Business Associate Ransomware Attack Impacts 115K in CA

September 09, 2021 - California health center LifeLong Medical Care began notifying over 115,000 individuals of a business associate ransomware attack that may have exposed protected health information (PHI) and personally identifiable information (PII) late last year.

The business associate, cloud IT provider Netgain Technologies, discovered a breach in November 2020 that impacted numerous healthcare organizations. LifeLong Medical Care learned about the breach in late February and learned in August that its patient data had been compromised.

After an investigation and document review, LifeLong discovered that names, Social Security numbers, birthdates, patient cardholder numbers, and treatment and diagnosis information were compromised.

LifeLong said that it had no evidence of data misuse as a result of the incident.

“At LifeLong Medical Care, protecting the privacy of personal information is a top priority,” the provider’s statement explained.

“As part of LifeLong Medical Care’s ongoing commitment to the security of information, we are working with our third-party vendors to enhance security and oversight.”

Netgain is a company that specializes in cloud solutions surrounding HIPAA compliance, cybersecurity, cloud migration, and other services for the healthcare, accounting, and legal sectors.

The vendor paid a ransom to the attackers in exchange for assurances that the bad actor would not release the data publicly and would delete all copies. However, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have urged organizations to never pay the ransom, as it does not guarantee the safe return of data and may encourage attackers to strike again.  

LifeLong is the latest health center in a long list of providers impacted by the Netgain ransomware attack. Over 158,000 patients at Allina Health’s Apple Valley Clinic in Minnesota were notified of the breach.

In June, health insurance broker Caravus announced that patient data had been jeopardized through the Netgain breach. Netgain initially told Caravus in an official statement that its data was not impacted by the security incident. But further investigation revealed that Netgain failed to destroy legacy data on an old server after a 2015 data migration, and pre-2016 Caravus patients were subsequently impacted by the breach.

The Netgain breach also impacted SAC Health Systems, San Diego Family Care, Woodcreek Provider Services, and Elara Caring. Another 293,516 patients from Health Center Partners of Southern California also fell victim to the ransomware attack.

Reports have shown that paying the ransom does not guarantee that the victim will fully recover data or that it will not be misused and sold on the dark web despite the hacker’s assurances. Coveware’s November 2020 ransomware report emphasized the importance of considering all options and consequences before deciding to pay a ransom.

“The data will not be credibly deleted. Victims should assume it will be traded to other threat actors, sold, or held for a second, future extortion attempt. Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end,” the report suggested.

“Stolen data custody was held by multiple parties and not secured. Even if the threat actor deletes a volume of data following a payment, other parties that had access to it may have made copies so that they can extort the victim in the future,” they added. “The data may get posted anyway by mistake or on purpose before a victim can even respond to an extortion attempt.”