Breach, Ransomware, Incident Response

After Hive cyberattack, Partnership HealthPlan confirms data theft affecting 855K

Processed medications await pick up at the pharmacy on Ellsworth Air Force Base, S.D., Oct. 25, 2011. (Airman 1st Class Zachary Hada/Air Force)

Following reports of network downtime after a cyberattack in March, Partnership HealthPlan of California has since confirmed the Hive ransomware group stole a trove of health information ahead of the ransomware deployment. Reports show 854,913 patients were impacted.

As previously reported, PHC faced a long period of computer system disruptions immediately following the attack and were working with third-party working forensic specialists to recover the network. The incident also disrupted PHC’s ability to receive or process treatment authorization requests, the forms used to gain pre-approved funding for treatment.

At the time, multiple reports claimed Hive was behind the attack, after a dark web posting of data proofs allegedly exfiltrated from PHC. The listing was soon removed, but screenshots showed proofs containing approximately 850,000 unique records, or about 400GB of data. 

The official breach notice from PHC confirms the attack was deployed on March 19 and that its investigation found evidence the hacker accessed or stolen patient data from the network on the same day.

The stolen data could include patient names, Social Security numbers, driver’s licenses, Tribal IDs, medical record numbers, treatments, diagnoses, prescriptions, medical data, health insurance details, patient portal credentials, and other sensitive information.

PHC is still working to identify the information contained in the stolen files and just what patients were involved. All impacted patients will receive two years of credit monitoring services.

Unfortunately, PHC is included in the spate of healthcare data breach lawsuits filed within the last six months. For the California health plan, a law firm filed a lawsuit on behalf of patient “John Joe” on May 17.

The lawsuit is currently soliciting other patients to join the suit. As noted in an earlier SC Media report, these advertisements are increasingly common but are ethically questionable given the Supreme Court ruling on actual harm and the highly targeted nature of the sector that puts the majority of providers at risk of a breach.

Cooper University Health reports breach from December

Cooper University Health Care is just now informing an undisclosed number of current and former patients that their data was accessed or likely stolen after an email hack in December 2021. Cooper is a health system with sites across south New Jersey and the Delaware Valley.

The almost six-month delay in notification should serve as a reminder that the Health Insurance Portability and Accountability Act requires patients to be notified of breaches to their health information within 60 days of discovery and without undue delay — not at the close of a lengthy forensic analysis.

Cooper first “learned of unusual activity” within an employee's email account on Dec. 13, 2021. The accounts were quickly secured and an investigation was launched with support from an outside cybersecurity team.

The investigation confirmed an employee email account was hacked on Nov. 24, 2021, several weeks before it was discovered. The potentially stolen data could include names,dates of birth, provider names, diagnoses, treatment information, billing and claims data, and medical record numbers.

Hack, data theft at Val Verde medical center impacts 87K patients

The personal and protected health information tied to 86,562 patients of Val Verde Regional Medical Center in Texas was stolen after a “network disruption” on March 10.

Upon discovery, VVRMC secured the network and launched an investigation with support from third-party digital forensics experts. The post-mortem determined that a threat actor was able to access or acquire “certain files” during the security incident. The medical center also contacted the FBI and is cooperating with their investigation.

The impacted data included patient names, Social Security numbers, dates of birth, medical information, health insurance details, and other data. All patients will receive free identity monitoring services.

Notably, VVRMC apologized for the timing of the notification: “While the extensive data identification and processing was lengthy and time-consuming, it was a necessary process that helped us thoroughly identify the impacted individuals.” But the notice appears to have been sent within the 60-day HIPAA requirement.

VVRMC has since bolstered its security measures to prevent a recurrence.

Email hack impacts 90K Alameda Health patients

California-based Alameda Health System recently notified the Department of Health and Human Services that an email hack compromised the data belonging to 90,000 patients.

There are currently no public breach notices detailing the incident. However, the notice comes less than two years after the health system reported another email hack that wasn’t discovered for nearly two months. It should serve as a reminder for provider organizations to learn from past mistakes to avoid regulatory issues and protect patient privacy.

SAC Health reports paper records theft affecting 150K

In one of the largest thefts of paper records reported in recent years, Social Action Community Health System recently notified 149,940 patients that their information was stolen after a break-in at its off-site storage facility. The notice comes after SAC Health sent notice to 28,000 patients following the hack of its vendor, Netgain, in 2020.

SAC Health was notified of the incident on March 4, where a burglar stole six boxes of paper documents from the facility. The provider has been working with local law enforcement with its investigation, alongside its own. It’s since been confirmed the theft included data tied to patients who visited SAC in 1997 and between 2006 and 2020.

The information stored in the stolen containers could include contact details, dates of birth, and diagnosis codes. All patients will receive complimentary credit monitoring services. SAC Health is currently assessing its policies and procedures for paper document storage.

Allwell Behavioral hack impacts 30K patients

A “data security incident” at Allwell Behavioral Health in Georgia likely led to the theft of protected health information tied to 29,972 patients.

The subsequent investigation found that an attacker first gained access to a computer system used to store quality assurance information on March 2. The incident was detected three days later. During that time, the actor was able to take “an undetermined number of files containing client information.”

The stolen data was related to treatments and could include patient names, dates of birth, SSNs, contact information, treatment activity and dates, locations, and payer details. All impacted patients will receive free identity theft protection services.

Allwell has since upgraded its IT and computer systems to bolster security and prevent further unauthorized access.

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds