Hackers Leak COVID-19 Vaccine Data Stolen During EU Regulator Breach

January 13, 2021 - The European Medicines Agency discovered hackers have posted online the COVID-19 vaccine data exfiltrated during an earlier cyberattack on the EU regulator. As previously reported, the hacked server contained vaccine data from pharma giants Pfizer and BioNTech.

EMA is regulating the EU effort on vaccine assessments and approvals of COVID-19 research, treatments, and vaccines. Pfizer and BioNTech submitted their COVID-19 vaccine data to the regulator for approval prior of the attack. 

But hackers breached the server containing that data ahead of a meeting to determine the vaccine’s conditional approval in early December, EMA reported . The attack was highly targeted and compromised data on the first authorized COVID-19 vaccines.

EMA reported the hackers accessed certain documents related to those regulatory submissions, specifically for the companies’ BNT162b2 vaccine candidate. The breach was contained to just one IT application and the documents stored on the impacted server.

At the time, the regulator did not explain whether the data was exfiltrated during the attack. The latest update shows that the attackers indeed stole data from the server, which has now been leaked online.

READ MORE: Healthcare Accounts for 79% of All Reported Breaches, Attacks Rise 45%

EMA has been working with the UK National Cyber Security Centre and law enforcement, which is taking necessary steps to secure the data. All impacted parties have been notified of the incident and the efforts to track down the culprits.

“The agency continues to fully support the criminal investigation into the data breach and to notify any additional entities and individuals whose documents and personal data may have been subject to unauthorized access,” EMA officials said in a statement.

“The agency and the European medicines regulatory network remain fully functional and timelines related to the evaluation and approval of COVID-19 medicines and vaccines are not affected,” they added.

The report follows multiple federal agency alerts that warned nation-state hackers have been steadily targeting the healthcare sector and other entities working on the COVID-19 response. Hackers with ties to China, Russia, and North Korea have allegedly sent massive campaigns working to gain access and exfiltration vaccine and treatment data.

The actors have previously launched attacks on the World Health Organization, but the attackers were unsuccessful. However, cybercriminals successfully hacked a number of other healthcare organizations, including global biotech firm Milteny and Hammersmith Medicines Research.

READ MORE: COVID-19 Vaccine Distribution Spurs 51% Rise in Health Web App Attacks

A rare joint alert from US and UK federal agencies urged all healthcare entities working on the COVID-19 response to be on guard for an increase in targeted hacking attempts. Since the start of the global vaccine rollout, overall cyberattacks have increased by 45 percent and healthcare web app attacks rose by 51 percent.

67K Patients Impacted by South Country Health Phishing Attack

South Country Health Alliance recently began notifying 66,874 health plan members that their data was potentially compromised during a phishing attack more than six months ago in June. SCHA is a county-owned health plan based in Minnesota.

On September 14, officials said they first discovered unauthorized access on an employee email account. A review determined the access first began on June 25. The account was immediately secured, and SCHA contracted with a third-party cybersecurity firm to assist with the investigation.

The investigation ended on November 5, which included a review of the affected account’s contents. As notifications went out in late December, it’s important to note that HIPAA requires covered entities to report data breaches impacting more than 500 patients within 60 days of discovery and not at the conclusion of an investigation.

SCHA determined the compromised data belonged to community members, including names, Social Security numbers, Medicaid and Medicare numbers, health insurance information, diagnostic or treatment data, date of death, provider names, treatment costs, and contact details.

READ MORE: OCR Warns of Global Supply-Chain Cyberattacks Via SolarWinds Orion

All impacted individuals will receive free credit monitoring and identity protection services.

Jefferson Healthcare Reports Phishing-Related Breach

Washington-based Jefferson Healthcare is notifying about 2,550 individuals that their data may have been compromised during a period of unauthorized access brought on by a successful phishing attack.

Discovered on November 12, officials said they immediately took steps to secure the account and prevent continued access. Two forensics specialist firms were hired to investigate the scope of the breach and to determine whether personal data was involved.

Jefferson’s thorough notification reported that based on their previously implemented security practices and its investigation, it appears that “relatively few documents were likely viewed by the unauthorized parties during their brief access to the affected email account.”

However, investigators could not definitively conclude whether certain information and documents contained in the account were accessed during the attack. The potentially exposed data could include names, dates of birth, contact details, health insurance information, and dates of service, diagnoses and treatments.

For a small number of patients, SSNs and or financial data may have been compromised.

Further, it does not appear as if the hacker was able to access the EMR, billing, or other systems outside of the impacted email account during the attack.

“Jefferson Healthcare takes individual privacy, and the trust of our community, seriously and has taken immediate steps to enhance our information security systems,” Brandie Manuel, Chief Patient Safety and Quality Officer, said in a statement.

“We continue to be vigilant in resolving security threats as they are identified and educating our staff members,” they added. “We are committed to transparency and sincerely apologize to those who have been impacted by this breach.”

Jefferson has since implemented additional anti-fraud technology safeguards and other cybersecurity risk prevention measures, as well as reinforced education and training for all workforce members on phishing email schemes and properly securing login credentials.

The provider is also continuing to review its policies and procedures to ensure its network is fully secured.

LSU Health University Expands Previous Breach Tally

LSU Health New Orleans Health Care Services Division (LSU HCSD) has released an update to its previously disclosed breach notification, which reports patients from an additional hospital were also impacted by a September email hack.

LSU HCSD previously reported the security incident affected its Lallie Kemp Regional Medical Center; Leonard J. Chabert Medical Center; W.O. Moss Regional Medical Center; and the former Earl K. Long Medical Center; Bogalusa Medical Center; University Medical Center; and Interim LSU Hospital in New Orleans, facilities.

The tally has since been adjusted to include thousands of patients from LSU Health University Medical Center-New Orleans (UMC-NO).

According to officials, unauthorized email access began on September 15 and was discovered by administrators three days later. The account was immediately secured and an investigation was launched.

Access to the account information could not be ruled out, which included a range of patient data like names, contact information, medical record and account numbers, dates of birth, SSNs, types and dates of service, and insurance identification numbers.

Some bank account information and health data was also compromised for a smaller amount of patients.

LSU HCSD previously reported the investigation into the incident was ongoing, even after the initial disclosure was sent to patients. The review has since expanded the scope of the impacted data. UMC-NO is in the process of conducting its own investigation into the security incident.

“Although strict privacy and security policies were in place at the time of the intrusion, security practices and procedures as well as additional available methods for protecting the email system are being reviewed to determine if improvements can be made to further reduce the risk of such a breach in the future,” officials said in the release.

“Any changes will be included in the information security training that all employees are required to complete,” they added.