484K Aetna ACE Plan Members Impacted by EyeMed Email Hack

December 29, 2020 - The number of victims impacted by the email hack on EyeMed reported earlier this month has drastically increased, as the Department of Health and Human Services breach reporting tool shows 484,157 Aetna ACE plan members were included in the compromised data.

With its notification, the incident becomes the sixth largest healthcare data breach of 2020.

On July 1, a hacker gained access to an email account and sent phishing emails to contacts from the account’s address book on the same day. The security team discovered the breach on the same day and quickly secured the account.

An investigation determined the hacked account contained information from EyeMed’s current and former vision benefits’ members. The data included member names, contact details, dates of birth, health insurance account and identification numbers, Medicaid or Medicare numbers, driver’s driver’s licenses and other government identification numbers.

EyeMed notified Aetna about the security incident in September. The impacted data included names, dates of birth, and vision insurance details, as well as the medical diagnoses, birth or marriage certificates, financial data, treatment information, and full or partial Social Security numbers for some patients.

READ MORE: Biggest Healthcare Security Threats, Ransomware Trends into 2021

As previously reported, 60,545 Tufts Health Plan members were also affected by the EyeMed security incident.

Conti, Avaddon Ransomware Actors Post More Health Data

Ransomware threat actors continue to show no mercy to healthcare providers during the national crisis, with the Conti and Avaddon ransomware threat actors posting more data allegedly stolen from three separate healthcare providers.

Avaddon was first detected in the wild in the spring, primarily through phishing attacks. Proofpoint previously noted that the variant is particularly notable given its use of large-scale campaigns and its own branding. It’s also a ransomware-as-service campaign, much like e, and is relatively new to the extortion racket.

The group recently posted data they claim to have stolen from Intensive Care Online Network (ICON), a vendor that provides clinician support services, among other services tied to the implementation of ICR therapies and technologies.

Meanwhile, Conti threat actors leaked data allegedly stolen from Miami-based Leon Medical Center on December 21 and Oregon-based Gastroenterology Consultants on December 23.

READ MORE: FBI: Ragnar Locker Ransomware Attacks Increase With Data Theft Risk

For Leon Medical, the hackers claim to have stolen a mass amount of employee and patient data, including SSNs, contact details, insurance data, diagnoses and treatments, and photographs.

The hacking group also posted data that appears to be tied to the radiology department of Gastroenterology Consultants. The screenshots shared with HealthITSecurity.com show more than 25 MB of data, which the actors claim is about 5 percent of the overall data stolen from the provider.

Ransomware Attack on Agency for Community Treatment Services

Florida-based Agency for Community Treatment Services (ACTS) recently began notifying patients who received care with the provider from 2000 to 2013 that their data was potentially breached during a ransomware attack in October.

On October 23, ACTS discovered a security incident on portions of its server and data infrastructure that included ransomware deployment. The systems were immediately take offline, and the security team began restoration efforts with additional security measures and monitoring.

An investigation later revealed the initial systems’ access began two days prior to discovery, as the hackers took steps to conceal their cyber activities.

READ MORE: ASPR Warns Ransomware Threat is Persistent, as Actors Leak More Data

Further, the attack may have resulted in the theft or unauthorized access to personal data, such as names, SSNs, dates of birth, protected health information, medical records, treatment information, and health insurance details related to services received at ACTS from 2000 until 2013. Patients will receive free credit monitoring and identity theft protection services.

“Backups and other information maintained by ACTS were used to enable near seamless restoration of security and services,” officials said in a statement. “ACTS is continuing to work closely with leading security experts to identify and implement measures to further strengthen the security of their systems and prevent this from happening in the future.”

Business Associate MEDNAX Phishing Incident

MEDNAX recently began sending breach notifications after a phishing incident in June potentially compromised the data of an undisclosed number of patients. MEDNAX is a healthcare business associate that provides revenue cycle management and administrative services to physician practice groups.

On June 19, the vendor discovered that a hacker gained access to certain Microsoft Office 365-hosted business email accounts through a successful phishing attack. The investigation that followed found the attacker had access to the impacted accounts for five days before it was discovered. No MEDNAX network or systems were impacted during the incident.

The impacted accounts contained a trove of personal information that varied by patient, including contact details, dates of birth, SSNs, driver’s license number, state identification numbers, financial account details, health insurance information, Medicare or Medicaid numbers, medical information, treatments, procedures, and a host of other sensitive data.

The investigation could not conclusively determine whether personal information was accessed by the hacker. All patients will receive free identity monitoring services for one year.

The review ended in November, which accounts for the delayed notifications. However, under HIPAA, providers and business associates are required to report data breaches impacting more than 500 patients within 60 days of discovery.

MEDNAX has since reset user passwords for business email accounts where the unauthorized activity was detected, as well as enhanced its security controls.