[BreachExchange] Sutter Buttes Imaging PACS Vulnerability Causes 18 Month Data Breach

Destry Winant destry at riskbasedsecurity.com
Mon Feb 22 10:39:41 EST 2021


https://healthitsecurity.com/news/sutter-buttes-imaging-vulnerability-hack-causes-18-month-data-breach

February 18, 2021 - Sutter Buttes Imaging (SBI) is notifying an
undisclosed number of patients that their data was compromised for 18
months, due to a leak caused by a vulnerability in its third-party IT
software. The data breach impacted patients who received diagnostic
imaging services at SBI.

An exclusive HealthITSecurity.com report previously showed that SBI
was leaking patient data online through its vulnerable Picture
Archiving and Communication Systems (PACS).

PACS are critical to healthcare infrastructure but are highly
vulnerable platforms, given that the technology stores massive troves
of medical images on PACS servers. The tool also allows health systems and
hospitals to share critical data with multiple providers.

However, the legacy tech has a number of flaws, which Dirk Schrader,
Global Vice President at New Net Technologies (NNT), has outlined in
great detail over the last few years.

His last report found SBI was the third-largest culprit for leaking
data through vulnerable PACS. Schrader found 580,000 patient exams
related to 14 million images tied to SBI, which officials learned
about in December 2020.

The flaws were disclosed to SBI via fax on January 25, 2020. According
to SBI, these hardware vulnerabilities allowed for unauthorized access
on its network between July 2019 and December 2020.

“With this 'vulnerability', which actually was an unchanged default
configuration plus some un-monitored firewall ports for such a long
time, the hard lesson for SBI is obvious: if you connect a device to
the Internet, it will be discovered,” Schrader shared with
HealthITSecurity.com.

“A simple network vulnerability scan and secure configuration
management would have detected and mitigated this in a matter of
minutes. Unfortunately, our research shows that there are still many
organizations out there, having to learn that same lesson,” he added.

SBI's investigation determined the vulnerability exploit allowed some
patient information to be accessed by unauthorized parties, including
study date, patient names, dates of birth, and type of imaging
procedures, as well as patient and study number internally created by
SBI.

No Social Security numbers, credit cards, diagnoses, medical images,
medical reports, or clinician notes were compromised during the
security incident.

SBI identified the IT vulnerabilities, which were quickly addressed to
prevent a future recurrence, and closed certain firewall ports. SBI
also contracted with a third-party IT consultant to perform a thorough
analysis and improve its security controls.

TEXAS SPINE CONSULTANTS PACS LEAK IMPACTS 25,728 PATIENTS

Texas Spine Consultants recently began notifying 25,728 patients that
their data may have been compromised as a result of a security
incident in December 2020.

The notification letter does not provide insights into the direct
cause of the incident, but described it as an “inadvertent disclosure”
that does not appear to be the “result of hackers or criminal
activity.”

Schrader told HealthITSecurity.com that the breach was caused by an
exploit of a PACS vulnerability. Texas Spine was notified of the
vulnerability via email in mid-December 2019.

The investigation into the incident is ongoing. For now, officials
said they’ve determined the compromise may have included patient
identifiers like names, dates of birth, and image scans.

Officials from Texas Spine Consultants said they plan to implement
additional safeguards to strengthen its data security, as well as
assess its privacy and security controls to prevent a recurrence.

RANSOMWARE ATTACK ON GRANITE WELLNESS SPURS BREACH NOTICE

About 15,600 clients of Granite Wellness Centers in California have
been notified that their data was compromised due to a ransomware
attack in January.

The cyberattack impacted data stored on its computer servers, and the
encryption was in progress at the time of discovery. The affected
systems were immediately taken offline, and officials said they
quickly notified law enforcement.

An investigation was launched, and the security team took steps to
eliminate the ransomware from its systems. Granite Wellness was able
to fully restore its systems from back-up files, while fully
maintaining care for its clients.

The compromised data included full names, dates of birth, dates of
care, treatments, health information, provider names, and health
insurers.

Granite Wellness is currently taking steps to rebuild the impacted
systems and adding further safeguards to better secure the information
in its possession.

The notice does not explain that NetWalker ransomware actors leaked
data they allegedly stole from Granite Wellness in mid-January. The
screenshots shared with HealthITSecurity.com showed a range of
spreadsheets containing business information, management, and
consultation information.

EMPLOYEE EMAIL HACK ON GRAND RIVER MEDICAL GROUP

The hack of an employee email account at Iowa-based Grand River
Medical Group potentially led to a compromise of the data from 34,000
patients.

Upon discovery, the account access was blocked and all relevant
passwords were changed. The medical group contracted with an outside
incident response team to conduct a forensic analysis of the incident
to determine if any data was accessed or exfiltrated during the
incident.

The notice does not detail when the unauthorized access was first
discovered. But officials said the attacker gained access to the
employee account, which enabled them to view spreadsheets containing
personal information.

The investigation did not find evidence of access or data theft, but
officials said they also could not rule it out. The impacted data
varied by patient and could include names, SSNs, dates of birth,
contact details, account types and balances, claim accounts and status
codes, visit types, medications, and/or guarantor’s names.

All impacted individuals will receive a year of free identity theft
protection services, including credit monitoring. Grand River Medical
has since implemented additional safeguards recommended by its
third-party consultants to prevent a similar attack in the future.

