Ransom Paid Just Before Netwalker Gang DisruptedClient Says Third-Party Administrator Paid for Promise to Destroy Exfiltrated Data
A third-party claims administrator of health and social services programs for the elderly apparently paid a ransom to Netwalker attackers about a month before global law enforcement officials disrupted the gang in January.
In a breach notification provided to the California attorney general's office, Los Angeles-based Brandman Centers for Senior Care says it was informed on Jan. 23 by its health plan management services vendor, PeakTPA, of a ransomware attack on Dec. 31 affecting data of Brandman program participants.
PeakTPA "paid a ransom on Jan. 2 and received evidence that all information obtained [by attackers] was destroyed on Jan. 3," the Brandman statement notes.
PeakTPA notes that on Jan. 27, "the criminal group behind the attack, Netwalker, was broken up by the FBI. Its leader was arrested, and its assets were seized. Still, PeakTPA has put in place more protections to prevent a theft like this from happening again."
The organization, however, makes no mention of having paid a ransom.
Exposed information may include full name, home address, date of birth, Social Security number, diagnosis and treatment information, PeakTPA says.
The company says it's offering individuals affected by the incident three years of prepaid credit and identity monitoring through Kroll.
PeakTPA did not immediately respond to an Information Security Media Group request for comment. The company provides claims management services for entities that offer comprehensive medical and social services under the Program of All-Inclusive Care for the Elderly, or PACE. Individuals' PACE program ID numbers were exposed in the breach.
Other Affected Clients
Among other PeakTPA clients issuing recent breach notification statements about the incident are Springfield, Massachusetts-based Mercy Life Inc., according to a sample notification letter provided to Massachusetts regulators, and Jonesboro, Arkansas-based St. Bernard's Healthcare.
A St. Bernard's Healthcare spokesman tells ISMG that about 500 individuals who participate in the organization's Total Life Healthcare PACE program were affected by the PeakTPA incident.
The Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals shows that PeakTPA reported the incident on March 2 as affecting 50,000 individuals.
It's unclear whether the figure reported to HHS represents all individuals affected at every PeakTPA client organization, or if additional data breaches related to the incident could be separately reported.
The U.S. Justice Department and Bulgarian authorities on Jan. 27 announced they hadseized servers and disrupted the infrastructure and darknet websites of the Netwalker ransomware gang and also made one arrest.
Netwalker ransomware has affected numerous victims, including companies, municipalities, hospitals, law enforcement agencies, emergency services, school districts, colleges and universities, the DOJ said.
"Attacks have specifically targeted the healthcare sector during the COVID-19 pandemic, taking advantage of the global crisis to extort victims," the DOJ noted.
Vendor Incidents Climb
The PeakTPA ransomware incident joins a long and growing list of cyberattacks so far this year on vendors and business associates serving the healthcare sector (see: Hacking Incidents, Vendor Breaches Keep Surging).
For instance, the tally of healthcare organizations affected by the recent cyberattack against Accellion continues to grow.
So far, the HHS breach website shows several Accellion-related health data breaches, the largest reported by supermarket and pharmacy chain Kroger, with 368,000 individuals' protected health information affected (see: More Health Data Breaches Tied to Vendor Incidents).
"Attacks in healthcare are only going to increase," says Ben Denkers, executive vice president of strategy and operations at security and privacy consultancy CynergisTek. "Organizations need to be diligent in understanding their threat landscape and must take into account the security posture of third-party organizations they may rely on."
With attacks on third parties surging, it's critical that healthcare organizations keep cybersecurity top of mind when giving vendors access to their systems and ensure the vendor has minimal access privileges to the administrative systems, says Monique Becenti, of security consulting firm Pondurance.
"It’s common for organizations to overlook the domain controller, which is why it is critical to keep your domain controller privileges separate from administrative privileges," she says. "That's because the domain controller has the most access to your network and user access privileges."
Despite PeakTPA paying a ransom, PACE program patients' data could still be at risk, security experts warn.
"Once the data has been exfiltrated, it becomes an impossible task to have a chain of custody," Denkers says. "There have been accounts of organizations who have paid the ransom and had expected the attackers to destroy the data, only to find out months later the data was still lurking on the dark web."
Becenti offers a similar warning. "Once an organization has been compromised, they are likely to face repeated attacks. In fact, it is common for bad actors to leave a back door easily accessible within the organization to deploy another ransomware attack in the future for an effortless monetary gain."
Healthcare providers need to understand that ransomware attacks can be a "major decoy into a much larger scheme," such as establishing remote access to medical records or sensitive patient data to sell on the dark web for a much larger payoff, she adds. "As hospitals require 24/7 patient care, it can make routine cybersecurity maintenance difficult."
Breaches compromising the data of elderly patients can be particularly damaging, Denkers notes.
"Attackers prey on the weak for a reason, as their ability to defend or even identify is often limited. Often the results of these crimes aren’t seen or felt for months."