida OB-GYN Hack

Nora Butkovich nora at riskbasedsecurity.com
Thu Oct 10 16:26:42 EDT 2019


https://healthitsecurity.com/news/528k-patients-impacted-by-months-long-womans-care-florida-hack

The North Florida OB-GYN <https://nfobgyn.com/uploads/WCF-WebsiteNotice.pdf> in
Jacksonville, part of Woman’s Care Florida, recently began notifying
528,188 patients of a months-long cyber incident that potentially breached
their health information.

First discovered on July 27, officials said they determined certain parts
of their computer systems were impacted by a cyber incident that began on
or before April 29, nearly two months earlier. A preliminary assessment
determined “improper access” occurred on some portions of the networked
computer systems.

The virus encrypted certain files, but officials did not share whether the
virus was ransomware. The computer systems were promptly shut down and
incident response and recovery procedures were launched. The FBI was
contacted and North Florida OB-GYN began its own forensic investigation.

The impacted data included patient names, demographic details, dates of
birth, Social Security numbers, driver’s licenses or identification card
numbers, employment information, health insurance data, and health
information, such as treatments, diagnoses, medical images, and related
information.

All patients will receive complimentary identity theft protection services.

The Florida provider decrypted the impacted files or recovered nearly all
affected files. Officials said they’ve also taken steps to bolster security
safeguards for the affected systems to prevent a recurrence. North Florida
OB-GYN has also strengthened its virus detection and other systems, along
with other security measures.

PHISHING INCIDENT AT THE METHODIST HOSPITALS

Two employees
<https://www.methodisthospitals.org/wp-content/uploads/2019/10/Methodist-Hospitals-Website-Notice.pdf>
of the Methodist Hospitals fell victim to phishing scams, which potentially
compromised the data of about 68,039 patients.

In June, officials said they detected unusual activity in an employee’s
email account. An investigation determined that one employee email account
was breached on June 12, and again for a week between July 1 and July 8.

The other account was compromised for about three months between March 13
and June 12. The investigation could not rule out the possibility of access
to the data in the accounts.

The compromised data varied by patient, but could include names, contact
information, health insurance subscriber, group, and/or plan numbers,
Social Security numbers, driver’s license or state identification numbers,
passport details, financial account numbers, payment card information,
electronic signatures, usernames and passwords, dates of birth, medical
record numbers, and even medical diagnoses, among other identifiable
information.

“While we have security measures in place to protect data in our systems,
we are reviewing our existing policies and procedures and implementing
additional safeguards to further protect information,” officials said in a
statement.

The incident has been reported to the Department of Health and Human
Services Office for Civil Rights and other relevant regulators.

UAB MEDICINE PHISHING ATTACK

The University of Alabama (UAB) Medicine
<https://www.uab.edu/news/health/item/10813-uab-medicine-notifies-patients-of-data-breach>
is notifying 19,557 patients that their data was potentially compromised after
a phishing incident.

According to officials, hackers gained access to several employee email
accounts containing patient information. The phishing scam was crafted to
look like an authentic request from an executive asking employees to
complete a business survey.

While employees do receive education and training to recognize phishing
attacks, “a number of employees accessed the survey and provided their
username and password to the hackers.” As a result, the cybercriminals were
able to access the employees’ email accounts, as well as the payroll system.

The UAB Medicine EHR and billing systems were not impacted by the hack.

The investigation determined the phishing attack and compromise began on
August 7. Upon discovery, the accounts were secured and passwords were
reset. Officials said the investigation determined the hackers were
attempting to divert employees’ automatic payroll deposits to an account
controlled by the hackers.

UAB Medicine was able to prevent all attempts by the hackers to redirect
the payroll deposits. While officials said there’s no evidence the patient
data was what the hackers were seeking out, limited protected health data
could have been viewed by the hackers while they accessed the employee
email accounts.

The impacted data varied by patient, but could include names, medical
record numbers, birth dates, dates and location of service, diagnoses, and
treatments. Some Social Security numbers were included for a small subset
of patients.

“UAB Medicine continually trains employees regarding these types of
cyberattacks and is increasing its efforts to educate employees about email
and data security,” officials said in a statement. “The additional security
protection of multifactor authentication also has been implemented for all
employee emails.”

CAMPBELL COUNTY HEALTH RANSOMWARE UPDATE

Campbell County Health was forced into downtime procedures at the end of
September
<https://healthitsecurity.com/news/campbell-county-health-ransomware-attack-disrupting-patient-care>
after a ransomware attack crippled its computer system. Patient care was
disrupted, outpatient labs were unable to operate, and some surgeries were
canceled.

What’s more, CCH stopped accepting new patients and others were diverted
into area hospitals. By October 7
<https://www.cchwyo.org/News/Press_Center/Health_News/2019/Service_Disruptions_at_CCH_no_ETA.aspx?furl=sd>,
all CCH providers, clinics, lab, and radiology were fully functioning
again. The clinics and other care areas were calling patients who
needed to reschedule appointments.

However, CCH respiratory therapy and its Sleep Center remain closed more
than two weeks after the initial cyberattack.