Healthcare cyberattack latest: NextGen EHR ransomwared by AlphV/BlackCat, back to normal – 93% of healthcare orgs had 1-5 ransomware incidents

Cyberattacks on healthcare continue their drip-drip-drip. The latest is on an EHR/practice management platform used by small to enterprise-sized specialty practices, NextGen Healthcare. The hacker group associated with the AlphV/BlackCat ransomware moved into the system on 17 January. For a short time, they reportedly exhibited NextGen information on their extortion site but later took it down. NextGen reported a short-term disruption to operations. A NextGen spokesperson stated that “We immediately contained the threat, secured our network, and have returned to normal operations,” the spokesperson said. “Our forensic review is ongoing and, to date, we have not uncovered any evidence of access to or exfiltration of client data. The privacy and security of our client information is of the utmost importance to us.”  NextGen has also stated to this Editor that no patient data was affected.

NextGen is used by about 2,500 practices in the US, UK, India, and Canada, including over 20 specialties.

The group behind AlphV/BlackCat ransomware has an infamous history. Reputedly, the gang has been kicking around since 2012 and was the same group of charmers that attacked the Colonial Pipeline in 2021, using the Darkside ransomware in May 2021 that dried out gas stations across the US East Coast. Their next ransomware edition, BlackMatter, targeted agriculture during fall 2021. Healthcare IT News, The Record/Recorded Future News

More severe attacks affecting 93% of healthcare organizations. While NextGen contained the attack quickly, both the Censinet/Ponemon Institute and Fortified Health Security’s 2023 Horizon Report tracked 2022 healthcare data breaches and concluded that while the number of incidents didn’t change much, their severity ramped up. More according to SC Media in these reports: 

  • Over a dozen of the biggest incidents in 2022 each impacted well over 1 million records
  • Nearly half of the respondents experienced a ransomware attack in the last two years
  • 93% faced between one to five ransomware-related incidents
  • Outages lasted upwards of 35 days

The common ground with NextGen is danger to patient safety, because electronic record damage can translate quickly into unavailable patient care.

Updated PharmaCare Services, a pharmacy management company based in Texas, is listed as a victim on BlackCat’s extortion site. They were exhibited with NextGen and remained when NextGen’s listing was challenged and then taken down. PharmaCare is staying mum on any ransomware disruptions, according to GovInfoSecurity.

One ray of hope is improved medical device security, included in the ‘omnibus’ budget package approved in late 2022. FDA will be required to enforce new standards for premarket device submissions. One is a software bill of materials, adequate evidence to demonstrate the product can be updated and patched, and a description of security testing and controls. This was before Congress in the Protecting and Transforming Cyber Health Care (PATCH) Act which didn’t go far, but elements of which found their way into the omnibus. A needed change for medical devices and long expected by manufacturers. SC Media

Mid-week news roundup (updated 18 Aug): CVS eyeing Signify Health for in-home/VBC; Babylon Health mixed pic of revenue and losses up; Geisinger doubles telemed specialties; connected IoT devices expand cyber-insecurity (more); Owlet layoffs

CVS has dropped another sandal as to their quest to add primary care and home health to their portfolio [TTA 5 Aug]. Reports indicates that CVS Health is bidding to acquire Signify Health, which is up for sale. Signify is best known as a major provider of in-home health care in both evaluations and community-based services, with users such as health plans, health systems, community groups, non-profits, and government. In March, they added provider value-based care with Caravan Health, a mid-sized Accountable Care Organization (ACO) management service organization (MSO), for $250 million.  This would give CVS both leverage in in-home care and access to value-based care models in health systems and practices, adding a network of jumbo (100,000 lives+) ACOs to Aetna’s 500 ACOs.

