Attacks on 2 Specialty Care Providers Affect Nearly 600,000Both Ransomware Incidents Occurred in 2022
Two specialty medical care firms - a Texas-based home healthcare agency and a Pennsylvania-based women's and family health clinic - are reporting separate ransomware breaches that in total affect nearly 600,000 individuals.
Dallas-based Home Care Providers of Texas reported its incident to the Texas attorney general's office on Jan. 13 as affecting about 124,000 residents of the Lone Star State. The company's breach notification statement indicates that an undisclosed number of North Carolina residents are also affected.
Meanwhile, Wilkes-Barre, Pennsylvania-based nonprofit Maternal and Family Health Services reported a ransomware incident on Jan. 10 to the Maine attorney general's office as affecting nearly 461,200 individuals, including 68 Maine residents. MFHS supports a network of health and nutrition centers in 17 Pennsylvania counties.
The incidents follow a growing trend of ransomware criminals hitting a widening range of different types of healthcare providers and their vendors, including smaller and specialty entities.
"Healthcare data is very lucrative right now and the criminals know that small to medium-sized companies tend to have less security than larger companies," says Jerry Caponera, general manager of cyber risk at security firm ThreatConnect.
Michael Hamilton, CISO of security firm Critical Insights, says that cybercriminals also appear to be picking potential healthcare victims more selectively.
"The choice of targets is also criminal risk minimization at work. Organizations that do not provide acute care services are less likely to have patient outcomes that may include loss of life during a disruption event like ransomware," he says. "This keeps the criminals at arm's length of the 'terrorist' moniker, as has been applied by the Biden administration."
Home Health Care Incident
HCPT says it became aware last June of its ransomware attack. "In addition, an unauthorized party removed a limited number of files from our systems," the company says in its breach notification statement.
The company alerted law enforcement and engaged a third-party cybersecurity firm. It completed a forensics investigation and a comprehensive review of all affected data on Nov. 15, determining that an unauthorized party had accessed HCPT systems between June 15 and June 29, 2022.
Affected information includes individual names, addresses, birthdates, Social Security numbers, certain treatment or diagnosis information, and medication information.
HCPT did not immediately respond to Information Security Media Group's request for comment and additional details about its incident.
Maternal and Family Health Services Breach
MFHS says it started on Jan. 3 the work of notifying affected individuals - including current and former employees, patients and vendors - of its April 4, 2022 ransomware incident.
The organization says an investigation into the incident determined that unauthorized access to MFHS systems occurred between Aug. 21, 2021 and April 4, 2022.
Affected information includes names, addresses, birthdates, Social Security numbers, driver's license numbers, financial information, usernames and passwords, medical information and health insurance information. MFHS says it does not have any evidence that any information has been misused as a result of the breach.
The organization says it is offering individuals 12 months of complimentary credit and identity monitoring and is "strengthening" its security to prevent similar future incidents.
MFHS did not immediately respond to ISMG's request for additional details about its incident.
Healthcare sector organizations across the board are facing a range of pressures that can ultimately affect their cybersecurity. "The challenges healthcare companies face are the squeeze on costs with rising inflation, decreasing payments from insurers, and increasing health care costs," Caponera says. "IT - and by extension, cybersecurity - tends to get squeezed in that mix," he says.
Smaller healthcare sector organizations that are especially pinched for cybersecurity resources should "pull the lever that's least expensive and moves the security needle the most: Create a policy of all personal use to be conducted on a personal device," Hamilton says.
"Those that don't need external email should not get it, and social media and other sources of 'bait' should be blocked," he says.