Reporting Entities Represent Another Diverse Mix of Healthcare Sector Targets
Marianne Kolbasuk McGee (HealthInfoSec) • April 8, 2022
Five recently reported breaches involving cyberattacks on a mix of healthcare entities – including an in-home respiratory care provider, medical laboratory, multispecialty clinic, community hospital and public health department – have affected a total of more than 1.2 million individuals.
The organizations reporting the large breaches illustrate, once again, the diversity of healthcare sector entities getting hit by hacking incidents, ranging from ransomware attacks to other unauthorized data access compromises. The entities recently reporting the incidents include:
SuperCare, a California-based provider of post-acute, in-home respiratory care in the western US, on March 28 reported to the Department of Health and Human Services’ Office for Civil Rights a network server hacking incident affecting nearly 318,400 individuals.
In its breach notification statement, SuperCare says that on July 27, 2021, it discovered unauthorized activity on its systems. The forensic investigation revealed that an unknown party had access to certain systems on its network from July 23 through July 27, 2021.
On Feb. 4, 2022, SuperCare determined that the potentially affected files contained some information relating to certain patients. In some cases, that information included Social Security numbers. SuperCare did not immediately respond to Information Security Media Group’s request for additional details about the incident.
CSI Laboratories Hack
Georgia-based medical testing laboratory CSI Laboratories on March 25 reported to HHS OCR a network server hacking/IT incident affecting 312,000 individuals. CSI Labs in its breach notification says that on Feb. 12 it learned of a cyberattack that “partially disrupted CSI’s information systems.”
Upon learning of the incident, CSI says it immediately took steps to isolate and secure its systems. As part of the investigation, on Feb. 25, CSI determined that an unauthorized intruder had acquired certain files from its systems, including documents that may have contained patient information.
Media site Databreaches.net reports that the CSI incident involved the Conti ransomware group, and that Conti threat actors had added CSI to the gang’s dedicated data leak site. CSI did not immediately respond to ISMG’s request for comment on the incident.
The Clinic of North Texas Attack
The Clinic of North Texas, a Texas-based multispecialty clinic, reported to HHS OCR on March 18 a hacking/IT incident involving a network server that affected nearly 244,200 individuals.
In its breach notification statement, the clinic says that on or about Nov. 9, 2021, it discovered that it had been the victim of a cyberattack involving potential unauthorized access to patient information stored on its systems.
On Jan. 24, the clinic determined the incident involved personal and protected health information. But the affected data did not include Social Security numbers or financial information, the clinic says, adding that it has no evidence indicating misuse of the affected information. The clinic did not immediately respond to ISMG’s request for comment.
Taylor Regional Hospital Incident
Taylor Regional Hospital, a 90-bed hospital in Kentucky, on March 21 reported to HHS OCR a hacking incident discovered on Jan. 20 involving a network server and affecting more than 190,200 individuals.
The entity’s breach notification statement says affected patient information includes patients’ names, addresses, birthdates, Social Security numbers, insurance information, medical record numbers and/or clinical information related to care received at TRH.
The incident disrupted TRH’s phone lines and IT systems for weeks. As of Friday, TRH’s voice mail system appeared to still be affected by the incident. TRH did not immediately respond to ISMG’s request for additional information about its security incident.
Chelan Douglas Health District Breach
Chelan Douglas Health District, a public health department in Washington state, reported to HHS OCR on March 15 a hacking incident involving a network server that affected more than 188,200 individuals.
CDHD reported the incident on March 25 to Washington state’s attorney general as affecting only about 109,000 individuals.
Regarding the discrepancy in the number of affected individuals reported to federal and state regulators, an attorney representing CDHD says it provided written notification of the incident to all those affected for whom it had a last known home address, some of whom live outside the state of Washington.
“Since notifying the affected residents, the district has remained on standby to respond to any inquiries concerning the incident and steps the affected individuals may take to safeguard their personal and protected health information,” he says.
CDHD says in its breach notification statement that the incident involved unauthorized access to its network between July 2 and July 4, 2021. Based on an investigation and document review into the incident, CDHD says it discovered on Feb. 12 that certain identifiable personal information had been “removed” from its network (see: 2 Latest Data Hacks Affect Over 200,000).
Potentially affected information includes full names, Social Security numbers, dates of birth/death, financial account information and medical information, including treatment/diagnosis information, medical record or patient number, and/or health insurance policy information.
These five data breaches are the latest examples of major hacking incidents targeting a varied range of healthcare entities, highlighting the persistent and advancing threats facing the overall sector, some experts say.
“There is a war in progress, and that is part of the context,” says Michael Hamilton, CISO at security firm Critical Insight and former CISO of the city of Seattle.
“It’s been reported that ransomware events have increased in frequency since the start of the war in Ukraine, and this may be an all-hands effort by Russia to counter whatever losses they can from the economic sanctions by extorting US companies,” he says.
Hamilton also says cybercriminals seeking to monetize stolen records sometimes try to reuse the information later to “remonetize” it, perhaps for identity theft and fraud crimes, such as during tax return season.
In light of the constantly evolving threat landscape, healthcare sector entities should take a more proactive security stance, some experts say.
“The days of assuming that security is only the job of the IT department are over. Organizations need to implement a robust cybersecurity program that begins with setting the tone from the top and adopting a culture of security,” says Blaise Wabo, healthcare and financial services knowledge leader at cybersecurity and compliance services firm A-LIGN.
“Business objectives need to be defined with governance and security compliance in mind for every single department. A security officer and privacy officer need to be appointed along with a security committee which comprises stakeholders from all departments across the organization, and an organizational-level risk assessment needs to be performed,” Wabo says.