[BreachExchange] Trillium, SIU Medicine Added to Tally of Accellion FTA Breach Victims

Destry Winant destry at riskbasedsecurity.com
Tue Mar 16 10:43:18 EDT 2021


https://healthitsecurity.com/news/trillium-siu-medicine-added-to-tally-of-accellion-fta-breach-victims

March 11, 2021 - Trillium Community Health Plan and the Southern
Illinois University School of Medicine recently reported some of their
patient data was involved in the exploit of Accellion’s File Transfer
Appliance (FTA), which has already claimed a long list of victims,
including Centene and Kroger.

Attackers successfully exploited several zero-day vulnerabilities in
the FTA platform in combination with a new webshell, which allowed the
hackers to gain access to at least 100 companies and to steal data.

The Clop ransomware threat actors appear to be behind the attack,
posting troves of data from victims in a large extortion effort.

On January 25, Accellion notified Trillium that their data was
impacted by the exploit. The attacker was able to view or save the
health plan’s files stored by Accellion between January 7 and January
25, 2021.

The compromised data included contact information, insurance ID
numbers, dates of birth, and health information, such as medical
conditions and treatments.

Trillium has stopped using Accellion’s services and removed all of the
data from its system. Officials said they’ve also reviewed data
sharing processes to ensure they’re protected against similar attacks.

For SIU, the hackers accessed the vulnerable FTA containing the School
of Medicine’s data for short periods of time on December 24, January
20, and January 21. Upon discovery, officials said they closed off
access to the service, contacted law enforcement, and launched a
review.

The investigation was supported by an outside forensic security firm,
which confirmed access did occur. A review found the documents
contained personal data and PHI that varied by patient, but could
include names, dates of birth, Social Security Numbers, driver’s
licenses, treatments, and insurance information.

SIU has also since terminated use of the vulnerable FTA service. Those
individuals whose SSNs and/or driver’s licenses were exposed will
receive complimentary identity theft protection services.

The Accellion incident is just one of several massive supply-chain
attacks reported in the last few months. Hackers have exploited
vulnerabilities in Verkada security cameras and Microsoft Exchange, as
well as the massive SolarWinds exploit that resulted in a trojanized
software update.

SANDHILLS MEDICAL DATA IMPACTED BY VENDOR RANSOMWARE ATTACK

Sandhills Medical Foundation is notifying an undisclosed number of
patients that their data was stolen prior to a ransomware attack on
its third-party vendor, which provides Sandhills with electronic data
storage for some of its scheduling, billing, and reporting systems.

The vendor first notified Sandhills of the ransomware attack on
January 8, which impacted the provider’s systems and the stored data.
The vendor’s investigation determined the hackers used compromised
credentials to access the system on September 23, 2020.

Access to Sandhills’ system began on November 15, and the hackers
exfiltrated Sandhills’ data prior to the ransomware deployment on
December 3.

The stolen data included patient names, SSNs, dates of birth, contact
information, driver’s licenses, and claims data that could be used to
determine patient diagnoses and conditions. Patient medical records,
lab results, medications, credit cards, and bank account details were
not impacted.

The vendor paid the hackers’ ransom demand to return the stolen data
and “received assurances that the data was deleted or destroyed.”
However, reports show that it’s getting difficult to trust these
assurances, as hackers may falsify this information.

The vendor has since bolstered its security measures. Sandhills
reported the breach to the Office for Civil Rights, state regulatory
agencies, and the national credit reporting agencies.

The notice’s details and timeframes bear similarities to the Netgain ransomware
attack, which impacted individuals from Ramsey County, Minnesota and
Woodcreek Provider Services.

NEW LONDON HOSPITAL REPORTS BREACH FROM JULY 2020

About 34,878 patients of New London Hospital in New Hampshire are
being notified their data was potentially compromised by a breach that
occurred more than six months ago in July 2020.

It’s unclear when the security incident was first discovered, but the
notice explained that an unauthorized party gained access to a file on
the NLH network “for a short period of time” on July 30, 2020.

The investigation, which concluded on February 16, confirmed the
compromised file contained patient information, such as names,
demographic details, and SSNs. The file did not include diagnoses,
treatments, medications, or hospitalization information.

Under HIPAA, healthcare entities are required to report breaches of
protected health information within 60 days of discovery—not at the
close of an investigation.

The breached network system is no longer in use at the hospital. The
notice provides scarce details on just how the intruder broke into the
network and just how long the unauthorized access occurred.

PROPATH REPORTS EMPLOYEE EMAIL HACK

The hack of two employee email accounts belonging to ProPath led to
the compromise of some patient data for more than four months in 2020.

Upon discovery, the impacted accounts were secured and mandatory
password resets were enforced. The notice does not disclose when the hack
was first discovered, just that the investigation determined the
extent of the hack on January 28, 2021.

An investigation, led with assistance from a third-party cybersecurity
team, found the accounts contained both personal data and protected
health information of patients who received laboratory or pathology
testing services from ProPath.

This data could include names, dates of birth, test orders, diagnoses,
clinical treatments, medical procedures, and provider names. A limited
number of SSNs, financial account information, driver’s license
numbers, health insurance details, and passports were also
compromised. Patients whose SSNs were exposed will receive free credit
monitoring.

ProPath has since bolstered its technical safeguards, including
implementing further security measures on its email system and
strengthening its email security training with employees.

EMAIL HACK IMPACTS SAINT AGNES, SAINT ALPHONSUS HOSPITALS

California-based Saint Agnes Medical Center, a member of Trinity
Health, and its sister health system, Saint Alphonsus Health System in
Idaho, were recently impacted by an email hack, which potentially
breached the data of an undisclosed number of patients.

On February 5, Saint Agnes was notified by Saint Alphonsus of an
employee email compromise, which led to the account sending phishing
emails between January 4 and 6. The hacker was attempting to obtain
login credentials.

It first appeared that the incident only impacted Saint Alphonsus. But
the investigation later determined some of the compromised data
belonged to Saint Agnes. Saint Alphonsus handles the billing for the
hospital’s western region.

The hack was discovered on January 6, and the account was quickly secured.

A review of the account determined some patient information may have
been accessible during the incident, including names, dates of birth,
contact details, email, and medical information, such as treatments,
billing data, and record numbers. All patients will receive a year of
free credit monitoring.

65K PATIENTS IMPACTED BY INSIDER WRONGDOING AT HUMANA

Humana is notifying 65,000 individuals of an insider wrongdoing
incident at one of its vendors, which led to the exposure of their
personal and health information. The vendor, Cotiviti, supports Humana
with medical records requests to verify data reported to CMS.

Cotiviti uses a subcontractor to review collected medical records. The
incident was caused by a subcontractor’s employee, who inappropriately
disclosed patient data to unapproved individuals for unauthorized
training purposes between October 12 and December 16, 2020.

The information included patient names, dates of birth, SSNs, contact
information, insurance identification numbers, dates of service,
medical records numbers, treatment information, and medical images.

Upon discovery, the employee’s access to the medical records was
disabled. The employee is no longer employed by the subcontractor.
Cotiviti and the subcontractor have since implemented a “broad
strategy” to prevent further unauthorized disclosure of information.

Humana was notified of the incident on December 22. The notice does
not explain the reason for delayed reporting. The insurer worked with
Cotiviti to ensure it bolstered protections and security of personal
information, while reviewing the physical and technical safeguards of
Cotiviti and its subcontractor.

