[BreachExchange] UHS Health System Confirms All US Sites Affected by Ransomware Attack

Destry Winant destry at riskbasedsecurity.com
Wed Oct 7 10:31:39 EDT 2020


https://healthitsecurity.com/news/uhs-health-system-confirms-all-us-sites-affected-by-ransomware-attack

October 05, 2020 - Universal Health Services, one of the largest US
health systems, confirmed on October 3 that the ransomware attack
reported last week has affected all of its US care sites and
hospitals, spurring clinicians into EHR downtime procedures.

Hackers launched the cyberattack around 2AM Sunday, September 27,
which prompted a number of staff members and clinicians from around
the country to take to Reddit to determine the scope of the attack.
The thread detailed outages to computer systems, phone services, the
internet, and data centers.

Some hospitals diverted ambulances during the initial stages of the
attack, and some lab test results were delayed. According to staff,
the attack began shutting down systems in the emergency department and
proliferating across the network. Staff took screenshots of the
incident and confirmed it was ransomware. The notorious Ryuk variant
is suspected.

UHS officials reported the incident as an IT disruption the following
day and have since updated the notification to confirm it was a malware
cyberattack.

“All systems were quickly disconnected, and the network was shut down
in order to prevent further propagation,” officials explained in the
statement. “The UHS IT Network is in the process of being restored and
applications are being reconnected.”

“The recovery process has been completed for all servers at the
corporate data center. All US-based inpatient facilities have
connectivity established back to the corporate data center and are in
process of securely connecting to those systems,” they added.

Officials also noted that the electronic medical record was not
directly impacted by the ransomware, nor were the UK-based sites. The
restoration efforts are focused on the connections to the EMR system.
Clinicians are continuing to operate under back-up processes,
including offline documentation methods.

Patient care is safely and effectively continuing amid the recovery
efforts, officials added. The notification did not detail the
ransomware variant, nor when the recovery efforts would conclude. A
Coveware report showed ransomware attacks spur 15 days of EHR
downtime, on average.

For the second time in just a year, the University of Missouri Health
Care reported that a phishing attack has caused a data breach,
impacting 189,736 patients.

In 2019, MU Health Care reported two employee email accounts were
hacked for more than a week between April 23 and May 1, 2019, which
compromised the data of 14,000 patients. The hacker was able to gain
access to a trove of data, including health insurance details,
clinical and treatment information, and some Social Security numbers.
The breach victims soon filed a lawsuit.

The latest breach was caused by a successful phishing attack, which
occurred between May 4 and May 6. And much like its last breach
notification, the provider is yet again notifying patients far beyond
the HIPAA-required timeframe of 60 days between the discovery of the
breach and patient notifications.

The investigation into the cyberattack concluded on August 28 and
found the hacker could have potentially accessed the data contained in
the accounts, including names, dates of birth, medical record or
patient account numbers, health insurance information, and/or limited
clinical or treatment data, such as diagnostics, prescriptions, and
procedure information.

Some Social Security numbers were also compromised. Those patients
will receive free credit monitoring and identity protection services.

In response to this latest breach, MU Health Care has implemented
additional security enhancements to its email environment and
reinforced staff security training. Notably, the notification does not
specify whether it will update its email policies in regard to storing
patient data in its email accounts.

OAKLAWN HOSPITAL PHISHING ATTACK IMPACTS 27K PATIENTS

Michigan-based Oaklawn Hospital recently notified 26,861 patients that
their data was potentially breached after a two-day phishing attack in
April. The provider did not disclose when the attack was first
discovered.

The investigation concluded on July 28, finding the attackers gained
access to multiple email accounts after employees responded to
phishing emails with their credentials.

The review found the accounts contained a range of patient
information, including medical data, health insurance details, and
dates of birth. For a limited number of patients, Social Security
numbers, driver’s licenses, and financial account information were
compromised.

Further, the provider explained the delay in notification was caused
by the extensive manual document review of each impacted email
account. Oaklawn has since implemented multi-factor authentication,
among other cybersecurity measures.

RANSOMWARE HACKERS HIT ERESEARCHTECHNOLOGY

Cybercriminals have successfully launched a ransomware attack against
eResearchTechnology, a health tech firm working on COVID-19 clinical
trials, according to an exclusive New York Times report.

First discovered by employees who were locked out of their data, the
attack lasted for about two weeks and slowed some of those trials.
Officials stressed the clinical trial patients were not at risk, but
trial researchers were forced to track data with pen and paper as the
IT team worked to recover the systems.

The attack impacted some clinical trials, including those run by IQVIA,
the contract research firm managing the AstraZeneca COVID-19 vaccine
trial, and Bristol Myers Squibb, the drug manufacturer leading several
companies in the development of a faster COVID-19 test.

ERT did not disclose how many trials were affected by the event. On
Friday, some systems were back online, and officials said they predict
the remaining systems will be brought online within the next few days.

Federal agencies and security researchers have repeatedly warned that
hackers are targeting COVID-19 data. Threat actors have launched
attacks against the World Health Organization and have successfully
attacked several COVID-19 research firms in recent months.

A July report from BitSight found many biomedical, healthcare,
pharmaceutical, and other academic research firms publicly working on
the development of a COVID-19 vaccine are operating on systems with
known security issues and other vulnerabilities.

NETWALKER RANSOMWARE ACTORS POST DATA FROM MEDICAL MANUFACTURER

The hackers behind the NetWalker ransomware variant have again posted
data allegedly stolen from a healthcare entity. The latest dark web
posting shows data from Sientra, a medical manufacturer of breast
implants.

In screenshots shared with HealthITSecurity.com, the proofs show a
host of files allegedly stolen from Sientra, such as analytics data,
clinical operations information, customer service details, finance
documents, business agreements, and a host of other files.

The proofs also contain test order information for employees,
including names, contact details, collection sites, and sensitive
testing results, including drug use.

A range of ransomware actors have taken to these double extortion
methods, with the frequency of attacks on healthcare rapidly
increasing during the summer. Just last month, NetWalker, REvil,
SunCrypt, and Pysa (also known as Mespinoza) hackers posted data
allegedly stolen during five separate attacks on healthcare entities.