Supply Chain Ransomware Breach Affects 1.2 MillionPracticefirst Apparently Paid a Ransom
A supply chain ransomware attack affecting more than 1.2 million individuals is among the largest health data breaches reported to federal regulators so far this year.
Practicefirst, an Amherst, New York-based medical management services provider, on July 1 reported to federal regulators a breach that occurred late last year.
The company's breach notification statement appears to indicate that the firm paid a ransom in exchange for promises that the attackers would destroy and not further disclose files stolen in the incident.
The Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals shows that Practicefirst reported the incident as affecting the information of more than 1.2 million.
As of Tuesday, the Practicefirst incident was the sixth-largest health data breach posted on the HHS website so far in 2021.
In its breach notification statement, Practicefirst says that on Dec. 30, 2020, it "learned that an unauthorized actor who attempted to deploy ransomware to encrypt our systems copied some files from our system, including files that contain limited patient and employee personal information."
Upon learning of the situation, the company says it shut down its systems, changed passwords, alerted law enforcement agencies and retained privacy and security experts to assist.
"The information copied from our system by the unauthorized actor before it was permanently deleted, included … name, address, email address, date of birth, driver’s license number, Social Security number, diagnosis, laboratory and treatment information, patient identification number, medication information, health insurance identification and claims information, tax identification number, employee username with password, employee username with security questions and answers, and bank account and/or credit card/debit card information," Practicefirst says.
"We are not aware of any fraud or misuse of any of the information as a result of this incident," the company says. "The actor who took the copy has advised that the information is destroyed and was not shared."
Many security experts stress that such promises by hackers cannot be trusted.
"Cybercriminals who infiltrate information systems are not reputable or reliable. By their nature, they will lie, cheat and steal," says privacy attorney David Holtzman of consulting firm HITprivacy LLC.
"Vendors to healthcare organizations should be transparent to the public and to the organizations contracted with those providers to make clear statements as to what happened, what data may have been compromised and what steps they are taking to notify the organizations they serve of the data that was put at risk."
Practicefirst says it implemented measures "to further improve the security of our systems and practices." That includes additional security protocols designed to protect its network, email environment and systems.
The company did not immediately respond to Information Security Media Group's request for additional details about the incident, including the reason for the delay in reporting it and the number of healthcare provider clients affected.
Other recent incidents involving healthcare sector supply chain vendors include a hacking incident at San Antonio-based CaptureRx, which provides technology and administrative services to hundreds of U.S. hospitals and other healthcare entities, and a cyber incident at Dallas-based MedNetworx, which provides hosted medical software, including the Aprima electronic health record system from CompuGroup eMDs (see: More Healthcare Disruptions Tied to Vendor Incidents).
"It is a good practice for an organization to assume they have already been breached and that their vendors have already been breached," says Dustin Hutchison, CISO and vice president of services at consulting firm Pondurance.
"That thought practice requires vigilance and a heightened sense of awareness that should lead to better decisions from a security and risk management standpoint."
Healthcare entities should carefully reassess their vendor security risk management programs and practices to evaluate whether any changes are needed in light of the current surge of cyberattacks targeting the supply chain, some experts suggest.
"A deliberate risk assessment process including assessing any updates or changes to vendor configurations or processes is necessary," Hutchison says.
"Not understanding the full supply chain of the third parties used by vendors can also lead to a gap in understanding exposure for healthcare entities," he notes. "Also, organizations should ensure they understand and catalogue the data they are sharing with any third parties, which can help with quantification in a worst-case scenario."
Healthcare organizations should also review their vendor contracts "to ensure there are terms that specify the obligation of the vendor to provide timely notification and detailed reports of their investigations into security incidents that could pose a risk of compromise to the data they are tasked with creating or maintaining," Holtzman says.
When looking to outsource IT services in which healthcare data will be created or maintained, entities must carefully evaluate vendors for their information security and cybersecurity risk management programs, Holtzman adds.
"Review the risk assessment and risk management plans for each vendor so that you can know going into your vendor selection process which vendors have the information security strategy that best fits your needs and expectations," he says.
Hutchison adds: "Even with strong protection practices in place, organizations must plan to react to incidents and update their plans based on new attack trends. Access to a healthcare entity’s network and data needs to be under scrutiny constantly."