Exfiltration Breach, Ransomware Attack Affect 800,000
Lessons Learned From 2 Recent Health Data Hacking Incidents
Two recent hacking incidents - one involving ransomware and the other involving the exfiltration of sensitive data for hundreds of thousands of individuals - are among the latest examples of the serious cybersecurity threats and risks facing healthcare organizations and their patients' information.
The data exfiltration incident, which was the larger of the two, was reported last month by Seattle, Washington-based Sea Mar Community Health Centers, which operates dozens of medical, behavioral health and dental clinics, and social service programs in the region.
The ransomware incident was first reported to regulators in July by the North Oklahoma County Mental Health Center, which operates under the NorthCare name, but details about the compromise were recently updated. Oklahoma City, Oklahoma-based NorthCare offers a variety of services for children, adults, and families recovering from mental illness, substance abuse, trauma and other crises.
Sea Mar Breach
Sea Mar on Oct. 30 reported to the U.S. Department of Health and Human Services a hacking IT incident affecting 688,000 individuals, which as of Wednesday was the 13th-largest health data breach posted so far in 2021 on the HHS Office for Civil Rights' HIPAA Breach Reporting Tool website.
Commonly called the wall of shame, the HHS OCR website lists health data breaches affecting 500 or more individuals.
According to Sea Mar's Oct. 29 breach notification statement, its investigation found that the attackers had "copied" and removed information from the organization's IT environment over several months.
Sea Mar says that on June 24, it was informed that "certain" Sea Mar data had been copied from its IT environment by an unauthorized actor. The organization says it immediately took steps to secure its environment and began an investigation.
"As a result, Sea Mar learned that additional data may have been removed from its digital environment between December 2020 and March 2021."
Affected information of current and past patients includes name, address, Social Security number, date of birth, client identification number, medical/vision/dental/orthodontic diagnostic and treatment information, insurance information, claims information and images associated with dental treatment, Sea Mar says.
DataBreaches.net on Oct. 30 reported that the hackers who gained access to Sea Mar’s network claimed to have exfiltrated 3 terabytes of data. The incident was posted on darknet data leak site Marketo in June, DataBreaches.net says.
"Marketo claimed to have 201 bids for Sea Mar’s data in July. As they did with all of their listings, Marketo uploaded a small proof of claims archive of files," DataBreaches.net says. "It contained a few photos of identified pediatric dental patients. Each one held a sign with their name, date of birth, and date of photo."
Sea Mar did not immediately respond to Information Security Media Group's request for comment.
NorthCare reported to the Maine attorney general's office on Tuesday that a ransomware incident discovered on June 1 affected sensitive information of nearly 128,000 individuals, including one Maine resident.
In July, NorthCare reported the hacking/IT incident to HHS as affecting 105,000 individuals. The breach notification report it filed to Maine authorities Tuesday indicates that "additional information on the scope" of the incident "was found" in September 2021.
Affected personal information involved in the NorthCare incident included patients’ full names, Social Security numbers, addresses, dates of birth and medical diagnoses, the notification statement says.
"The investigation revealed that the attackers had obtained access to NorthCare’s computer network beginning on May 29, at which time they attempted to encrypt data," NorthCare says.
According to the notification statement, as soon as NorthCare became aware of the attack, it took steps to contain the incident and was able to restore its systems "and limit access to its computer network."
No Ransom Paid
NorthCare notes that it was able to recover from its ransomware attack using backups and that it did not pay a ransom to the attackers.
But, "because the attackers had access to unsecured data on NorthCare’s computer network, NorthCare has concluded that the attackers may have gained unauthorized access to the personal health information of past and current patients," the statement says.
NorthCare did not immediately respond to ISMG's request for additional details about the incident.
Experts say the two incidents are among the latest illustrating the serious cyberthreats facing healthcare entities and the related risks to the sensitive patient information they handle.
"Data breaches in the healthcare sector represent a well of private data pollution that can manifest as costly identity theft, fraud and scams in the financial services and government sector," says Jim Van Dyke, a senior vice president at security firm Sontiq, which analyzes the type of information that gets exposed in breaches.
In the case involving Sea Mar, Van Dyke says, the number of individuals affected - 688,000 - "is a lot of identity holders at risk, and with the exposed data including Social Security numbers, medical information and contact data, the risks raised by this breach are significant."
"Of meaningful concern is the [apparent] unusual time delay - as long as eight months - between when hackers gained access and when Sea Mar patients, both current and former, learned of the incident," he notes.
Risks raised by this breach include fraudulent establishment of new credit and financial accounts, existing financial account takeover, medical identity theft and more, Van Dyke says.
"Because research has proven that identity holders play a meaningful role in mitigating the risk of identity fraud, this delay is expected to have exacerbated the risks to affected consumers."
Mac McMillan, CEO of privacy and security consultancy CynergisTek, says that the Sea Mar incident in particular spotlights why many healthcare sector organizations need to change their posture from being reactive to becoming more proactive.
"A compromise assessment, for instance, does not have to be performed after you know you’ve been hit, but can be performed proactively to identify areas of weakness or potential unknown breaches," he says.
McMillan also says it's critical to validate controls to ensure they are configured properly, enabled and active.
That includes using the enforcement capabilities in data loss prevention solutions to stop exfiltration of sensitive information and implementing stronger email controls, he says.
And using multifactor authentication and privileged access management solutions internally can help limit attackers' options, while endpoint detection and response tools help detect suspicious activity or connections, before the damage of a major data breach starts, according to McMillan.
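The controls McMillan lists only help if something actually evaluates the telemetry they produce. As an added illustration, not code from the article or from any vendor or organization it names, the Python below baselines each internal host's daily outbound volume to external addresses from constructed flow records and raises an alert only when egress stays above a multiple of that baseline for several days, the sustained pattern that a months-long copy of data (as in the Sea Mar timeline) would leave behind. The sample addresses, the internal network list, the thresholds and the `find_sustained_egress` function are all assumptions; a real deployment would read the same tuples from a flow collector or EDR export.

```python
"""Flag hosts whose outbound data volume stays unusually high for days."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed internal address space; anything outside it counts as egress.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (day_index, source_ip, destination_ip, bytes_out).
# Days 0-6 are a quiet week. From day 7 host 10.0.0.5 starts steady transfers
# to an external address, while 10.0.0.9 has one large but isolated day.
SAMPLE_FLOWS = []
for day in range(14):
    SAMPLE_FLOWS.append((day, "10.0.0.5", "10.0.0.20", 50_000_000))    # internal share, ignored
    SAMPLE_FLOWS.append((day, "10.0.0.5", "203.0.113.10", 2_000_000))  # ordinary web traffic
    SAMPLE_FLOWS.append((day, "10.0.0.9", "203.0.113.10", 3_000_000))
    if day >= 7:
        SAMPLE_FLOWS.append((day, "10.0.0.5", "198.51.100.7", 40_000_000))  # sustained egress
SAMPLE_FLOWS.append((10, "10.0.0.9", "198.51.100.7", 60_000_000))  # one-off spike, not sustained


def is_external(address):
    """True if the address lies outside the assumed internal ranges."""
    addr = ip_address(address)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_external_egress(flows):
    """Sum bytes sent to external destinations per source host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        if is_external(dst):
            totals[src][day] += nbytes
    return totals


def find_sustained_egress(flows, baseline_days=7, factor=5.0, min_days=3, min_bytes=1_000_000):
    """Return one alert per source host whose daily external egress exceeds
    `factor` times its own median baseline on at least `min_days` days after
    the baseline window. `min_bytes` stops a host with a near-zero baseline
    from alerting on trivial traffic."""
    alerts = []
    for src, by_day in sorted(daily_external_egress(flows).items()):
        baseline = median(by_day.get(d, 0) for d in range(baseline_days))
        threshold = max(factor * baseline, min_bytes)
        over = sorted(d for d, total in by_day.items()
                      if d >= baseline_days and total > threshold)
        if len(over) >= min_days:  # a single spike is not an alert
            alerts.append({
                "source": src,
                "baseline_bytes": baseline,
                "threshold_bytes": threshold,
                "days_over": over,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_sustained_egress(SAMPLE_FLOWS):
        print(f"{alert['source']}: above {alert['threshold_bytes']:.0f} bytes/day "
              f"on days {alert['days_over']}")
```

The one-off spike from 10.0.0.9 is deliberately left unflagged: requiring several days over threshold trades a little sensitivity for far fewer false positives, which is what keeps a DLP or EDR alert queue reviewable. The numbers are constructed; tune `factor`, `min_days` and the baseline window against your own traffic before trusting the output.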
Although NorthCare still ended up reporting a significant data breach, the fact that the entity says it recovered from its ransomware attack using backups offers important lessons to others about preparedness and resilience, he says.
McMillan calls resilience "the ability to recognize, respond and withstand an adverse event without allowing it to disrupt operations or affect patient care. No one likes a breach or unauthorized access, but what is really becoming important in this new normal of aggressive attacks is how resilient you are."