Hive Ransomware Hits Louisiana Hospitals, Leaks Patient Data
Patients Notified About October Incident at Lake Charles Memorial Health System
Hackers stole and leaked personal data for nearly 270,000 patients and employees in a ransomware attack in October against a healthcare organization located in southwest Louisiana. The Hive ransomware group has taken credit for the attack.
Lake Charles Memorial Health System says in a newly released breach report that hackers accessed hospital systems from Oct. 20 to Oct. 21 and stole files containing details such as patients' names, addresses, birthdates, medical records or patient identification numbers, health insurance information, payment information and clinical information, including care received. For some breach victims, Social Security numbers were also exposed.
The Lake Charles Memorial Health System consists of Lake Charles Memorial Hospital, Lake Charles Memorial Hospital for Women, Moss Memorial Health Clinic, Archer Institute and the Memorial Medical Group.
The health system says it confirmed the attack on Oct. 25 and brought in cybersecurity experts to investigate. It also notified law enforcement that it had suffered a hack attack.
Despite confirming the breach two months ago, LCMHS notified the U.S. Department of Health and Human Services' Office for Civil Rights about the incident on Dec. 22. Such notifications are required under the HITECH Act for any breaches of unsecured protected health information affecting 500 or more individuals. The law requires such reporting to be done "without unreasonable delay and in no case later than 60 days following a breach."
The incident is listed by OCR as being under investigation. LCMHS told the office that 269,752 individuals were affected.
On Friday, one day after notifying OCR, LCMHS began sending notices to affected patients. "We are mailing letters to patients whose information may have been involved in this incident," it says.
Patients whose Social Security numbers were exposed are being offered prepaid credit monitoring and identity theft protection services. "Patients are encouraged to review statements from their health insurer and healthcare providers, and to contact them immediately if they see any services they did not receive," LCMHS says.
"LCMH deeply regrets any concern this incident may cause our patients," it says. "We take this matter very seriously and are continuing to take steps to enhance the security of our systems and the information we maintain to help prevent something like this from happening again."
Hive Claims Responsibility
The Hive ransomware group claimed responsibility for the attack via its Tor-based data leak site on Nov. 15. The criminal syndicate claims that it encrypted the systems on Oct. 25, which is the day the organization says it confirmed the attack, apparently because multiple systems had been forcibly encrypted and left inaccessible, displaying only a ransom note.
After LCMHS declined to pay a ransom, Hive leaked data it had stolen, via a link on its data leak site - flagged with the message "SSN inside !!!" - that contained 270GB of data.
The U.S. Cybersecurity and Infrastructure Security Agency reports that as of last month, Hive has hit more than 1,300 companies worldwide and extorted victims for $100 million in ransom payments.
Affiliates of the ransomware-as-a-service group use a variety of techniques to gain initial access to a victim's network. In some cases, affiliates have taken advantage of a lack of multifactor authentication to access remote desktop protocol, VPNs or other remote network connection protocols. In other cases, affiliates have bypassed multifactor authentication, for example by exploiting the CVE-2020-12812 authentication vulnerability in unpatched Fortinet devices to gain remote access to FortiOS servers.
Other affiliates have employed phishing emails with malicious attachments that exploit known vulnerabilities in Microsoft Exchange servers - including CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523 - that organizations have failed to patch.