Breach Notification , Cybercrime , Cybercrime as-a-service

California Clinic Network Cyber Incident Affects 656,000

A Nevada Cancer Center Is Also Dealing With the Aftermath of an Attack
California Clinic Network Cyber Incident Affects 656,000
Community Medical Centers took systems offline after a cyber incident last month that affected 656,000 people.

A recent cyberattack on Community Medical Centers, a network of nonprofit neighborhood health centers in Northern California, has potentially compromised the personally identifiable information and protected health information of more than 656,000 individuals.

See Also: Cyber Insurance Assessment Readiness Checklist

Meanwhile, Nevada-based Las Vegas Cancer Center is also reportedly notifying thousands of current and former patients that their data may have been compromised in a ransomware attack that happened during Labor Day weekend.

"As long as threat actors continue to be successful with these type of attacks, not only will they not end, but they will continue to grow and become more prominent, more serious and more intrusive," says retired FBI supervisory agent Jason G. Weiss, an attorney at Faegre Drinker Biddle & Reath.

"The time to act is now," he says.

CMC Breach Details

In a breach notification report provided to the Maine attorney general's office on Friday, Community Medical Centers says 656,047 individuals, including eight Maine residents, were affected by an "external hacking incident."

Neither that report nor a network security incident notice posted on CMC's website mention whether the incident involved ransomware.

A message posted by CMC on its website Tuesday says: "Our communications are down but our clinics remain open during regular hours."

CMC's website notes that the organization serves patients in San Joaquin, Solano and Yolo counties and is one of the region's largest safety net healthcare providers. The CMC network includes about two dozen clinics.

Largest Breaches

As of Tuesday, the CMC incident was not yet posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.

The incident, however, would rank as the 12th-largest health data breach posted to the HHS website so far this year.

As of now, the largest health data breach involving ransomware posted to the HHS website was reported on July 8 by Wisconsin-based Forefront Dermatology S.C. as affecting more than 2.4 million individuals (see: Dermatology Clinic Chain Breach Affected 2.4 Million).

Compromised Data

CMC in its notification statement says that on Oct. 10, it shut down many of its systems "proactively" after detecting unusual activity on the network.

"Upon detection, we immediately took all systems offline and took steps to investigate and determine the nature of the incident. Based on the results of that assessment, there is evidence to suggest an unauthorized third party accessed CMC’s network," the statement says.

Personal information that could have been compromised includes first and last names, mailing addresses, Social Security numbers, dates of birth, demographic information, and medical information maintained by CMC, the statement says.

"While there is no evidence that any data has been misused, we are taking every step we can to prevent any misuse of patient information," the statement says. CMC says it is offering 12 months of complimentary credit and identity monitoring to affected individuals.

"We continue to make progress on restoring all systems safely and returning to normal operations," CMC says in its statement, which was last updated on its website on Oct. 27. It says it has taken steps to improve its network security to further secure sensitive data.

An attorney representing CMC did not immediately respond to Information Security Media Group's request for additional details about the incident, including whether it involved ransomware.

Las Vegas Cancer Center Incident

Las Vegas Cancer Center is contacting about 3,000 current and former patients that their information was potentially exposed in an apparent ransomware attack on the Henderson, Nevada-based entity that occurred over Labor Day weekend, according to the local media site Las Vegas Review-Journal on Monday.

The incident - which involved attackers accessing a business server and encrypting data - was discovered when LVCC's office reopened on Sept. 7, following the long holiday weekend, according to the Review-Journal.

LVCC says it immediately notified law enforcement officials, fully participated in an investigation by the FBI, conducted its own internal investigation and contacted its electronic medical records vendor, which relies on the server data to build LVCC’s patient records database, the local media site reports.

Patient information potentially compromised in the LVCC incident includes patient names, dates of birth, Social Security numbers, medical records and insurance information.

LVCC says, however, that "all patient data was stored on the server in a format proprietary to LVCC’s electronic medical records system, and therefore likely not usable to the hackers," the Review-Journal reports.

"LVCC does not believe that any data was copied or transferred from its server, and has received no ransom demand from the hackers to unlock the data," according to the media site.

LVCC did not immediately respond to ISMG's request for comment.

Ransom Demands

Not all victims of ransomware attacks receive a ransom demand, some experts note.

"Ransom notes typically only contain URLs and access codes for ransomware gangs’ negotiation portals, and the demand is only delivered when victims access the portals," says Brett Callow, threat analyst at security vendor Emsisoft.

"Some victims choose not to access the portal - because, for example, they have working backups and no intention of paying - and therefore say they did not receive a ransom demand," he notes.

Attorney Weiss says "the lack of a 'ransom note' does not mean that there was no ransomware attack per se."

There are many cases in which victims inadvertently destroy a ransom note when trying to restore their system or do not find a ransom note because some type of automated software potentially removed or destroyed it, he says.

"In my experience, there is rarely a delay from a cyberthreat actor providing ransom details," he says. "They want to get paid as quickly as possible." And a ransom note could not be used to determine whether data was stolen or copied, unless it clearly said that was the case, as is usual in many ransomware cases, he says.

More to Come

In the meantime, attacks on the healthcare sector are not likely to wane anytime soon, some experts predict.

"Stealing data seems to be an effective strategy, with many organizations having chosen to pay demands in the hope that the attackers will destroy the stolen data," Callow says. "And because the strategy seems to be effective, it’s a tactic that’s likely to continue."

Weiss offers a similar assessment, saying, "It appears that the healthcare industry remains under constant assault from threat actors around the world. It is time for the healthcare industry to become far more proactive to the threat of cyberattack and realize it is not 'if' they will be attacked, but 'when.'"

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.