[BreachExchange] Ransomware: Home Health Firm Reports 2nd Cloud Vendor Incident

[Destry Winant]

https://www.inforisktoday.com/ransomware-home-health-firm-reports-2nd-cloud-vendor-incident-a-16291

A home healthcare company says a data breach affecting more than
753,000 patients, employees and former workers stems from a ransomware
attack on its private cloud hosted by managed service providers. The
company reported a similar incident 15 months ago.

See Also: Live Webinar | Mitigating the Risks Associated with Remote Work

Lake Success, New York-based Personal Touch Holding Corp., which
operates about 30 Personal Touch Home Care subsidiaries in about a
dozen states, says it discovered on Jan. 27 that "it experienced a
cybersecurity attack on the private cloud hosted by its managed
service providers."

The notification statement does not name the vendors involved.

A breach notification report filed with the Maine attorney general's
office notes that the incident involved ransomware and affected
753,107 individuals, including 93 residents of that state.

PTHC declined to provide additional information about the incident to
Information Security Media Group.

In January 2020, PTHC submitted 16 breach reports on behalf of its
subsidiaries in six states to the Department of Health and Human
Services. Those involved a ransomware attack on Wyomissing,
Pennsylvania-based Crossroads Technologies, which hosted the home
healthcare provider’s cloud-based electronic health records (see:
Ransomware Attack on EHR Vendor Impacts Home Health Chain).

Patient, Employee Data Compromised

In a statement on its website, PTHC says the most recent cyber
incident compromised private cloud-stored business records of the
company and its "direct and indirect subsidiaries."

Patient information exposed includes health plan benefit numbers,
medical record numbers, names, addresses, telephone numbers, dates of
birth, Social Security numbers and financial information, including
check copies, credit card numbers and bank account information.

Affected information of current and former employees may include
names, addresses, telephone numbers, dates of birth, Social Security
numbers - including dependent and spouse Social Security numbers -
driver’s license numbers, passport numbers, birth certificates,
background and credit reports and demographic information, PTHC says.

Also potentially compromised were employee usernames and passwords,
personal email addresses, fingerprints, insurance card and health and
welfare plan benefit numbers, retirement benefits information, medical
treatment information, check copies and other financial information
necessary for payroll, PTHC says.

"Upon discovery, PTHC retained outside counsel and independent
forensic experts to begin an investigation," the company says in its
statement.

"While the investigation is still ongoing, and we cannot confirm the
extent to which employee and patient data was compromised, we are
notifying our community that the breach occurred, in our effort to
comply with the applicable state data breach notification laws."

The company says it also reported the incident to the FBI and has
implemented "enhanced monitoring and alerting software."

Vendor Attacks

The healthcare sector has seen a surge in ransomware attacks in recent months.

"The supply chain represents a relatively easy attack vector for
malicious actors," says Ian Walters, principal of healthcare cyber
risk services at security consultancy Coalfire. "The further down the
supply chain you go, the greater the likelihood that a vendor doesn’t
fully understand the implications of their security posture to the
bigger picture."

By compromising one vendor, the malicious activity could be spread to
multiple targets, he adds.

"Ransomware is one of those issues that divides opinion: Do you pay
the ransom and get back to normal operations as quickly as possible,
or do you take a lot of time and money to try and recover? If you pay,
you run the risk of being subjected to further attacks because the bad
guys know your MO for these incidents and may have even left a
backdoor Trojan for ease of access next time."

Cathie Brown, vice president of consulting at security and privacy
consulting firm Clearwater, notes: "As entities have worked to secure
their environments and protect their data, migrating to the cloud has
provided a false sense of security in many cases. Hackers have also
migrated to the cloud. Lessons that those in the healthcare sector
should learn from the current environment is that healthcare is the
number one target for ransomware."

Among other recent vendor ransomware incidents in the healthcare
sector was an attack on PeakTPA, a third-party claims administrator of
health and social services programs for the elderly. The company
apparently paid a ransom to Netwalker attackers about a month before
global law enforcement officials disrupted the gang in January (see:
Ransom Paid Just Before Netwalker Gang Disrupted).

Taking Action

"The healthcare ecosystem more complex than ever," Brown says, with
organizations relying more heavily on vendors' services. "More vendors
expand the attack surface and provide any number of ways to penetrate
an organization. Another reality is that vendor risk management is
relatively immature to most healthcare entities."

Walters says it is more essential than ever for healthcare entities to
have in place an effective third-party risk management program.

"Don’t let the program become shelf-ware," he says. "Actively validate
your vendors’ security program through a series of profiling,
questionnaires and reviewing of certificates and certifications."

High-risk, high volume vendors should be periodically audited, he
says. Plus, he advises organizations to ensure that vendors' remote
sessions are terminated when not needed – for example, after a vendor
has had access for support or patching.