Latest Attacks Target Entities Handling Sensitive Data
Community Health Center, Social Services Agency Among Recent Victims
Recent incidents affecting the sensitive information of tens of thousands of individuals underscore the ongoing threats and risks facing organizations - including medical care providers and social services agencies - that handle health and other delicate personal information.
Augusta, Arkansas-based ARcare, a community health center that provides services including chronic disease management, behavioral health and HIV treatment, on Monday reported to the U.S. Department of Health and Human Services a hacking incident involving a network server and affecting more than 345,000 individuals.
A statement ARcare posted on its website Monday says that on Feb. 24, it experienced a data security incident that affected its computer systems and caused a temporary disruption to services.
ARcare immediately worked to secure its systems and commenced an investigation to confirm the nature and scope of the incident, the statement says. On March 14, ARcare's investigation determined that an unauthorized actor may have accessed and/or acquired sensitive data on the organization's computer systems between Jan. 18 and Feb. 24.
ARcare on April 4 concluded a review of affected data and determined that personal information relating to individuals was in affected files, the statement says.
Affected information varies by individual, but includes names, Social Security numbers, driver's license or state identification numbers, dates of birth, financial account information, medical treatment information, prescription information, medical diagnosis or condition information, and health insurance information, ARcare says.
"At this time, ARcare is unaware of any actual or attempted misuse of the affected information as a result of this incident," the organization says.
ARcare did not immediately respond to Information Security Media Group's request for additional details about the incident, including whether ransomware was involved.
Social Services Agency Hit
Another of the entities recently hit with hacking incidents is Corning, California-based Tehama County Social Services, which provides an array of social services for adults and children, including protective services for individuals dealing with abuse and neglect.
Tehama County Social Services, in a statement reported last week by local news site Corning Observer, says it is investigating a "technical disruption" discovered on April 9.
"Upon learning of the disruption, Tehama County officials secured the county Social Services Department's IT systems and took them offline out of an abundance of caution, launched an investigation with the assistance of a third-party forensic firm, and state, local and federal law enforcement agencies have been notified," the statement says.
Ransomware group Quantum allegedly claimed on its dark web leak site earlier this week to have been behind the attack and to have stolen 32GB of data from the agency. Tehama County Social Services did not immediately respond to ISMG's request for additional details and comment about the incident.
#Quantum ransomware group claims responsibility for the cyberattack against Tehama County Social Services in California, US. They claim to have stolen 32 GB, including PII and ePHI... #Ransomware #RansomwareGroup #databreach #HIPAA https://t.co/aBwOKs2Dmz pic.twitter.com/XZycpjm01R - BetterCyber (@_bettercyber_) April 28, 2022
Other municipal social services and related agencies also have been the victims of ransomware and similar cyberattacks. For instance, in February 2021, Chatham County in North Carolina said that an October 2020 attack by ransomware group DoppelPaymer involved the acquisition of data from a number of county systems. Forensic analysis revealed that the ransomware had entered the county network through a phishing email with a malicious attachment.
As a result of the incident, the county also lost the use of its computers, internet access, office phones and voicemail.
The local news site Chatham News Record reported at the time that compromised files in that incident included personnel records of some county employees, medical evaluations of children who are the subjects of neglect cases, eviction notices and documents related to ongoing investigations within the Chatham County Sheriff's Office.
"Data breaches involving social service records are, in some ways, the very worst kind due to the sensitivity of the information," says Brett Callow, a threat analyst at security firm Emsisoft. "Unfortunately, it's impossible to fix the situation post-breach. Once the info is out there, it's out there and there's no way of knowing who may have had access to it, where or when it may appear or how it may be misused."
The HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website shows at least 15 major protected health information breaches reported since 2009 by various state social services agencies.
The largest was a hacking incident reported last September by the Alaska Department of Health and Social Services as affecting 500,000 individuals.
That incident affected a variety of the department's IT systems and services, including a background check system, the state of Alaska's vital records system, Alaska's behavioral health and substance abuse management system and the state's system for schools to report vaccine data to public health.
Data breaches involving especially sensitive health information are certainly a major challenge not only for U.S.-based entities.
For instance, the French data protection authority CNIL on April 21 said it had fined a medical software vendor, Dedalus Biology, 1.5 million euros for a February 2021 data leak incident that violated three provisions of the General Data Protection Regulation.
Dedalus Biology, which provides services to medical laboratories in France, was fined for exposing on the internet sensitive records of nearly 500,000 patients from 28 laboratories, including individuals' names and medical information pertaining to cancer, genetic diseases, HIV, pregnancies and other conditions, CNIL said.
Meanwhile, back in the U.S., other healthcare sector entities still dealing with recent cyber incidents include the American Dental Association and Tenet Health (see: American Dental Association Hit by Disruptive Cyber Incident).
"Any organization that controls and processes sensitive health-related information is under immense pressure to maintain the confidentiality of those patients' records," says Ray Walsh, a digital privacy expert at security and privacy services firm ProPrivacy. "Unfortunately, cybercriminals understand this and often seek to target these organizations due to the fact that they may more easily cave and pay a ransom to prevent data being made public."
Ransomware actors and other cybercriminals will continue to focus their efforts on obtaining sensitive personally identifiable information and healthcare data "simply because it’s very lucrative to them on the black market," says Tim Kosiba, a former National Security Agency deputy commander who is now CEO of bracket f, a wholly owned subsidiary of cloud security firm Redacted.
"Our response to this problem needs to be continued focus on this threat and maintaining our vigilance to deter these threats by imposing costs, outing their efforts and disclosing their identities when possible," he says.
"This can all be part of the public/private partnerships with our law enforcement partners and other government entities that firmly support legal consequences for these heinous acts."