Healthcare Organizations Continue to Be Under (Cyber) Attack

Ipro Tech

[author: Doug Austin, Editor of eDiscovery Today]

Are the moles winning? A few months ago, I wrote how the job of protecting protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act (HIPAA) is becoming more like a game of “Whac-a-Mole” because there are more places than ever where PHI can appear. As we can see from the latest batch of cyber attacks on healthcare organizations, the healthcare organizations may be losing the game.

Recent Healthcare Organization Cyber Attacks

It doesn’t take more than a few web searches to find several recent cyber attacks on healthcare organizations. Here are eight that were reported in just the past few weeks:

  • Newman Regional Health: They identified suspicious activity within an e-mail account and determined there was unauthorized access to a limited number of e-mail accounts between January 26, 2021, and November 23, 2021 – almost 10 months of exposed information that “may have included individuals’ names; dates of birth; medical record or other identification numbers; addresses, phone numbers, or e-mail addresses; limited health, treatment or insurance information”. They also said: “a limited group of individuals may have social security number or financial information affected.”
  • Wellstar Health System: They also suffered a data breach through their email system over approximately one month. The information exposed included names, medical record numbers, unique Wellstar account numbers, and laboratory information.
  • Ballad Health: They determined that an employee’s email account was accessed without authorization “for a limited amount of time”. The types of personal information that may have been accessible to the unauthorized actor include name, address, date of birth, medical history, medical condition or treatment information, medical record number, diagnosis code, and patient account number.
  • Taylor Regional Hospital: On March 21, 2022, they notified the U.S. Department of Health and Human Services (‘HHS’) Office for Civil Rights (‘OCR’) of a data security incident affecting 190,209 individuals, stating that on January 20, 2021, they identified unauthorized activity on their computer systems. That’s 14 months after they first identified the activity!
  • Valley View Hospital: A phishing scam granted outside users access to four email accounts, potentially impacting the personal data of about 21,000 people, including hospital employees and patients.
  • LA County Department of Mental Health: On April 21, they disclosed that they had suffered a data breach in a phishing incident. The type of information that may have been affected included “name, address, date of birth, driver’s license, Social Security number, medical and/or health information, health insurance information, SSID student identifier, and/or financial account number.”
  • Tague Family Practice: They fell victim to a LockBit ransomware attack. On March 17, the threat actors added TFP to their leak site and subsequently dumped data that appears to be from the practice.
  • Partnership HealthPlan of California: A ransomware group called Hive claimed to have stolen private data for 850,000 members. A screenshot of the claim states that the “stolen data includes…850,000 unique records of name, SSN, date of birth, address, contact, etc.” It also states that 400 gigabytes of data were stolen from Partnership’s file server.

Those weren’t the only reported cyber attacks on healthcare organizations over the past few weeks, but they give you a sense of how frequently such attacks are occurring.

Lack of a Common Thread

What’s the common thread between these attacks? There isn’t one. Some involve phishing attacks, others involve ransomware. Points of entry vary – sometimes it’s one or more email accounts; other times, it’s direct access into their systems. Sometimes the access is limited and reported quickly; other times, notification doesn’t happen until months later.

Conclusion

With so many attacks, so many potential entry points, and so many patient records compromised – at least 1 million in the examples reported above – identifying where personally identifiable information (PII) and PHI exist in your organization is more important than ever. That takes a combination of Information Governance best practices and technology designed to detect and (where appropriate) remediate that personal data.

As the examples above illustrate, healthcare organizations continue to be under (cyber) attack! It’s time to strengthen defenses against that attack.


Written by:

Ipro Tech