Medical Specialty Groups: Why Cybercriminals are After Them
Hacks on 2 Specialty Practices Are Latest on Increasingly Targeted Types of Groups

An Illinois gastroenterology practice and a California pulmonary practice are among the latest medical specialty groups targeted by cybercriminals who claim to have their patients' sensitive health information.
The two incidents involve Rockford Gastroenterology Associates, a practice with about 148 employees and more than two dozen physicians and other clinicians based in Rockford, Illinois, specializing in digestive and related medical issues; and Pacific Pulmonary Medical Group, a Riverside, Calif.-based practice specializing in respiratory and sleep disorders.
These incidents are among dozens of similar attacks on other medical specialty practices so far in 2024.
"Specialty medical practices are prime targets for ransomware attacks, with recent data indicating that 46% of such incidents between August and October were directed at these organizations," said Jaime Cifuentes, director of consulting services for the physician practice management team at privacy and security firm Clearwater.
"The high value of medical records makes specialty medical practices attractive targets for cybercriminals. Smaller practices may lack robust cybersecurity defenses, increasing the risk of data breaches and the potential for successful attacks."
Rockford reported the hacking incident to federal regulators on Oct. 30. The incident, which occurred in December 2023, involved a network server and affected more than 147,000 patients. Rockford's report was posted just last week on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool public website, which lists major breaches affecting 500 or more individuals.
Ransomware group RA Group, also known as RA World, on its dark web site claims to have leaked about 56 gigabytes of Rockford's patient data stolen nearly a year ago in the attack after the medical practice allegedly refused to pay a ransom.
Rockford in its breach notice said a portion of its network environment was affected by a cyberattack in December 2023.
The investigation into the incident determined that while Rockford's electronic health records system was not compromised in the incident, the unauthorized party on or around Dec. 16, 2023, accessed some files and folders of unstructured data within other affected systems.
Rockford's breach notice does not mention the ransomware group or its claims. Rockford in a statement to Information Security Media Group said the medical group was able to contain the incident before ransomware encrypted its systems and data, and that the attack did not disrupt Rockford's normal business operations.
"RGA determined on Sept. 4 that the compromised files contained personal information of a limited number of individuals. Thereafter, RGA posted notice of the incident on our website and worked to provide notice to impacted individuals as quickly as possible," the statement said.
Rockford has no evidence of identity theft or fraud occurring as a result of the incident, the statement said. "The steps taken to prevent a similar breach from occurring in the future include, but are not limited to, implementing managed detection and response to our existing security operations center platform, password changes, adopting encryption technologies, implementing new technical safeguards, revising policies and procedures, and furthering workforce member training," the statement said.
As of Monday, several law firms were already circling Rockford for possible litigation by issuing public notices that they are investigating the incident for potential class action lawsuits.
"Our data breach lawyers are eager to speak to victims of the Rockford Gastroenterology Associates data breach to determine what damages they sustained and what compensation may be available to them," said a notice issued by law firm Console & Associates.
While Rockford deals with its hacking breach, another ransomware group, Everest, listed another medical specialty group - Pacific Pulmonary - on its data leak website as one of the gang's most recent data theft victims.
Other Attacks
Databreaches.net reported Everest added Pacific Pulmonary to its dark web site on Oct. 25, following an attack earlier in October. The leaked data includes an assortment of patient information dating between 2021 and 2024, including images of insurance cards and drivers' licenses, as well as files containing demographic and related information.
As of Monday, Pacific Pulmonary did not appear to have reported a data security incident to regulators, nor did it post a breach notice on its website. Pacific Pulmonary did not immediately respond to ISMG's request for comment on Everest's claims and details about the apparent data security incident.
The HHS Office for Civil Rights breach reporting website is littered with hundreds of major hacking incidents involving medical specialty groups, including dozens reported so far in 2024 by medical specialty practices such as oncology, orthopedic, eye care, reproductive health and many other specialists.
Medical specialty practices are often attractive, low-hanging targets for cybercriminals, some experts said. Many such practices handle and hold highly sensitive patient information while lacking in-house cybersecurity expertise, and that combination often makes them vulnerable victims, said Kate Borten, president of privacy and security consultancy The Marblehead Group.
These practices often have highly specialized data - and less robust security and privacy programs, she said. "Many of these attacks start with phishing, and someone inside taking the bait," she said. "Workforce training is not only required by HIPAA, but also an essential factor in thwarting attacks."
Other experts agree. "Like others across the healthcare ecosystem, medical practices are embracing digital transformation, shifting more data to the cloud and sharing data with others to improve continuity of care," Cifuentes said.
"These innovations improve service delivery, but they also introduce new cybersecurity risks. Many smaller practices don’t have the skilled staff, tools or resources to track and manage all of their assets, understand where and how data is used, and what’s most critical to operations and they struggle to identify all potential security issues and fix the ones that matter most," he said.
Meanwhile, rivalries among cybercriminal gangs are also fueling such attacks, said Mike Hamilton, field CISO at security firm Lumifi.
"It seems that some of the ransomware groups are going 'down market,' and attacking specialty medical practices," he said. "Being smaller and less able to resource security controls, these are likely softer targets. It could also be competition between the criminal organizations - a differentiation of victims that is not unlike an ICP - ideal customer profile."
These gangs have also been known to contact patients whose records were stolen and extort them directly, "and this may be another shoe to drop," Hamilton said. "These criminals will monetize their activities however they can, and direct contact is still possible."
But of course, it is not just smaller specialty medical practices that are at risk for such attacks. "Security gaps exist in larger practices as well. While cybersecurity funding and tools may exist, finding and retaining skilled security professionals, especially those knowledgeable about increased cloud security risks, is an ongoing struggle," Cifuentes said.
Complicating matters is the heavy merger and acquisition activity taking place in the medical specialty provider space, Cifuentes said.
"Mergers and acquisitions can create cracks where vulnerabilities can hide, waiting for an attacker to exploit them. Some of these cracks form from the challenges of adding new practices, often with multiple locations and various information systems, programs and digital assets," he said. "It’s common for these systems to lack foundational cybersecurity controls and create unknown risks."