The American Dental Association recently began informing state regulators that the “cybersecurity incident” it reported in April was actually a ransomware attack that resulted in the theft of member data.
On April 23, ADA first reported to its members that a cybersecurity incident was causing technical problems and other disruptions to some of its clients, including the Texas and New York Dental Associations. In response, the ADA shut down and isolated all of its systems, impacting members-only access to the ADA and Texas Dental Association websites.
TDA later confirmed that the incident was definitely caused by a cyberattack, which on the 21st ADA later stated that it is also working with third-party cybersecurity specialists.
At the time, ADA responded to rumors that data had been stolen by the Black Basta group prior to the hack, emphasizing that “no data breach occurred”.
However, the most recent notification confirms that the data breach did indeed take place and provides additional details about the attack. The “sophisticated” ransomware attack only disrupted certain systems. On April 27, the investigation confirmed that “certain information about ADA’s systems was accessed and/or acquired by an unauthorized party.”
The investigation into the extent of the violation was not completed until June 10. The notice does not state the exact dates involved, only that it was personal information linked to members’ names. Affected members receive free credit monitoring and identity protection services.
ADA has since assessed its system security and reset relevant account passwords while working to review and strengthen its existing policies and procedures.
Patients from two other providers added to the injury from Eye Care Leaders
The impact of data theft from Eye Care Leaders has now reached 3.03 million patients. Arkansas Retina recently reported that 57,394 of its patients were affected by the December incident, and doctors at Sight Partners in Washington notified 86,101 patients.
The ECL incident remains the largest healthcare data breach reported this year, affecting more than 35 ophthalmologists.
The latest notifications are similar to previously released notifications, including the fact that affected vendors were not notified of the December incident until April 15. Under the Health Insurance Portability and Accountability Act, business partners are required to notify affected companies of a compromise to protected health information within 60 days and without undue delay.
The cyberattack began “on or about” December 4th, 2021 on some ECL databases holding patient records. The subsequent investigation could not rule out whether the data had been accessed or stolen by the attacker.
The affected providers conducted reports on the practice management systems to identify the affected patient records, which included names, contact details, medical record numbers, treatments, diagnoses, prescriptions, and names of the providers, among other medical information.
In response to the incident, Sight Partners stopped using the ECL platforms, a response reflected by about half of the affected vendors. All affected patients receive free credit monitoring.
As widely reported, ECL is currently defending itself against a lawsuit from three vendors alleging that the vendor hid multiple ransomware attacks and lengthy unplanned downtime.
Kaiser Permanente’s device theft results in a data breach for 75,000 patients
An individual broke into a locked storage area at Kaiser Permanente Medical Center in Los Angeles on May 20 and stole an iPad and the password needed to access the device. As a result, 75,010 Kaiser Foundation Health Plan Southern California patients are being notified that their data may be compromised.
The stolen device was used by staff at a COVID-19 testing site and contained photos of COVID-19 lab sample labels that included patient names, dates of birth, medical record numbers, and the date and place of performance. The iPad contained no patient photos, lab results, social security numbers, or credit card numbers.
The investigation did not find any concrete evidence that the thief accessed or viewed the information, but informs all patients whose data was stored on the stolen device. And Kaiser remotely wiped all data from the stolen iPad, including photos.
Kaiser has since moved all of its equipment to a more secure location and strengthened its internal practices and procedures.
29,000 Benson Health patients were notified of a May 2021 cyberattack
Benson Health was hit by a cyber attack on its network on May 5, 2021, leading to access to patient records of 28,913 patients. The North Carolina provider began notifying patients of security breaches on July 15, 2022, more than a year after the initial attack began.
Following the discovery of the incident, Benson Health, with the assistance of an outside forensic specialist and a data mining firm, launched an investigation to “perform a comprehensive and comprehensive review of the record and identify individuals whose personally identifiable information was contained in that record.”
The investigation ended on June 7, 2022, which could explain the gap. But HIPAA recognizes that notifications to patients must be sent promptly and within 60 days of discovery of the violation — not at the end of an investigation.
Forensic scientists determined that the data retrieved included patient names, dates of birth, social security numbers, and health or treatment information. All affected patients will receive free credit monitoring services.
ATC Healthcare reports data was stolen from a cyber attack in December
In another apparently belated announcement, ATC Healthcare Services recently informed an undisclosed number of patients that their data was likely accessed or acquired during a cyber attack in December 2021. Notices were not sent out until July 1, more than six months later.
ATC first learned of the “criminal cyber attack” on December 22, 2021 and immediately worked to secure its systems. The notification shows the “email accounts” affected by the attack. The subsequent investigation could not definitively rule out access to or theft of patient data. ATC has since improved its system security.
The compromised information varied by patient and could include names, social security numbers, driver’s licenses, dates of birth, government-issued identification numbers, medical records, insurance information, employer-assigned identification numbers, and user details.
Associated Eye Care updates patients on the 2020 Netgain incident
Earlier this month, Associated Eye Care in Minnesota began notifying 40,793 patients that their data had been compromised back in September 2020 following the hack of its cloud IT hosting, services and solutions provider Netgain.
The Netgain incident was one of the largest healthcare data breaches reported in 2021 and involved the theft of patient data, which was later returned to the provider with “assurance that the data was erased and destroyed.” At this point, the number of security breaches reached more than 865,000 people from multiple provider organizations.
Companies first began notifying patients of multiple Netgain security incidents compromising patient data in the first half of 2021. In September last year, a hacker used stolen credentials to access the Netgain system and spread to a number of client environments connected to his system.
During the dwell period, the attacker was able to steal a significant amount of patient data. The first hack went undetected for several months before the attackers launched ransomware into the environment on December 3, 2020, which was discovered by Netgain soon after.
The investigation uncovered initial hacking and exfiltration of customer and related patient data, which could include patient names, social security numbers, dates of birth, contact details, driver’s licenses, and claims data that could reveal diagnoses and medical conditions. Back then, Netgain’s hackers demanded a ransom payment, which the provider paid to recover patient data.
The Associated Eye Care attributes the long gap in reporting to “an extensive data-mining project to identify all affected individuals,” which was completed on May 16, 2022.
AEC is currently reviewing and updating its server and system security policies and procedures in addition to its information lifecycle management services. The incident prompted AEC to replace Netgain as the provider and migrate the data and environment to another service provider.
Southwest Health notifies 46,000 patients 6 months after data breach
Earlier this month, Southwest Health Center in Wisconsin began notifying 46,142 patients that their data may have been accessed and stolen during a “data security incident discovered on January 11, 2022.
When the provider discovered the incident, they worked to secure the network and launched an investigation that confirmed the possible exfiltration. Southwest Health then began a “comprehensive review of the data,” which was completed on May 27. It’s unclear why the provider continued to delay the notifications.
The review determined that both personal and proprietary health information was likely stolen, including names, social security numbers, dates of birth, driver’s licenses, state ID numbers, financial account numbers, medical records, and/or health insurance information.
Southwest Health notified the FBI after the attack, who later informed the provider that the data servers involved in the incident had been identified and seized. All affected patients will receive identity protection services for one to two years.