Cyberattacks continue to pummel healthcare organizations already stretched thin by lack of resources and the ongoing COVID-19 pandemic, as evidenced by two recently disclosed attacks targeting providers in California and Arizona.
Starting Aug. 24, 2021, California-based LifeLong Medical Care began informing individuals that their data was affected in a ransomware attack against Netgain, a third-party vendor that provides services to healthcare providers. LifeLong reported to the Department of Health and Human Services that 115,448 people were affected in the attack.
Netgain first detected anomalous network activity on Nov. 24, 2020, LifeLong reported in a letter disclosing the breach to affected customers. On Feb. 25, 2021, Netgain's investigation revealed "certain files were accessed and/or acquired without authorization." LifeLong conducted a review of the contents of the stolen files to determine whether they contained any sensitive data.
On Aug. 9, LifeLong found some identifiable personal and health information was accessed from Netgain's network in relation to the attack. This data included full names and one or more of the following: Social Security numbers, dates of birth, patient cardholder numbers, and/or treatment and diagnosis information, the letter states. Officials are not aware of reports of identity fraud or improper use of the affected data directly related to the attack.
LifeLong advises those affected to take steps to protect their data with actions such as placing a fraud alert or security freeze on their credit files, receiving free credit reports, enrolling in free credit monitoring if their SSN was affected, and paying close attention when reviewing financial statements, credit reports, and explanation of benefits statements for suspicious activity.
In a separate attack, Arizona-based Desert Wells Family Medicine has begun notifying patients whose data may have been involved in a "recent ransomware and data loss incident" that took place on May 21, 2021, and affected many of its IT systems.
When it learned of suspicious activity on its network, Desert Wells hired security experts and an incident response team to assess and remediate the damage. The healthcare provider also alerted federal law enforcement and began an investigation with a third-party IT forensics firm to determine the extent of information accessed and stolen by the attackers.
Their investigation revealed no evidence that sensitive data was taken; however, the attacker who accessed the network corrupted the data. As a result, the patient electronic health records that Desert Wells possessed before May 21 cannot be recovered "despite our exhaustive efforts to try to recover our patients' sensitive information," officials wrote in their letter.
The data in affected patient records "may have included patients' names in combination with their address, date of birth, Social Security number, driver's license number, patient account number, billing account number, health insurance plan member ID, medical record number, dates of service, provider names, and medical and clinical treatment information," they report.
To date, the firms investigating the attack have not found evidence indicating any of this information has been misused.
Desert Wells says it will continue trying to rebuild patients' electronic health records in a "new and enhanced electronic medical record system," a process that includes compiling patient data from other sources, such as medical specialists, previous medical providers, hospitals, pharmacies, imaging centers, and labs, among others. The provider is offering complimentary credit monitoring and identity theft protection, and patients are advised to review statements from healthcare providers and insurers to watch for medical services they did not receive.
News of the attacks follows research that finds midsize healthcare organizations face higher costs after cyberattacks compared with larger organizations. The average cost of a cyberattack-related shutdown exceeds $440,000 for smaller organizations and $130,000 for larger ones. Researchers say while attacks against healthcare have increased, many victims – especially midsize hospitals – have not adapted to the change.