2 Healthcare Hacks Affect Nearly 300,000 Patients
A Substance Abuse Treatment Network and a Community Health Clinic Report Breaches
Two newly revealed hacking incidents - one reported by a Texas-based substance abuse treatment network that operates in several states and the other by a New Mexico community health center - have affected the sensitive medical information of nearly 300,000 individuals.
Both breaches follow an expanding pattern of hacking incidents targeting all types and sizes of medical entities, including community clinics and other specialty facilities that provide sensitive health services.
"The events appear to be consistent with the trend of criminal gangs moving downmarket and into adjacent spaces to hospitals," says Michael Hamilton, CISO of security firm Critical Insight.
"Because they are not likely to be as well resourced as hospitals and other covered entities, the assumption is that they are more vulnerable in terms of technical controls and user awareness."
The breaches include a December 2021 hacking incident involving a network server and affecting nearly 198,000 individuals that was reported to the U.S. Department of Health and Human Services on July 27 by Dallas, Texas-based BHG Holdings, LLC, which operates as Behavioral Health Group, or BHG.
The company's website boasts that BHG is "the largest network of Joint Commission-accredited outpatient opioid treatment and recovery centers" in the U.S., with about 80 facilities in 22 states and Washington, D.C.
The other breach, also a hacking incident involving a network server, was reported to HHS' Office for Civil Rights on Aug. 1 by Albuquerque, New Mexico-based First Choice Community Health as affecting more than 101,500 individuals.
First Choice, which operates nine clinics in three New Mexico counties, offers services including dental, women's health, primary care, behavioral health and WIC programs, according to the organization's website.
In a notification statement posted on its website, BHG says it "recently" experienced a data security incident affecting certain personal and protected health information it maintains. The statement does not state the date when the incident was discovered.
BHG says its investigation determined that unauthorized individuals potentially removed various files and folders from portions of its network on Dec. 5, 2021.
"On June 22, following an extensive review and analysis of the data at issue, BHG determined that certain files and folders that may have been accessed or acquired contained identifiable personal and/or protected health information for individuals who received services from BHG," the statement says.
The affected information includes individuals' full name, Social Security number, driver's license or state identification number, financial account information, payment card information, passport, biometrics, health insurance information, medical information - including medical diagnosis and treatment, medication information, dates of service and medical record number, BHG says.
"BHG has no evidence to suggest that any information has been misused," the statement says.
In the aftermath of the incident, BHG says it has taken steps to enhance its data and network security.
That includes resetting account passwords and strengthening its password policies, deploying multifactor authentication for network access, upgrading its endpoint detection software, implementing a third-party security monitoring service and providing employee training related to network security and threat detection.
BHG did not immediately respond to Information Security Media Group's request for additional details about the incident, including the type of hacking incident involved and when it was discovered.
First Choice Breach
First Choice, in an Aug. 1 notification statement posted on its website, says it became aware of a possible data security incident involving its IT environment on March 27.
The entity's investigation into the incident determined that certain personal and protected health information may have been accessed or acquired without authorization, First Choice says.
Affected information includes name, Social Security number, patient ID number, diagnosis and clinical treatment information, medications, dates of service, health insurance information, medical record number, patient account number, date of birth and provider information, First Choice says.
"First Choice is not aware of any evidence of the misuse of any information potentially involved in this incident," the statement says. The entity did not immediately respond to ISMG's request for additional details about the hacking incident.
As all types of healthcare sector entities and their business associates increasingly become targets of ransomware attacks, extortionists and other hacking incidents, it is critical for those organizations to take steps to strengthen their data security posture, Hamilton says.
"Especially for smaller entities that do not have security teams or service providers, a good strategy is to limit employee access to personal email and social media as much as possible and implement a policy of personal use on a personal device," he says.
"This is known to reduce compromised assets by about 40% and is an inexpensive, policy-based tool."