Sutter Buttes Imaging PACS Vulnerability Causes 18 Month Data Breach

February 18, 2021 - Sutter Buttes Imaging (SBI) is notifying an undisclosed number of patients that their data was compromised for 18 months, due to a leak caused by a vulnerability in its third-party IT software. The data breach impacted patients who received diagnostic imaging services at SBI.

An exclusive HealthITSecurity.com report previously showed that SBI was leaking patient data online through its vulnerable Picture Archiving and Communication Systems (PACS).

PACS are critical to healthcare infrastructure but are highly vulnerable platforms, given the tech stores massive troves of medical images on those servers. The tool also allows health systems and hospitals to share critical data with multiple providers.

However, the legecy tech has a number of flaws, which Dirk Schrader, Global Vice President at New Net Technologies (NNT) has outlined in great detail over the last few years.

His last report found SBI was the third-largest culprit for leaking data through vulnerable PACS. Schrader found 580,000 patient exams related to 14 million images tied to SBI, which officials learned about on December 2020.

READ MORE: Ransomware Actors Leak Data From 3 More Healthcare-Related Entities

The flaws were disclosed to SBI via fax on January 25, 2020. According to SBI, these hardware vulnerabilites allowed for unauthorized access on its network between July 2019 and December 2020.

"With this 'vulnerability', which actually was an unchanged default configuration plus some un-monitored firewall ports for such a long time, the hard lesson for SBI is obvious: if you connect a device to the Internet, it will be discovered," Schrader shared with HealthITSecurity.com. 

"A simple network vulnerability scan and secure configuration management would have detected and mitigated this in a matter of minutes. Unfortunately, our research shows that there a still many organizations out there, having to learn that same lesson," he added.

SBI's investigation determined the vulnerability exploit allowed some patient information to be accessed by unauthorized parties, including study date, patient names, dates of birth, and type of imaging procedures, as well as patient and study number internally created by SBI.

No Social Security numbers, credit cards, diagnoses, medical images, medical reports, or clinician notes were compromised during the security incident.

READ MORE: 219K Nebraska Medicine Patients Affected by Fall Ransomware Attack

SBI identified the IT vulnerabilities, which were quickly addressed to prevent a future recurrence, and closed certain firewalls ports. SBI also contracted with a third-party IT consultant to perform a thorough analysis and improve its security controls.

Texas Spine Consultants PACS Leak Impacts 25,728 Patients

Texas Spine Consultants recently began notifying 25,728 patients that their data may have been compromised as a result of a security incident in December 2020.

The notification letter does not provide insights into the direct cause of the incident, but described it as an “inadvertent disclosure” that does not appear to be the “result of hackers or criminal activity.”

Schrader told HealthITSecurity.com that the breach was caused by an exploit of a PACS vulnerability. Texas Spine was notified of the vulnerability via email in mid-December 2019.

The investigation into the incident is ongoing. For now, officials said they’ve determined the compromise may have included patient identifiers like names, dates of birth, and image scans.

READ MORE: Judge Dismisses Brandywine Urology Breach Lawsuit, Citing Lack of Harm

Officials from Texas Spine Consultants said they plan to implement additional safeguards to strengthen its data security, as well as assess its privacy and security controls to prevent a recurrence.

Ransomware Attack on Granite Wellness Spurs Breach Notice

About 15,600 clients of Granite Wellness Centers in California have been notified that their data was compromised due to a ransomware attack in January.

The cyberattack impacted data stored on its computer servers, and the encryption was in progress at the time of discovery. The affected systems were immediately taken offline, and officials said they quickly notified law enforcement.

An investigation was launched, and the security team took steps to eliminate the ransomware from its systems. Granite Wellness was able to fully restore its systems from back-up files, while fully maintaining care for its clients.

The compromised data included full names, dates of birth, dates of care, treatments, health information, provider names, and health insurers.

Granite Wellness is currently taking steps to rebuild the impacted systems and adding further safeguards to better secure the information in its possession.

The notice does not explain that NetWalker ransomware actors leaked data they allegedly stole from Granite Wellness in mid-January. The screenshots shared with HealthITSecurity.com showed a range of spreadsheets containing business information, management, and consultation information.

Employee Email Hack on Grand River Medical Group

The hack of an employee email account at Iowa-based Grand River Medical Group potentially led to a compromise of the data from 34,000 patients.

Upon discovery, the account access was blocked and all relevant passwords were changed. The medical group contracted with an outside incident response team to conduct a forensic analysis of the incident to determine if any data was accessed or exfiltrated during the incident.

The notice does not detail when the unauthorized access was first discovered. But officials said the attacker gained access to the employee account, which enabled them to view spreadsheets containing personal information.

The investigation did not find evidence of access or data theft, but officials said they also could not rule it out. The impacted data varied by patient and could include names, SSNs, dates of birth, contact details, account types and balances, claim accounts and status codes, visit types, medications, and or guarantor’s names.

All impacted individuals will receive a year of free identity theft protection services, including credit monitoring. Grand River Medical has since implemented additional safeguards recommended by its third-party consultants to prevent a similar attack in the future.