320K Impacted in EHR Vendor Breach, Ransomware Hits Health Systems

November 09, 2021 - An EHR vendor began notifying its clients of a data breach that may have exposed the personally identifiable information (PII) and protected health information (PHI) of nearly 320,000 individuals. Other recent data breaches involved unauthorized email access and ransomware.

Ransomware continues to be one of healthcare’s biggest cyber threats to date. The US Department of State recently offered a reward of up to $10 million for information leading to the identification of key leadership in the DarkSide ransomware group. DarkSide claimed responsibility for the Colonial Pipeline attack in May, which pushed ransomware to the top of the White House’s priority list.

Healthcare organizations should remain vigilant as ransomware, phishing, DDoS attacks, and technical vulnerabilities continue to leave the sector open to cyber threats. 

EHR Vendor Breach Impacts 320K

EHR vendor QRS began notifying its clients of an August cyberattack that exposed the PII and PHI of nearly 320,000 individuals. The attack occurred between August 23 and August 26, 2021, when a hacker accessed one QRS dedicated patient portal server.

QRS said it immediately took the server offline, notified law enforcement, and engaged a forensic security firm to investigate the incident. During the three-day attack window, the hacker accessed and may have acquired files on the server containing PII and PHI.

READ MORE: 3 Barriers to Achieving Medical Device Security

The breached information may have included names, birth dates, addresses, Social Security numbers, portal usernames, medical treatment and diagnosis information, and patient identification numbers.

QRS began notifying impacted individuals on October 22 and arranged for complimentary identity theft protection services for those whose Social Security numbers may have been exposed.

“QRS deeply regrets any concern or inconvenience this incident may cause,” the statement explained. “QRS is taking steps to investigate the attack and assess and address the risk of a similar incident occurring in the future.”

Third-party vendor cyberattacks are becoming increasingly common as threat actors look for innovative ways to target healthcare organizations. PracticeMax, a billing and IT solutions vendor, recently experienced a ransomware attack that exposed the PHI of some Anthem and Humana members.

Unauthorized Account Access Exposes Patient PII at UNC Health

UNC Health in North Carolina faced a data security incident involving the PII of 946 patients. Within UNC Health’s EHR system, patients can use a billing field to identify an individual who is authorized to have access to their billing information.

READ MORE: Philips TASY EMR Vulnerabilities May Expose Patient Data

An internal review of the billing fields on September 9 was unable to conclusively determine, in 946 instances, whether the individual names in the patient’s account was actually authorized to access the patient’s billing information.

UNC Health said that while it believes that in most cases, the individual listed is someone who does have authorized access to the patient’s records, it is notifying patients as a precaution. Information accessed included names, addresses, information about charges and payments, and limited clinical information.

The incident did not include any bank account numbers or Social Security numbers.

“In response to this issue, UNC Health has cleared and reset this field in its electronic medical record system so that anyone who was previously authorized to access the patient’s billing information by being listed in this field will no longer have such access,” the announcement stated.

“Patients were also provided with instructions on how to re-establish access to their billing information for the named individual. Additionally, UNC Health has changed its electronic medical records system administration to limit the staff members who have access to update this field and have re-trained the staff members who will continue to have access to update this field.”

Nationwide Laboratory Services Suffers Ransomware Attack

READ MORE: Security Investments Are Increasing, But So Are Cyberattacks

Florida-based Nationwide Laboratory Services, which was recently acquired by Quest Diagnostics, announced that it fell victim to a ransomware attack in May 2021. Ransomware actors began encrypting files and may have removed a limited number of files from Nationwide’s network.

According to the Office for Civil Rights (OCR) data breach portal, the incident impacted 33,437 individuals.

Further investigation revealed that some of the encrypted files contained PHI, including names, lab results, medical record numbers, Medicare numbers, birth dates, and health insurance information. For some, Social Security numbers were also exposed.

“Nationwide has no evidence that any information was or will be used for any unintended purpose,” the announcement stated. “Notified individuals have been provided with best practices to protect their information and have been reminded to remain vigilant in reviewing financial account statements on a regular basis for any fraudulent activity.”

Nationwide said that it is working to evaluate and modify its security practices to further protect patient information.

SD Health System Experiences Network Disruptions Due to Cyberattack

South Dakota-based Prairie Lakes Healthcare System (PLHS) notified patients of an October 6 cyberattack that caused network disruptions and impacted some of the health system’s computer systems.

PLHS said it worked quickly to restore critical systems and that patient care was delivered effectively with “minimal impact” during the disruption.

“While the investigation is ongoing, it was determined the network disruption involved unauthorized third-party activity within a small number of PLHS IT systems,” the notice explained.

“Federal law enforcement was immediately notified. Currently, we have no evidence that there was any unauthorized access to personal or health information. If the investigation determines that personal or health information is involved, we will notify those individuals in accordance with applicable law.”

NY Mental Health Center Server Breach Exposes Internal Files

New York Psychotherapy and Counseling Center (NYPCC), a nonprofit community-oriented mental health provider, announced that it fell victim to a data security incident in September that may have exposed PHI.

NYPCC discovered on September 11, 2021, that an unauthorized third-party had accessed a computer server in its offices.

The server contained internal reports and files which may have contained some patient information, including names, dates of service, Medicaid IDs, addresses, and birth dates.

NYPCC said it notified HHS, law enforcement, and the New York state attorney general of the breach. It is unclear at this time how many individuals were impacted, but NYPCC said it will soon begin mailing notification letters to impacted individuals.

“Protecting the privacy of our clients is of the utmost importance to NYPCC,” the statement noted. “To help prevent any similar incident from occurring in the future, NYPCC remains committed to continually reviewing and enhancing our security protocols related to the personal information of all our patients.”

Medical Staffing Company Provides Notice of 2020 PHI Breach

Maxim Healthcare Group, which encompasses Maxim Healthcare Services and Maxim Healthcare Staffing, began notifying individuals of a data breach that may have exposed PHI. Maxim Healthcare first became aware of unusual activity on December 4, 2020 and later discovered that some employee email accounts were accessed between October 1 and December 4.

Maxim Healthcare was initially unable to determine which email messages or attachments may have been accessed.

“In an abundance of caution, a detailed and thorough programmatic and manual review of the contents of the email accounts was performed to determine whether sensitive information was contained in the email messages or attachments at the time of the event,” the announcement explained.

“Upon receiving the initial results of the review on August 24, 2021, Maxim Healthcare worked diligently to locate address information for the affected individuals and completed that effort on September 21, 2021.”

The unauthorized actor may have had access to names, birth dates, addresses, medical history, medical record numbers, diagnosis codes, patient account numbers, usernames and passwords, and Medicare and Medicaid numbers. For some, Social Security numbers may have been exposed.

Maxim Healthcare began notifying impacted individuals and regulatory authorities on November 4, 2021, almost a year after the initial breach was discovered.

“As an immediate response, Maxim Healthcare instituted additional security protocols, including implementation of Multi-Factor Authentication for all email accounts, and transitioned to a new Security Operations Center with advanced detection and response capabilities,” the announcement continued.

“Maxim Healthcare is further committed to integrating additional cybersecurity infrastructure and security measures without negatively impacting the healthcare populations it serves.”