Update on Healthcare Data Breaches


From large hospital systems to small ASCs, cyberattacks continue to target facilities of all types.

The relentless cyberattacks on healthcare organizations — including surgery centers and hospitals — continue unabated. Since April, at least seven practices involved in the ASC industry have reported incidents. Here’s an overview of what these centers are saying about the attacks.

Seven centers impacted

Panorama Eyecare of Fort Collins, Colo., a physician-led management services organization, announced in June that an unauthorized party may have obtained access to its internal network between May 22 and June 4, 2023. “Upon learning of this issue, Panorama secured the environment and commenced a prompt and thorough investigation in consultation with outside cybersecurity professionals who regularly investigate and analyze these types of situations,” states Panorama, which added that the investigation revealed an unauthorized actor may have accessed and removed certain files from its network.

After a comprehensive review of the impacted files, Panorama discovered on May 9, 2024, that “certain impacted files containing personal information may have been accessed and/or acquired by an unauthorized individual.”

Panorama states that the potentially impacted files contained full names, variously combined with address, telephone number, date of birth, Social Security number, driver’s license number, driver’s license state, military identification number, passport number, Alien Registration Number, bank account number, routing number, credit and/or debit card number, expiration date, security code/PIN number, medical history, lab results, retina scans, prescription information, treating/referring physician name, patient number, medical treatment information, medical diagnosis information, medical record number, health insurance information, Medicare or Medicaid number, username and password, email address/username and password, and security question and answer.

Panorama says it has no evidence that any information has been used for identity theft or financial fraud as a result of the incident. “Nevertheless, out of an abundance of caution, Panorama is providing notice to the individuals whose information was potentially involved,” it states. The organization is providing credit monitoring services to individuals whose Social Security numbers are involved.

Panorama’s partner clinics in Colorado include Eye Center of Northern Colorado and 20/20 Vision Center in Fort Collins, Panorama LASIK at multiple locations, Denver Eye Surgeons in Lakewood, Evergreen Vision Clinic, Haas Vision Center in Colorado Springs, Windsor Eye Care & Vision Center, Arvada Vision & Eye Clinic and Boulder Eye Surgeons, along with Cheyenne Eye Clinic & Surgery Center in neighboring Wyoming.

In June, Coastal Orthopedics & Sports Medicine of Southwest Florida in Bradenton mailed data breach letters to current and former patients affected by a June 2023 data security incident about which it originally posted a notification in August 2023. Coastal states it is unaware of any identity theft or fraud that has occurred as a result of the event.

After Coastal became aware of suspicious unauthorized activity affecting certain systems on its network, it immediately launched an investigation to confirm its nature and scope, finding that certain files and folders were taken without authorization. It then worked to identify the sensitive information contained within the impacted files, as well as the individuals whose information may have been impacted. After identifying appropriate contact information for impacted individuals, it provided them written notification, while posting a notice on its website. Coastal also notified federal law enforcement and applicable regulatory authorities.

DID YOU KNOW?

In 2023, an astonishing 133 million health records were exposed, stolen or otherwise impermissibly disclosed, dwarfing the 51.9 million records breached the previous year. The 2023 total includes 26 data breaches of more than one million records and four breaches of more than eight million records. The largest data breach of the year affected 11,270,000 individuals — the second-largest healthcare data breach of all time.

Source: The HIPAA Journal

Coastal states the information affected “may include, but is not limited to, a combination of certain individuals’ names, Social Security numbers, patient identification numbers, medical record numbers, diagnosis information, other medical information, addresses, driver’s license number, health insurance information, financial account information and dates of birth.”

In June, The Mount Kisco (N.Y.) Surgery Center, which does business as The Ambulatory Surgery Center of Westchester (ASCW), announced it had learned of a data security incident that may have impacted data belonging to certain current and former employees and patients. Last November, it discovered unusual activity in an employee’s email account and immediately took steps to secure the account. It then engaged a digital forensics and incident response firm to investigate and determine if any data within the mailbox may have been affected. It found that certain files stored within the email account were accessed between October 23, 2023, and November 3, 2023. ASCW then performed a comprehensive review of the potentially affected data.

On May 30, ASCW identified that “certain individuals’ personal and/or protected health information” was contained in the account, including names, Social Security numbers, driver’s license or state identification numbers, dates of birth, medical information (including diagnosis, treatment and prescription information), health insurance information (including claim information and insurance ID numbers) and financial account information. On June 26, ASCW mailed written notification of the incident to impacted individuals. ASCW states that it is not aware of the misuse of any potentially affected individual’s information.

