Latest Health Data Breaches News

3 Weeks After Ransomware Attack, All 400 UHS Systems Back Online

The UHS IT team brought all 400 US health system sites back online, following a massive ransomware attack; a phishing attack, an email hack, and another ransomware attack complete this week’s breach roundup.


By Jessica Davis

Universal Health Services announced its IT team has brought all of the 400 US health system sites back online, three weeks after a massive ransomware attack drove clinicians to EHR downtime procedures.

The news comes on the heels of an inquiry launched by Sen. Mark Warner, D-Virginia, into the health system’s cybersecurity policies and the scope of the cyberattack.

An anonymous UHS staff member took to Reddit on September 27 to determine if any other health system sites were experiencing IT issues, which began a massive thread of workforce members detailing phone, internet, data center, and computer outages across the country. 

Some sites diverted ambulances during the initial attack stages, while others experienced delays with lab test results. Ryuk ransomware was suspected, but it has not yet been confirmed.

UHS officials did not report what they initially called an IT disruption until the following day, later acknowledging all 400 US facilities were operating under EHR downtime procedures, while the IT team worked to recover from the ransomware attack. 


As of October 12, all sites have returned to normal operations – three weeks after the attack began. Notably, the outage lasted more than a week longer than the recently reported average of 15 days. It’s unclear how much the hackers demanded in ransom, or whether the health system paid the demand.

Officials confirm the IT network has been restored at the corporate level and across its acute care hospitals, which has reinstated connections to all major systems and applications, including laboratory, pharmacy, and electronic medical record.

“With back-loading of data substantially complete at this point, hospitals are resuming normal operations,” officials said in a statement. “The wide area networks at the majority of our Behavioral Health facilities are back online as well, with the remaining to follow shortly.” 

“While the Network was offline, patient care was delivered safely and effectively at our facilities across the country using established back-up processes, including offline documentation methods,” they added.

228K Patients Affected by Legacy Community Health Phishing Attack 

Texas-based Legacy Community Health Services recently notified 228,009 patients that their data was potentially breached after a successful phishing attack in July. 


On July 29, officials said they discovered an employee responded to a phishing email the previous day. The account was immediately secured, and an investigation was launched.  

The review found the impacted account contained patient names, dates of service, and health information related to care received at Legacy. For some patients, Social Security numbers were included in the compromised data. The account did not contain any financial account or payment data. 

Legacy is currently implementing security enhancements to its email platform and reinforcing phishing education with its workforce. 

AAA Ambulance Services Reports Ransomware Attack 

AAA Ambulance Services in Missouri fell victim to a ransomware attack in July, which compromised the data of an undisclosed number of patients. 

On July 1, hackers attempted to launch a ransomware attack on AAA, which prompted the IT team to take steps to prevent full encryption of its systems. Officials said they launched an investigation with help from a third-party forensics firm, which concluded on August 26. 


The investigation revealed patient information was accessed or exfiltrated during the incident.  

The notice does not mention, however, that the data was previously posted by REvil ransomware hackers, who first attempted to extort the provider on the dark web and later released the data when no bids were made on the data set, according to screenshots of the dark web posting shared with HealthITSecurity.com.

The post reads: “No one paid for this lot in time, so the data is published.” 

The proofs posted by the hackers show they were able to exfiltrate more than 24 GB of scanned documents, driver’s licenses, signed forms with patient data, such as Social Security numbers, and reports with private information, like contact details. 

The AAA notification further details that the breach may have also included dates of birth, medical treatment information, financial account numbers, diagnoses, patient account numbers, prescriptions, medical record numbers, and/or health insurance information.

What is notable is that, despite the release of data on the dark web, the AAA notice stressed more than once that there is “no evidence to suggest that any personally identifiable information or personal health information has been actually misused.”

AAA will provide patients with a year of free credit monitoring services and has since added further security measures. 

Piedmont Cancer Institute Reports Monthlong Email Hack

About 5,226 patients of Piedmont Cancer Institute (PCI) were recently notified that their data was possibly compromised during a monthlong hack of an employee email account between April 5 and May 8. 

An investigation led with assistance from an outside cybersecurity firm determined the compromised email account contained a range of data that varied by patient, including names, dates of birth, financial account information, credit or debit card numbers, and/or medical information, such as diagnoses or treatments.

The notice does not report when the incident was first discovered, just that the investigation concluded on August 10. Under HIPAA, covered entities are required to report breaches within 60 days of discovery, not at the close of an investigation.

PCI is currently implementing multi-factor authentication across its email platform in response to the incident and has since conducted further security awareness training for its workforce.