Ransomware: Home Health Firm Reports 2nd Cloud Vendor IncidentLatest Attack Affected 753,000 Patients, Employees
A home healthcare company says a data breach affecting more than 753,000 patients, employees and former workers stems from a ransomware attack on its private cloud hosted by managed service providers. The company reported a similar incident 15 months ago.
Lake Success, New York-based Personal Touch Holding Corp., which operates about 30 Personal Touch Home Care subsidiaries in about a dozen states, says it discovered on Jan. 27 that "it experienced a cybersecurity attack on the private cloud hosted by its managed service providers."
The notification statement does not name the vendors involved.
A breach notification report filed with the Maine attorney general's office notes that the incident involved ransomware and affected 753,107 individuals, including 93 residents of that state.
PTHC declined to provide additional information about the incident to Information Security Media Group.
In January 2020, PTHC submitted 16 breach reports on behalf of its subsidiaries in six states to the Department of Health and Human Services. Those involved a ransomware attack on Wyomissing, Pennsylvania-based Crossroads Technologies, which hosted the home healthcare provider’s cloud-based electronic health records (see: Ransomware Attack on EHR Vendor Impacts Home Health Chain).
Patient, Employee Data Compromised
In a statement on its website, PTHC says the most recent cyber incident compromised private cloud-stored business records of the company and its "direct and indirect subsidiaries."
Patient information exposed includes health plan benefit numbers, medical record numbers, names, addresses, telephone numbers, dates of birth, Social Security numbers and financial information, including check copies, credit card numbers and bank account information.
Affected information of current and former employees may include names, addresses, telephone numbers, dates of birth, Social Security numbers - including dependent and spouse Social Security numbers - driver’s license numbers, passport numbers, birth certificates, background and credit reports and demographic information, PTHC says.
Also potentially compromised were employee usernames and passwords, personal email addresses, fingerprints, insurance card and health and welfare plan benefit numbers, retirement benefits information, medical treatment information, check copies and other financial information necessary for payroll, PTHC says.
"Upon discovery, PTHC retained outside counsel and independent forensic experts to begin an investigation," the company says in its statement.
"While the investigation is still ongoing, and we cannot confirm the extent to which employee and patient data was compromised, we are notifying our community that the breach occurred, in our effort to comply with the applicable state data breach notification laws."
The company says it also reported the incident to the FBI and has implemented "enhanced monitoring and alerting software."
The healthcare sector has seen a surge in ransomware attacks in recent months.
"The supply chain represents a relatively easy attack vector for malicious actors," says Ian Walters, principal of healthcare cyber risk services at security consultancy Coalfire. "The further down the supply chain you go, the greater the likelihood that a vendor doesn’t fully understand the implications of their security posture to the bigger picture."
By compromising one vendor, the malicious activity could be spread to multiple targets, he adds.
"Ransomware is one of those issues that divides opinion: Do you pay the ransom and get back to normal operations as quickly as possible, or do you take a lot of time and money to try and recover? If you pay, you run the risk of being subjected to further attacks because the bad guys know your MO for these incidents and may have even left a backdoor Trojan for ease of access next time."
Cathie Brown, vice president of consulting at security and privacy consulting firm Clearwater, notes: "As entities have worked to secure their environments and protect their data, migrating to the cloud has provided a false sense of security in many cases. Hackers have also migrated to the cloud. Lessons that those in the healthcare sector should learn from the current environment is that healthcare is the number one target for ransomware."
Among other recent vendor ransomware incidents in the healthcare sector was an attack on PeakTPA, a third-party claims administrator of health and social services programs for the elderly. The company apparently paid a ransom to Netwalker attackers about a month before global law enforcement officials disrupted the gang in January (see: Ransom Paid Just Before Netwalker Gang Disrupted).
"The healthcare ecosystem more complex than ever," Brown says, with organizations relying more heavily on vendors' services. "More vendors expand the attack surface and provide any number of ways to penetrate an organization. Another reality is that vendor risk management is relatively immature to most healthcare entities."
Walters says it is more essential than ever for healthcare entities to have in place an effective third-party risk management program.
"Don’t let the program become shelf-ware," he says. "Actively validate your vendors’ security program through a series of profiling, questionnaires and reviewing of certificates and certifications."
High-risk, high volume vendors should be periodically audited, he says. Plus, he advises organizations to ensure that vendors' remote sessions are terminated when not needed – for example, after a vendor has had access for support or patching.