Signify did take a bit of a bath with its acquisition/merger of Remedy Partners in 2019 which marked their entry into the Federal shared savings programs around Episodes of Care. While it created a $600 million company. Remedy’s Episodes of Care in the CMS Bundled Payments for Care Improvement (BPCI) program was always problematic for Signify on multiple levels (Editor’s experience). Signify announced its exit from the successor BPCI-A (Advanced) model last month to concentrate on home care and the Caravan business. The wind-down, which will take some time as these are Federal programs through CMS, will save Signify about $115-120 million in costs, compared to their annual direct and shared costs of $145 million. Restructuring costs such as severance may be only $35 million. After IPO-ing in February 2021 at $24 per share, it has only recently climbed to $23, having recently hit a 52-week low of $10.70. FierceHealthcare, HealthcareFinanceNews

Updated Perhaps in preparation for acquisition, Signify Health is shedding 489 people starting 1 October, including 45 in Connecticut, with the remainder in Texas, South Dakota, and New York. The information comes from required notices to the Connecticut Department of Labor. The majority of employees affected are remote workers. It appears to be related to Signify’s winding up of BPCI and Episodes of Care activity which are likely on calendar year contracts. The legacy company, Remedy Partners, had been headquartered in Connecticut with staff in New York. Moving forward with layoffs now makes the company more attractive for sale, as the separation expenses will not be an acquiring company liability. The 1 October start date is also a tell.  CT Insider, Becker’s

A mixed picture for Babylon Health. Its Q2 results were up substantially in revenue–4.6x year-over-year from $57.5 million to $265.4 million–along with key indicators such as US members up 220% and a 7.5% improvement in medical margins over three quarters. The US has been very very good to Babylon with value-based care membership growing 3.2x year-on-year to a total of approximately 269,000 US VBC members with 40% of its VBC revenue from Medicare contracts. However, losses are up along with growth–$157.1 million compared to $64.9 million loss PY. Babylon at end of July announced worldwide layoffs of at least 100 people of its current 2,500 in their bid to save $100 million in Q3. Babylon release, Mobihealthnews

Geisinger Health was one of the pioneers in telehealth and remote patient monitoring, from ur-days in the early 2010s to today. Much of its patient base in Pennsylvania is rural or semi-rural, living well away from care centers, with a clinician base equally scattered. They went with a single system–Teladoc–integrated into Epic. By the early days of the pandemic, Geisinger was able to expand their telehealth coverage from 20 to more than 70 specialties, 200 providers to more than 2,000 providers, and over two years (2020-2022) completing over 784,000 telehealth visits to homes, local clinics, or local hospitals. Case study in HealthcareITNews

If you’re a health system CIO managing lots of connected devices, you may need to go to a psychiatrist with your feelings of insecurity. That’s the gist of a new report, the Insecurity of Connected Devices in Healthcare 2022. A new-to-this-Editor cybersecurity firm, Cynerio, partnered with researchers at the Ponemon Institute to survey 517 executives at US health systems to find that their Internet of Medical Things (IoMT)/Internet of Things (IoT) vulnerabilities haven’t changed much since this Editor banged the gong about them well before the pandemic:

  • Cyberattacks–frequent: 56% of respondents experienced 1+ cyberattacks in the past 24 months involving IoMT/IoT devices; 58% averaged 9+ cyberattacks. Adverse impacts on patient care were reported by 45% and 53% of those resulted in increased mortality rates. 24% of hospitals noted an impact on their mortality rates.
  • Data breaches are routine: 43% of hospitals had one in the past two years
  • Risks may be high, but the reaction is sluggish: 71% rated security risks as high or very high, but only 21% report a mature stage of proactive security actions. 46% performed accepted procedures such as scanning for devices, but only 33% keep inventory.
  • Ka-ching! Goes the ransomware! When attacked, 47% paid the ransom, and 32% were in the $250-500,000 range.

