Cyber attacks continue to hit healthcare organizations already strained by resource constraints and the ongoing COVID-19 pandemic, as evidenced by two recently disclosed attacks targeting providers in California and Arizona.
As of August 24, 2021, California-based LifeLong Medical Care began notifying individuals that their data had been affected by a ransomware attack against Netgain, a third-party provider that provides services to healthcare providers. LifeLong reported to the Department of Health and Human Services that 115,448 people were affected by the attack.
Netgain first detected abnormal network activity on November 24, 2020, LifeLong reported in a letter disclosing the breach to affected customers. On February 25, 2021, Netgain’s investigation revealed that “some files have been viewed and/or acquired without authorization”. LifeLong conducted a content review of the stolen files to determine if they contained sensitive data.
On August 9, LifeLong discovered that personally identifiable health and personal information had been accessed from Netgain’s network in connection with the attack. This data included full names and one or more of the following: Social Security numbers, dates of birth, patient cardholder numbers and/or treatment and diagnostic information, the letter states. Officials are not aware of any reports of identity fraud or inappropriate use of affected data directly related to the attack.
LifeLong advises affected individuals to take steps to protect their data, such as placing a fraud alert or security freeze on their credit reports, obtaining free credit reports, signing up for free credit monitoring if their SSN was affected, and paying close attention when reviewing financial statements, credit reports and explanation of benefits statements for suspicious activity.
In a separate attack, Arizona-based Desert Wells Family Medicine began notifying patients whose data may have been involved in a “recent ransomware and data loss incident” that took place on May 21, 2021 and affected several of its computer systems.
Upon learning of suspicious activity on its network, Desert Wells hired security experts and an incident response team to assess and repair the damage. The healthcare provider also alerted federal law enforcement and opened an investigation with a third-party computer forensics company to determine the extent of information accessed and stolen by attackers.
Their investigation revealed no evidence that sensitive data was seized; however, the attacker who gained access to the network corrupted the data. As a result, electronic patient health records that Desert Wells possessed prior to May 21 cannot be retrieved “despite our extensive efforts to try to retrieve sensitive information from our patients,” officials wrote in their letter.
Data from affected patient records “may have included the names of patients in combination with their address, date of birth, social security number, driver’s license number, patient account number, medical billing account number, health insurance plan member ID, medical record number, dates of service, vendor names, and medical and clinical treatment information,” they report.
To date, companies investigating the attack have found no evidence that this information was misused.
Desert Wells says it will continue to try to reconstruct electronic patient health records in a “new and improved electronic medical record system,” a process that includes compiling patient data from other sources, such as medical specialists, former healthcare providers, hospitals, pharmacies, imaging centers and laboratories, among others. The provider offers free credit monitoring and identity theft protection, and patients are urged to review reports from health care providers and insurers to watch for medical services they haven’t received.
The news of the attacks follows research that reveals that midsize healthcare organizations face higher costs after cyber attacks compared to large organizations. The average cost of a cyberattack outage is over $440,000 for small organizations and $130,000 for larger ones. Researchers say that while attacks on healthcare have increased, many victims – especially mid-sized hospitals – have not adapted to the change.