Two healthcare organizations have begun sending out breach notification letters to thousands of people in California and Arizona after both revealed that sensitive information — including social security numbers, treatment information and diagnosis data — were accessed during recent cyberattacks.
LifeLong Medical Care, a California health center, is sending letters to about 115,000 people about a ransomware attack that took place on November 24, 2020.
The letter does not say which ransomware group was involved but said Netgain, a third-party vendor that provides services to LifeLong Medical Care, “discovered anomalous network activity” and only determined it was a ransomware attack by February 25, 2021.
It took until August 9, 2021 for Netgain and LifeLong Medical Care to complete their investigation, and the companies eventually found that full names, Social Security numbers, dates of birth, patient cardholder numbers, treatment and diagnosis information was “accessed and/or acquired” during the attacks.
LifeLong Medical Care urged those affected to enroll in credit monitoring services, place fraud alerts or security freezes on credit files, obtain credit reports and “remain vigilant” when it comes to “financial account statements, credit reports and explanation of benefits statements for fraudulent or irregular activity.”
A toll-free response line at (855) 851-1278 has been created for anyone with questions.
Arizona-based Desert Wells Family Medicine was forced to send out a similar letter to 35,000 patients after they too were hit by a ransomware attack that exposed sensitive patient information.
Desert Wells Family Medicine discovered it was suffering from a ransomware incident on May 21 and immediately hired an incident response team to help with recovery. Law enforcement was also notified of the attack, but the healthcare facility found that the ransomware group “corrupted the data and patient electronic health records in Desert Wells’ possession prior to May 21.”
The data held by the healthcare facility — as well as their backups — was unrecoverable after it was accessed by the threat actors.
“This information in the involved patient electronic health records may have included patients’ names in combination with their address, date of birth, Social Security number, driver’s license number, patient account number, billing account number, health insurance plan member ID, medical record number, dates of service, provider names, and medical and clinical treatment information,” Desert Wells Family Medicine said in its letter.
The organizations said it is still in the process of rebuilding its patient electronic health record system and said it would also offer victims “complimentary credit monitoring and identity theft protection services.”
“Patients also are encouraged to review statements from their healthcare providers or health insurers and contact them immediately if they see any medical services they did not receive,” the letter added.
Ransomware groups have shown no signs of slowing down in their attacks on healthcare facilities during the COVID-19 pandemic. With the Delta variant of the virus causing hospitals to fill up with patients, ransomware actors have stepped up their attacks, knowing the urgency of the situation will force hospitals to pay ransoms.
Sascha Fahrbach, cybersecurity evangelist at Fudo Security, said these latest attacks show that the healthcare industry, with its valuable personal information, continues to be a tempting and lucrative target for hackers and insiders.
“There were more than 600 healthcare data breaches last year, with more than 22 million people affected, and unfortunately this trend shows no sign of slowing down. Healthcare operators need to reassess their security posture, as well as shifting their mindset, when it comes to safeguarding their data,” Fahrbach said.
“In particular, third parties remain a security liability which needs to be urgently addressed. Many in the healthcare industry are not taking the proper steps to mitigate third-party remote access and third-party vendor risk.”
The FBI released an alert about the Hive ransomware two weeks ago after the group took down a hospital system in Ohio and West Virginia last month, noting that they typically corrupt backups as well.
Hive has so far attacked at least 28 organizations, including Memorial Health System, which was hit with a ransomware attack on August 15.
“Unfortunately, many health care organizations are confronting the impacts of an evolving cyber threat landscape,” Memorial Health System CEO Scott Cantley said.