Ransomware Gangs Claim Three Healthcare Victims
There has been a growing breach notification trend where the exact nature of a cyberattack is not disclosed in breach notification letters, including whether there has been confirmed theft of patient data. The failure to provide this information makes it difficult for victims of data breaches to assess the level of risk they face. That appears to be the case with two recent cyberattacks, neither of which mention ransomware or confirm that data theft occurred.
Albany ENT & Allergy Services
Earlier this month, two ransomware groups – BianLian and RansomHouse – added Albany ENT & Allergy Services (AENT) to their data leak sites, along with claims that 1TB of data was stolen from its network before files were encrypted. Evidence of data theft was published on the RansomHouse data leak site.
Albany ENT & Allergy Services has now confirmed in a notification to the Maine Attorney General that unauthorized individuals gained access to its network, which contained the protected health information of 224,486 individuals, including 61 Maine residents. AENT explained in the letters that suspicious activity was detected within its computer network on March 27, 2023, and a third-party forensic investigation was conducted to determine the nature and scope of the incident. AENT said it was able to determine that “an unauthorized actor may have had access to certain systems that stored personal and protected health information,” between March 23, 2023, and April 4, 2023. A review of those files confirmed they contained employee and patient information such as names and Social Security numbers.
Notifications started to be sent to affected individuals on March 25, 2023, and 12 months of complimentary credit monitoring services have been offered. Since it appears from the claims of the ransomware groups that data has been stolen, affected individuals should ensure they take advantage of those complimentary services. AENT said it is reviewing its policies and procedures, will provide additional training to employees, and will be implementing additional safeguards to further secure information in its systems.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Vascular Center of Intervention, Inc.
The Vascular Center of Intervention, Inc. (VCI) a surgical center in Fresno, CA, has recently notified patients about a security breach detected on March 29, 2023. The HIPAA notification letters state that the forensic investigation of unusual network activity “determined that certain documents stored within VCI’s environment may have been copied from or viewed on the system by an unauthorized person(s) between February 25, 2023, and March 29, 2023.”
The review of the files was completed on May 17, 2023, and confirmed that names were compromised along with one or more of the following: medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, date of birth, health insurance information, Social Security Number and/or Driver’s license information. VCI said existing safeguards have been strengthened to further enhance security, and the notification to the California Attorney General indicates California residents at least will be provided with 12 months of complimentary credit monitoring and identity theft protection services.
No mention was made in the notification letters that the BianLian group claimed responsibility for the attack. The group claimed on its data leak site that 200 GB of data was exfiltrated from its systems. The BianLian group conducts ransomware attacks, although this year has largely switched to extortion-only attacks.
The incident has been reported to the HHS’ Office for Civil Rights as affecting 3,833 individuals.
Ohio Business Associate Suffers Ransomware Attack
In contrast, the notification letters from Marshall Information Services (doing business as Primary Solutions Inc.) provide more information. Primary Solutions, an Ohio-based provider of billing solutions to healthcare organizations, recently notified 7,456 individuals about an August 2022 ransomware attack that prevented access to its systems. The forensic investigation confirmed that the attackers had access to parts of the network that contained documents that included the protected health information of some of its covered entity clients, and those documents may have been accessed or acquired in the attack.
The notices explain that the documents contained first and last names combined with some or all of the following data elements: address, date of birth, Social Security number, health information such as diagnosis, condition, or treatment, medical record number, Medicare or Medicaid number, individual health insurance policy number, and in very limited cases, payment card information.
A third-party vendor was used to review all the affected files to identify the impacted individuals and that review determined on February 22, 2023, that protected health information had been exposed. It is unclear why that process took so long. Each covered entity was then notified, and Primary Solutions said it then worked with those clients to notify the affected individuals. Primary Solutions said complimentary credit monitoring and identity restoration services are being offered through IDX, and it encourages impacted individuals to enroll in these services.
In response to the incident, Primary Solutions has ensured multifactor authentication is implemented for remote access, configurations have been updated to ensure employees must access systems through a virtual private network (VPN) with multifactor authentication, and a new endpoint detection and response (EDR) solution has been implemented.