OrthoConnecticut in Danbury stated it had recently become aware of unauthorized access to its network. “As soon as we became aware of the issue, we launched an investigation, contained and secured the network, eradicated the threat, and alerted law enforcement,” it states, noting it is working closely with third-party cybersecurity professionals. The investigation determined that an unauthorized actor accessed OrthoConnecticut’s network in late November 2023 and may have accessed and removed certain files. After an extensive review of the impacted files, it discovered in March that certain files containing personal information “may have been accessed and/or acquired by the unauthorized party.” In May, it found that “additional individuals were identified as having personal information contained in the files.”

It states the impacted data included the personal information of certain individuals, including full names in combination with one or more of the following: Social Security number, driver’s license/government ID number, passport number, date of birth, medical record number, medical date of service, treatment location, treatment cost, procedure type, provider name, health insurance information, health insurance policy number, health benefit plan name, health insurance group number, patient ID number, mental or physical condition, diagnosis, diagnosis code, prescription information, subscriber member number, billing/claim information, patient account number, financial account number and routing number.

“We have no evidence that any information has been misused as a direct result of this incident,” states OrthoConnecticut. “Nevertheless, out of an abundance of caution, we are notifying affected individuals of the scope of the incident.”

In April, Island Ambulatory Surgery Center (IASC) in Brooklyn, N.Y., announced it had experienced a data security incident that may have involved personal and protected health information belonging to certain individuals who sought its services. In July 2023, IASC became aware of “unusual activity that disrupted access to certain systems,” took steps to secure its network and launched an investigation with independent cybersecurity experts. The investigation determined that an unauthorized actor accessed and acquired certain files stored in IASC’s network, some of which contained personal information.

BEST PRACTICES
Preventing Cyberattacks: Information Is Power
PREEMINENT PREVENTION Timely updates to security software and regular employee training are critical deterrence tactics.

Knowing how to combat cybersecurity threats is the first step toward thwarting them.

Anonymous threats that could cripple a healthcare facility seem to come from all directions and just thinking about how to prevent them can be dizzying. Thankfully, information about how to keep your business safe is plentiful. The federal government, for example, has an abundance of resources to help.

The Health Sector Cybersecurity Coordination Center (HC3) was created by the U.S. Department of Health and Human Services to help protect sensitive healthcare-related information and to coordinate information-sharing efforts in the healthcare industry about cybersecurity issues.

HC3 (osmag.net/cyber) provides healthcare executives and IT personnel with briefings about current threats, the tactics being used and effective mitigation strategies. The center also provides alerts about large-scale threats and hosts white papers and analyst notes to increase awareness about cybersecurity threats and recommendations on what to do about them.

A 2023 HC3 report lists phishing/smishing, ransomware attacks, data breaches, distributed denial-of-service attacks and information-stealing malware as the top cyberthreats facing the healthcare industry.

Cybersecurity experts have shared multiple strategies with Outpatient Surgery Magazine. Brett Johnson, a former hacker who now advises businesses on how to combat information breaches, says healthcare systems are easy targets because they’re essentially forced to pay ransoms to ensure patient care isn’t disrupted.

Healthcare systems must regularly update their firewalls and anti-malware software and not make employee training a one-off event. Research shows that employee training is effective for months after sessions but must be repeated for employees to keep cyberthreats top-of-mind.

“Outpatient facilities have to be as concerned about protecting their data as they are about the physical welfare of their patients,” says Mr. Johnson.

Northwell Health’s Chief Information Security Officer Kathy Hughes echoed Mr. Johnson’s sentiments, saying the basic steps by which independent facilities lacking significant IT infrastructure can make themselves less of a target include employee education, security technology and cyber hygiene.

Staff should know how to identify potential phishing emails, as that technique remains the easiest way for cybercriminals to infiltrate any organization. Anti-malware firewalls must be supplemented with encryption technologies to protect confidential patient data. Protection software should be patched regularly, and facilities should favor behavior-based detection over signature-based detection. Signature-based tools can only identify malicious code that has been caught in the past, whereas behavior-based solutions use artificial intelligence and machine learning to flag activity that differs from normal behavior on computer workstations.

Outpatient Surgery Editors

In February, IASC determined that certain individuals’ information may have been impacted, including name, date of birth, Social Security number, driver’s license number, medical information and/or health insurance information. In April, it provided notice of the incident to potentially impacted individuals.

These affected surgical facilities provided notification via mail to patients describing the incidents and what information belonging to them was compromised, and posted notices about the incidents on their websites, including information for possibly affected parties on steps they can take to protect themselves. They also set up dedicated toll-free response lines for individuals who have questions, need additional information, or need to determine if they are impacted.

