Both ransomware incidents happened in 2022
Marianne Kolbasuk McGee (HealthInfoSec) • January 16, 2023
Two specialized medical supply companies — a Texas-based home care agency and a Pennsylvania-based women’s and family health clinic — are reporting separate ransomware breaches that collectively affect nearly 600,000 people.
Dallas-based Home Care Providers of Texas (HCPT) reported its incident to the Texas Attorney General’s office on Jan. 13, saying it affected about 124,000 residents of the Lone Star State. The company’s security breach notification statement indicates that an undisclosed number of North Carolina residents have also been affected.
Meanwhile, the Wilkes-Barre, Pennsylvania-based nonprofit Maternal and Family Health Services (MFHS) reported a ransomware incident to the Maine Attorney General’s office on Jan. 10 that affected nearly 461,200 people, including 68 Maine residents. MFHS supports a network of health and nutrition centers in 17 counties in Pennsylvania.
The incidents follow a trend of ransomware criminals hitting a growing number of different types of healthcare providers and their own service providers, including smaller and more specialized businesses.
“Health data is very lucrative these days, and criminals know that small and medium-sized businesses tend to have less security than larger companies,” said Jerry Caponera, general manager of cyber risk at security firm ThreatConnect.
Michael Hamilton, CISO of security firm Critical Insight, says cybercriminals also seem to be more selective about potential healthcare victims.
“The choice of goals is also minimizing the criminal risk at work. Organizations that don’t provide acute care services are less likely to have outcomes for patients that can include death during a disruptive event like ransomware,” he says. “This keeps criminals away from the ‘terrorist’ moniker used by the Biden administration.”
Home health care incident
HCPT says it became aware of its ransomware attack last June. “In addition, an unauthorized party removed a limited number of files from our systems,” the company said in its security breach announcement.
The company alerted law enforcement and hired an outside cybersecurity firm. It completed a forensic investigation and comprehensive review of all affected data on November 15 and found that an unauthorized party had accessed HCPT systems between June 15 and June 29, 2022.
The information affected includes individual names, addresses, dates of birth, Social Security numbers, specific treatment or diagnostic information, and medication information.
HCPT did not immediately respond to Information Security Media Group’s request for comment and additional details on its incident.
Maternal and Family Health Services breach
MFHS says it began notifying affected individuals (including current and former employees, patients and vendors) on January 3 about the April 4, 2022 ransomware incident.
The organization says an investigation into the incident found unauthorized access to MFHS systems occurred between August 21, 2021 and April 4, 2022.
The information affected includes names, addresses, dates of birth, Social Security numbers, driver’s license numbers, financial information, usernames and passwords, medical information, and health insurance information. MFHS says it has no evidence that information was misused as a result of the breach.
The organization says it offers individuals 12 months of free credit and identity monitoring and “bolsters” its security to prevent similar incidents in the future.
MFHS did not immediately respond to ISMG’s request for more details about its incident.
Healthcare organizations across the board face a number of pressures that can ultimately impact their cybersecurity. “The challenges for healthcare companies are cost pressures with rising inflation, falling payments from insurers and rising healthcare costs,” says Caponera. “IT — and by extension cybersecurity — tends to get squeezed into this mix,” he says.
Smaller healthcare organizations that are particularly tight on cybersecurity resources should “pull the lever that costs the least and moves the safety pin the most: Create a policy for all personal use to be performed on a personal device,” says Hamilton.
“Those who don’t need external email shouldn’t receive it, and social media and other sources of ‘bait’ should be blocked,” he says.