Healthcare facilities keep getting attacked. Earlier this year, hospitals in the Ascension network in Kansas were hit with a ransomware attack that has left a lasting impact. Now, the company is reaching out to patients who may have had their personal data compromised by the situation. Ascension shared a new update on Dec. 19 regarding the cyber-attack and will now contact people whose data was impacted. Ascension said the type of data is varied but can include medical, payment, insurance, government identification and other personal information. “Although patient data was involved, importantly, there remains no evidence that data was taken from our Electronic Health Records (EHR) and other clinical systems, where our full patient records are securely stored,” Ascension wrote in the press release.
Ascension has started to send letters to people who could’ve had their personal information stolen. The company said those letters should arrive in the mail in two to three weeks. Ascension manages hospitals and clinics in Wichita, Pittsburg, Wamego and Manhattan in Kansas.
Ascension reminds patients that systems have been restored in a “safe and secure fashion” and that downtime procedures have ended.[1]
2024 was a tumultuous year for cyber in the health sector. Hospitals, doctors and their business associates reported hundreds of health data breaches, including the highly disruptive Change Healthcare ransomware attack that compromised the privacy of 100 million Americans.
As of 20 December, the US Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool website lists a total of 677 major health data breaches affecting more than 182.4 million people so far in 2024.[2] By far, the most dominant type of breach - no surprise - was hacking/IT incidents. The HHS OCR website on Dec. 20 shows 550 such hacks affecting more than 166 million people in 2024. But nothing was as massive as the February cyberattack on Change Healthcare, the IT services unit of UnitedHealth Group.
That incident - claimed by Russian-speaking ransomware group BlackCat or AlphV - alone broke records not only in terms of the eye-popping number of people affected - 100 million, but also for the vast IT and business disruption suffered by thousands of the company's healthcare sector clients and other entities for months.
The ‘Change Healthcare’ attack had more of an impact than any other incident to date due to the concentration of services in a single organization and the breadth of the sector that it served, said Mike Hamilton, field CISO at security firm Lumifi. "The disruption caused chaos across the sector like no other event and uncovered the danger of this concentration. Providers could not verify patients' insurance, could not get paid, and both patient care and the financial stability of hospitals and clinics were diminished." As for the data exfiltration breach, it touched about one out of every three people in the US and was responsible for about 55% of the total individuals affected by major health data breaches in 2024. Change Healthcare set another dubious record - a $22 million ransom payment to the cybercriminals - one of the largest such payouts. "The Change Healthcare events sent a clear message - many of those affected did not even know how or why they were connected to Change, and they certainly had no clue about the impacts, until it was too late," said former healthcare CIO David Finn, an advisory board member of consulting firm First Health Advisory and principal of consulting firm Cyber Health Integrity LLC.
When it comes to attacks on healthcare providers, the largest such breach stemmed from a May ransomware and data theft incident - reportedly by cybercriminal gang Black Basta - at Ascension Health. That incident caused the Missouri-based hospital chain to shut down IT systems including electronic health records for several weeks and resulted in a data breach affecting 5.6 million patients and employees. That breach ranked third biggest on the HHS' Office for Civil Rights' website for the year so far.
A December 20th snapshot of the HHS OCR website shows that business associates were involved in 212, or about a third, of the major breaches reported so far in 2024. But those vendor incidents affected more than 131 million individuals, or about 75% of people affected by major health data breaches this year. That's due in large part to the massive impact of just one business associate's breach: the Change Healthcare hack. But other types of vendor incidents, not all cyber-related and not necessarily resulting in data compromises, also showcased the risk posed to concentrations of organizations, in healthcare and other industries, using certain third-party IT products and services. "The CrowdStrike software update also pointed out many issues in the software industry and how trusting 'buyers' are and how misplaced that trust can be," Finn said.
