[BreachExchange] Minnesota’s Lake Region Healthcare Recovering From Ransomware Attack

Destry Winant destry at riskbasedsecurity.com
Fri Jan 8 10:38:27 EST 2021


https://healthitsecurity.com/news/minnesotas-lake-region-healthcare-recovering-from-ransomware-attack

January 07, 2021 - Lake Region Healthcare (LRH) was hit with a
ransomware attack a few days before Christmas, resulting in some
computer system outages and disrupting certain operations. The
Minnesota health system is continuing its recovery efforts, while
investigating the scope of the incident.

As first reported on December 22, the security team detected
unidentified activity on certain computer systems. In response,
officials said they launched EHR downtime procedures to ensure
continuity of care.

The outage impacted LRH locations in Fergus Falls, Battle Lake, Ashby,
and Barnesville. LRH had previously established downtime protocols
ahead of the attack, which enabled the care team to continue providing
patient services.

However, some patient care and business service systems were left
without full functions in the immediate wake of the attack. Officials
said staff worked closely with computer specialists to determine the
cause of the disruption, examine the scope of the incident, and
restore downed systems.

“Our efforts are focused on providing safe patient care while working
to ensure data and information is safeguarded,” LRH CEO Kent Mattson,
said in a statement. “We have substantial internal and external
resources dedicated to restoring systems, and our investigation will
be ongoing until it is resolved.”

“We are dedicated to serving our patients and business partners,” he
continued. “Patients are encouraged to call their provider’s office
prior to confirm [their] scheduled appointments or with any questions
or concerns, and to bring any current medications with them to their
appointment.”

The latest update confirmed the LRH outage was caused by a
sophisticated ransomware attack, which prompted officials to contact
federal and local law enforcement. The health system is also working
with a team of third-party security leaders to help with the
investigation.

The scope of the incident has yet to be established, and so far,
there's no evidence of data exfiltration.

LRH is continuing to restore many of its impacted systems, providing
most services “as usual by operating largely off alternative systems.”
Officials said they’re evaluating patient care on a case-by-case basis
to ensure care quality.

Patients are still being asked to confirm appointments before visiting
the health system. LRH will make an announcement once systems have
been restored to ensure patients that need to make payments or access
other services will know when LRH is back online.

The LRH attack joins nearly a dozen providers impacted by ransomware
during the last quarter of 2020. As previously reported, hackers have
been targeting the sector with ransomware through a coordinated
effort.

Universal Health Services was one of the first providers targeted in
the massive ransomware wave, followed by a host of other providers
that were also driven to EHR downtime procedures, including the
University of Vermont Health Network, Sky Lakes Medical Center, and
GBMC HealthCare in Maryland, just to name a few.

Recent Check Point research found that attacks on healthcare increased
by 45 percent from November, driven by Ryuk ransomware threat actors.

“ACTIVIST” GROUP KNOWN AS DDOSECRETS LEAKS MINED HEALTH DATA

The “activist” group known as DDoSecrets recently posted a trove of
sensitive data online, which they gathered by mining data previously
leaked on dark web markets, first reported by Wired.

According to the report, the “data activists” leaked 1TB of data mined
from previous dark web leaks. The data includes over 750,000 emails,
photos, and other information from about five different companies.

The group offered to share another 1.9TB of data from more than 12
other companies with selected researchers or journalists. The mined
data set stems from pharmaceutical, retail, finance, manufacturing,
real estate, and oil industries.

DDoSecrets intends to continue leaking even more data in the coming
weeks and months. For ethical reasons, HealthITSecurity.com will not
share the link to the data sets, nor will it provide a platform for
the group.

The screenshots of the data shared with HealthITSecurity.com show the
group has leaked about 200,000 emails and other files from ExecuPharm,
a pharmaceutical company used for outsourced medical trials.

As previously reported, ExecuPharm was hit with a ransomware attack in
March. The hackers exfiltrated a subset of data and, when the company
refused to pay the ransom demand, published it online in an attempt to
extort the provider.

The hackers first gained access through a successful phishing campaign
sent to the company’s workforce. Officials determined the hackers
indeed accessed and exfiltrated corporate and personnel data, as well
as personnel information from Parexel, ExecuPharm’s parent company.

The stolen data included Social Security numbers, national IDs, credit
card numbers, and financial information, among other sensitive
information. The pharma company was also forced to rebuild its
impacted servers from backup data, as a direct result of the hack.

Coveware found that data exfiltration and subsequent extortion
attempts occur in nearly half of all ransomware attacks, and it's not
always caused by poor security practices.

DDoSecrets appears to be adding to the security burden and ransomware
fallout already facing the healthcare sector. Notably, the Department
of Homeland Security’s Office of Intelligence and Analysis designated
DDoSecrets as a criminal hacking group in June, after the group published
296 gigabytes of law enforcement data.

PRESTERA CENTER EMAIL HACK

West Virginia-based Prestera Center recently began notifying a small
percentage of its patients that their data was potentially compromised
after a hack on its business email environment.

The notice does not detail when the security incident was first
discovered, nor how the unauthorized email access occurred. Instead,
officials explained that after discovering the unauthorized access to
both current and former patient data, a thorough review was launched
with assistance from an outside vendor.

The review determined the compromised data included names, dates of
birth, medical record and/or patient account numbers, diagnostic
details, provider information, prescriptions, and treatments.

For some patients, contact details, SSNs, and Medicare or Medicaid
numbers were exposed. The compromised data varied by patient, and all
will receive free identity theft and credit monitoring services.

Prestera has since strengthened its cybersecurity infrastructure,
including revising its policies and procedures, implementing
multi-factor authentication for all accounts, replacing and
strengthening the firewall, and enacting an intensive employee
security training program.

MATTAPAN COMMUNITY HEALTH CENTER REPORTS MONTHSLONG EMAIL HACK

Mattapan Community Health Center (MCHC) in Massachusetts recently
disclosed that a monthslong email hack potentially compromised the
data of an undisclosed number of patients.

MCHC discovered suspicious activity in an employee email account on
October 16 and immediately launched an investigation with help from a
third-party computer forensic investigator.

On October 29, officials determined a hacker first gained access to
the employee email account nearly three months earlier on July 28,
2020.

The security team manually and programmatically reviewed the account
to determine just what data may have been accessible to the hacker
during the incident. The compromised data varied by individual but
could include names, SSNs, diagnoses and treatments, provider
information, health insurance details, and/or medical record numbers.

MCHC has since implemented additional security measures to prevent a recurrence.
