Scripps Health Attackers Stole PHI of 147,000 Patients
But Entity Says Its EHR System Was Not Compromised
Scripps Health this week began notifying more than 147,000 individuals that their financial and health information was contained in documents stolen by attackers who deployed ransomware on the healthcare organization's network in May.
In a statement Tuesday, San Diego-based Scripps Health says its investigation into the incident discovered on May 1 has determined that an "unauthorized person" gained access to its network, deployed malware and, on April 29, "acquired copies of some of the documents" containing patient information.
"As the investigation is ongoing, we do not yet know the content of the remainder of documents we believe are involved, though we are working with third party experts to determine those facts as quickly as possible," Scripps Health says.
The ransomware incident disrupted Scripps Health patient services for weeks as the entity took its electronic health records, patient portal and other systems offline during its recovery. Clinicians had to resort to using paper records and other manual processes in patient care, and many appointments and procedures were postponed (see: Security Incident Leads Scripps Health to Postpone Care).
In its statement, however, Scripps Health says its Epic EHR system was not infiltrated in the incident. Rather, the health information and personal financial information compromised in the incident were acquired by attackers "through other documents stored on our network," Scripps Health says.
For certain patients, information included in the stolen documents potentially included names, addresses, dates of birth, health insurance information, medical record numbers, patient account numbers and/or clinical information, such as physician name, dates of service and treatment information, Scripps says.
For less than 2.5% of affected patients, Social Security numbers and driver's license numbers were also compromised.
The entity is offering patients whose Social Security numbers and/or driver’s license numbers were affected complimentary credit monitoring and identity protection support services, the statement notes.
Scripps Health says that to date, there is no indication that any of the stolen data has been used to commit fraud.
In the wake of the incident, Scripps Health says it is continuing to "implement enhancements" to its information security, systems and monitoring capabilities.
"We also continue to work closely with federal law enforcement to assist their ongoing investigation," it says.
Initially, Scripps Health described the incident only as a "cyberattack" and only publicly confirmed the incident involved ransomware three weeks into the organization's recovery.
Scripps Health on Tuesday also said its systems, including its patient portal, have been restored and that the organization has "resumed normal operations" at its hospitals and other healthcare facilities.
Scripps Health declined Information Security Media Group's request for additional details about the ransomware incident.
The ransomware incident at Scripps Health is among the latest such attacks on healthcare sector entities, which have surged during the COVID-19 pandemic, and the trend is evolving and worsening, some experts note (see: Health Data Breach Tally's 2021 Surge Continues).
"The term ‘ransomware’ has really become something of a misnomer insofar as it’s used to describe cyber-extortion incidents," says Brett Callow, a threat analyst at the security firm Emsisoft.
Exfiltration - such as what apparently occurred in the Scripps Health incident - is now a key element of many attacks, he notes. "In fact, one ransomware group claims to have completely abandoned ransomware, as in malware that encrypts files, and switched to an extortion model based on exfiltration only," he says.
"While most other groups will probably not abandon encryption, they’ll likely not abandon exfiltration either. The double extortion model of encryption plus exfiltration appears to be successful and so, unfortunately, will likely be with us over the long haul."
Crisis management and investigations attorney Bill Moran of the law firm Otterbourg P.C. offers a similar assessment.
"I believe the perpetrators of intrusions into the vulnerable healthcare sector will likely increase their attacks, which include both ransomware and data theft," he says.
To help deter these trends, the U.S. government needs to "answer the call to draft U.S. Big Tech into joining forces to wage war on cybercrime and make it more difficult to succeed as an operation," he contends.
"Until that happens, ransoms will continue to be paid by healthcare providers to regain access to encrypted vital data … stolen personal data will continue to be sold to the highest bidder on the darkweb, for numerous nefarious purposes," he says.
In the meantime, Jen Ellis, co-chair of the Institute for Security and Technology's Ransomware Task Force and a vice president at security firm Rapid7, notes that ransomware attackers are also evolving their tactics.
"Ransomware attackers have also broadened the ways in which they attempt to infiltrate organizations they intend to ransom and try to take advantage of weak configurations in remote access components such as Microsoft Remote Desktop Protocol, Citrix and virtual private network gateways," she notes.
In addition, another burgeoning and concerning trend is the availability of ransomware-as-a-service, "which means attackers can pay others to do the dirty work and do not require the technical skills themselves," she adds. "This is an indication of the ransomware market maturing and it means the barriers to entry are lower than ever. With so much potential for profit, ransomware-as-a-service is likely to attract plenty of new players, increasing the number of attacks."
But as healthcare sector entities become a bigger target for ransomware attacks, they also must become more proactive in their defensive measures, more proficient in detection and better prepared to respond, Ellis says.
"There are some core fundamentals that should be widely adopted across the board, which include regularly backing up data, patching systems to reduce attack exposure, filtering emails to weed out malicious traffic, educating employees about how to avoid threats and deploying access management systems," she notes.
"Many of these measures have traditionally been seen as challenging for clinical healthcare environments to adopt, but the reality is that without them, hospitals are effectively sitting ducks for attackers."