Ransomware Attack Impacts Medical Debt Collections Firm R1 RCM
R1 RCM, one of the largest US medical debt collections firms, recently took down its systems in response to a ransomware attack; an email hack, ransomware, malware, and COVID-19 patient data complete this week’s breach roundup.
By - Medical debt collections firm R1 RCM recently confirmed its systems were taken down in response to a ransomware attack that lasted for at least a week, according to KrebsOnSecurity.
R1 RCM was formerly known as Accretive Health and is one of the largest medical debt collections firms in the US. The company has partnered with over 750 healthcare companies. In 2019, the vendor reported revenues totaling $1.18 billion.
The vendor has yet to comment on what systems were impacted during the attack, but the vendors has access to patient registration information, billing and collections data, and medical diagnostics data, among other sensitive patient information.
R1 RCM declined to name the type of ransomware used in the attack, but reports point to the variant known as Defray. First detected in the wild in 2017, Defray was seen targeting the healthcare and education sectors by Proofpoint.
The ransomware commonly spreads via malicious Microsoft Word documents in emails sent through small phishing campaigns. The lures were tailored to potential victims, with narrow and selective targeting.
READ MORE: Blackbaud Ransomware Hack Affects 657K Maine Health System Donors
“Defray Ransomware is somewhat unusual in its use in small, targeted attacks,” researchers explained. “Although we are beginning to see a trend of more frequent targeting in ransomware attacks, it still remains less common than large-scale “spray and pray” campaigns.”
“It is also likely that Defray is not for sale, either as a service or as a licensed application like many ransomware strains,” they added.
This is the second major security incident on a medical debt collections firm in the last year. The American Medical Collection Agency hack was the largest healthcare data breach of 2019, impacting millions of patient records from Quest Diagnostics, LabCorp, and others. The breach prompted several regulatory investigations and forced the company to file for bankruptcy.
Mental Health Partners March 2020 Email Hack
Patients and some employees of Colorado-based Mental Health Partners (MHP) are being notified that their data was potentially breached after a hack on an employee email account in March 2020.
In March, officials said they first discovered unusual activity in one employee email account and took steps to secure all email accounts.
READ MORE: COVID-19 Impact on Ransomware, Threats, Healthcare Cybersecurity
An investigation launched with assistance from an independent forensics firm determined the hacker potentially accessed the data contained in the account during the hack. Under HIPAA, providers are required to report data breaches within 60 days of discovery – not at the conclusion of the investigation.
The compromised data belonged to some MHP clients, as well as current and former employees, and included dates of birth, Social Security numbers, driver’s licenses, state ID card numbers, passports, financial account information, medical record numbers, treatment data, provider information, and or health insurance information.
The impacted individuals will receive a year of free credit monitoring services. MHP is working with a third-party cybersecurity firm to bolster the security of its digital environment.
“BlueLeaks” Data Breach Impacts COVID-19 Patient Data
The massive “BlueLeaks” data breach that compromised the data of hundreds of thousands of US law enforcement officers in June, potentially breached the compromised the data of individuals who tested positive for COVID-19 in South Dakota, according to local news outlet KELOLAND.
The BlueLeaks incident involved the theft and posting of data from more than 700,000 police officers from 251 law enforcement websites by the hacktivist group known as Anonymous.
READ MORE: Top Risks of 1H 2020: Ransomware, Mobile, Health Infrastructure
Chloé Messdaghi, VP of Strategy, Point3 Security explained that it's still unclear how the attacker was able to gain access or through which vulnerability, "but it appears that resources and information that were easy to find online and that could've been tagged by anti virus software as malicious were used, so at least some of the websites were possibly out of date."
On June 19, the South Dakota Department of Public Safety’s Fusion Center began notifying an undisclosed number of individuals that its vendor Netsential experienced a breach involving a “substantial amount of data” from a number of its clients, including the Fusion Center tied to the BlueLeaks hack.
Netsential assisted the center in the development of a secure online portal to help first responders identify individuals who had tested positive for COVID-19, which was provided via the dispatcher. The data was maintained by Netsential’s servers, with access restricted to “a select number of individuals” who had received training on how to handle the sensitive information,
However, Netsential labeled those files in a way that would allow an unauthorized individual to identify individuals and their COVID-19 status, as well as their birthdates and addresses. The company’s security failure also allowed unauthorized access to its system by a third party.
Further, the information “may continue to be available on various internet sites that link to files from the Netsential breach.” The breach is currently being investigated by the FBI.
"This serves as yet another reminder that local and state websites – even if maintained by third parties – are often out of date and their software isn’t patched on time," Messdaghi said in an emailed statement. "Never use the oldest versions of anything, whether it's Windows Operating Systems or website infrastructure, because the majority of times that a technology vendor releases an update, it has patches to vulnerabilities intended to protect us and our sensitive data."
"Patient status data is particularly sensitive," she added. "There are good reasons why public health records are sealed shut and even family members can’t access them without permission. In these times of heightened tensions due to the pandemic, the last thing we want is for anyone to shun vulnerable members of the community."
Pysa Ransomware Actors Post Data from Piedmont Orthopedics
In yet another incidence of ransomware actors posting data from its victims, the Pysa ransomware hacking group leaked about 3.5 GB of patient information from Piedmont Orthopedics/OrthoAtlanta on its dark web blog, first reported by DataBreaches.net.
The data leak includes highly detailed medical records and other protected health information, such as laboratory tests, diagnoses, and insurance information.
Double extortion ransomware has grown rampant in the healthcare sector, first made popular by Maze hackers. The most recent incidents involved NetWalker and DoppelPayer threat actors, which posted the data from three healthcare entities: The Center for Fertility and Gynecology in Los Angeles, Olympia House, and device manufacturer Boyce Technologies.
Samaritan Medical Center Recovers from Malware Attack
A malware attack on Samaritan Medical Center took its computer system offline for three weeks, driving the New York-based provider to downtime procedures as they worked to recover.
The attack occurred on July 25, which forced the provider to employ paper records and postpone some patient services. Samaritan Medical Center prioritized restoring patient care applications, including primary EHR applications, drug delivery, radiation therapy, medical imaging, and communications.
The main system was brought back online on August 19, once it had resolved all attack-related issues. The IT team continues to work with an outside security firm to restore the remaining computer functions.
