Fraud Management & Cybercrime , Healthcare , Incident & Breach Response
Emerging Risk Management Issue: Vendors Hit by RansomwareWhen a Vendor Gets Hit, Many Customers Can Be Affected
Two recent ransomware incidents that targeted companies serving healthcare organizations highlight an emerging vendor risk management challenge in the sector.
Blackbaud, which sells cloud-based marketing, fundraising and customer relationship management software, was recently hit by ransomware, and some of its affected clients are now being revealed. Meanwhile, medical debt collector firm R1 RCM, formerly known as Accretive Health, also has been hit by ransomware, according to the KrebsonSecurity blog.
The Chicago-based R1 RCM security incident is reminiscent of one revealed last year by another medical bill collector – American Medical Collection Agency. That incident, which affected more than two dozen health sector entities and more than 20 million individuals – was collectively the largest U.S. health data breach reported to regulators in 2019.
“The types of incidents that involve vendors, providing financial and fundraising services to a broad swath of leading healthcare organizations, really are the scariest of incidents because of the breadth and sheer volume of the data they could be handling,” says privacy attorney David Holtzman of consulting firm HITprivacy.
“We should take this as an opportunity to prepare for the eventuality that one of our vendors is going to suffer a cybersecurity incident.”
—David Holtzman, HITprivacy
"’Nichey’ third party vendors are a considerable risk to covered entities because they are typically ‘off the radar’ and unseen, but process enormous amounts of information,” adds Adam Nunn, senior principal consultant at Clearwater, a privacy and security consulting firm.
Blackbaud Breach Impact
South Carolina-based Blackbaud last month revealed that it was hit by a ransomware attack in May. The company has not disclosed the identities of clients affected. But some customers have issued notifications, including Northern Light Health, a Maine-based healthcare delivery system.
Northern Light reported that the hacking incident affected more than 657,000 individuals it serves, which makes the breach the second largest reported to the Department of Health and Human Services so far this year.
In a notification statement, Northern Light Health Foundation says it recently learned “that it is one of thousands of hospitals, healthcare systems, and other nonprofit organizations, including several in Maine, to be affected by a security event at Blackbaud, the company that hosts our fundraising databases.”
The organization says the affected databases “include information about donors, potential donors, those who may have attended a fundraising event, patients who we believe may want to support our healthcare mission, and others in the community with whom we have relationships.”
"According to Blackbaud, the cybercriminals were not successful at gaining access to Blackbaud’s encrypted files, but they were able to access backup files that contained fundraising information," Northern Light Health notes in its statement.
The organization adds that Blackbaud said its teams "were able to quickly identify the vulnerability associated with this incident, including the tactics used by the cybercriminal, and took swift action to fix it."
In a statement provided to Information Security Media Group, Blackbaud says that to respect the privacy of its customers, “we cannot provide the names of those who were part of this incident nor can we discuss any customer specifically. Those customers which were part of this incident have been notified."
The incident "was limited to a subset of our self-hosted (or co-located) environment. No entire product line was part of this incident," Blackbaud adds. "This incident did not reach solutions to the public cloud environment – i.e. Microsoft Azure, Amazon Web Services - nor did it reach the majority of our self-hosted environment."
R1 RCM Incident
In the other recent ransomware incident targeting a vendor, R1 RCM acknowledged taking down its systems in response to the recent attack, but otherwise declined to comment, according to KrebsOnSecurity.
R1 RCM did not respond to multiple requests from ISMG for comment.
KrebsOnSecurity reports that it appears R1 RCM was hit by ransomware in early August and that the incident, according to sources, involves malware known as Defray, which is usually spread “via booby-trapped Microsoft Office documents sent via email.”
The cyberattack on another medical debt collection firm – AMCA – last year impacted more than two dozen healthcare sector entities and millions of their patients. The New York-based company later filed for bankruptcy and faces class action lawsuits related to the incident.
A Wake-Up Call
The recent incidents involving Blackbaud and R1 RCM should serve as a wake-up call for all healthcare organizations, Holtzman says.
“We should take this as an opportunity to prepare for the eventuality that one of our vendors is going to suffer a cybersecurity incident,” he says.