Ransomware Roundup: Healthcare Sector's Latest VictimsEntities Report Large PHI Breaches; Vendors, Others Face Service Disruptions
An Oregon-based anesthesiology practice and an Illinois-based accounting firm are among the latest organizations reporting ransomware-related breaches affecting the protected health information of tens of thousands of individuals. Meanwhile, other entities and vendors that serve the healthcare sector are dealing with their own challenges and fallout involving recent ransomware incidents.
Organizations reporting major breaches over the last week or so involving ransomware incidents include Oregon Anesthesiology Group, based in Portland, Oregon, and Bansley and Kiener LLP, a Chicago-based certified public accountant firm whose services include payroll compliance work for employee benefits and health plans. The Oregon incident was reported as affecting the PHI of 750,000 individuals, and the Bansley and Kiener incident reportedly affected the PHI of nearly 71,000 individuals.
Separately, nonprofit reproductive healthcare services provider Planned Parenthood Los Angeles and its parent entity are now facing at least one proposed class action lawsuit filed in a California federal court in the wake of a recent hacking incident that reportedly involved ransomware and resulted in a health data breach affecting nearly 411,000.
On Tuesday, Ultimate Kronos Group, or UKG, a U.S.-based multinational vendor that provides workforce management and human resource management services, was still dealing with a ransomware attack that occurred last weekend. That ongoing incident is affecting a variety of UKG's private cloud services, including "Healthcare Extension" staff scheduling services, which are offered to healthcare industry clients.
Oregon Anesthesiology Group Breach
OAG in a Dec. 6 data breach notice says that on July 11, it suffered a cyberattack resulting in the practice being "briefly locked out" of it servers.
The group says it was able to respond quickly to restore its systems from off-site backups, and then began the process of "rebuilding its IT infrastructure from the ground up."
On Oct. 21, however, the FBI notified OAG that it had seized an account belonging to HelloKitty, a Ukrainian hacking group, which contained OAG patient and employee files.
"The FBI believes HelloKitty exploited a vulnerability in our third-party firewall, enabling the hackers to gain entry to the network," OAG says in its notice. "According to the cyber forensics report obtained by OAG in late November, the cybercriminals, once inside, were able to data mine the administrator’s credentials and access OAG’s encrypted data."
The incident potentially affected about 750,000 patients as well as 522 current and former OAG employees, the company says.
Patient information potentially compromised includes names, addresses, dates of service, diagnosis and procedure codes with descriptions, medical record numbers, insurance provider names and insurance ID numbers, the notice says.
For current and former OAG employees, potentially affected data includes names, addresses, Social Security numbers and other details from W-2 forms on file.
OAG says it has no evidence to suggest misuse of information as a result of the incident. But the group is offering affected individuals access to 12 months of complimentary identity and credit monitoring, it says.
Also, OAG says that following the July attack, but before it was notified about the account seizure by the FBI, it reevaluated and updated its network access control policies, replaced its third-party firewall and expanded the use of multifactor authentication.
OAG says it also contracted with a third-party vendor for 24/7 real-time security monitoring with live response, security system architecture advising, additional compartmentalization of sensitive data and increased use of cloud-based infrastructure.
Bansley and Kiener Breach
Accounting firm Bansley and Kiener, also known as B&K, on Dec. 3 filed to the Department of Health and Human Services' Office for Civil Rights four separate HIPAA breach reports for its hacking/IT incident, which in total affected nearly 71,000 individuals.
B&K's breach notification statement indicates the incident occurred about a year ago, in December 2020.
In its statement, B&K says that on Dec. 10, 2020, it identified a data security incident that resulted in the encryption of certain systems within its environment.
"B&K addressed the incident, made upgrades to certain aspects of our computer security, restored the impacted systems from recent backups, and resumed normal operation," the statement says. "We believed at the time that the incident was fully contained and did not find any evidence that information had been exfiltrated from our environment."
But, OAG says, on May 24 it learned that certain information had been exfiltrated from its environment. On Aug. 24, the company's investigation confirmed that the information contained on its systems at the time of the incident included names and Social Security numbers.
In the wake of the incident, B&K says it has taken steps to strengthen the security of its systems and continues to educate its employees on cybersecurity best practices.
