Minnesota’s Lake Region Healthcare Recovering From Ransomware Attack

January 07, 2021 - Lake Region Healthcare (LRH) was hit with a ransomware attack a few days before Christmas, resulting in some computer system outages and disrupting certain operations. The Minnesota health system is continuing its recovery efforts, while investigating the scope of the incident.

First reported on December 22, the security team first detected unidentified activities on certain computer systems. In response, officials said they launched EHR downtime procedures to ensure continuity of care.

The outage impacted LRH locations in Fergus Falls, Battle Lake, Ashby, and Barnesville. LRH had previously established downtime protocols ahead of the attack, which enabled the care team to continue providing patient services.

However, some patient care and business service systems were left without full functions in the immediate wake of the attack. Officials said staff worked closely with computer specialists to determine the cause of the disruption, examine the scope of the incident, and restore downed systems.

“Our efforts are focused on providing safe patient care while working to ensure data and information is safeguarded,” LRH CEO Kent Mattson, said in a statement. "We have substantial internal and external resources dedicated to restoring systems, and our investigation will be ongoing until it is resolved." 

READ MORE: COVID-19, Ransomware, Breaches Led 2020 Health IT Security Trends

“We are dedicated to serving our patients and business partners,” he continued. “Patients are encouraged to call their provider’s office prior to confirm [their] scheduled appointments or with any questions or concerns, and to bring any current medications with them to their appointment.”

The latest update confirmed the LRH outage was caused by a sophisticated ransomware attack, which prompted officials to contact federal and local law enforcement. The health system is also working with a team of third-party security leaders to help with the investigation.

The scope of the incident has yet to be established, and so far, there's no evidence of data exfiltration.

LRH is continuing to restore many of its impacted systems, providing most services “as usual by operating largely off alternative systems.” Officials said they’re evaluating patient care on a case-by-case basis to ensure care quality.

Patients are still being asked to confirm appointments before visiting the health system. LRH will make an announcement once systems have been restored to ensure patients that need to make payments or access other services will know when LRH is back online.

READ MORE: Biggest Healthcare Security Threats, Ransomware Trends into 2021

The LRH attack joins nearly a dozen providers impacted by ransomware during the last quarter of 2020. As previously reported, hackers have been targeting the sector with ransomware through a coordinated effort. 

Universal Health Services was one of the first providers targeted in the massive ransomware wave, followed by a host of other providers that were also driven to EHR downtime procedures, including the University of Vermont Health Network, Sky Lakes Medical Center, and GBMC HealthCare in Maryland, just to name a few.

Recent Check Point research found that attacks on healthcare increased by 45 percent from November, driven by Ryuk ransomware threat actors.

“Activist” Group Known as DDoSecrets Leaks Mined Health Data

The “activist” group known as DDoSecrets recently posted a trove of sensitive data online, which they gathered by mining data previously leaked on dark web markets, first reported by Wired.

According to the report, the “data activists” leaked 1TB of data mined from previous dark web leaks. The data includes over 750,000 emails, photos, and other information from about five different companies.

READ MORE: ASPR Warns Ransomware Threat is Persistent, as Actors Leak More Data

The group offered to share another 1.9TB of data from more than 12 other companies with selected researchers or journalists. The mined data set stems from pharmaceutical, retail, finance, manufacturing, real estate, and oil industries.

DDoSecrets intends to continue leaking even more data in the coming weeks and months. For ethical reasons, HealthITSecurity.com will not share the link to the data sets, nor will it provide a platform for the group.

The screenshots of the data shared with HealthITSecurity.com show the group has leaked about 200,000 emails and other files from ExecuPharm, a pharmaceutical company used for outsourced medical trials.

As previously reported, ExecuPharm was hit with a ransomware attack in March. The hackers exfiltrated a subset of data and published it online in an attempt to extort the provider, when they refused to pay the ransom demand.

The hackers first gained access through a successful phishing campaign sent to the company’s workforce. Officials determined the hackers indeed accessed and exfiltrated corporate and personnel data, as well as personnel information from Parexel, ExecuPharm’s parent company.

The stolen data included Social Security numbers, national IDs, credit card numbers, and financial information, among other sensitive information. The pharma company was also forced to rebuild its impacted servers from backup data, as a direct result of the hack.

Coveware found that data exfiltration and subsequent extortion attempts occur in nearly half of all ransomware attacks, and it's not always caused by poor security practices.

DDoSecrets appear to be adding to the security burden and ransomware fallout already facing the healthcare sector. Notably, the Department of Homeland Security’s Office of Intelligence and Analysis designated DDoSecrets as a criminal hacking group in June, after they published 296 gigabytes of law enforcement data.

Prestera Center Email Hack

West Virginia-based Prestera Center recently began notifying a small percentage of its patients that their data was potentially compromised after a hack on its business email environment.

The notice does not detail when the security incident was first discovered, nor how the unauthorized email access occurred. Instead, officials explained that after discovering the unauthorized access to both current and former patient data, a thorough review was launched with assistance from an outside vendor.

The review determined the compromised data included names, dates of birth, medical record and or patient account numbers, diagnostic details, provider information, prescriptions, and treatments.

For some patients, contact details, SSNs, and Medicare or Medicaid numbers were exposed. The compromised data varied by patient, and all will receive free identity theft and credit monitoring services.

Prestera has since strengthened its cybersecurity infrastructure, including revising its policies and procedures, implementing multi-factor authentication for all accounts, replacing and strengthening the firewall, and enacting an intensive employee security training program.

Mattapan Community Health Center Reports Monthslong Email Hack

Mattapan Community Health Center (MCHC) in Massachusetts recently disclosed that a monthslong email hack potentially compromised the data of an undisclosed number of patients.

MCHC discovered suspicious activity in an employee email account on October 16 and immediately launched an investigation with help from a third-party computer forensic investigator.

On October 29, officials determined a hacker first gained access to the employee email account nearly three months earlier on July 28, 2020. 

The security team manually and programmatically reviewed the account to determine just what data may have been accessible to the hacker during the incident. The compromised data varied by individual but could include names, SSNs, diagnoses and treatments, provider information, health insurance details, and or medical record numbers.

MCHC has since implemented additional security measures to prevent a recurrence.