Breach Reports Show Diversity of Healthcare Cyber Targets
Recent Major Hacking Incidents Affected a Wide Range of Entities
Recent data breach reports filed by a law enforcement benefits health plan, a healthcare staffing firm and a rural medical center are the latest examples of the diverse range of healthcare sector entities being targeted by cyberattackers.
Entities recently reporting major health data breaches to state and federal regulators include Law Enforcement Health Benefits Inc., a Philadelphia, Pennsylvania-based health benefits company; Grandison Management Inc./Towne Homecare LLC, a New Jersey-based healthcare staffing firm and provider of home health and nursing home care; and Labette Health, a 99-bed regional medical center in Kansas.
Each of the hacking incidents affected the protected health information of tens of thousands of individuals.
"I think this is a very clear reminder that every organization that does business using technology and especially those that process personal information as part of that business are likely targets for cyberattacks," says Jon Moore, chief risk officer at privacy and security consulting firm Clearwater.
"In speaking with leaders at healthcare organizations across the U.S., I often hear leaders at smaller organizations say, 'Why would they target us? We are too small or low-profile.'" Moore says, adding that many leaders are "in denial" of what is going on right now involving cyberthreats.
"All organizations, particularly those in critical infrastructure industries and particularly healthcare, are targeted every day at an increasing rate. Unfortunately, an increasing number of them are suffering breaches as well."
LEHB's Ransomware Attack
Law Enforcement Health Benefits Inc., a nonprofit firm that provides health benefits to Philadelphia law enforcement employees, including members of the city's police department, reported to the U.S. Department of Health and Human Services on Monday a ransomware incident affecting nearly 85,300 individuals.
John Gaittens, CEO of LEHB, tells Information Security Media Group that the February 2022 attack involved the Conti ransomware group, which encrypted the company's systems, preventing access to all data.
After consulting with its cyber insurer and forensics experts, LEHB paid a $100,000 ransom, which was negotiated down from Conti's original $400,000 demand, in return for a decryptor, Gaittens says.
"We can't go days or weeks without access to our systems," he says about why LEHB ultimately decided to pay.
To date, there has been no evidence that any information affected by the incident has turned up on the dark web, Gaittens says.
He says that since the incident, LEHB has taken steps to enhance its security, including replacing all its servers, changing its email services vendor and implementing additional security protections.
LEHB's breach notification statement says that affected information includes names, dates of birth, Social Security numbers, driver’s license numbers, financial account numbers, health insurance information and medical information, such as medical record number, patient account number and diagnosis/treatment information.
LEHB is offering complimentary credit and identity monitoring to individuals whose Social Security numbers were affected.
Grandison Management/Towne Home Care Breach
Grandison Management, Inc./Towne Homecare LLC, a Howell, New Jersey-based healthcare staffing firm and provider of home health and nursing home care, on Feb. 28 reported to the state of Maine's attorney general a hacking incident affecting nearly 100,500 individuals, including patients and staff.
Breach notification statements provided by Grandison and Towne Homecare say a cyberattack detected on May 17, 2021, involved unauthorized actors "infiltrating" the company’s network.
Upon learning of the security incident, the entity says it immediately shut off access to the network and engaged computer forensic experts to determine if any information had been affected.
The investigation determined that the potentially compromised information varies depending on the individual affected by the Grandison/Towne Homecare incident.
For patients, the affected information included personal and medical information. For other individuals, it may have included financial account numbers, including credit or debit card numbers in combination with the security code, access code and password or PIN for the account, the company says in its breach report.
The organization is offering 12 months of complimentary identity and credit monitoring services to those affected. To date, the company has not received any reports of related identity theft since the date of the incident, it says in its notification statement.
An attorney representing Grandison/Towne Homecare did not immediately respond to ISMG's request for additional details about the incident.
Labette Health Incident
Labette Health, based in Independence, Kansas, on March 11 reported to HHS' Office for Civil Rights a 2021 hacking/IT incident involving a network server and affecting more than 85,600 individuals.
In its breach notification statement, Labette says it "recently" experienced a data security incident affecting patients and staff.
"Labette Health's investigation determined that unauthorized individuals potentially accessed and acquired information from portions of its network between Oct. 15 and Oct. 24, 2021," the statement says.
On Feb. 11, 2022, following an extensive review and analysis of the data at issue, Labette Health says it determined that certain files and folders that may have been accessed or acquired contained identifiable personal and/or protected health information of employees and certain patients who received services from the organization.
Potentially affected information includes the individuals' full name and one or more of the following: Social Security number, medical treatment and diagnosis information, treatment costs, dates of service, prescription information, Medicare or Medicaid number and/or health insurance information.
"This incident does not affect all patients of Labette Health and Labette Health does not necessarily maintain all of the information listed above for all patients," the statement says.
Labette Health is offering complimentary credit and identity monitoring to individuals whose Social Security numbers were affected.
Also, in response to this incident, Labette Health says it has strengthened its network and implemented additional security improvements.
These include resetting account passwords and strengthening its password security policies, implementing multifactor authentication for network access, upgrading its endpoint detection software and coordinating additional employee training related to network security and threat detection, Labette says.
Labette Health did not immediately respond to ISMG's request for comment.
Taking Action
The variety of healthcare sector entities reporting recent major breaches involving hacking incidents highlights common challenges in the sector, some experts say.
"Healthcare has traditionally under-invested in security relative to other industries like finance," Moore says. "This is what makes healthcare a relatively easier target."
Every organization should have critical security practices and controls in place, but "establishing that baseline is typically going to mean that small organizations will need to spend a higher percent of their budget on security than larger ones to establish the baseline safeguards.
"That said, it is unrealistic to expect a smaller organization to be able to afford the level of security a larger, better-funded, organization can," he adds.
Regulatory attorney Rachel Rose says that cybercriminals are targeting all types of entities within the healthcare sector, and the FBI and other government agencies have said that Conti and other ransomware cybercriminals "intend to put as much pressure as possible" on their victims.
Conti has been implicated in a range of ransomware attacks across the healthcare sector, both inside and outside the U.S. That includes an attack last May on Ireland's Health Service Executive, the nation's state-run health services provider, and San Diego, California-based Scripps Health.
"All entities in the healthcare sector need to adhere to the requisite HIPAA Security Rule and National Institute of Standards and Technology regulations in order to have the most up-to-date technical, administrative and physical safeguards in place to prevent the worst harm possible - patient deaths," she says, adding that in the meantime, cyberattacks are going to increase.
"As the Department of Justice has noted, this is an area of enforcement interest for them, as well as HHS OCR," Rose says.
"The Federal Trade Commission also has jurisdiction and with cyber insurance becoming more expensive and harder to get, verifying and attesting to having the requisite technical, administrative and physical safeguards in place is even more critical because falsifying this statement can lead to a policy not being valid."