Report on Patient Privacy Volume 22, Number 3. Privacy Briefs: March 2022

Health Care Compliance Association (HCCA)

[author: Jane Anderson]

Report on Patient Privacy 22, no. 3 (March, 2022)

◆ HHS said in early March that it was not aware of any specific threat to U.S. health care organizations stemming from the Russian invasion of Ukraine. “However, in the interest of being proactive and vigilant, we are briefly reviewing the cyber capabilities of Russia and its allies and specifically two malware variants most likely to be utilized in any collateral attacks which may impact [the U.S. Healthcare and Public Health Sector] in this campaign,” the HHS Cybersecurity Program Office of Information Security said in a March 1 analyst note.[1] There are three potential threat groups, the note said: organizations that are part of the Russian government, cybercriminal groups based in Russia and neighboring states, and organizations that are part of the Belarusian government. In addition, there are two malware variants that have been observed in significant use against Ukraine in the last two months: HermeticWiper and WhisperGate, the note said. HermeticWiper comes in the form of an executable file that will damage the master boot record of the infected computer, rendering it inoperable, the analysis said. WhisperGate is a new form of disk-wiping malware that is believed to operate in three stages: a bootloader that corrupts detected local disks, a Discord-based downloader and a file wiper, the note said. HHS recommended that health care entities become familiar with these malware variants and that organizations review guidance from the Cybersecurity and Infrastructure Security Agency on defense and mitigation.

◆ Significant security incidents continue to plague health care organizations of all types and sizes, according to the 2021 Healthcare Information and Management Systems Society (HIMSS) Healthcare Cybersecurity Survey.[2] Phishing remains the most common health care sector security incident, with 45% of respondents saying a phishing attack was involved in their most serious security incident in 2021. Ransomware attacks represented the most serious incidents for 17% of survey respondents. Still, it’s possible that insider threats were underreported, because many health care organizations do not have robust insider threat management programs, HIMSS noted. Financial information was the main target of hackers in 52% of the attacks, the survey revealed. Hackers targeted employee information and patient information in 43% and 39% of the most serious incidents, respectively, HIMSS said. Intellectual property, confidential business information and biometric information also were targets, according to the survey. The most typical impact of an incident is disruption, with 32% of those surveyed saying that their most serious incident resulted in disruption of systems and/or devices impacting business operations. Still, 44% of those surveyed reported that their incident had no impact or negligible impact on the organization, the survey found. Cybersecurity budgets are still tight, with 6% or less of the information technology budget typically allocated for cybersecurity, the survey found. In addition, many basic security controls are not fully implemented, although some organizations are implementing advanced security controls. The survey reflects the responses of 167 health care cybersecurity professionals, the majority of whom had primary responsibility over health care cybersecurity programs at their organizations.

◆ A company in Saginaw, Michigan, that serves business clients, including some health plans, said it experienced a data breach that affected more than 521,000 people.[3] Morley Companies Inc. said that the incident began on Aug. 1, 2021, “when Morley’s data became unavailable.” An investigation began following the August incident, which revealed that the attackers may have been able to access both client and employee data, including personal and protected health information. Potentially stolen information includes names, home addresses, Social Security numbers, birth dates, client information numbers, health insurance information, medical diagnostics and medical treatment information.

◆ Personal information for nearly 6,260 Memorial Hermann Health System patients was leaked after a contracted vendor had a security breach, according to the health system.[4] The vendor, Advent Health Partners, experienced a security incident in September 2021, the health system said in February. In a statement, Memorial Hermann said that “Advent Health Partners became aware of suspicious activity on employee email accounts involving data provided by Memorial Hermann. Advent Health Partners said they immediately launched an investigation into the incident. While the investigation is ongoing, Advent Health Partners determined that certain files were potentially accessed by an unauthorized third party,” including files containing names, dates of birth, Social Security numbers, driver’s license numbers, financial information, health insurance information and treatment information. Advent Health Partners is providing free access to a credit monitoring service for those who were affected.