The full report is available for download here. Those who prefer a webinar must wait till 17 August at 2pm (EDT)–registration hereCynerio release, HealthcareITNews

Updated. Having sat in on the webinar, some further information points from the Ponemon survey deepen the ‘gravity of the risk’:

  • IoT is different because a hack or cyberransoming prevents the device from working. It isn’t fixed by backup as data can be.
  • Health systems are still using IoT computer systems running Windows XT/95–and earlier (!)
  • The average total cost of the largest data breaches is $13 million–the most common cost is in the $1-5 million range. 
  • 88% of these data breaches involved at least one IoT/MT device
  • Risks are known, but action is lagging. 72% of health organizations report a high level of urgency in securing devices–yet 67% of organizations do not keep an inventory of IoT/IoMT devices that they scan
  • 79% don’t consider their activities to be ‘mature’
  • Security investment doesn’t reflect the gravity of the risk–only 3.4% of IT budgets focus on IoT/MT device security.

And in sad layoff news, Owlet Baby Care is shedding an unknown number of employees. Here is the notice on LinkedIn. We noted their FDA problems and a fast pivot last in February, but their going public via a SPAC has been rocky at best with shares lingering at $2 from the IPO at $8. Marketing a pricey baby monitor direct to consumer is expensive, even if it meets a need, and this is likely a cash crunch. At least the ‘leader of people & culture’ is giving them a proper sendoff of thanks–and more usefully, providing their contact information for potential job openings with other companies.

[This is in contrast to the gone-viral spectacle of the CEO of something called HyperSocial posting on LinkedIn his angst about laying off staff–along with a selfie of him weeping. Not exactly confidence-making and All About Him. This Editor’s comment is one of 6,000-odd posts which are largely doubtful to negative.]

Data breach cost crests $4 million: Ponemon Institute

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]The average fully allocated cost of a data breach, according to the 2016 Ponemon Institute study (sponsored by IBM) is now over $4 million. The average global cost of every lost or stolen record is $158, but for healthcare organizations, that average cost is $355 per record, which reflects the higher street value of healthcare information. Healthcare was the second most ‘churned’ type of organization, surpassed only by financial services. Across the industries surveyed, hacking and ‘inside jobs’ caused the most data breaches overall–48 percent. (Hackermania does really run wild!) Healthcare organizations can mitigate costs by being proactive in detecting breaches early, having a CISO (chief information security officer), instituting employee training and awareness programs, deploying encryption and endpoint security plus a business continuity management plan. Ponemon/IBM website. Healthcare IT News

Threat hunting is also emphasized in a second Ponemon study sponsored by Raytheon, which recommended offensively hunting down threats to data security, and defensively setting up a security barrier to protect patient data and care systems. With nation-state attacks (think China and Russia), ransomware, compromises due to IoT (add outdated software), and physical data theft, the game is now complete control rather than plain ol’ disruption. After the attack, when most healthcare organizations finally get into gear on cyberthreats, is far too late. Ponemon/Raytheon ‘Don’t Wait’. Healthcare IT News

90% of industries have had PHI data breach: Verizon (HIMSS Connected Health)

Reporting from the HIMSS Connected Health Conference (CHC)

Cybersecurity is one of the three central themes of this year’s HIMSS CHC, and excellent timing for releasing the highlights of Verizon’s first ever PHI (Protected Health Information) Data Breach Report. This is a spinoff of their extensive, eight years running international Data Breach Investigations Report (DBIR). 

It’s not just your doctor’s office, hospital or payer. It will be no surprise to our Readers that the healthcare sector is #7 in breaches–but that a PHI breach may come from non-healthcare (in US, HIPAA-covered) sources. This Editor spoke with Suzanne Widup, the lead author of the PHI Report and an info security/forensics expert, and included in that 90 percent are workers’ compensation programs, self-insured companies, the public sector, financial/insurance companies and–as a damper on this highly competitive (but hard to gauge results) area–wellness programs. Most organizations, according to Ms Widup, aren’t even conscious that they are holding this information and need to specially protect it from intrusion, as “PHI is like gold for today’s cybercriminal.”

