2 Health Data Hacks Affect More Than 1 Million IndividualsNew Jersey Healthcare System and Alabama Cardiac Care Clinic Are Notifying Patients
Two recent separate hacking incidents involving attackers stealing copies of protected health information have affected more than 1 million patients of a New Jersey healthcare system and an Alabama cardiovascular clinic.
Freehold, New Jersey-based nonprofit CentraState Healthcare System on Feb. 10 reported a breach affecting 617,000 individuals, and Birmingham, Alabama-based Cardiovascular Associates on Feb. 3 reported a breach affecting nearly 442,000 individuals. Both hacking incidents were discovered last December.
CentraState in a breach notification statement says that on Dec. 29, 2022, it detected "unusual activity" involving its computer systems. The entity says it took steps to contain the incident and initiated an investigation with assistance from a forensics firm. CentraState also says it reported the incident to law enforcement, including the FBI.
The investigation determined that on Dec. 29 an unauthorized party had obtained a copy of an archived database that stored patient information, CentraState says.
On Dec. 30, local media site Asbury Park Press reported that CentraState Medical Center for a while had been diverting ambulances and patients to other facilities as it dealt with a cybersecurity incident.
A CentraState spokeswoman declined Information Security Media Group's request for additional details, including the type of archived database affected, whether ransomware had been involved and if the incident had disrupted CentraState's IT systems.
CentraState says potentially compromised information includes names, addresses, birthdates, Social Security numbers, health insurance information, medical record numbers and patient account numbers. Information related to care received at CentraState, such as dates of service, physician names and departments, treatment plans, diagnoses, visit notes and prescription information also was accessed in the incident. No financial account or payment card information was involved, CentraState says.
For individuals whose Social Security numbers were compromised, CentraState is offering complimentary credit and identity monitoring. The organization says it is also enhancing the security of its electronic systems and patient data to help prevent similar incidents in the future.
Cardiovascular Associates Incident
Cardiovascular Associates in its breach statement says that on Dec. 5, 2022, it discovered "unauthorized activity" in certain systems within its network.
In response to this incident, CVA took steps to restrict further unauthorized activity, and investigation and remediation effort was launched, it says. The investigation determined that an unauthorized third party had accessed systems containing patient information and removed a copy of some data from CVA's network between Nov. 28 and Dec. 5, CVA says.
Information potentially compromised in the incident includes names birthdates, addresses, Social Security numbers, health insurance information, and medical and treatment information - including medical record number; dates of service; provider and facility names; other visit, procedure and diagnosis information; and possibly assessments, tests and imaging.
Also affected in the incident was billing and claims information - including account and/or claim status, billing and diagnostic codes, and payer information - including passport and driver's license numbers, credit and debit card information and financial account information, CVA says.
For a limited subset of individuals, the information compromised also may have included username and password, CVA says.
"In response to this incident, security and monitoring capabilities are being enhanced and systems are being hardened as appropriate to minimize the risk of any similar incident in the future," CVA says.
The entity is also offering free credit monitoring and identity restoration services to individuals whose Social Security number, credit card/debit card or financial account information, passport or driver's license number may have been compromised.
CVA did not immediately respond to ISMG's request for additional details about the incident, including whether involved ransomware.
Hacking incidents that focus primarily on data theft rather than encrypting IT systems and data with ransomware is an approach that some cybercriminals seem to prefer with healthcare sector targets because it presents less risk to the attackers, says Michael Hamilton, CISO and co-founder of security firm Critical Insight.
"Records theft used for extortion involves less risk for the criminals as the use of ransomware against critical infrastructure - like the healthcare sector - is now viewed as terrorism, not criminality," he says.
"Theft of information that is held in abeyance for the purpose of extortion creates the same outcome for the criminals without the threat of having their infrastructure melted by the Department of Justice or Department of Defense."
In the meantime, cybercriminals also continue to go downmarket in their targeting of victims, under the assumption that the records held by smaller healthcare entities that often have less robust security controls implemented still have the same value, Hamilton says, adding that business associates - service providers, tech vendors and others - are also being increasingly used as the "unlocked window" to get to the actual targets.
Recent analysis by Critical Insight found that in the second half of 2022, specialty clinics topped the list of organizations reporting health data hacking incidents to regulators, followed by hospital systems, services and supply firms, behavioral health and outpatient care.