Medical Center Ransomware Attack Affects 700,000Incident Is Latest on Growing List of Recent Major Healthcare Data Hacks
An Arizona medical center that suffered a ransomware attack in April has begun notifying 700,000 individuals of a data breach compromising sensitive medical and personal information.
The incident is the latest among an ever-growing list of healthcare sector entities reporting major health data breaches in recent weeks and months involving ransomware and other hacking attacks.
"The healthcare industry is always going to be a target from certain actors due to the type of data that they intrinsically gather and process," says Tony Cook, head of threat intelligence at security firm GuidePoint Security. The key to stopping attacks is to deploy controls for catching intrusions early on before attackers spread laterally into the network, he adds.
In a statement posted on its website, Yuma, Arizona-based Yuma Regional Medical Center says that on April 25, it identified a ransomware incident affecting internal systems.
The center says it took immediate action by taking systems offline and notifying law enforcement officials and third-party forensics experts.
An investigation into the incident determined that there was unauthorized access to its network for several days, between April 21 and April 25. During that time, a "subset of files" was removed from YRMC's systems.
Those compromised files contained patient information, including names, Social Security numbers, health insurance information and limited medical information relating to care, the notice says.
The organization's electronic medical record system was not affected by the incident, YRMC says.
In a statement posted on the center's website during the time it was dealing with the ransomware attack, the organization said that most of its facilities would remain open.
Patient care, for the most part, continued using the center's "established back-up processes and other downtime procedures."
The center did not immediately respond to Information Security Media Group's request for additional details about the incident, including whether a ransom was demanded or paid.
As of Tuesday, the YRMC incident had not yet been posted to the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
The incident would rank as the fourth-largest health data breach so far in 2022, according to data on HHS' Office for Civil Rights HIPAA breach reporting website.
The largest health data breach so far this year has been a hacking incident affecting 2 million individuals reported on May 27 by Massachusetts-based medical imaging services provider Shields Health Care Group.
Shields has not disclosed whether its hacking incident involved ransomware. The other two largest health data breaches posted on the HHS OCR website so far in 2022 both involved ransomware and data exfiltration.
Those include a health data breach reported on Jan. 2 by Fort Lauderdale, Florida-based Broward Health as affecting 1.3 million individuals, and a breach reported on May 18 by Fairfield, California-based managed care provider Partnership HealthPlan of California as affecting nearly 855,000 individuals.
Mike Hamilton, CISO at security firm Critical Insight, says the information released publicly so far by YRMC describes the incident as involving ransomware but that the center hasn't disclosed whether it received an extortion demand.
"This may indicate that the focus of the actors was limited to records theft to sell, or a state actor that continues to collect information on U.S. persons - this is a tactic of China," says Hamilton, the former CISO of the city of Seattle.
China has been implicated in some of the largest U.S. data breaches, including the 2014 cyberattack on health insurer Anthem, which affected nearly 79 million individuals and ranks as the largest health data breach reported to date.
"Limiting these acts to records theft and not extortion through ransomware is a trend that will likely continue, but global geopolitical events can swing that pendulum either way at this point," he adds.
In its notice about its ransomware breach, YRMC says it is taking action to prevent future similar incidents, including strengthening the security of its systems and continuing to enhance protocols to safeguard information.
For many of the organizations falling victim to ransomware attacks, commitment to preventative measures comes too late, many experts say.
"After a ransomware attack, organizations frequently state that they'll be taking steps to strengthen security," says Brett Callow, a threat analyst at security firm Emisoft.
"Post-incident investments often represent catch-up spending to address whatever long-standing weakness enabled an attack to succeed. Obviously, it’d be better if organizations were to be making these investments prior to incidents happening, not after," he says.
"The reality is that many incidents are preventable and the steps needed to prevent them, such as using multifactor authentication, are often quite basic," he adds.
GuidePoint's Cook recommends that healthcare organizations "get back to the basics, similar to the CISA Shields Up recommendations, and understand their environment to defend it properly."
In order to best defend critical data in healthcare institutes, it is imperative to first understand where data lives and what defenses are in place, Cook says.
Organizations should take proactive steps to ensure that they are prepared in case they are affected by an intrusion, including having updated incident response plans, playbooks and tabletop exercises, he says.
Benjamin Denkers, chief innovation officer at privacy and security consultancy CynergisTek offers a similar assessment.
"Organizations need to do a better job of understanding what the true threat landscape looks like and how it applies to their assets. Validating that controls in place are working as designed goes a long way in helping prepare for future attack," he says.
"Routinely testing for various scenarios helps ensure everyone knows what to do and will also allow for weaknesses to be spotted prior to an actual incident."