Consistent with other authoritative tracking studies like Ponemon Institute’s and ID Experts’, the threat is from within: physical theft and loss, insider misuse and ‘miscellaneous’ account for 77 percent of theft. And as Bryan Sartin, managing director of Verizon’s RISK team noted in his keynote today, attacks take over a seven-month period on average to even be noticed. The breaches are long term, start small and sneaky. 2/3 of organizations don’t find out on their own, only when it starts to affect other partners. (Surprise!) Despite the proven Chinese and Black Vine involvement in several high profile, high-volume data hacks (Anthem), and ‘brute force’ hacks that make headlines (iCloud last year), the average breach is an inside job where “assets grow legs and walk off” in Dr Widup’s words, or privilege misuse.

When I asked Ms Widup about the Internet of Things (which is moving high on the hype curve, from what your Editor has experienced to the nth degree at this conference), she confirmed that this is an area that needs extra cybersecurity protection. (more…)

Extent, cost of health ID theft exposed in Wall Street Journal

Confirmation that your Editors (including Founder Steve) are no longer Voices Crying In The Wilderness on health data insecurity came this weekend on the front page (print) of The Wall Street Journal. It concentrated less on the profit of stolen PHI–$50 per record on average versus $7 for a credit card, according to Ponemon Institute–than on the horror of the 2.3 million individuals suddenly finding out that hospitalizations, procedures and prescriptions in their name were being used by others, leaving them with the bill and unable to clear both their financials and their health records.

EHRs are treasure troves of health and financial information. Unlike credit card theft, there’s no warning–and no limits. Providers and insurance companies put the onus on the person with the stolen data. There is no healthcare equivalent of the Fair Credit Billing Act (FCBA) and the Fair Credit Reporting Act (FCRA), which since 1974 and 1970 respectively have limited the individual impact of fraudulent credit card charges.

Consumer security programs like LifeLock are not particularly effective in proactive notification. In other words, you’re stuck. You may run through your benefits and then be responsible for the bills. Second, you may never get the bad information and diagnoses out of the supposedly accessible health record because of privacy laws, especially if you are a caregiver.

Victims sometimes only find out when they get a bill or a call from a debt collector. They can wind up with the thief’s health data folded into their own medical charts. A patient’s record may show she has diabetes when she doesn’t, say, or list a blood type that isn’t hers—errors that can lead to dangerous diagnoses or treatments.

Adding insult to injury, a victim often can’t fully examine his own records because the thief’s health data, now folded into his, are protected by medical-privacy laws. And hospitals sometimes continue to hound victims for payments they didn’t incur.

According to Ponemon, “65% of victims reported they spent an average of $13,500 to restore credit, pay health-care providers for fraudulent claims and correct inaccuracies in their health records.”

Very rarely does this Editor look for a Federal remedy to a problem, (more…)

Healthcare vulnerability in a concatenation of data breaches

Concatenation is one of those lovely English words that express far more than its simpler synonyms: sequence, series or chain of events. Perhaps we have experienced that concatenation of data breaches which connect and demonstrate a critical mass that motivate healthcare organizations, including insurers, to ensure that data security and privacy gets primacy in HIT. Our Readers know we’ve been on the case since 2010; we’ve been noting Ponemon Institute and ID Experts studies since then.

While simple, straightforward theft can be the cause of smaller breaches and not part of a Big Hack, it’s not as Three Stooges or Benny Hill-esque as perhaps the JAMA study earlier this year made it out to be, especially if it’s your personal record, or your patient’s, which is breached, identity and financials damaged. (See this Security Intelligence article on a minor health breach and how it affected an individual who happens to be in IBM’s security arm.)

