Vendor Ransomware Breach Affects 942,000 Patients
Incident Is Among Latest Fallout From Attacks on Healthcare Sector Entities
A New York-based practice management and billing vendor has notified 28 healthcare entity clients and more than 942,000 of their patients that sensitive information was compromised in a ransomware attack in April.
Other recent ransomware-related revelations involving healthcare sector organizations include:
- Ransomware group Karakurt this week claimed to have leaked 367 GB of data stolen from Texas-based Methodist McKinney Hospital on the dark web. The hospital on Aug. 3 issued an updated statement regarding the security incident discovered in July and said the attack involved unauthorized actors accessing certain systems between May 20 and July 7 and copying various files containing a yet-unspecified number of patients' protected health information. Methodist McKinney Hospital declined further comment to Information Security Media Group about the incident and Karakurt's claim of posting patient information.
- The Brazilian federal police on Tuesday publicly disclosed an investigation into a string of cyberattacks against government agencies last December, including the nation's Ministry of Health. While Brazilian authorities did not identify the cybercriminals under investigation, extortion group Lapsus$ last year claimed to be behind the attacks (see: How Lapsus$ Uses Stolen Source Code to Disguise Malware).
- A $4 million preliminary settlement was issued in a federal class action lawsuit filed against Tampa, Florida-based Musculoskeletal Institute, which does business as Florida Orthopaedic Institute, in the aftermath of an April 2020 ransomware attack that affected 640,000 individuals. Under the proposed settlement, class members can claim up to $15,000 for reimbursement of out-of-pocket expenses and are eligible to enroll in three years of credit and identity monitoring. A court hearing for final approval of the settlement is slated for Sept. 29 in a Florida federal court.
While the details of each of these incidents and their various forms of fallout differ, one common thread is the growing appeal of healthcare sector entities to cybercriminals, who continue to evolve their attack tactics and schemes, some experts say.
"Especially with respect to the Lapsus$ criminal gang, a newer tactic is bribing an insider to more efficiently gain access," says Mike Hamilton, CISO of security firm Critical Insight and former CISO of the city of Seattle.
"As the [attack] on the Brazilian Ministry of Health is coupled with quite a few other agencies in the government, it's reasonable to assume this tactic was employed here," he says.
Hamilton urges entities to stay proactive in their defenses against falling victim to attacks. "The best advice is to close off - as much as possible - the major initial compromise vectors," he says.
"While this is nominally user access to nonbusiness internet services such as personal email and social media, it should now include an analysis to identify users likely to be an attrition risk, which may be correlated with the likelihood of being bribed."
Threat analyst Nic Finn of security firm GuidePoint Security says while many threat groups prohibit service-disabling attacks against healthcare organizations, others have begun to promote these attacks, including data encryption and deletion.
"Hive is one such ransomware group that has no restrictions against encrypting data throughout a healthcare organization to pressure the victim to pay the ransom immediately," he says.
Hive, which was the subject of a recent federal advisory to the healthcare sector, has been implicated in several major attacks on healthcare sector entities, including Indiana-based Goodman Campbell Brain and Spine, which recently began notifying nearly 363,000 individuals of a ransomware incident affecting their PHI.
Because healthcare has steadily become a massive portion of most countries' economies, attackers know they can demand "sizable ransoms from victims along with publicity as a result of their attacks and publications on leak sites," Finn says.
"We've seen groups like Lapsus$ focus efforts against large organizations and governments because they think it will give them notoriety and reverence among the black hat community," he says. "It is likely that as groups like Lapsus$, LockBit and Hive set paths forward, other ransomware groups are likely to follow."
"Healthcare is one of the most attractive industries for cyber attacks, due to the value of information and the high requirements for its protection. The Karakurt team recommends that companies from the medical industry take their cyber security more seriously. #Karakurt #InfoSec https://t.co/FHWRmQyg23" - Karakurt Team (@KarakurtTeam), August 16, 2022
Meanwhile, Practice Resources' ransomware breach, reported to the U.S. Department of Health and Human Services on Aug. 4, affected more than two dozen clients and 942,138 individuals. It follows a larger, growing trend plaguing the healthcare sector: cyberattacks on critical vendors that affect scores of their customers - including medical practices, hospitals and clinics - and cumulatively millions of patients (see: Latest US Health Data Breaches Follow Worrisome Trends).
A recent ISMG analysis of the HHS Office for Civil Rights' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals shows third-party vendors at the center of about 40% of the major HIPAA breaches reported so far in 2022. Vendor-related incidents affected about 44% of all breached individuals.
"These trends indicate that this industry continues to struggle with adequate security programs and that hacking pays off," Kate Borten, president of privacy and security consultancy The Marblehead Group, tells ISMG.
"Hacking healthcare organizations is very cost-effective for the perpetrators," she says. "Attacks are relatively inexpensive to launch and can bring big monetary rewards."
Regulatory attorney Rachel Rose offers a similar perspective. "State actors and known cybercriminals continue to be a focus. Organizations need to stay vigilant both internally and externally to prevent, detect and correct threats."