112K Patients Impacted by Utah Pathology Services Email Hack

August 31, 2020 - Utah Pathology Services is notifying 112,000 patients that their data was potentially affected after the hack of an employee email account in June. 

Discovered on June 30, a hacker attempted to redirect funds from the specialist after gaining control of an employee email account. Officials said the attempt was not successful, and patient information was not directly involved in the suspicious activity. 

The account was secured and an investigation was launched with assistance from an outside IT security and forensics firm. The investigation is ongoing, but officials discovered some patient information was accessible to the hacker during the hack. 

The compromised data varied by patient but could include names, contact information, insurance details such as ID and group numbers, medical and health information like internal records numbers and clinical and diagnostic information, and some Social Security numbers. 

Utah Pathology is currently implementing additional safeguards and security measures to strengthen the privacy and security of its network and has reported the incident to law enforcement. 

Maze and REvil Ransomware Hackers Leak More Health Data 

The Maze ransomware threat actors and the REvil hacking group have again posted data they claim to have stolen from healthcare providers in two separate incidents. 

Screenshots shared with HealthITSecurity.com contained “proofs” of data allegedly stolen by Maze hackers from the Houston-based United Memorial Medical Center, along with “proofs” of alleged data stolen by REvil threat actors from Valley Health System in West Virginia. 

Both providers are currently responding to the COVID-19 pandemic. In July, UMMC reported some of the largest numbers of COVID-19 deaths experience so far during the pandemic. Simultaneously, the health system was dealing with the aftermath of a ransomware attack. 

The proofs posted by Maze show 5 percent of the data the hackers claim to have stolen from UMMC prior to the cyberattack. The zip file posted by the hacking group contained general files from the provider, but also some identifiable patient information. Currently, it’s unclear the extent of the attack and its impact. 

For Valley Health System, the screenshot of proofs shared with HealthITSecurity.com include detailed prescription information on patients and contact details, as well as obstetrics reports, patients files, provider reports, calendars, new employee folders, and other information. 

DataBreaches.net was able to confirm with Valley Health that the health system did indeed fall victim to ransomware on August 22. Officials said emergency procedures were deployed to ensure patient care could continue with minimal disruption. 

The health system confirmed REvil hackers did leak some patient data from Valley Health, and officials are continuing to investigate the incident. Officials said they notified the FBI, as they work on a forensics review.

A host of ransomware threat actors have taken to exfiltrating data from victims before launching a final ransomware payload. The double extortion method was first made popular by Maze hackers and has since been duplicated by REvil, also known as Sodinokibi, DoppelPaymer, and Netwalker. 

Reports show that about one in 10 ransomware attacks result in data theft, and the healthcare sector has remained the leading target for these disruptive attacks. 

Dynasplint Systems Ransomware Attack Affects 103K Patients 

About 103,000 patients have been notified that their data was potentially compromised after a ransomware attack on Dynasplint Systems, a healthcare manufacturer.

According to its notice, the cyberattack occurred on May 16 and prevented employees from accessing Dynasplint computer systems. An investigation that found personal and protected health information may have been accessed or stolen during the incident, including names, contact details, Social Security numbers, medical information, and dates of birth. 

All patients will receive a year of free identity monitoring and recovery services. Dynasplint is continuing to work with an outside cybersecurity firm to bolster its systems and has since reported the incident to the FBI.