◆ Charlotte Radiology in North Carolina said it experienced a weeklong data breach in mid-December, and some patient information was stolen, “including a very limited number of patients’ Social Security numbers.”[5] According to a report, “Charlotte Radiology officials said they found no evidence of ‘fraud or misuse’ as a result of the theft and are notifying each patient whose information was taken during the Dec. 17-24 breach.” The provider did not say how many people were affected by the breach, which was discovered on Dec. 24. At the time of discovery, the provider said, “we immediately initiated our incident response process, notified law enforcement, and began an investigation with the assistance of a forensic firm. Within days, we were able to quickly contain the incident and resume serving patients.” The investigation revealed that “an unauthorized party gained access to our network and took copies of some of the documents on our system,” the statement said. The documents included patient names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers, physician names, dates of service, and diagnosis and/or treatment information. The company is offering free credit monitoring for patients whose Social Security numbers were exposed.

◆ In Marietta, Georgia, personal information for 216,470 people may have been accessible during a cyberattack on Memorial Health System in July 2021, although officials said there is no indication any identity theft or unauthorized use of the data occurred.[6] According to a report, “Patients from Memorial whose personal health information, Social Security number, account number or date of birth could have been accessed recently received letters notifying them of the situation. The letter says the recipient’s information was present in systems that were accessed by an ‘unauthorized actor’ around July 10 through Aug. 15.” Malware was identified on Aug. 14, and an investigation was launched. The health system was able to unlock its servers from the ransomware attack on Aug. 18 following an agreement reached with the help of the FBI and the system’s insurance carrier. “While the extensive investigation with the FBI and cybersecurity teams indicates no reason to suspect there has been any fraudulent use or public release of patient information associated with this incident, we are notifying patients whose information MAY have been accessible during the breach,” said Jennifer Offenberger, associate vice president for Memorial Health System.

◆ Three New Mexico residents filed a lawsuit against insurance firm True Health New Mexico over what they call a “targeted cyberattack.” They are seeking “to have their complaint declared a class action, representing around 63,000 patients whose personal information might have been stolen,” according to a report.[7] The plaintiffs allege in the complaint that “the company failed to protect their information from the October data breach even though such an incident was foreseeable, due to the high value of medical records on the ‘dark web,’ where they sell for as much as $50. A Social Security number, in comparison, might be worth as little as $1.” True Health did not use best practices to safeguard against a cyberattack, according to the lawsuit, and it delayed notifying members after it learned their data had been compromised. The company learned of the data breach on Oct. 5, and notified HHS and affected individuals in mid-November, according to the lawsuit. True Health posted a notice on its website about the incident and said “it had no evidence any personal information had been misused.”

1 U.S. Department of Health & Human Services Office of Information Security, “The Russia-Ukraine Cyber Conflict and Potential Threats to the US Health Sector,” Report: 202203011700, March 1, 2022, https://bit.ly/37b72ON.
2 Healthcare Information and Management Systems Society, 2021 HIMSS Healthcare Cybersecurity Survey, January 28, 2022, https://bit.ly/3tk9Ccy.
3 Morley Companies Inc., “Morley Notifies Clients of Data Security Incident,” news release, February 2, 2022, https://bit.ly/36U7tgp.
4 Erica Ponder, “Over 6,000 Memorial Hermann patients’ information leaked in contractor’s data breach, vendor says,” Click2Houston.com, February 8, 2022, https://bit.ly/3hotPs3.
5 Joe Marusak, “Patient data stolen from prominent Charlotte medical services provider, firm says,” The Charlotte Observer, February 19, 2022, https://bit.ly/3ppeLz7.
6 Evan Bevins, “Memorial Health System alerts patients to possible data breach,” The Parkersburg News and Sentinel, January 21, 2022, https://bit.ly/3srFv3Q.
7 Phaedra Haywood, “N.M. health insurance company sued over data breach,” Santa Fe New Mexican, February 5, 2022, https://bit.ly/343oK5C.
