Wednesday, June 19, 2024

Data of 380K patients compromised in hack of 13 anesthesia practices

The Department of Health and Human Services breach reporting tool recently added 13 separate filings from anesthesia practices across the U.S., stemming from a “data security incident” at the covered entities’ management company. In total, the compromise involved the protected health information of 380,104 patients.

The filings in the HHS tool appear to center on entities tied to New York-based Resource Anesthesiology Associates and Anesthesia Associates, including sites in El Paso, California, Washington, Palm Springs, Lynbrook, Hazleton, Fredericksburg, Bronx, San Joaquin, and Maryland. Upstate Anesthesia Services is also listed.

The name of the management company is currently unclear. A dive into how, or whether, these providers are connected found just one breach notice from Anesthesia Associates of El Paso PA, “an anesthesia provider to a local healthcare facility.”

The breach notification shows the incident occurred on July 15, 2022 at “its management company.” No further details are shared as to the entity behind the incident, or the threat behind the compromise.

However the incident occurred, it appears that protected health information stored in the management company’s system was impacted during the event, which included patient names, contact details, health insurance policy numbers, Social Security numbers, payment data, and health information, such as treatments and diagnoses. 

The entities involved have since improved security controls to better “secure the system and protect patient information.”

OakBend Medical patients targeted by email schemes after ransomware attack

Three weeks after falling victim to a ransomware attack and data exfiltration incident, OakBend Medical Center reported the recovery team restored its network and clinical systems brought offline in the wake of the attack.

OakBend brought the systems back online on Sept. 30, with some replacement processes being utilized as it finished recovering the impacted systems. One week later, the Texas provider began warning patients that third-party actors were targeting individuals with email schemes, with themes tied to the ransomware incident.

As SC Media previously reported, OakBend Medical took its network offline and launched electronic health record downtime procedures in response to a ransomware incident deployed on Sept. 1. Two weeks later, the systems remained down as the team worked to rebuild the affected systems. 


Officials quickly confirmed that the Daixin threat group claimed responsibility for the attack, posting data proofs on the dark web that contained more than 1 million records allegedly stolen from the hospital prior to the ransomware deployment.

But now patients are facing further risks, as an Oct. 7 notice shows patients are receiving emails designed to appear as if sent from OakBend regarding the data and system impacts. Hospital officials are warning patients that “all verified information regarding system updates, investigative findings, and next steps will continue to come directly from the office through email updates and website postings.”

On Oct. 11, officials added that the forensic investigation is ongoing and has not determined the extent of the data theft, nor who was affected. Patients have been asked to send the hospital the fraudulent emails for analysis. OakBend is offering all patients 18 months of credit monitoring to support fraud prevention.

6 months after data theft, CSI Labs reports another PHI breach

Nearly 245,000 patients with ties to CSI Laboratories were recently notified that their data was compromised after a phishing incident gave a threat actor access to a single employee email account.

The notice comes just six months after the Georgia-based cancer testing and diagnostics laboratory reported falling victim to a February cyberattack that led to IT disruptions and the exfiltration of data tied to 312,000 patients, such as names, patient case numbers, dates of birth, addresses, medical record numbers, and health insurance information.

The latest security incident was discovered on July 8, which led the security team to promptly isolate the affected email account and launch an investigation. The forensic evidence shows the phishing attack appeared designed to commit financial fraud on other entities by redirecting customer payments from health providers to an account controlled by the actors using a fictitious email address.

“The invoices were not directly billed to patients. Thus, we believe that the malicious actor was seeking to divert invoice payments,” rather than to access patient data, according to the notice.

However, the investigation determined on July 15 that the hacker indeed acquired “certain files from the affected employee mailbox, including documents that may have contained patient information.” The discovery prompted a new analysis to determine the scope and impact on patient information.

The exfiltrated data was found to involve invoices sent to CSI healthcare provider customers, and the information involved varied by invoice. The information “generally” contained patient names and numbers, as well as dates of birth and health insurance information. No patient financial data was compromised.


CSI stressed that the incident was limited to a single email inbox, and its network and IT systems were not impacted by the event. Employees have since received additional phishing-related awareness and training, as CSI works to improve its enterprise security to prevent a recurrence.

Aesthetic Dermatology hack leads to data access for 34K patients

The personal and protected health information of 33,793 Aesthetic Dermatology Associates patients was accessed during a systems hack in August.

It should be noted that an industry advisory shows the BianLian threat group has posted a data listing allegedly tied to Aesthetic Dermatology Associates. However, the provider’s notice purports there’s been no evidence of data misuse.

The official notification shows that suspicious activity was discovered on Aug. 15, which prompted an investigation with support from a computer forensics specialist. The analysis discovered an attacker accessed its network systems, some of which contained personal information. 

A review of those files confirmed PHI was accessed during the hack, which included patient names, diagnosis codes, dates of birth, contact details, and health insurance information. SSNs were not involved.

Aesthetic Dermatology has since secured the affected systems and plans to implement additional safeguards to prevent another incident.

Magellan Rx Management reports third-party vendor incident

Magellan Rx Management recently informed 13,663 TennCare patients, who leverage MRx for pharmacy benefit services, that their data was compromised after the hack of an email account belonging to its former auditing vendor NorthStar. MRx provides healthcare delivery and pharmacy management services to managed care entities, health plans, and other third-party administrators.

NorthStar previously disclosed its April email hack in early September, where a threat actor gained access to a single employee email account and accessed or stole Medicaid data tied to the Georgia Department of Community Health. About 18,354 members were affected by the incident.

The incident was first detected on April 20, but MRx was not notified by NorthStar until July 25. The investigation determined the attacker had access to the account for more than two months between February 5, 2022 and April 17, 2022. During the dwell time, the actor accessed the account, but the investigators could not verify what, if any, data was accessed or acquired.


For MRx, the account contained the personal data of patients enrolled in health plans serviced by MRx. The notice suggests NorthStar’s investigation is ongoing, which could account for the delay in notifying patients. And “although NorthStar is no longer an MRx vendor, MRx has processes in place to ensure that its vendors safeguard personal information within their possession.”

The incident joins an earlier email compromise reported by MRx’s parent company Magellan Health in the last three years. Several weeks ago, Magellan Health settled a breach lawsuit for $1.43 million with the 270,000 patients whose data was compromised during a months-long hack of an employee email account in the Spring of 2019.

Cardiac Imaging Associates reports email hack from April

An undisclosed number of patients tied to Cardiac Imaging Associates are just now learning that their data was compromised after the hack of an internal email account in April. CIA is a medical imaging services vendor for healthcare providers.

Under the Health Insurance Portability and Accountability Act, breach notices should be sent to patients within 60 days of discovery and not at the close of an investigation. According to its notice, it appears that CIA’s delay was due to its investigation only recently being closed.

Upon discovering the email intrusion, the account was secured. A subsequent investigation determined the threat actor had access to the account for a week between March 30 and April 6. The forensic analysis could not determine whether the actor viewed the emails or attachments within the accounts, which prompted a “thorough and time-intensive review of the contents of the email accounts.”

The compromised data varied by patient and could include names, SSNs, dates of birth, driver’s licenses, financial account and payment card information, medical diagnoses, conditions, lab results, treatments, and prescriptions. It’s possible the data was accessed or acquired. 

CIA has since enhanced its security, as it reviews its existing policies and procedures and implements internal training protocols to mitigate possible risks.

Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!