Breach Victims Piling Up in Wake of Cloud Vendor AttackImpact of Apparent Ransomware Attack on Netgain Technology Continues to Grow
Months after an apparent ransomware attack against cloud hosting and managed service provider Netgain Technology, the list of healthcare sector entities reporting major health data breaches linked to the incident is growing.
So far, affected organizations that have filed breach reports with the Department of Health and Human Services' Office for Civil Rights tied to the December 2020 Netgain incident include:
- Woodcreek Provider Services LLC, based in Washington state, which reported 207,000 patients of its client MultiCare Health System were affected;
- Apple Valley Clinic/Allina Health, based in Apple Valley, Minnesota, which reported nearly 158,000 individuals were affected;
- Ramsey County, Minnesota, which reported nearly 8,700 individuals receiving services from its family health division had data exposed.
Also reportedly a victim of the Netgain Technology incident is Crystal Practice Management, a vendor that provides office management software solutions for optometrists and vision therapy professionals, according to news site Bleeping Computer.
Crystal Practice Management did not immediately respond to Information Security Media Group's request for comment about the incident.
In addition, Sandhills Medical Foundation, a medical practice based in Sumter, South Carolina, reported to HHS OCR on March 12 that nearly 40,000 patients were affected by a vendor ransomware attack. Based on the details provided, that vendor may be Netgain, the news blog DataBreaches.net reports.
In its breach notification statement, Sandhills says that on Jan. 8, a vendor that provides electronic data storage for some of its scheduling, billing and reporting systems experienced a ransomware attack that affected Sandhills’ systems and the data stored in them.
"The vendor’s investigation showed that the attackers used compromised credentials to access their system on Sept. 23," Sandhills notes. "The attackers accessed Sandhills’ systems on Nov.15, 2020, and exfiltrated Sandhills’ data before the ransomware attack was launched on Dec. 3, 2020."
Sandhills also notes in its statement that the vendor paid a ransom to attackers in exchange for returning data and receiving assurances that copies of the data were deleted or destroyed. Since the attack, the vendor says it has "implemented additional security measures," Sandhills notes.
DataBreaches.net reports that the dates and some other details described in Sandhills' breach notification statement match the timeline and description of the Netgain incident provided by some of the vendor's affected clients.
A Sandhills executive tells ISMG that due to "legal issues," the practice cannot confirm that Netgain is the vendor involved in its data breach.
Allina Health Provides Details
Allina Health, in its Apple Valley Clinic breach notification statement, notes: "Netgain provided written assurances that the threat to its systems has been contained and eliminated."
The notification also notes that Netgain says it is "continuing to scan its environment to identify potential impacts from the attack and will work promptly to address any new vulnerabilities that may be identified."
Netgain did not immediately respond to ISMG's requests for comment on the various health data breach reports.
Other Vendor Attacks
Several other cloud vendors have been targeted by ransomware and other attacks that have, in turn, affected healthcare organizations.
For instance, home healthcare company Personal Touch Holding Corp. reports that 753,000 patients, employees and former workers were affected by a ransomware attack on its private cloud hosted by managed service providers.
Cloud vendors appear to be an increasingly attractive target for cyberattacks, potentially putting scores of their clients at heightened risk.
"Cloud vendors are seen as holding high volumes of data - in particular, personal health data when the vendor serves the healthcare sector," says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
"The more such data, the more potential gain, in terms of both the size of the ransom to be paid and the value of the raw data. And every successful ransomware attack leads to more attacks on similar targets."
Cloud vendors may be succumbing to ransomware attacks because they underestimate the importance and complexity of a robust security program, Borten says.
"In addition, by outsourcing to cloud platforms, many healthcare organizations may feel relieved they have shifted that responsibility to an external party and focus only on their own security," she adds. "This is a flawed model."
Other experts offer a similar assessment.
"Unfortunately, many cloud services organizations … state their belief that they are not responsible for the data that their clients store within their cloud services … especially those whose business is solely data storage," says Rebecca Herold, CEO of consulting firm Privacy & Security Brainiacs.
"Many have told me that if their clients want the data encrypted, then it is their responsibility to do so."
Another contributing factor is subcontracting, she says. "Many cloud service providers subcontract activities that involve access to their clients’ data, and the subcontractors often do not have a strong - and often have no - security program in place," she says. "So, social engineering through the subcontractors leads to ransomware attacks on the cloud provider’s clients’ data."
Steps to Take
Covered entities, business associates and their subcontractors must take several critical steps to help avoid falling victim to attacks on cloud vendors, Herold says.
That includes requiring that cloud service vendors make frequent backups of data. But healthcare organizations also need to store their own local copy of data in a secured location, she says. "Don’t depend or rely solely upon third-party service providers to make the backups."
Organizations also should make sure their data is strongly encrypted when stored locally or by a cloud service provider, she says. "This way, if hackers get a copy of the covered entity's data, they will not be able to then take it and sell it to other crooks or use it themselves for other criminal activities."
As more cloud vendors emerge, more will be targeted for attacks, Herold predicts.
"As long as cloud service providers are lax in their security practices and cybercrooks keep making a lot of money from their crimes against them, the cyberattacks will continue to increase."