Privacy Briefs: March 2024

Health Care Compliance Association (HCCA)

[author: Jane Anderson]

Report on Patient Privacy 24, no. 3 (March, 2024)

Research from Guidepoint Security found that 2023 saw an 80% increase in ransomware activity year-over-year, driven in part by multiple mass exploitation campaigns impacting hundreds of organizations. In total, the report said, 63 distinct ransomware groups were operating to leverage encryption, data exfiltration, data extortion and other tactics to compromise and publicly post 4,519 victims across 30 tracked industries in 120 countries. The top three most prolific established groups—LockBit, Alphv and Clop—continue to account for “not just the lion’s share of victims but also much of the innovation and tactical changes across the ransomware ecosystem,” the report said. The researchers said they expect ransomware impacts to “continue on an upward trajectory in 2024 based on established groups continuing to leverage high-severity and zero-day vulnerabilities as a reliable means of exploiting victims at scale.”[1]

Data from HHS Office for Civil Rights (OCR) shows that the total number of reported health care breaches declined by 9% in 2023; however, the number of patient records exposed rose sharply to 116 million, a 108% year-over-year increase, according to an analysis from health care cybersecurity company Fortified Health Security. Business associates (BAs) were responsible for an increasing share of breaches, according to the report: between 2013 and 2023, the number of BAs reporting a health care data breach increased by 143%. In addition, breaches directly involving BAs and breaches where BAs were present have increased by more than 217% over the past decade, the report said. Between 2022 and 2023, BA breaches increased by 22%, and breaches where BAs were present increased by 3%, the report said. “Connected technologies are now the primary locations where patient records are compromised,” the researchers wrote. “For example, attacks on network servers (+1,272%), electronic medical records (+29%), and email (+457%) all rose sharply compared to 2013.” OCR data from 2023 indicated that only 3% of breaches were located on electronic medical record (EMR) systems, “indicating that the majority originated from data stored on other network connected technologies waiting to be collected and exfiltrated,” the report said. “Health care organizations hold vast amounts of patient data beyond their EMR systems, and much of it remains alarmingly unguarded.”[2]

Atlanta Women’s Health Group is notifying approximately 30,000 patients that their data was compromised in a cyberattack on April 12, 2023. The provider organization identified “anomalous activity on its computer system” and took steps to isolate its networks, the health group said in a statement. Following a forensic investigation, the provider group said it determined that the hackers accessed patients’ names, dates of birth, patient ID numbers, and other information from medical records. The medical group said it has implemented additional cybersecurity measures.[3]

The Cybersecurity & Infrastructure Security Agency (CISA) said that its Pre-Ransomware Notification Initiative—which reduces risk by warning organizations of early-stage ransomware activity—notified 154 health care organizations in 2023 that activity was occurring on their sites. The warnings enabled the targeted organizations to take steps to mitigate their risk, CISA said. In total, CISA issued more than 1,200 pre-ransomware notifications in 2023 to entities in health care, transportation, emergency services, water and wastewater, education and government, CISA said in its report on 2023 activities. To identify and alert entities about suspicious activity, CISA relies on tips from the cybersecurity research community, infrastructure providers and cyber threat intelligence companies about potential early-stage ransomware activity. In addition, through CISA’s separate Ransomware Vulnerability Warning Pilot, the agency conducted more than 1,700 notifications to organizations such as hospitals, water utilities, K-12 school districts, and election jurisdictions about open vulnerabilities on their networks that are specifically exploited by ransomware actors, enabling timely mitigation before intrusions occurred.[4]

The parent company of a now-defunct Massachusetts-based ambulance company has reported a data breach involving the personal and health information of 911,757 patients. Fallon Ambulance, which ceased operations in 2022, maintained an archived copy of its emergency patients’ data on the computer systems of its parent company, Transformative Healthcare. According to Transformative Healthcare, an unauthorized party accessed Fallon’s data storage archives sometime between Feb. 17 and April 22, 2023. Data that may have been taken included medical reports, paramedic reports, names, addresses, Social Security numbers and other medical information. The ransomware group known as Alphv/BlackCat claimed credit for the data breach.[5]

A bipartisan group of senators has introduced a bill intended to help protect government health care systems from hackers and other bad actors. The Strengthening Cybersecurity in Health Care Act, sponsored by Sens. Angus King, I-Maine, and Marco Rubio, R-Fla., would require HHS to perform consistent evaluations of its cybersecurity systems, using “penetration tests and other testing procedures to determine how systems processing, transmitting, or storing mission critical or sensitive data by, for, or on behalf of the Department is currently, or could be compromised and (1) expose patient data, including Medicare numbers of individuals; or (2) impact patient safety.” The legislation also would require HHS to provide biannual reports on its current practices and progress on future safety procedures the agency is working to implement.[6]

