Actor Exploits Beaumont Health’s COVID-19 Vaccine Scheduling Tool

February 02, 2021 - Michigan-based Beaumont Health was forced to shut down its tool for scheduling COVID-19 vaccine appointments over the weekend, after an unauthorized actor exploited a flaw in the Epic platform.

The act allowed 2,700 people to cut in line and register for unauthorized appointments.

The IT team discovered the unusual activity related to online vaccination scheduling through Beaumont’s electronic medical record system on Saturday. Officials said they determined a user took advantage of a known flaw in the Epic tool and publicly shared the scheduling pathway.

The shared pathway was only designed for direct recipients, through “ticket scheduling,” Epic officials explained. Its scheduling tool also uses “open scheduling,” which opens appointments for a broader population.

The IT team immediately contacted Epic to ensure other health systems did not experience similar events.

READ MORE: Hackers Leak COVID-19 Vaccine Data Stolen During EU Regulator Breach

“Health systems that use open scheduling use other methods to verify eligibility, like having people attest to meeting the eligibility criteria such as age or occupation,” Epic officials said in a statement.

“We worked with Beaumont to address this situation, and this will not interfere with those who are currently eligible to schedule an appointment and receive a vaccine,” they added. “The sharing of this information did not compromise anyone’s medical record or any hospital records.”

Beaumont is cancelling all appointments created using the unauthorized “backdoor” pathway, and those individuals will be notified via email. The health system officials also contacted other state providers and the Michigan Hospital Association to communicate the issue.

It’s unclear by its notification whether the actor was from inside the organization, or an outside entity. Web scheduling apps are crucial for an effective vaccine rollout in the community, but attacks on healthcare apps have increased 51 percent since mid-December.

Patch Failure Leads to 7-Year Breach of Insurer

Florida Healthy Kids Corporation (FHKC) recently began notifying online applicants and enrollees of a serious data breach caused by its vendor failing to patch several website vulnerabilities. FHKC offers health and dental insurance for children throughout the state.

READ MORE: CISA: HPH Cyber Threat Insights, Ransomware Reduction Campaign

On December 9, FHKC was notified by it vendor, Jelly Beans Communications Design, that thousands of applicant addresses had been inappropriately accessed and tampered with through an FHKC website hosted by the vendor.

FHKC engaged a third-party cybersecurity firm to conduct a thorough review of the security incident, which found the website and subsequent databases held significant vulnerabilities that enabled the exploit.

“FHKC learned that its web hosting vendor had failed to apply security patches to its software, thereby exposing the website to vulnerabilities that were ultimately exploited by the hackers,” officials said in a statement.

Those flaws left the site vulnerable for seven years between November 2013 and when it was temporarily shut down by FHKC in December 2020.

As a result, a threat actor tampered with applicant addresses. The investigation could not rule out exposure of the other data included in the site, such as full names, dates of birth, contact details, Social Security numbers, financial information, family relationships, and secondary insurance information.

READ MORE: Key 2021 Insights: Proactive Security Needed for Ransomware, Phishing

FHKC is reviewing its current security practices and policies to determine the best next steps for its security program, as well as expediting efforts to transition to a new vendor and website.

Ramsey County Reports Second Health Data Breach in Two Years

A ransomware attack on Netgain, a third-party technology services vendor, potentially breached the data belonging to 8,700 residents of Ramsey County, Minnesota.

According to the notice, Ramsey County officials were made aware of Netgain’s security incident on December 2. A hacker attempted to extort a ransom demand from the vendor, which impacted data within an application used by the county’s Family Health Division to document home visits.

The compromised data included names, contact details, dates of birth, dates of service, account numbers, health insurance information, and medical data. A small number of SSNs were also compromised during the incident.

Upon discovering the incident, Ramsey County immediately stopped using Netgain’s services and switched to backup processes. Officials also contact the Office for Civil Rights and local law enforcement, while consulting with other local governments impacted by the Netgain incident.

This is the second healthcare data breach faced by Ramsey County in the last two years. The first incident was an email breach that occurred in December 2018, where a hacker took control of 26 employee email accounts, including those in the social services department.

Ransomware Attack Hits Crisp Regional Health Services

Georgia-based Crisp Regional Health Services was hit with a ransomware attack on January 27, which impacted some of its systems, encrypted certain data, and shut down its phone lines, according to local news outlet WALB News 10.

The nursing team was the first to detect the flaws, as it encrypted some patient files. Upon discovery, the hospital engaged with a outside data security team to assist with the recovery and investigation.

The hospital also worked to secure information and enhance the security in place to ensure the integrity of the network and data. The phone lines were down for several days before the team restored the system. Patient care continued without interruption.

Notably, the care team employed a system of radios throughout the hospital to maintain access between departments. 

For now, the hospital is investigating the scope of the incident alongside law enforcement and its contracted security vendor.