3 Longtime Health Centers Report Hacks Affecting 740,000

Data Thefts, Leaks Follow Continuing Trend in Healthcare: Expert
Omni Family Health is among several longstanding healthcare entities recently reporting data thefts to regulators that affect hundreds of thousands of patients. (Image: Omni Family Health)

A network of family health centers, a public medical center and a plastic surgery practice with nearly 180 years of combined service to their communities are among the latest healthcare groups reporting major data theft incidents to regulators. The three hacks affected a total of nearly 740,000 patients and employees.

The trio of breach victims is Bakersfield, California-based Omni Family Health, a network of 40 community health centers that has been in business since 1978; Tri-City Medical Center, a public hospital that has been serving San Diego County's coastal communities for 60 years; and New York Plastic Surgery, which has been operating for 75 years and was until recently known as Long Island Plastic Surgery.

Omni Family Health Hack and Leak

Omni, which suffered the largest of the three breaches, reported its hacking incident to the U.S. Department of Health and Human Services on Oct. 4 as affecting 468,344 individuals. Omni in its breach notice said that on Aug. 7 it became aware of claims that information was taken from its systems and posted on the dark web.

"Upon learning of these claims, we immediately initiated an investigation and engaged outside cybersecurity specialists to assist with our efforts. We also notified federal law enforcement," Omni said.

The investigation into the incident found that the data leaked on the dark web affected both current and former patients and employees.

For patients, the compromised information potentially includes name, address, Social Security number, date of birth, health insurance plan information and medical information.

For Omni employees, the leaked information includes name, address, Social Security number, date of birth, medical information, health insurance information and financial account information related to direct deposit.

"Additionally, if you provided Omni with information about your dependents and beneficiaries, their information might also be affected," Omni said.

Omni did not immediately respond to Information Security Media Group's request for additional details about the incident, including the identity of the cybercriminal group that leaked the data and whether the data theft was also part of a ransomware encryption attack.

Tri-City Medical Center Hack

Tri-City Medical Center, an acute care hospital administered by the Tri-City Healthcare District - one of California's public hospital districts - reported its hacking incident to Maine's attorney general on Oct. 12 as affecting 108,149 individuals.

Tri-City said the incident was discovered nearly a year ago, on Nov. 9, 2023, when the hospital detected suspicious activity on its network.

The hospital said it immediately began an investigation. With the assistance of third-party specialists, the investigation determined that "an unknown party" accessed and obtained certain files within Tri-City's network on or around Nov. 8, 2023.

Tri-City Medical Center in Oceanside, Calif. (Image: Tri-City Medical Center)

After "a thorough review of the impacted data," Tri-City on Sept. 27 determined the individuals whose information was contained in the affected data set. Potentially compromised information included patient name, address, date of birth, Social Security number, medical treatment/diagnosis information, dates of service, health insurance provider name, health insurance claim information and/or treatment cost.

In response to this incident, Tri-City said it notified law enforcement and implemented additional security measures to help prevent the risk of a similar incident occurring in the future. Tri-City also said it has no evidence any of the information has been misused.

As of Thursday, the Tri-City hack was not yet posted on the HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website listing major health data breaches affecting 500 or more individuals.

Nonetheless, by Thursday, several class action law firms had already issued public notices saying they are investigating the Tri-City incident for potential class action litigation.

Plastic Surgery Data Theft

New York Plastic Surgery, which reported its breach to federal regulators on Oct. 4 under its previous name, Long Island Plastic Surgery P.C., said its hack affected 161,707 people.

In a notice, the plastic surgery practice said it discovered unauthorized access to its network between Jan. 4 and Jan. 8, but it did not mention when the discovery was made or how.

New York Plastic Surgery on Long Island, N.Y. (Image: New York Plastic Surgery)

"We immediately launched an investigation in consultation with outside cybersecurity professionals who regularly investigate and analyze these types of situations to evaluate the extent of any compromise of the information on our network," the notice said.

The investigation, which concluded on Sept. 15, determined information was removed from the practice's network. That included full names and one or more of the following: Social Security numbers, dates of birth, driver's license numbers or state identification numbers, passport numbers, financial account information, biometric information, medical information, clinical photographs and health insurance policy information.

Blog site Databreaches.net reported that three ransomware groups - AlphV, Radar-Dispossessor and Lockbit - previously claimed involvement in the New York Plastic Surgery hack and data leak, but that the practice's data has been deleted from the dark web.

New York Plastic Surgery declined ISMG's request for additional details and comment on the incident.

Developing Trends

In the first nine months of the year, the top three ransomware groups impacting the healthcare industry by victim volume were LockBit, RansomHub and BianLian, said Grayson North, senior security consultant at GuidePoint Security, which on Thursday released a threat intelligence report on ransomware trends in the third quarter of 2024.

"Despite their disruption by law enforcement in early 2024, LockBit's operational tempo has remained sufficiently high to keep them in the 'top spot' for healthcare year-to-date," North said.

BianLian accounts for 9% of the total healthcare victims year-to-date, and has historically disproportionately impacted healthcare and manufacturing organizations, potentially based on the belief that those in this vertical are more likely to pay a ransom, he said.

During the July to September period, GuidePoint Security's researchers identified about 90 ransomware attacks on the healthcare sector.

Across most sectors, GuidePoint Security is seeing a general upward trend in attacks that only involve data theft, which has been corroborated by other open-source reporting, North said.

"However, we lack sufficient visibility into the specifics of broader healthcare ransoms to speak to whether this is above or below average in frequency in the healthcare sector specifically," he said.

"While some ransomware actors would likely prefer the double extortion approach for the increased coercive leverage of encrypted data, the fact of the matter is that companies today are much more prepared for such attacks even when compared to a few years ago," he said.

Most notably, immutable offsite backup solutions, when properly implemented, greatly reduce the operational disruption caused by encryption attacks, and increase the likelihood that an organization can recover from ransomware without needing to pay for a decryptor, he said.

"On the other hand, healthcare data itself has become rapidly more abundant and accessible," he said.

"From a technical perspective it is much easier for an attacker to exfiltrate a cache of sensitive data than to launch an encryption attack at the scale needed to coerce a payment, especially given the 'alarm bells' that transfer and deployment of ransomware encryptors may set off in the process."


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



