Hospital Recovers from Ransomware; Vendor Incidents Hit Kroger, Provider

February 22, 2021 - In the last few days, three healthcare-related entities reported data breaches or system outages due to ransomware. Kroger informed patients it was part of the massive Accellion data breach, and Harvard Eye Associates was also affected by a third-party vendor incident.

But the most concerning incident is the current EHR downtime at Rehoboth McKinley Christian Hospital in Gallup, New Mexico, brought on by a cyberattack. The nonprofit hospital serves the Navajo nation, which has been ravaged by the COVID-19 pandemic.

The attack was confirmed on February 18, just several days after Conti ransomware threat actors posted a trove of data allegedly stolen from Rehoboth McKinley Christian Health Care Services.

As previously reported, the Conti group’s dark web posting includes files labeled passports, driver’s licenses, and bill of sale, among others in a listing that includes more than 10,000 files. 

HealthITSecurity.com reviewed those files and found scanned patient identification cards, prescriptions, and patient and provider names, as well as completed patient assessments for underage patients.

READ MORE: Patients Sue Wilmington Surgical For Netwalker Ransomware Data Leak

Complete scans of patient treatments, diagnoses, and similarly sensitive information, such as echocardiogram reports, were also listed. At the time of publication, Conti hackers posted just 2 percent of the data they claim to have stolen from the provider. 

The impact of the security incident is particularly alarming combined with the reported cyberattack, which resulted in a lack of online access to patient records and further system outages. Officials said certain systems have been taken offline, but patient care has continued without disruption.

Third-party investigators have been hired to determine the scope and extent of the hack. This story will be updated as more information becomes available.

Accellion Breach Hits Kroger

In mid-December, attackers exploited several zero-day vulnerabilities in combination with a new web-shell to successfully gain access to at least 100 companies through Accellion’s legacy FTA platform and steal victims’ data.

An investigation into the incident revealed on February 22 that the attack was led by the Clop ransomware hacking group. Multiple customers have since reported the hackers have sent impacted Accellion clients emails threatening to post data they stole during the attack.

READ MORE: US Fertility Sued Over Ransomware Attack, Health Data Exfiltration

“Some of the published victim data appears to have been stolen using the DEWMODE web shell,” officials explained in a statement. “[The third-party investigator] Mandiant is tracking the subsequent extortion activity under a separate threat cluster, UNC2582.”

“These exploits apply exclusively to Accellion FTA clients: neither kiteworks nor Accellion the company were subject to these attacks,” they added. “Accellion has patched all known FTA vulnerabilities exploited by the threat actors and has added new monitoring and alerting capabilities to flag anomalies associated with these attack vectors.”

Among the known victims is Kroger, which used Accellion’s services for third-party secure file transfers. The attackers gained access to certain Kroger files through a flaw in the file transfer service, which has impacted about 1 percent of Kroger Health and Money Services’ customers, including its pharmacy and health clinic customers.

The attack also appears to have impacted the HR records of some current and former employees.

Kroger has since discontinued use of Accellion’s services and reported the incident to law enforcement. Officials said they’re also conducting their own investigation into the scope of the incident.

Harvard Eye Associates’ Reports Third-Party Ransomware Incident

The third-party online storage vendor of Harvard Eye Associates recently reported that hackers gained access to its computer system and stole patient data belonging to the specialist.

READ MORE: 70% Ransomware Attacks Cause Data Exfiltration; Phishing Top Entry Point

The hackers demanded a ransom payment for the return of the data, which the vendor paid, before the actors allegedly returned the data. The payment was made in consultation with cybersecurity experts and the FBI.

Further, the attackers said they did not keep copies of the stolen data or disclose it to outside parties. Reports have previously shown that often these claims cannot be validated.

“The vendor’s cybersecurity experts have been monitoring the internet and have not found any evidence that the hackers used or disclosed any of the data,” officials said in a statement.

An investigation into the incident determined the attackers first gained access to Harvard Eye data as early as October 24, 2020. The vendor did not disclose the breach to the provider until January 15, and the notice does not detail when the attack was first discovered.

The compromised data included names, contact details, dates of birth, medical history, insurance information, medications, and treatment information. The hack also involved patients of Alicia Surgery Center, including medical information related to surgeries.

The hackers may have also exfiltrated data on former and current employees, as well as some of their family members and beneficiaries. Social Security numbers, government IDs, driver’s licenses, and or financial card information was not involved in the incident.

Harvard Eye is continuing to investigate the incident and bolster its security program.

Extortion occurs in 70 percent of all ransomware incidents, which is predicted to increase this year as the world continues to respond to the pandemic. CTIL data shows that healthcare is a prime target given its vulnerable state brought on by COVID-19.

In fact, backdoor access sales has drastically increased in the last year. These backdoors provide an easy foothold for ransomware attackers to proliferate across victims’ networks to exfiltrated data, before dropping the ransomware payload.