"The OAG and B&K attacks exemplify new double-barreled ransomware strains that cripple organizations by encrypting their data and also steal the data for use in other criminal schemes," says regulatory attorney Paul Hales of Hales Law Group.
Victimized organization statements commonly downplay the impact of the data theft by saying no actual or attempted misuse of the stolen information is known, he says. "However, a person’s health information in the hands of criminals raises the serious threat of medical identity theft and risks to patient safety and financial well-being," he says.
"Identifying information of more than 800,000 persons is reported to be in the hands of criminals because of the OAG and B&K attacks - a staggering number."
As for the apparent monthslong delay of breach notification in the OAG and B&K incidents, Hales says that a covered entity or business associate must delay breach notification when a law enforcement official states it would impede a criminal investigation or cause damage to national security.
Covered entities and business associates must also document a law enforcement agency’s request for delayed notification, he says.
Aside from circumstances in which a law enforcement agency has requested a delay, it is very risky for an organization to delay breach notification until a forensic analysis can determine with certainty or precision the specific files that were compromised, according to privacy attorney David Holtzman of the consulting firm HITprivacy LLC.
"OCR has guided that a cybersecurity incident or ransomware event is presumed to have been an unauthorized use or disclosure of PHI. In the case of a healthcare provider whose entire system is 'locked up' in a ransomware attack, they should reasonably know that all the PHI has been compromised," he says.
Planned Parenthood Lawsuit
In the proposed class action lawsuit filed against PPLA and its parent entity, Planned Parenthood Federation of America, Inc., in a California federal court on Friday, four former patients - on behalf of others similarly affected - allege that the organizations' "egregious handling" of their highly confidential and sensitive electronic PHI has resulted in "an extreme invasion of privacy."
PPLA earlier this month began notifying nearly 410,000 individuals of an apparent ransomware attack in October that involved exfiltration of files containing health information, including patients' diagnoses and medical procedures.
"Plaintiffs and Class members are now at an immediate risk of online and even physical harassment, threats, intimidation, and retribution for visiting a Planned Parenthood clinic, especially as their home addresses were disclosed in connection with their sensitive medical information," the lawsuit alleges, among a list of other claims.
"As a result of the data breach, they are constantly in a state of fear and/or distress that this information may be made publicly available or extorted against them," the lawsuit alleges.
Among other allegations, the lawsuit claims PPLA and its parent organization were negligent in the handling of individuals' sensitive health data and are in violation of federal and state laws, including HIPAA, the FTC Act, and the California Confidentiality of Medical Information Act.
Among other relief, the lawsuit is seeking damages, as well as an injunction requiring Planned Parenthood to employ adequate security protocols consistent with law and industry standards to protect patients’ highly sensitive and confidential e-PHI.
UKG Ransomware Attack
UKG in an updated statement on Tuesday said that due to the nature of its weekend ransomware incident, it may take up to several weeks to fully restore system availability.
UKG says it became aware of unauthorized activity affecting UKG solutions using Kronos Private Cloud on Dec. 11.
The company says the ransomware incident affects the Kronos Private Cloud - "the environment where some of our UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions are deployed."
In a statement provided to Information Security Media Group, UKG says it took immediate action to investigate and mitigate the issue, has alerted its affected customers and informed authorities, and is working with cybersecurity experts. "We recognize the seriousness of the issue and have mobilized all available resources to support our customers and are working diligently to restore the affected services," the statement says.
UKG declined ISMG's request for comment on the effect the ransomware incident was having on the company's Healthcare Extensions clients and other healthcare sector customers' or their employees' health-related information.
Some experts say that it is too soon to surmise from the outside whether UKG provides any services to HIPAA-covered entities as a business associate or subcontractor involving protected health information.
But Kronos operates an HR management platform that collects information for employer payroll operations, Holtzman says.
"Every state has adopted its own requirements defining what personally identifiable information is protected, when a breach must be reported, and procedures for notification of individuals or regulators," he says.
"Most states require that workforce members be notified when their Social Security number, credit card or banking information is compromised. Some states require organizations to begin notifying affected individuals in as few as 15 days after discovery of the breach while others have open-ended requirements for communicating news about incidents."