2 Health Data Breaches Affect Total of 220,000Ransomware, Phishing Attacks Expose a Wealth of Data
A California-based medical supply firm and a medical center in Missouri have reported health data breaches that each affected more than 100,000 individuals.
Solara Medical Supplies recently reported a phishing incident affecting 114,000 individuals.
Meanwhile, St. Francis Medical Center reported a ransomware attack impacting more than 107,000, according to the Department of Health and Human Services' HIPAA Breach Reporting Tool website. Commonly called the "wall of shame," the website lists health data breaches affecting 500 or more individuals.
Solara Phishing Incident
In its notification statement, Solara, a Chula Vista, Calif.-based provider of medical supplies for diabetic patients, says that on June 28, the company determined that "an unknown actor" gained access to a limited number of employees' Office 365 accounts from April 2 to June 20 as a result of a phishing email campaign.
"Solara undertook a comprehensive manual and programmatic review of the accounts to identify what personal information was stored within the accounts and to whom that information related," the statement says.
The phishing incident resulted in the potential access or acquisition by the attacker of current and former patient and employee information, Solara says.
Potentially exposed information includes names, addresses, dates of birth, Social Security numbers, employee identification numbers, medical information, health insurance information, financial information, payment card information, driver's license data, state ID data, passport information, password/PIN or account login information, billing and claims information, and Medicare and Medicaid IDs.
"Solara worked with third-party forensic experts to investigate and respond to this incident and confirm the security of relevant Solara systems," the statement says.
St. Francis Ransomware Attack
Cape Girardeau, Mo.-based St. Francis Medical Center, in a Nov. 20 breach notification statement, says that the computer network of Ferguson Medical Group - a physician practice that St. Francis acquired in January - experienced a ransomware attack on Sep. 20.
"As a result of that attack, all of the medical records for services provided at Ferguson prior to Jan. 1, 2019, were made inaccessible to St. Francis and they were asked to pay a ransom to regain access to the records. St. Francis took immediate steps to secure the network and worked with federal law enforcement throughout that process," the medical center says in its statement.
"St. Francis did not pay a ransom to the attacker, but instead restored access to the medical records through available backup files; however, St. Francis was not able to restore access to all of the impacted records," the statement says.
"Any records for services provided at Ferguson between Sept. 20, 2018, and Dec. 31, 2018, as well as any documentation that had been scanned into the Ferguson system, regardless of date, were unable to be restored."
St. Francis Medical Center says it does not believe the incident resulted in the disclosure of any patient information to any unauthorized third parties. But it's notifying affected individuals and offering prepaid credit monitoring services.
The medical center did not note the type of protected health information potentially exposed. The organization did not immediately respond to an Information Security Media Group request for additional information.
While St. Francis says it was able to recover a portion of the impacted data, Keith Fricke, principal consultant at tw-Security notes that in some instances, ransomware is designed to exfiltrate data, and other times its intention is to destroy data or encrypt it without the means to decrypt (see: Ransomware Attackers Leak Stolen Data).
"Generally though, criminals intend to provide the means to decrypt once the ransom is paid because this is a business model intended to make money," he says.
In another recent ransomware incident, New York-based The Brooklyn Hospital Center disclosed it, too, could not recover all affected data (see: Latest Ransomware Attacks Show Diversity of Victims).
Strong Backup Practices
These and other ransomware incidents point to the importance of strong data backup practices and testing of data recovery plans.
"Testing the recovery process has multiple benefits. First, if using physical media, it verifies that the backup media are good and have not become damaged or corrupted," notes Kate Borten, president of privacy and security consulting firm The Marblehead Group.
"Second, it verifies that the backup utilities are functioning and backing up all the desired data. Third, the process should uncover missing steps or software. Often, IT staff rely on recovery from unplanned system failures as their formal recovery test. But this may not be sufficient."
Jon Moore, chief risk officer at privacy and security consultancy Clearwater, notes that best practices call for securing backups so they are not accessible from the network being backed up.
"Of course, before an organization can restore from backup, they need to make sure that the ransomware is no longer present in their environment, and that requires a good response and remediation capability," he adds.
Most ransomware attacks begin with a phishing attack, Moore notes. "Educating staff with a phishing awareness program, deploying anti-malware detection and remediation tools, and regularly patching the organization's systems are all good practices in preventing a successful ransomware attack."
The St. Francis Medical Center incident points to the need to carefully vet the data security practices of organizations that are being acquired.
"Security vulnerabilities and resulting breaches can't be argued away with a 'we didn't know' defense," Borten says. "Every merger and acquisition plan should include a thorough security assessment and, as necessary, a remediation plan."
Moore offers a similar perspective. "While cybersecurity and HIPAA compliance due diligence is becoming more common, it is still missing or an afterthought in many organizations' due diligence process," he notes.
Cybersecurity due diligence should be "baked into the overall M&A process," Moore adds. "The collection of information about the target organization's cybersecurity practices and maturity should begin before the letter of intent is signed and continue through the traditional due diligence period and into remediation post acquisition."