Pharmacies and military clinics faced ongoing delays providing prescriptions following a Feb. 21 cyberattack at health care software provider Change Healthcare.[7] The software company—part of UnitedHealth Group’s Optum Solutions arm—said in a Feb. 28 update that it was “working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online.”[8] Optum characterized the cyberattack as “a cyber security issue” and said it had disconnected Change Healthcare’s systems “to prevent further impact.” UnitedHealth said in a Feb. 21 filing with the U.S. Securities and Exchange Commission that it “identified a suspected nation-state associated cyber security threat actor” as being responsible for the attack.[9]

The Centers for Medicare & Medicaid Services (CMS) has updated its guidance for hospitals and critical access hospitals to permit health care team members to share patient information and orders with each other through a HIPAA-compliant secure texting platform that complies with Medicare and Medicaid conditions of participation. CMS said that computerized provider order entry “continues to be the preferred method of order entry by a provider, but we recognize that alternatives also exist now, as well as significant improvements in the encryption and application interface capabilities of texting platforms to transfer data into electronic health records.”[10] CMS also noted that “providers should implement procedures/processes that routinely assess the security and integrity of the texting systems/platforms that are being utilized to avoid negative outcomes that could compromise the care of patients.”

Attorney General Merrick Garland appointed Jonathan Mayer, a Princeton University Department of Computer Science and School of Public and International Affairs assistant professor with technology, policy and law expertise, as the Department of Justice’s (DOJ) first chief science and technology advisor and chief artificial intelligence (AI) officer. Mayer will advise the attorney general and DOJ leadership and collaborate on issues relating to cybersecurity, AI and other areas of emerging technology. Mayer will also spearhead DOJ’s technological capacity-building efforts by advising on recruiting technical talent to ensure DOJ has the expertise and is equipped to meet future technological challenges. Mayer will serve in DOJ’s Office of Legal Policy, developing a team of technical and policy experts in technology-related areas important to DOJ’s responsibilities, including cybersecurity and AI. This team will advise leadership and collaborate and coordinate with components across the department and federal partners on cutting-edge technological issues. In addition, in Mayer’s role as the chief AI officer, he will work on intradepartmental and cross-agency efforts on AI and adjacent issues. He also will lead DOJ’s newly established emerging technology board, which coordinates and governs AI and other emerging technologies across the department.[11]


1 Guidepoint Security, GRIT Ransomware Annual 2023 (Q1–Q4) Report, accessed March 4, 2024, https://bit.ly/3T5r0P4.

2 Fortified Health Security, 2024 Horizon Report: The State of Cybersecurity in Healthcare, January 2024, https://bit.ly/49ZInrq.

3 Atlanta Women’s Health Group, “Notice of Atlanta Women’s Health Group Cyberattack,” January 31, 2024, https://bit.ly/432ZTc8.

4 Cybersecurity & Infrastructure Security Agency, “2023 Year in Review,” report, January 2024, https://bit.ly/434GCqX.

5 Kathryn Williams, “Medical data breach could impact thousands from New Hampshire,” WMUR-9, January 15, 2024, https://bit.ly/4a0TbWv.

6 Sens. Angus King and Marco Rubio, “Strengthening Cybersecurity in Health Care Act,” February 2024, https://bit.ly/3TlVzS4.

7 Joey Solitro, “Pharmacy Disruptions Are Ongoing in Aftermath of UnitedHealth’s Cyberattack,” Kiplinger, February 27, 2024, https://bit.ly/3SWTgn4.

8 Optum, “Update: Some applications are experiencing connectivity issues,” Incident Report for Optum Solutions, February 28, 2024, https://bit.ly/49CREG7.

9 United States Securities and Exchange Commission, “Form 8-K: UnitedHealth Group Incorporated,” February 21, 2024, https://bit.ly/3T0TZUj.

10 Centers for Medicare & Medicaid Services, Center for Clinical Standards and Quality/Quality, Safety & Oversight Group, “Texting of Patient Information and Orders for Hospitals and CAHs,” memo, Ref: QSO-24-05-Hospital/CAH, February 8, 2024, https://bit.ly/3OJpzEK.

11 U.S. Department of Justice, Office of Public Affairs, “Attorney General Merrick B. Garland Designates Jonathan Mayer to Serve as the Justice Department’s First Chief Science and Technology Advisor and Chief AI Officer,” news release, February 22, 2024, https://bit.ly/48Ey7Uz.