Not surprisingly, law firms also posted press releases about several of the incidents, encouraging affected parties to contact them in the interest of filing lawsuits against the impacted facilities. In addition, at least two other practices that operate ASCs proactively reported investigations of more recent breaches.

In May, Victoria (Texas) Eye Center/Victoria Surgery Center/Victoria Vision Center (VEC) issued a press release to provide information regarding a data security event. On March 21, it became aware that some of its computer systems and the data they held were inaccessible due to malicious file encryption. Aided by third-party computer forensic specialists, VEC worked to determine the nature and scope of the event and worked to secure its systems and restore access to the information. It also investigated whether the event resulted in unauthorized access to information, and determined that an unknown actor gained access to a limited number of its systems and that certain files in those systems were accessed.

“In an abundance of caution, VEC performed a comprehensive review of the contents of the affected systems to determine what information could be contained in the impacted files and to whom the information related,” the organization stated in May. “The review was recently completed. Although the investigation could not determine the specific files, at the time of the event, name, address and medical identification number of certain individuals could have been stored within the impacted systems. To date, VEC has not received reports of any fraudulent misuse of any information potentially impacted by the event.”

In April, Watson Clinic in Lakeland, Fla., provided notice of a data security incident “that may have involved some of our patients’ information.” It states that cybercriminals targeted portions of its network. Watson states it promptly began working with third-party experts to investigate and respond to the incident.

“During that investigation, we became aware that the unauthorized third party accessed records with personal information,” states Watson Clinic. “Although we are still investigating the scope of that access, we are providing this notice to share best practices to help protect personal information and because we value transparency. We will notify individuals if we determine that their personal or medical information was in the files the third party accessed. Please know that we are working to complete our investigation as quickly and thoroughly as we can.”

Hospitals still a prime target


Of course, hospitals and health systems are also under constant attack, and offer cybercriminals much larger data sets to steal.

In May, Ascension, a health system based in St. Louis that operates 140 hospitals, announced it had detected unusual activity on its network due to a ransomware attack. Access to some of its systems, including its electronic health record (EHR), was interrupted as an investigation was launched. Ascension stated its care teams were trained for such a disruption and had initiated established downtime protocols and procedures to ensure safe patient care delivery with minimal impact. These included a return to a great deal of manual work: moving to paper records and processing numerous functions by hand, including dispensing medication, inputting medical records, ordering and completing diagnostic tests and procedures, contacting patients and sharing information securely. “There has been a disruption to clinical operations, and we continue to assess the impact and duration of the disruption,” the health system stated.

Ascension alerted its business partners to ensure they were aware of the situation so they could take appropriate steps to safeguard their own systems and worked with a third-party cybersecurity expert to investigate the attack. It set up a webpage that offered constant updates on the situation.

By June, access to Ascension’s EHR and patient portals was restored, allowing significant clinical workflow in its hospitals and clinics to return to normal, particularly in terms of appointment scheduling, wait times for appointments and prescription fulfillment. “However, our investigation into this incident is ongoing, along with the remediation of additional systems,” Ascension noted. What, if any, information was stolen and possibly sold on the dark web? Ascension stated, “Right now, we don’t know precisely what data was potentially affected and for which patients or associates. In order to reach those conclusions, we need to conduct a full review of the files that may have been impacted and carefully analyze them. While we have started this process, it is a significant undertaking that will take time. It is expected that we will be utilizing downtime procedures for some time. Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines.”

Sometimes patients and providers are put at risk of cybercrime without the criminals even accessing the surgical facility’s own network, but rather one of its third-party service providers’ networks. In March, Catholic Medical Center (CMC) in Manchester, N.H., was notified by Lamont Hanley & Associates (LH), which provides accounts receivable management services to the hospital, that it had suffered a data security incident in June 2023, when an unauthorized party accessed and/or acquired certain files containing personal and health information related to CMC patients. One employee email account was accessed by the unauthorized party via phishing.

LH conducted an investigation, contained and secured the email environment and changed the password to the affected email account. LH said it was not aware of any reports of identity fraud or improper use of personal and health information. In February, LH determined the specific personal information present within the account, including individual name, Social Security number, date of birth, medical and claim information, health insurance information, individual identification information and financial account information. “The investigation did not identify evidence of specific data access or acquisition by an unauthorized party, but could not conclude with 100% certainty that data within the account was not accessed or acquired by an unauthorized party,” stated CMC in April, when it announced the breach. CMC stated it was working with LH to notify potentially impacted patients via mail, and LH is providing complimentary credit monitoring services to those who are eligible.
