Ransomware Shuts Down Colorado Hospital IT Network Amid COVID-19

April 28, 2020 - Colorado-based Parkview Medical Center’s technology infrastructure was hit with a ransomware attack a week ago on April 21, which caused a number of IT network outages, according to local news outlet KOAA. The hospital is currently serving patients during the COVID-19 pandemic, while they work to recover.

Upon discovering the cyberattack, officials said they engaged with a third-party forensic team to mitigate and investigate the incident. The notice does not detail what systems were affected, when the cyberattack started, nor if patient data was impacted.

The hospital is leveraging paper records to track and treat patients, as they work to restore the impacted systems.

“Patient care is always our first priority. Patients will not see any impact to the level or quality of care being delivered,” officials said in a statement. “As a regular course of business, Parkview Medical Center frequently trains and prepares for scenarios that result in IT system outages.”

“We are well-prepared, and our staff is trained to continue operations while we work to get our regular IT systems back online,” they added. “While our medical staff continue to work around the clock in response to the ongoing global pandemic, we are doing everything in our power to bring our systems back online as quickly and securely as possible.”

Currently, the investigation is ongoing, and updates will be provided as more information comes to light from the forensics team. As of 12:00 PM ET, on April 28, their website hosts this message: “Parkview Medical Center is currently experiencing a network outage. More information to follow.”

Email Hack on Ambry Genetics Impacts 233K Patients

Ambry Genetics in California recently began notifying about 233,000 patients that their data was potentially breached after a two-day email hack in January. It’s one of the largest breaches reported to the Department of Health and Human Services in 2020.

The clinical genomic diagnostics vendor’s security team discovered a hacker gained access to an employee email account from January 22 to January 24. An investigation was launched with assistance from an outside security firm, but they were unable to determine whether the hacker was able to access or exfiltrate any data contained in the impacted account.

The compromised account contained patient names, medical data, and information related to the use of Ambry services. The Social Security numbers of a smaller number of patients were also impacted. Ambry will provide affected patients with identity monitoring services.

Ambry is continuing to review and enhance its security, while providing employees with additional security training.

Ransomware Hackers Publish Data Stolen from ExecuPharm

Pennsylvania-based ExecuPharm recently reported it fell victim to a ransomware attack earlier this year, and the hackers exfiltrated the data, then published the information online when the pharmaceutical company refused to pay the ransom.

The attack joins the rapidly expanding hacking trend of double-extortion made popular by the Maze hacking group. Check Point recently warned hackers are targeting hospitals by first by extracting large amounts of data, before installing ransomware to pressure victims into paying to decrypt files.

On March 13, hackers encrypted ExecuPharm servers and demanded a ransom to unlock both corporate and personnel information. The security incident also included a phishing campaign sent to the company’s workforce.

The investigation determined the hackers behind the ransomware and phishing attacks accessed and exfiltrated both personal personnel information, as well as information from some personnel from Parexel, ExecuPharm’s parent company, which was stored on the impacted data network.

The compromised data included employee Social Security numbers, taxpayer IDs and EINs, driver’s licenses, passports, bank account numbers, credit card numbers, national insurance numbers, national ID numbers, IBAN/SWIFT numbers, and beneficiary information, including SSNs. Impacted individuals will receive a year of identity monitoring.

ExecuPharm was forced to rebuild the impacted servers from backup servers, after fully restoring and securing the systems once it was confirmed they were secured. The restoration also included installing forensic tools on all systems and implementing improved countermeasures to block ransomware emails.

Further, officials said they’ve reset all passwords, implemented multi-factor authentication for remote access, and installed endpoint protection, detection, and response tools.