Ransomware Attack on Mental Health Provider Affects 172,000
Deer Oaks Behavioral Health Says Incident Contained to 'Single Segment' of Network
A Texas-based mental healthcare provider is notifying nearly 172,000 patients that their information was potentially compromised in a ransomware incident, even though the attack was apparently detected and contained quickly.
Deer Oaks Behavioral Health, which is based in San Antonio and provides psychological and psychiatric services to residents of more than 1,500 long-term care and assisted living facilities across several states, said in a breach report submitted to Maine's attorney general Tuesday that it had become aware of potential unauthorized activity within its computer network on Sept. 1.
"The unauthorized activity was immediately detected and isolated by Sophos antivirus software, limiting the incident to one segment of Deer Oaks' network," Deer Oaks said in its breach notice.
Upon discovery of the incident, Deer Oaks engaged a third-party vendor to secure its network and conduct a forensic investigation to determine the nature and scope of the unauthorized activity, the entity said.
An attorney representing Deer Oaks for the company's breach response told Information Security Media Group that the incident had been limited to a "single segment" of the entity's network. He did not immediately respond to Information Security Media Group's inquiry about whether ransomware had encrypted any data contained in that part of Deer Oaks' environment, or if any data had been stolen.
"While Deer Oaks is continuing to conduct a forensic investigation, it has elected to proceed with notifying state regulators as well as those individuals whose information may have been impacted by the incident with an offer of free credit monitoring and identity theft protection services," Deer Oaks' attorney said.
Deer Oaks in its report to Maine's attorney general said the incident had affected 171,871 individuals, including 460 Maine residents. As of Wednesday, the incident was not yet posted to the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
The entity's breach notice indicates that patient information potentially compromised in the incident includes names, addresses, birthdates, Social Security numbers, diagnosis codes, insurance information and treatment service types.
In responding to the incident, Deer Oaks' attorney said the entity had immediately conducted a systemwide password reset and strengthened its password requirement policies. "Deer Oaks also implemented new technical and nontechnical safeguards along with periodic technical as well as nontechnical evaluations of such safeguards. In addition, Deer Oaks updated its policies and procedures relating to data privacy and security as well its HIPAA security rule risk management plan," he said.
An annual study released on Wednesday by security firm Sophos found that 75% of healthcare sector entities hit with ransomware attacks end up having their data encrypted by the malware (see: Healthcare's Ransomware Attackers Are Addicted to Encryption).
That's a higher percentage than the 61% of healthcare entities that reported having their data encrypted in last year's Sophos study.
The Sophos report cited the increasing sophistication of cybercriminals as a prime factor impeding many healthcare sector organizations from quickly detecting and containing potential ransomware attacks.
"The healthcare ecosystem is vast and complex, and most entities struggle to implement reasonable and appropriate controls to effectively protect their data throughout their span of control within that ecosystem, including vendor risk, supply chain, payers, providers and other partners," said Dave Bailey, vice president of consulting services at security and privacy consultancy Clearwater.
A ransomware attack is made up of many phases of the attack chain, and it is critical to implement effective controls that can prevent and detect the attack before the threat actor holds the data to ransom, whether through exfiltration or file encryption, Bailey said.
"It is critical, at a minimum, to have a trained workforce to minimize the likelihood of clicking a malicious link or opening a malicious file, have effective and continuous monitoring to detect cyber incidents, and robust network/endpoint detection and response," Bailey said.
"With any security incident, time is always of the essence, and a rapid response can greatly diminish the negative impacts resulting from a successful cyberattack," said Fred Langston, chief product officer of security firm Critical Insight.
In the standard risk model, Langston said, "your probability of a negative outcome resulting from a successful cyberattack goes down rapidly if you stop the attack in its earliest stages." Organizations that invest in 24-hour security monitoring programs can stop attacks before any negative impacts are incurred "if you can see the attack in near real time and respond immediately," he said.
Meanwhile, nation-state actors and well-funded cybercriminal gangs are exploiting zero-day vulnerabilities the bad actors have discovered or purchased from other criminals on the dark web, he said.
"This allows these cyber gangs to launch multiple attacks - hundreds or thousands - against any entity that has the technology that bears the zero-day vulnerability," Langston said.
Most healthcare sector entities have little ability to detect this initial zero-day activity, only finding it after the attackers have exfiltrated data or executed the ransomware payloads across networks and systems, he said.
"More commonly, the vast majority of attacks are crimes of opportunity where known vulnerabilities are not patched or not patched rapidly enough, which allows cybercriminals the opportunity to attack and compromise these systems."