Breach Notification , Fraud Management & Cybercrime , Incident & Breach Response

In Healthcare, Ransomware Hitting Diverse Targets

Organizations of All Sizes, Types Are Being Hit
In Healthcare, Ransomware Hitting Diverse Targets

Several recent ransomware attacks in the healthcare sector – including those targeting a Navajo Nation hospital, an Arizona-based eye care practice and a Virginia-based health plan - illustrate that the victims are diverse.

See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical

"I predict that the ransomware problem is going to get worse long before it gets better," says retired supervisory FBI agent Jason G. Weiss, an attorney at law firm Faegre Drinker Biddle & Reath LLP.

"Ransomware gangs are making millions of dollars exploiting these types of cyberattacks against unprepared victims. Healthcare entities are clearly the main target of these attacks because their data is not only critical, and therefore valuable, but healthcare facilities deal with life-and-death matters every day, and they have to do everything they can to get their systems back up or patients could literally die. Unless and until healthcare facilities can harden their networks, train their employees and prevent these attacks from starting, they are only going to continue to get worse."

Rehoboth McKinley Christian Health Care Services

Among those reportedly hit by a ransomware attack is Rehoboth McKinley Christian Health Care Services based in Gallup, New Mexico, which includes a hospital and several clinics in the Navajo Nation region within rural northwestern New Mexico and eastern Arizona.

NBC News reported Wednesday that the organization was struck by a ransomware attack in February, forcing the entity to revert to paper records.

The hackers also posted online sensitive employee files - including job applications, background checks and Social Security numbers, NBC reports.

The provider organization did not immediately respond to an Information Security Media Group request for comment, and as of Thursday the incident was not posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.

And several other recent ransomware incidents have been added to that tally.

Cochise Eye and Laser

For example, Sierra Vista, Arizona-based Cochise Eye and Laser recently reported that an incident affected 100,000 individuals.

In a statement posted on the practice's website, Cochise Eye and Laser says a data breach occurred on Jan. 13 when it was "attacked by a ransomware virus."

The incident involved the encryption of the practice's patient scheduling and billing software, the practice says.

"There is no evidence that the data was taken, only that it was encrypted, and in some cases deleted, making it impossible for us to access anything in our scheduling system," the practice says.

In a Feb. 17 statement, Cochise Eye and Laser noted that its office was operating with paper charts.

"We have been working on implementing increased security measures, recovering data and a new offsite backup," the statement notes.

Although there is no evidence the data was taken, patient names, dates of birth, addresses, phone numbers and in some cases Social Security numbers were stored in the practice's billing software that was affected by the incident, the practice says.

In a statement provided to ISMG on Thursday, a Cochise Eye and Laser spokeswoman says the practice is still in the recovery stage. "We are operating on paper for scheduling at this time, but our practice management software is finally scheduled to be installed tomorrow."

Also, while the practice reported to HHS that the breach affected 100,000 individuals, that figure was "a gross overestimation we gave at the time based on account numbers in our software system." The number of individuals now estimated as being affected by the incident is "a maximum of 60,000," she says.

AllyAlign Health Plan

Also among recent apparent ransomware attacks posted on the HHS OCR website is a hacking incident reported by Virginia-based AllyAlign Health Plan, an administrator of Medicare Advantage plans.

The Maine attorney general's office says a breach report filed by AllyAlign Health says the incident, which occurred on Nov. 13, 2020, was discovered Feb. 2 and involved "external system hacking" that affected more than 76,000 individuals, including residents of Maine.

The company did not immediately respond to ISMG's request for additional information.

A sample breach notification letter from AllyAlign provided to Maine's attorney general dated Feb. 26 notes that on Nov. 14, 2020, AAH detected that it was the target of a cybersecurity attack.

"An unauthorized third party attempted to infiltrate the AAH’s computer network, lock-out AAH, and then demand a ransom payment," the letter states.

AAH adds that it is possible that the following information was exposed: patient name, mailing address, date of birth, Social Security number, Medicare health insurance claim number, Medicare beneficiary identifier, Medicaid recipient identification number, medical claims history, health insurance policy number and other medical information.

AAH has not received any reports of related identity theft since the date of the incident, the letter notes.

Taking Action

In light of the surge in ransomware and other attacks, healthcare needs to adopt a two-pronged defensive strategy, Weiss says.

"First, harden your IT and operational technology networks before the cyberthreat actors find a weakness and exploit it." A critical step is keeping patches up to date.

Healthcare entities also should conduct employee awareness training, he says. "It is critical they learn how to identify and defeat social engineering attacks designed to get these employees to inadvertently introduce malware from phishing emails and other cyberattacks into the victim network. Vigilance is the key to defense."

As a precaution, healthcare organizations also should expand their operations to include incident response and an extension of their security team that includes managed detection and response to provide 24/7 coverage, suggests Monique Becenti, product manager at security firm Pondurance.

"Bad actors are becoming more sophisticated in attacks and focus on compromising user and administrative credentials, which will continue to be a common attack vector that allows bad actors to gain remote access to your domain controller," she says.

What's Next?

So with the healthcare sector being in the crosshairs of ransomware gangs and other hackers, what's next?

"Healthcare will be the most-targeted industry for the next five years," predicts Fleming Shi, chief technology officer at Barracuda Networks.

The logistics involved in delivery of vaccines will also be a target, he predicts. "Attackers are now using the vaccine as an opportunity to conduct targeted spear-phishing attacks," he says.

Medical devices also could be targeted, he adds. "Bad actors may try to hold a patient’s diabetes insulin pump ransom or try to hit a wider audience via a supply chain attack on the manufacturer that pushes malware to a multitude of devices."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.