Global Impact - But it was not just HIPAA-regulated entities in the US healthcare sector that bore the brunt of hacking incidents like ransomware and other cybercrime. Globally, attacks on healthcare sector players - including pathology services provider Synnovis in the United Kingdom - also caused massive disruptions to several hospitals in London, as well as triggering a national shortage of type-O blood. "What we should be doing is spending time preparing incident response plans with all the functional and operational areas of the organization," Finn said. That means rehearsing lots of potential scenarios and lots of practice - "from the board of directors to the groundskeepers," Finn said. That should include, "How you get meds when the medication cabinets are shut down; how do you move patients within the hospital when admissions, discharges and transfer systems are not working; how do you order and perform blood draws when those systems are down; how do you bill, charge, communicate when the computer isn't working," he said. "This is not made-up stuff - this is exactly what is happening," at many organizations faced with sudden and long IT outages. Many are left unprepared. But having contingency plans is vital, Finn said. "Yes, it will not be the same, it won't be as fast or as efficient but you have to be able to do it."
10 Largest U.S. Health Data Breaches in 2024:
Source: US Dept. of Health and Human Services
After hacking/IT incidents, the second most common type of breach reported in 2024 was unauthorized access/disclosure. The HHS OCR website shows 107 such incidents affecting more than 16 million individuals. Some of those breaches, including two of the largest such incidents reported by Kaiser Permanente and Atrium Health, involved those entities' previous use of tracking tools such as Meta Pixel on their websites.
Another incident - reported by Pennsylvania-based health system Geisinger as affecting nearly 1.3 million individuals - spotlighted the ongoing risk posed by insiders. The Geisinger incident involved the former employee of a business associate, IT services provider Nuance Communications, a unit of Microsoft. The US Department of Justice last January indicted that individual on one count of "obtaining information from a protected computer," which is a federal crime under the Computer Fraud and Abuse Act. Some 6,584 major health data breaches affecting more than 746.6 million people had been posted on the HHS OCR website since September 2009. That's about the equivalent of every American having their PHI compromised at least twice in a major health data breach.
Looking Ahead - As the industry looks ahead to the new year, many of the same threats and other cyber issues facing healthcare in 2024 - including ransomware attacks, data theft attacks, and supply chain hacks - will continue and perhaps worsen, experts predict. "In 2025 more key services will be targeted to inflict as much disruption to the healthcare sector as possible," Hamilton said. "Criminals and nation-states now have the roadmap to broadly destabilizing the population and this is a strategic goal of several countries."
Other evolving trends to watch include threats and risks involving the internet of medical things, telehealth security, and artificial intelligence in diagnoses and other healthcare activities, other experts expect. "The sustained growth of telehealth services is driven by the growing need for accessible healthcare solutions," said recent research by security firm Optiv. "Remote patient monitoring and mobile health technologies are integral to this shift, but they are also increasing the risk of exposure to vast amounts of sensitive patient records," the report noted. Additionally, the inclusion of AI in diagnostics and care "raises ethical concerns about AI transparency and the reliance on pre-trained data models with limited visibility into training data adds on to the risk of inaccurate outcomes," the report said.
Max Henderson, assistant vice president of digital forensics and incident response at security firm Pondurance, said one of the most notable trends he's seeing that's likely to continue in 2025 is a shift away from traditional attack vectors like email attachments to users. "Now over 75% of our casework is originating from remote access such as VPNs and exploited security vulnerabilities on unpatched devices," he said. "I think we're seeing a major shift in the communications and requirements to restore connectivity with vendors, such as pharmacy and radiology, as potential interconnected partners are truly understanding the risk at hand," he said.
To stay ahead of these trends, Henderson recommends healthcare sector organizations review all their allowed VPN users for any old accounts or accounts that do not require multifactor authentication, as well as ensure security patches are applied at the perimeter. Meanwhile, as the US healthcare sector prepares for an uncertain regulatory climate in 2025, cybersecurity issues will be in flux, some experts predict. "Given we have a new administration coming in, whatever we thought was going to happen is likely to change. Like the providers themselves, we all must be prepared," Finn said. "Be aware, keep your professional networks up and running. We will not change this individually; we will only change it by working together," he said. "Work together, inside your organization, across your community and with every group that is involved with cyber in the sector," Finn said.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://news.yahoo.com/news/ascension-contacting-patients-data-compromised-154801919.html/
[2] https://www.govinfosecurity.com/how-healthcare-cyberattacks-broke-records-in-2024-a-27116