Ransomware Attack on Maryland’s GBMC Health Spurs EHR Downtime

December 09, 2020 - GBMC HealthCare in Maryland is currently operating under planned EHR downtime procedures, after falling victim to a ransomware attack on Sunday, December 6.

The malware infected its IT systems, forcing many GBMC systems offline. Officials said GBMC is maintaining safe and effective patient care, as it had robust processes in place prior to the cyberattack. However, some elective procedures scheduled for the day after the attack were postponed.

“We are collectively responding in accordance with our well-planned process and policies for this type of event,” officials said in a statement. “We regret any inconvenience to our patients, doctors and healthcare partners.”

Screenshots of the ransom note shows the attack was likely launched by Egregor, which is reportedly the follow-up hacking group to Maze: the group that popularized data exortion attempts partnered with ransomware.

The investigation into the incident is ongoing, while GBMC is working with outside experts and law enforcement in response to the event.

READ MORE: FBI: Ragnar Locker Ransomware Attacks Increase With Data Theft Risk

GBMC joins a host of other healthcare delivery organizations impacted by a wave of targeted cyberattacks impacting the sector. Universal Health Services, Valley Health System in Las Vegas, Cleveland Clinic-affiliate Ashtabula County Medical Center, and Nebraska Medicine all fell victim around the same timeframe in September.

A month later, Sonoma Valley Hospital joined the growing list, followed by a joint federal alert detailing the targeted ransomware attack-methods. Further ransomware victims in healthcare include the University of Vermont Health Network, New York-based St. Lawrence Health System, Sky Lakes Medical Center in Oregon, and Hendrick Health in Texas.

Galstan & Ward Family and Cosmetic Dentistry Ransomware Attack

About 10,759 patients of Galstan and Ward Family and Cosmetic Dentistry were recently notified that their health information was compromised after a ransomware attack earlier this year.

What’s notable about the incident is that Galston and Ward first discovered the attack when the threat actors called the provider’s office, claiming they had infected the computer system with ransomware and demanded a ransom to release the encrypted files.

“Prior to the call from the group seeking the ransom, Galstan and Ward noticed some anomalies with its computer system and engaged its outside IT vendor to wipe the server and reinstall the data from a backup,” officials said in a statement.

READ MORE: ASPR Warns Ransomware Threat is Persistent, as Actors Leak More Data

“There was no significant disruption of service or loss of data. No ransom was paid,” they added.

An investigation into the incident determined the hackers first gained access to the system between August 31 and September 1, 2020. At that time, officials said they learned several files taken from the dental office’s servers were posted on the dark web for sale.

Fortunately, none of those files contained any patient-related information.

Galston and Ward worked with outside counsel, who engaged with a third-party security firm to conduct a forensic examination and provide remediation services. The firm was able to confirm that the impacted server was free from malware.

The analysis and a further investigation could also find no evidence that any patient data stored within the dental practice software system was accessed or acquired.

READ MORE: Required Actions to Prevent Common Ransomware Exploits, Access Points

However, the ransomware did impact Galston and Ward’s dental practice software, and as such, the impacted patients have been notified of the security intrusion. The impacted server contained patient data, such as names, Social Security numbers, dates of birth, addresses, and dental records.

“The dental practice software uses a data making technique using cryptographic technology to protect the data,” officials concluded. “We have also implemented and are taking additional safeguards to improve data security on our web server infrastructure.”

Ransomware Attack on Golden Gate Regional Center

A ransomware attack on California-based Golden Gate Regional Center (GGRC) led to the exfiltration of both protected health information and the personal data of 11,315 patients.

On September 23, GGRC officials detected abnormal activity on its computer systems and launched an investigation with assistance from a third-party computer forensics specialists to determine the scope of the incident.

The investigation revealed a hacker accessed the network and removed some information in connection to a ransomware attack. Officials said they undertook a comprehensive review of all potentially impacted PHI and other patient data and determined the compromised data included names, GGRC’s unique client identifiers, service descriptions or codes, service provider or vendor names or numbers, dates of services, and or the costs related to services.

Business Associate Breach Impacts 60K Tufts Health Plan Members

Tufts Health Plan recently notified 60,545 patients that their data was potentially compromised after a security incident at EyeMed, a business associate that provides vision benefits on behalf of Tufts Health Plan members.

According to EyeMed’s notification, a hacker gained access to an email mailbox and sent phishing emails to contacts found in the account’s address book on July 1. Account access was blocked and the mailbox was secured on the same day.

An investigation launched with assistance from an outside cybersecurity firm found the impacted email account contained information on current and former vision benefits’ members, including full names, contact information, dates of birth, vision insurance account and identification numbers, health insurance account and identification numbers, Medicaid or Medicare numbers, driver’s licenses and other government identification numbers, and birth or marriage certificates.

For some plan members, partial or full SSNs and or financial data were also compromised, as well as some medical diagnoses, health conditions, treatment information, and or passport numbers. All impacted patients will receive two years of free credit monitoring and identity protection services.

EyeMed has since bolstered its security protections, including adding further measures for authorized network access providing employees with additional security awareness training.

Notably, EyeMed is owned by Italy-based Luxottica, a global eyewear conglomerate. Luxottica reported a four-day hack on its web-based appointment scheduling application in August, which compromised the data of 829,454 patients.

Luxottica also experienced a ransomware attack this fall that led to the exfiltration of company data by Nefilim ransomware threat actors.

600K Allegheny, AMITA Health Patients Added to Blackbaud Breach Tally

About 299,507 patients of Allegheny Health Network and 261,054 patients of AMITA Health were recently added to the massive Blackbaud breach tally, which has already claimed about 10 million patients from more than two dozen healthcare-related organizations.

In mid-August, reports showed Blackbaud, a cloud-computing vendor for a range of nonprofits, foundations, corporations, education institutions, healthcare entities, and change agents, was hit with a ransomware attack in May.

The cybersecurity team was able to stop the attackers from fully encrypting its network. However, the hackers first gained access to Blackbaud’s self-hosted environment on February 7, before the intrusion was discovered more than three months later.

Further, the attackers exfiltrated a subset of data prior to launching the ransomware payload. Officials said they paid the ransom demand “with confirmation that the copy they removed had been destroyed.” Blackbaud later confirmed some SSNs were also taken during the attack.

Northern Light Health Foundation in Maine and Children’s Hospital of Pittsburgh Foundation were among the first healthcare-related organizations to report their organizations were included in the breached data.

The entities were soon joined by a host of others, including Inova Health System, Saint Luke’s Foundation, MultiCare Foundation, Spectrum Health, Northwestern Memorial HealthCare, and Main Line Health.

For Allegheny, Blackbaud maintains the health network’s fundraising records and donor database. The hackers did not access any credit card information, bank account information, or SSNs related to AHN patients or donors. The provider is continuing to monitor the situation.

Meanwhile, AMITA officials said Blackbaud provides support for multiple foundations operated by the health network, including the Alexian Brothers Foundation (including Presence Health Foundation), Midwest Health Foundation (including Bolingbrook Hospital Foundation, GlenOaks Hospital Foundation, La Grange Memorial Hospital Foundation), and Hinsdale Hospital Foundation.

As a result of the hack, the threat actors were able to access AMITA’s donor database, which included names, contact details, dates of birth, personal notes based on conversations between the individual and AMITA, some donor research, wealth screening, actions or proposals, and giving history. No SSNs, financial accounts, or credit cards were impacted.

Blackbaud is currently facing more than a dozen breach-related lawsuits as a result of the ransomware attack. The latest filing by a breach victim seeks to classify the lawsuits as class-action.