Just in the past few weeks, in the US we have experienced the following major and minor breaches:

  • CareFirst BlueCross BlueShield in Maryland–an insurer, not a hospital or practice–had a Big Hack of 1.1 million health records, with names, birth dates, email addresses and insurance identification numbers (but not SSI or credit card numbers) revealed.
  • Beacon Health Systems (Indiana) had a phishing attack into employee email boxes dating back to 2013. This was a Medium Hack that affected about 220,000 patients. Data taken included SSI and driver’s license. Health Data Management today.
  • Advantage Dental in Redmond, Washington had a 152,000 patient hack during three days in February.
  • Also in February, a New York City Health and Hospitals Corporation employee transferred patient files to her personal and new work email. 90,000 patients may have compromised data as a result. Becker’s

More breaches are listed today in iHealthBeat and the ever-growing list on Privacy Rights Clearinghouse.

Ponemon Institute’s 2015 Cost of a Data Breach Study: Global Analysis, with IBM, was published last week. (more…)

Hackermania running wild, 2015 edition

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”300″ /]

Do we need the Hulkster Running Wild against Hacking? It’s so heartwarming to see the mainstream press catch up to what your Editors have been whinging on for the past few years: that healthcare data is the Emperor With No Clothes. Here we have Reuters and the New York Times with a case of the vapors, seeking a fainting couch. Reuters dubs 2015 ‘The year of the healthcare hack’. The FBI is investigating the AnthemHealth breach, while their counterparts UnitedHealth, Cigna and Aetna are in full, breathless damage control mode. The Times at least delves into the possibility that it was at least partially instigated by China and the People’s Liberation Army (PLA) unit that trolls for intellectual property.

Our Readers, savvy to your Editors’ warnings since at least 2010, were aware that the drumbeat accelerated this past summer. (more…)

The sheer screaming attractiveness of medical ID theft

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2014/10/screenshot-med-25.jpg” thumb_width=”170″ /]Harry Lime Lives!  It’s the 1949 Vienna of ‘The Third Man’ when it comes to the black market of medical identity theft. Data breaches are easier than heisting penicillin off an Army Medical Corps truck and far less noticeable–there’s always a lag time in discovery as more than one health system (Community Health System) found. And protected health information (PHI) has value down the line. According to a report cited by FierceHealthIT:

  • Simple data comes cheap: names, birth dates and health insurance contract with group numbers fetch a pedestrian $20.
  • Add Social Security (SSI) numbers, banking and credit card information, and these ‘kits’ fetch $1,500. These can be used for financial fraud of multiple types or alternate identities.
  • Add medical data, and direct marketing data brokers and pharmacy benefit companies are willing to pay. They use it for legitimate (but annoying) purposes, such as targeting those with specific diseases.
  • Add physical identification, and the value goes through the roof for fake passports, driver’s licenses and visas.

The ways PHI can be accessed are many: EHRs, paper records, stolen laptops, CDs, accounting systems, provider, insurer and supplier systems, and simple ‘friendly fraud’ (more…)

The drip of data breaches now a flood: 4.5 million records hacked–update

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2014/08/keep-calm-and-encrypt-your-data-5.png” thumb_width=”150″ /]Breaking News–updated at end  Earlier this year [TTA 23 Apr] this Editor commented on the fourth annual update from the Ponemon Institute plus a qualitative study from IS Solutions that contained mostly unwelcome news for healthcare IT departments in the US. Ponemon’s new estimate of data breaches’ cost per year: $5.6 billion. While making some progress in the existential threat that data breaches present to institutional and personal security, both reports also outlined the disconnect between HIT professionals busy dealing with and sealing off the mice of internal causes versus the looming, huge menace of the external criminal threat. We now know that Godzilla has arrived and he’s stomping ‘n’ chomping. Community Health Systems of Franklin, Tennessee claimed today as part of a SEC regulatory filing that hackers originating in China breached sensitive information in 4.5 million patient records accumulated over five years during April and June using cyberattacks and sophisticated malware.  (more…)

Data breaches may cost healthcare organizations $5.6 bn annually: Ponemon (US)

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2013/10/keep-calm-and-enter-at-own-risk-3.png” thumb_width=”150″ /]The PHI threat is within for HIT staff and CIOs, with no end in sight: Ponemon Institute and IS Decisions

