Ohio Medicaid Reports Provider Data Leak, Other Health Data Breaches

June 22, 2021 - Data breaches and ransomware attacks have been wreaking havoc on the healthcare sector in recent months. In the hands of bad actors, millions of patients have received notice from their healthcare providers that their personal data has been exposed.

Recent guidance from the National Institute of Standards and Technology (NIST) aims to help healthcare providers mitigate cybersecurity risks with its draft of the “Cybersecurity Framework Profile for Ransomware Risk Management.” Despite the growing amount of government guidance, cyberattacks are steadily increasing.

A recent Wall Street Journal article stated that Ryuk, an Eastern European hacking organization, has attacked at least 235 healthcare facilities, simultaneously earning them over $100 million and causing EHR downtime and delays in patient care.  

Other recent healthcare data breaches include the exposure of over 1 billion CVS Health search records, and a ransomware attack on St. Joseph’s/Candler in Georgia that led to significant EHR downtime.

OHIO MEDICAID PROVIDERS’ PERSONAL DATA LEAKED

Ohio Medicaid said Monday that its data manager, Maximus, had a cybersecurity incident sometime between May 17th and 19th that may have exposed names, Social Security numbers, and addresses of providers, according to local news outlet Dayton Daily News.

READ MORE: Insight Global Calls on Former Employees to Secure PII Data Breach

An application containing Ohio Medicaid credential and licensing data was accessed without authorization by an unknown party. Medicaid participants were not impacted by the breach, and it did not affect any other Maximus customers or servers. There is no sign that the information was misused, according to the report.

Maximus sent letters to impacted providers on June 18th. According to Dayton Daily News, Maximus said in a statement that it “promptly took the impacted application offline, launched an investigation with a leading cybersecurity firm, activated response protocols, and notified law enforcement.”

“Because the unauthorized activity was detected at a very early stage, Maximus believes our quick response limited potentially adverse impacts.”

Maximus, one of the world’s largest government health data services contractors, stated that providers whose data may have been exposed will receive two years of credit monitoring services.

CATHOLIC HEALTH SYSTEM PART OF CAPTURERX BREACH

A recently reported CaptureRx ransomware attack impacted at least 17 healthcare organizations and counting through unauthorized file access in February. The company helps hospitals manage their 340B drug program, allowing patients to get prescriptions at a lower cost. Patient files containing birthdates, names, and prescription information were accessed.

READ MORE: CVS Health Faces Data Breach,1B Search Records Exposed

Most recently, Catholic Health in Buffalo, New York was notified that patients from Mount St. Mary’s and Sisters of Charity hospitals were impacted by the CaptureRx breach. Catholic Health stated that demographics, bank account information, and Social Security numbers were not included in the breach, according to local news outlet WKBW.

"We go to great lengths to protect the privacy of our patients and any information related to their care," Kimberly Whistler, corporate compliance & privacy officer at Catholic Health, told WXBW.

"All patients whose names and information were affected will be notified next week by CaptureRx. Because the breach did not include any financial information, we believe it poses little risk to patients, however, as a precaution, it's always wise to monitor your accounts and credit information and report any suspicious activity or suspected identify theft to the proper authorities."

GEORGIA FERTILITY CLINIC FACES RANSOMWARE ATTACK, SSNS AND MEDICAL INFO LEAKED

Georgia fertility clinic Reproductive Biology Associates, along with affiliate My Egg Bank North America, disclosed that approximately 38,000 patients were impacted by a ransomware attack in April.

In a notice from its general counsel Matthew Maruca, Reproductive Biology Associates and My Egg Bank North America stated: “We first became aware of a potential data incident on April 16, 2021 when we discovered that a file server containing embryology data was encrypted and therefore inaccessible.”

READ MORE: St. Joseph’s/Candler Suffers Ransomware Attack, EHR Downtime

After determining that the breach was the result of ransomware, the server was shut down on the same day. The notice said that the actor gained access to the system on April 7th, 2021, and again on April 10th.

By June 7th, the organization pinpointed the individuals who were impacted and regained access to encrypted files. In addition, it received confirmation from the actor that all data has been deleted. The investigation is still ongoing, but legal counsel said in the notice that lab results, full names, addresses, Social Security numbers, and human tissue information may have been exposed.

“As a result of this incident, we have initiated an investigation through a leading professional IT services firm to conduct interviews and analyze forensic data related to the incident. Specifically, we have deployed device tracking and monitoring to help contain and investigate the scope of the incident, as well as performed forensic analyses to understand the scope of the incident,” the notice stated.

In addition, the clinic has conducted cybersecurity training with staff and added internal controls to prevent future attacks, including “working with a cybersecurity service provider to remediate actions taken by the actor and restore our systems, updating, patching, and in some cases replacing infrastructure to the latest versions, deploying password resets to appropriate users, rebuilding impacted systems, and deploying advanced antivirus and malware protection.”