www.scmagazine.com
Submitted URL: https://go.scmagazine.com/MTg4LVVOWi02NjAAAAGCVCGdttkPoHN3D5p7lmZnJGdjHgS--3ppm1zTtkd8sKRIuyWlVAmty0EDrQ_vw3Nj6SBaQZ0=
Effective URL: https://www.scmagazine.com/analysis/breach/68k-affected-by-data-theft-sophisticated-network-hack-of-nonprofit-advocates?mkt...
Submission: On February 01 via api from US — Scanned from DE
68K AFFECTED BY DATA THEFT, ‘SOPHISTICATED’ NETWORK HACK OF HEALTH NONPROFIT ADVOCATES

Jessica Davis, January 28, 2022

A number of breaches were reported in the healthcare sector, though not all are yet listed on the Department of Health and Human Services breach reporting tool. (Photo by Alex Wong/Getty Images)

Approximately 68,000 individuals who’ve received services from Advocates are being notified that their personal and protected health information was stolen during a four-day hack in September 2021. Advocates also provided notice to certain employees, whose data was exfiltrated during the hacking incident.

Advocates is a nonprofit organization based in Massachusetts that provides a range of services for individuals requiring support with addiction, autism, brain injury, mental health, and other health conditions.

The incident was first discovered on Oct. 1, when the nonprofit was notified that its data had been exfiltrated from its digital environment by a threat actor. Advocates took action to secure the system and engaged with an outside cybersecurity firm to investigate the scope of the incident.

The investigation found that a hacker gained access to the network between Sept. 14 and Sept. 18, 2021 through a “sophisticated cyberattack” on its network. During that time, the attacker gained access to and copied data tied to both current and former individuals served by Advocates.

The stolen data included names, contacts, Social Security numbers, dates of birth, client identification numbers, health insurance information, diagnoses, and treatments.

Advocates is cooperating with the ongoing FBI investigation, while taking steps to bolster its security to prevent a recurrence. All impacted individuals will receive free credit monitoring and identity theft protection services.

ST. LUCIE COUNTY REPORTS 4-YEAR HACK OF DRUG SCREENING LAB

Over the course of four years, a misconfiguration error in the St. Lucie County Drug Screening Lab’s web portal allowed certain data to be accessible by unauthorized parties. The breach is not yet listed on the HHS reporting tool, so it’s not yet known how many individuals have been affected.

“After an extensive forensic investigation and thorough review of the data impacted,” SLC discovered the unauthorized access to the portal data on Dec. 28. The exposure occurred between June 2, 2017 and Oct. 13, 2021. It’s unclear when or how the issue was first detected.

“SLC Lab devoted considerable time and effort to determine what information may have been accessible to unauthorized users,” later confirming the compromised data could include one or more data elements for each impacted individual. The information could include SSNs, dates of birth, and limited information tied to the type and result of lab tests.

SLC is offering all impacted individuals free credit monitoring.

MEDICAL HEALTHCARE SOLUTIONS REPORTS DATA THEFT, NETWORK HACK

Portland, Oregon-based Medical Healthcare Solutions recently began notifying an undisclosed number of patients that their data was stolen during a network hack in October. The breach has not yet been listed on the Department of Health and Human Services breach reporting tool.

MHS is a medical billing, electronic health records, and practice management vendor. On Nov. 19, MHS discovered its systems had been hacked for several days between Oct. 1 and Oct. 4, during which the attacker removed certain files from the network. The network was immediately locked down.

MHS launched an investigation, which determined the stolen information varied by patient across a range of covered entities for which MHS provides services. The impacted providers include Harvard Medical Faculty Physicians at Beth Israel Deaconess Medical Center and Associated Physicians of Harvard Medical Faculty Physicians at Beth Israel Deaconess Medical Center.

The data could include names, dates of birth, contact details, SSNs, financial and credit card information, procedures, provider names, prescriptions, dates of services, diagnosis codes, claims data, patient account numbers, and other highly sensitive information.

MHS has since stabilized the network and implemented additional tools to bolster its security.

EMPLOYEE FIRED, INDICTED AFTER STEALING DATA OF 41K PATIENTS

An employee of South Georgia Medical Center was fired and recently indicted after taking a USB drive containing the data belonging to 41,692 patients from the hospital premises for personal use.

SGMC supports public healthcare “for the benefit of the Hospital Authority of Valdosta and Lowndes County Georgia,” which is the covered entity listed on the HHS reporting site.

On Nov. 12, an SGMC employee removed the electronic patient data without authorization, which was detected by monitoring software employed by the hospital that allowed for swift detection of the unauthorized disclosure. The data was quickly recovered, and there’s been no evidence the data has been misused.

Local news outlets shed further light on the incident and subsequent indictment. The employee left employment with SGMC the day before the software alert found an unauthorized download of patient data onto a USB.

The data was limited to patient names, dates of birth, and test results. SSNs, medical records, and financial data were not included in the stolen data.

Officials say the files had not been erased from the hospital’s network. Further, the employee had legitimate access to the files. However, the employee has since been charged with felony computer theft and invasion of privacy.

The investigation has not determined the motive behind the incident. SGMC is retraining employees and limiting the use of USBs.

UPDATE SHOWS MARYLAND HEALTH DEPARTMENT STILL NOT FULLY RECOVERED

A Jan. 27 update shows the Maryland Departments of Health and Information Technology are still continuing their recovery efforts and investigation into what has since been confirmed as a ransomware attack. Other county health departments, including Garrett County and Wicomico County, have been experiencing disruptions to their services due to the attack.

The initial cyberattack and network outages began nearly two months ago on Dec. 4, which was identified on an improperly functioning server. The virus was quickly contained, but the outages impacted the COVID-19 reporting features for several weeks, during which staff had to manually report new cases. The reporting tool has since been restored.

The latest update does not provide many new details, but confirms the health department is still trying to bring systems back online as it works with law enforcement on the investigation. There has still been no evidence of data compromise.

The near-two-month outage is one of the largest reported in the U.S. health sector. The Ireland Health Service Executive faced a similar attack in the summer of 2021, and its network outage lasted well over two months. The cost of the recovery and lost services reached well over $600 million.