Irish Hospital, Texas Practice Deal with Attack Aftermath
Latest Healthcare Sector Ransomware Victims, Inside and Outside the U.S.
As the final weeks of 2021 wrap up, healthcare entities in and outside the U.S. continue to deal with IT systems disruptions and major data breaches involving ransomware and other cyberattacks.
That includes a hospital for women and infants in Ireland that on Monday was still dealing with an apparent ransomware incident that occurred late last week.
The incident at Dublin-based Coombe Women and Infants University Hospital comes on the heels of a recent report from PricewaterhouseCoopers spotlighting a long list of security shortcomings contributing to a ransomware attack in May. That incident caused more widespread IT outages for several months across Ireland's Health Service Executive, the country's healthcare system (see: Report Dissects Conti Ransomware Attack on Ireland's HSE).
Meanwhile, a Texas-based ear, nose and throat medical specialty practice has reported to federal regulators a recent ransomware breach involving the theft of patient data and affecting more than 535,000 individuals.
As of Monday, the hacking incident reported on Dec. 10 by Houston-based Texas ENT Specialists was the 17th-largest health data breach posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website so far in 2021.
A spokesman for Texas ENT tells Information Security Media Group that the practice learned of the data security incident in October from the FBI.
The Coombe's Incident
A message posted on the home page of the Coombe's website on Monday confirmed that the hospital had been the subject of a cyberattack.
"We wish to advise all those accessing our services that we are operating as normal," the message says. The Coombe says it has "locked down all our IT systems on a precautionary basis and are working closely with the HSE to resolve the matter."
Patients coming to The Coombe are being requested to bring their appointment cards, because the hospital's Healthlink secure messaging network is currently not available, the message says.
Neither the HSE nor The Coombe immediately responded to ISMG's request for additional information about the incident.
HSE Chief Executive Paul Reid says the overnight attack on Thursday appeared to have been limited to The Coombe and did not affect the country's wider health network, according to the Irish Times.
The Coombe’s radiology system and some patient management systems were among those initially affected last week, according to the Irish news outlet.
Earlier this month, PwC released a 157-page report commissioned by the HSE that analyzed the May ransomware attack on the HSE, which caused widespread disruption to the country's healthcare system, lasting about four months.
PwC says attackers took advantage of a number of vulnerabilities that are not unique to Ireland's national health system, including issues faced by other organizations. Those issues included HSE having "a very low level of cybersecurity maturity" as evaluated against the National Institute of Standards and Technology's Cybersecurity Framework, the report says.
The report said that the earlier, larger HSE attack began on March 18 from a malware infection on an HSE workstation as the result of a user clicking and opening a malicious Microsoft Excel file that was attached to a phishing email sent to the user on March 16.
After gaining unauthorized access to the HSE’s IT environment on March 18, the attacker continued to operate in the environment over an eight-week period until the "detonation" of the Conti ransomware on May 14, the report says.
Additionally, on Monday the Irish Examiner reported that the HSE is examining a newly discovered trove of data stolen in the May cyberattack to identify patients whose information was affected, following an agreement between the Garda National Cyber Crime Bureau and the U.S. Department of Justice.
Texas ENT Breach
In the U.S., the Texas ENT ransomware incident did not result in encryption of data or disruption to patient services because the practice's systems stopped that from occurring, the spokesman tells ISMG.
The attackers have not made extortion demands against the practice, the spokesman says. He says the incident is still under investigation by law enforcement authorities, and the practice does not know what type of ransomware was involved or whether any patient information has appeared on the dark web.
In its breach notification statement, Texas ENT says that on Oct. 19, it learned that files containing patient information had been subject to unauthorized access during a data security incident.
"With assistance from a third-party cybersecurity firm, we determined that unauthorized parties gained access to our computer systems and took copies of Texas ENT files between Aug. 9 and Aug. 15," the statement says.
A review of the affected files determined that compromised information includes patient names, dates of birth, medical record numbers, and procedure codes used for billing purposes, as well as "a limited number" of patient Social Security numbers, the statement says. It also says Texas ENT’s electronic medical records system was not accessed in the incident.
Some experts note that the latest attacks spotlight the ongoing threats and risks facing healthcare entities and their patients' sensitive information.
"Usually, ransomware gangs not only try and lock down a victim network, but they exfiltrate, or steal, a victim's data first in order to use that as a means to force a quicker and more profitable negotiation," says retired FBI supervisory agent Jason G. Weiss, an attorney at Faegre Drinker Biddle & Reath.
"The theft of a victim's data does not always include the rollout of ransomware malware during the incident," Weiss says, "but in many cases the two are tied together, providing a bigger embarrassment and work disruption to the victim in order to try and obtain a larger and faster ransom."
Threat analyst Brett Callow of the security firm Emsisoft says healthcare providers should be required to disclose more detail about security incidents and how patient information was compromised.
"From the perspective of patients, there’s probably a big difference between 'took copies of files' and 'took copies of files and posted them on the dark web from where they’ve since been downloaded,' potentially thousands of times," he says.
The lack of information about some data security incidents is problematic in other ways, too, according to Callow.
"You can’t manage what you can’t measure, as the old saying goes. Understanding how and why incidents such as these happen can help other organizations take steps to ensure the same thing doesn’t happen to them."