Hacking of Accounting Firm Affects Medical GroupApparent Ransomware Incident Exposes Patient Information
An apparent ransomware attack on an accounting firm in December exposed the patient data of Community Care Physicians, a large upstate New York medical group, as well as other clients of the firm.
Some of the data that was breached as a result of the attack on Albany, New York-based BST & Co. CPAs LLC has shown up on the publicly accessible website of ransomware gang Maze, which purportedly names and shames victims into paying ransoms, says Brett Callow, a threat analyst with the security firm Emsisoft.
"The data dump ... includes a complete list of BST's employees: names, addresses, Social Security numbers, dates of birth, phone numbers, pay rate, etc," Callow says. The data includes "everything someone would need to steal their identities."
In a statement, Albany, N.Y.-based BST says that it learned on Dec. 7 that part of its network "was infected with a virus" that prohibited access to its files.
"On this network was data for some of BST's local clients to whom the company provides accounting and tax services, including the medical group, Community Care Physicians," BST's statement says. "BST quickly restored its systems and engaged an industry-leading forensic investigation firm to determine the nature and scope of this incident."
An analysis of all available forensic evidence determined the virus was active on BST's network from Dec. 4 to Dec. 7, 2019, the statement notes. "The virus was introduced by an unknown individual or individuals outside of BST who gained access to part of the network where certain client files are stored, including files from CCP [Community Care Physicians]."
BST in its statement makes no mention of any data being exposed as part of a data dump. BST did not immediately respond to an Information Security Media Group request for comment.
Physician Practice Impacted
Community Care Physicians, in a statement, acknowledges that it was a victim of the BST incident and notes that the accounting firm was sending notification letters to individuals whose data "was part of the CCP file on the BST network."
"Luckily, BST was quickly able to restore all the files from its backups and maintained the integrity of the files," CCP says in the statement. "We want to stress that we have no evidence that any of this data was accessed or used by anybody."
"If people's personal information may have been exposed, they need to take steps to protect themselves, irrespective of whether the data is discovered on the dark web."
—Brett Callow, Emsisoft
On its website, CCP says it has 2,000 employees, including more than 420 practitioners, across 80 locations and 30 specialties in eight counties of the greater capital region of New York, providing care to "hundreds of thousands of patients every year."
BST in its statement says the investigation into the attack determined that "certain personal or protected health information for individuals may have been accessed or acquired without authorization, including individuals' names, dates of birth, medical record numbers, medical billing codes and insurance descriptions. Patient medical records and Social Security numbers were not impacted by this incident."
The accounting firm says it's providing those affected by the incident with one year of prepaid identity theft monitoring.
The accounting firm says its investigation "did not confirm" that an unauthorized individual obtained individuals' personal information. However, Callow, the security researcher at Emsisoft, says BST data apparently exfiltrated in the December attack was visible on a Maze ransomware gang website by January.
"Some of what's been posted is database backup files," Callow notes, including an image of a check made payable to a BST unit.
"In the past, it was often said that backups were the best protection against ransomware. However, the risk of data exfiltration means that is no longer the case," Callow says. "While backups remain critically important, it is also critically important that organizations focus on detection and prevention in order to prevent data leaks."
"The FBI and others have been alerting covered entities that hackers are shifting their attention to third-party vendors."
—Clyde Hewitt, CynergisTek
In the wake on a data breach, the researcher says, "dark web monitoring is hit-or-miss. The data may not be discovered, even if it is posted somewhere. ... If people's personal information may have been exposed, they need to take steps to protect themselves, irrespective of whether the data is discovered on the dark web."
In many recent Maze ransomware attacks, the posting of exfiltrated data appears to have come after the targeted organizations refused to pay a ransom, notes Clyde Hewitt, executive adviser at security consultancy CynergisTek.
As of Thursday, no breach reports involving CCP were listed on the Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
HHS previously issued guidance stating that in most cases, ransomware incidents result in breaches that must be reported to comply with HIPAA, unless there is a low probability that PHI was compromised.
"Ransomware incidents should be assumed to be data breaches until it is conclusively established that no data was breached," Callow says. "And, pending that being established, people need to be immediately notified that their data may have been breached so that they can take steps to protect themselves. A credit card can be opened within 14 days, so sending out breach notifications up to 60 days after an incident simply is not sufficient."
In Maze cases, the exfiltrated data is published on the web where it can be accessed by anybody with an internet connection, he notes. "Consequently, it's not the original criminals who may misuse people's data, but also anybody else who accesses the data. The threat landscape has fundamentally changed, and reporting and disclosure requirements need to change to reflect that."
Healthcare organizations need to be aware of the security risks posed by their service providers, including accountants, Callow says.
"Healthcare organizations cannot simply assume that service providers' security is as it should be; they need to ask questions and perhaps even require that providers have periodic security audits," he adds.
Vendors providing professional services have been implicated in other large health data breaches - including the largest incident in 2019 - a hack on American Medical Collection Agency, which affected more than two dozen of the firm's clients and 20 million individuals.
"The FBI and others have been alerting covered entities that hackers are shifting their attention to third-party vendors," CynergisTek's Hewitt notes. "This avenue allows hackers to leverage the one-to-many relationships and gather data / then extort many different companies."