The Ponemon Institute’s fourth annual benchmark report on patient privacy and data security was released last week and with a few exceptions, the news is worse than last year. Eight highlights in the study of 91 responding organizations (Ponemon admits results are skewed to larger sized respondents) for 2013 are:

  1. The average cost of data breaches in the study group was approximately $2 million over a two-year period. Extrapolated to the over 5,700 hospitals in the US, the annual cost is $5.6 billion, down from $7 billion in 2012.
  2. The number of data breaches decreased slightly. 38 percent report more than five in the 2013 report compared to 45 percent in 2012. The number of organizations reporting at least one data breach in the past two years was 90 percent versus 94 percent in 2012.
  3. Healthcare organizations improve ability to control data breach costs. The economic impact of data breaches for the healthcare organizations represented in this study over the past two years is $2.0 million–but it is 17 percent (nearly $400,000) less than 2012.
  4. ACA increases risk to patient privacy and information security. No surprises here for readers with insecure exchange of information between healthcare providers and government (75 percent ), patient data on insecure databases (65 percent) and patient registration on insecure websites (63 percent) leading the way. (more…)

US health data breaches hit record; Healthcare.gov backdoored?

Security firm Redspin reports a total of 7.1 million affected records in 2013, up from 3 million in 2012. The five largest breaches accounted for 85 percent of the total: Advocate Health, Horizon BCBSNJ, AHMC Healthcare, Texas Health Harris Methodist Hospital Fort Worth and Indiana Family & Social Services Administration. Hardware theft of unencrypted devices accounted for the first three; Texas Health was perhaps the most unique because it disposed of over 277,000 microfiche patient records in a city park, making it the winner of last May’s ‘It’s Just Mulch’ award in ‘The exploding black market in healthcare data’.  Not included in the Redspin report (free download here) was a mid-December breach of 405,000 records at Bryan, Texas-based St. Joseph Health System which would have put it fourth on the list. This took place in a two-day data security attack on their servers traced to China and reported to the FBI. While Redspin attributes only six percent of breaches to hacking, this is an amount sure to increase as more information is digitized. Health Data Management, iHealthBeat, FierceHealthIT  Security breaches, natural disasters and outages are events that cost US hospitals over $1.6 billion annually, and 82 percent of health IT executives surveyed by MeriTalk said that their technology infrastructure is “not fully prepared for a disaster recovery incident.” The $1.6 billion seems low in light of the Ponemon Institute’s 2012 health data breach estimate of $7 billion annually–and the $12 billion in victim costs [TTA 14 Sept 13]. FierceHealthIT

.…and wait till Healthcare.gov-related security breaches start. This Editor stopped beating the dead and quartered horse of Healthcare.gov last year, finding that what was suspected and detailed from the start was simply borne out by subsequent revelations. Another example: the recent revelation that US intelligence agencies are highly concerned that code in the website was produced by programmers in Belarus, a former Soviet republic closely allied to that hotbed of hacking, Russia. That means that ‘backdoors’ are right in the code, waiting to be opened. This affects more than the website–but through the hub, states, HHS, IRS and DHS. How did our Washington types find out about it? When a top Belarusian official bragged on state radio about it! Ace intelligence writer Bill Gertz in the Washington Times broke the story. (Want more on the website’s security problems? See here for more on the Gertz story plus the David Kennedy/TrustedSec testimony and more. But bring your preferred headache remedy!)

Medical identity theft hits new highs

August ended with the report of the second highest-ever identity breach traced to a healthcare provider–4 million patient names, addresses, dates of birth, Social Security numbers and clinical information, contained on four unencrypted Advocate Health System (Illinois) office computers. It was a ‘behemoth breach’ in Healthcare IT News‘ words and has led to the filing of a class-action lawsuit (Privacy Rights Clearinghouse). Now security consultant Ponemon Institute’s latest report, released yesterday, increases the breach anxiety level with its 2013 Survey on Medical Identity Theft: (more…)