Accellion Breach Tally for Centene’s Subsidiaries: 1.3M Patients Impacted

April 06, 2021 - The Department of Health and Human Services’ breach reporting tool shows over 1.3 million patients of Centene subsidiaries were impacted by the massive Accellion File Transfer Appliance vulnerability hack and subsequent data exfiltration, first reported in early February.

The incident was reported to HHS in four separate filings, affecting 523,709 Health Net of California patients, 26,637 patients of Health Net Life Insurance Company, 686,556 patients of Health Net Community Solutions, and 80,138 California Health & Wellness (CHW) patients. All reported entities are subsidiaries of Centene.

The notices show the attackers had access to the entities’ information from January 7 until January 25. The impacted data included contact details, dates of birth, insurance ID numbers, and health information, such as treatments and medical conditions.

As previously reported, an SEC filing issued by Centene revealed Accellion notified the entity in January 2021 that an attacker exploited multiple, unpatched zero-days vulnerabilities in the FTA platform and combined the flaws with a new webshell called DEWMODE.

The exploit gave the hacker access for a number of days, which resulted in the theft of data from at least 100 Accellion clients, including Centene, Kroger, the Jones Day Law Firm, Trillium Community Health Plan, and the Southern Illinois University School of Medicine, among others.

READ MORE: Dark Web Analysis: Healthcare Risks Tied to Database Leaks, Credentials

According to an earlier Department of Homeland Security Cybersecurity and Infrastructure Security alert, FIN11 and Clop ransomware threat actors were behind the hack. It’s believed initial access began in mid-December. No ransomware was deployed in the incident.

At first, it was unclear the motive of the attack. But Clop actors have since posted troves of stolen data online in a mass extortion effort. A number of impacted entities have also received emails from the attackers, adding to the extortion attempts.

Further, media reports show hackers leaked data purportedly stolen from Stanford University School of Medicine during the Accellion incident. Screenshots shared with HealthITSecurity.com show that Clop ransomware actors have also posted data belonging to medical equipment manufacturer Nipro and multiple healthcare-related entities tied to the Accellion hack.

For example, the threat actors previously posted proofs data allegedly stolen from the University of Miami. Among the leaked data set are pages of documents from the Department of Veterans Affairs.

The case demonstrates the extent and reach of the initial Accellion hack, which may remain unclear for the foreseeable future. For now, the impacted entities are continuing to investigate the scope of the incident, as the number of victims continues to rise.

158K Apple Valley Clinic Patients Impacted by Netgain Cyberattack

READ MORE: 350M Voicemails, Health Details Exposed by Misconfigured Database

The number of patients affected by a 2020 cyberattack on Netgain is also on the rise. The latest breach notification from Allina Health’s Apple Valley Clinic shows that the data of 157,939 patients were compromised by the third-party vendor incident.

At the end of January, reports first revealed that a ransomware attack hit Netgain in September 2020. Attackers leveraged compromised credentials to access the vendor’s system, which then spread to a number of client systems. 

Access to clients’ systems began in November, before the attackers deployed the ransomware payload during the first week of December. Amid the initial attack stages, the hackers also managed to steal some patient data.

Netgain reportedly paid the attackers to recover the stolen data, after receiving “assurances that the attackers deleted the data and did not retain any copies.” It’s important to note researchers have observed hackers providing false evidence of data destruction to then publicly dox victims, even when the ransom is paid.

The vendor has continued to monitor for evidence the attackers may attempt to sell the stolen data. But so far, there’s been no evidence of data leakage. As of January 14, Netgain completely contained and eradicated the threat.

READ MORE: 41 States Settle with AMCA Over 2019 Data Breach Affecting 21M Patients

Apple Valley was notified of the initial cyberattack on December 2. After Netgain recovered from the attack on January 29, the clinic was informed that patient data may have been impacted.

The affected data included patient names, dates of birth, Social Security numbers, bank account and routing numbers, patient billing data, and medical information, like diagnoses and symptoms. The data only included Apple Valley Clinic patients.

In response to the attack, the clinic is enhancing its cybersecurity protocols and practices. The clinic implemented Allina Health’s EHR in February and also began migrating the clinic to a new IT system, used by Allina Health, as well.

Apple Valley continues to work with Netgain to ensure the vendor is taking appropriate steps properly secure the patient data in its possession. Netgain is also continuing to scan its environment to identify potential impacts of the attack and to promptly address newly identified vulnerabilities.

Other healthcare entities impacted by the incident include Sandhills Medical Foundation (39,602 patients), Woodcreek Provider Services (207,000 patients), Elara Caring (100,487 patients), and Minnesota’s Ramsey County Family Health Division (8,700 residents).

Vendor Incident Leads to Yearlong Breach of BeoTel Patient Data

BioTel Heart recently began notifying 38,575 patients that their data was potentially compromised for about one year, after a vendor inadvertently left personal information exposed online.

In January, BioTel discovered that a vendor failed to secure an online database between October 17, 2019 and August 9, 2020. The impacted information involved medical records collected by the vendor from providers who ordered remote cardiac monitoring services from BioTel.

The affected data included patient names, dates of birth, medical information tied to remote cardiac monitoring services, such as prescribing providers, diagnoses, diagnostic tests, health insurance details, and some SSNs. All patients will receive two years of free identity protection services.

While the notice is scarce on details regarding the leaky database, security researcher Bob Diachenko first discovered a database belonging to a medical software company left online without the need for a password or order authorization, in August 2020. 

The personal information of more than 3.1 million patients was contained in the database. Around the same time, DataBreaches.net reported that another researcher found a misconfigured Amazon S3 storage bucket leaking more than 60,000 patient records with PHI tied to the BioTel cardiac network, including scanned faxes of PHI requests from patients whose insurance claims reimbursements were denied. The requests appeared to be handled by SplashRx/HealthSplash.

BioTel has since confirmed that its vendor secured the data stored online and terminated the business arrangement with the vendor responsible for the breach. The entity will also require the vendor to securely delete all copies of BioTel records.

Advanced Orthopaedics Phishing Attack Impacts 125K Patient Records

The data of 125,291 patients, employees, and dependents was potentially compromised after the hack of multiple email accounts belonging to the Centers for Advanced Orthopaedics (CAO) in Bethesda, Maryland.

CAO first discovered unusual activity in its email environment on September 17, 2020 and launched an investigation with assistance from a third-party cybersecurity firm. Officials said they discovered multiple employee accounts were hacked for nearly a year between October 2019 and September 2020.

The investigation determined certain emails were accessible to the attackers during the incident. CAO performed an extensive review and data mining effort to identify the impacted individuals and data.

In January, CAO confirmed protected health information was contained in the accessible emails. Officials said they couldn’t confirm if the data was indeed accessed or acquired by the culprit.

The affected data varied by patient but could include medical diagnoses and treatment information, as well as some SSNs, driver’s license numbers, passports, financial account details, payment card data, and or emails, usernames, and passwords.

For impacted employees and dependents, the data could include dates of birth, medical diagnoses, treatments, SSNs, and driver’s licenses. A smaller subset of individuals may have had passports, financial account details, payment cards, or user credentials impacted, as well.

CAO is reviewing its security policies and procedures, as well as its security infrastructure to prevent a recurrence. Officials said they’ve also implemented additional safeguards.