Breach notice confirms One Brooklyn Health cyberattack, outage in November

The New York State Department of Health confirmed to SC Media that the One Brooklyn Health network outage in November was a cyberattack. (Army National Guard)

One Brooklyn Health released a breach notice highlighting the reported network outages suffered by the New York provider in November and December.

OBH had kept relatively quiet amid local media outlets’ coverage of patients experiencing delays in care due to the breach. As SC Media previously reported, its hospitals were forced offline in November due to an unexplained IT issue, with providers operating under electronic health record downtime and relying on paper procedures to maintain patient care.

The New York State Department of Health confirmed to SC Media that it was aware of the incident and was working with OBH to prioritize patient safety. However, the health system provided little detail about the outage or the attack, much to the dismay of patients.

The notice confirms a “cybersecurity incident” that occurred on November 19 and affected three OBH hospitals and affiliated care sites: Brookdale Hospital Medical Center, Interfaith Medical Center and Kingsbrook Jewish Medical Center. These safety net hospitals serve nearly 1 million under-resourced patients in the Flatbush neighborhood of Brooklyn.

The event affected all computer systems and temporarily disrupted some operating processes. While the description of the incident points to ransomware, officials did not confirm the reason behind the attack.

OBH actively took systems offline in the wake of the attack and worked with an outside expert to determine the nature of the attack. Forensics revealed that access to the OBH system began four months before the attack was deployed, allowing the threat actor to “copy a limited amount of data” from the network.

The investigative team is still reviewing the contents of the compromised data to determine what protected health information or personal data was contained in the affected files. Preliminary assessment confirmed that some patient information was part of the exfiltrated data.

OBH confirmed that the affected data includes patient names, dates of birth, billing and claims data, treatment details, medical record numbers, prescriptions and health insurance information.

Law enforcement has been contacted, and health system leaders continue to cooperate with their ongoing, independent investigation. OBH is currently reviewing its existing data protection policies and training protocols after implementing advanced security measures and monitoring tools.

NextGen added to ALPHV dark web posting

Early last week, the actors behind the BlackCat, aka ALPHV, ransomware published a new post on their dark web site, claiming to have stolen data from NextGen Healthcare. NextGen provides a healthcare IT platform, EHR, and practice management tools for ambulatory care providers.

The posting appeared on January 17 with several other alleged victims outside the health sector. In a comment sent to SC Media, a NextGen Healthcare spokesperson confirmed that they are “aware of this claim” and are “working with leading cyber security experts to investigate and remediate.”

“We quickly contained the threat, secured our network and have returned to normal operations,” the spokesperson said. The forensic “review is ongoing and to date, we have not uncovered any evidence of access or exfiltration of client or patient data. The privacy and security of our clients and their patient information is of the utmost importance to us.”

The Department of Health and Human Services issued an alert on the BlackCat threat to the sector in December and an almost identical warning earlier this month. The “extraordinarily competent” group is likely manned by experienced threat actors.

The HHS Cybersecurity Coordination Center warns that ALPHV is “one of the most sophisticated ransomware-as-a-service (RaaS) operations in the global cybercriminal ecosystem” and a human-operated variant. BlackCat should be of concern to all provider organizations, as its technical capabilities across a wide range of corporate environments are superior to those of other RaaS variants.

BayCare Clinic reports breach linked to use of Pixel tracking tool

BayCare Clinic is notifying its 134,000 patients that their data was compromised due to the use of Google and Meta Pixel tracking tools on their MyCareBay patient portal. BayCare Clinic is the largest physician-owned specialty-care clinic in Northeast Wisconsin and Michigan’s Upper Peninsula and is part of Advocate Aurora Health.

The notice posted on its website directs patients to a pixel notification previously posted on the Advocate Aurora website. However, both the patient notice and FAQ page posted on the parent company’s site have been removed.

As SC Media reported, Advocate Aurora previously notified patients that their protected health information was shared with third-party vendors such as Google and Facebook as a result of the use of the pixel tracking tool on its patient portal websites, applications, and some scheduling tools.

The health system previously used tracking technologies to “understand how patients and others interact with our websites” by measuring and evaluating the trends and preferences of patients who use its websites.

However, Advocate Aurora found that the tool disclosed details about patients’ website interactions to third-party vendors, specifically for users who were “concurrently logged into their Google or Facebook accounts” and had shared their identity and other surfing habits with those companies, officials explained at the time.

Their investigation also revealed that the pixel and similar technology used on its websites disclosed certain protected health information in “special circumstances” to specific vendors. Given its affiliation with Advocate Aurora and the redirection to a previously posted breach notice, BayCare Clinic patients saw similar disclosures.

Advocate Aurora disabled and/or removed Pixel from its platform after discovering the unauthorized disclosure and is currently defending itself against a patient-led lawsuit in the wake of its breach notice and multiple reports alleging that the Meta Pixel tool was scraping hospital data without patient permission.

Facebook, Novant Health and WakeMed are also fighting similar lawsuits filed after providers issued similar notices to patients.

Insulet’s Omnipod users may have had data exposed to third parties

Using language similar to that of provider organizations affected by the use of the pixel, Insulet recently notified 29,000 Omnipod medical device users that their data had been exposed to “website performance and marketing partners” due to a misconfiguration in its email receipt verification.

The notice explained that Omnipod DASH patients were sent a medical device correction letter with an email follow-up acknowledgment request. The configuration of the webpages used for this verification “exposed certain limited personal information” about patients to outside parties through the use of cookies and “other trackers” embedded in the Omnipod site.

The URL of the page, customized for each user, included their IP addresses, whether the person was a DASH user, and whether the patient had a Personal Diabetes Manager. All of this information was inadvertently shared with Insulet’s website performance and marketing partners.

Upon discovering the misconfiguration on December 6, Insulet disabled all tracking code used on its site to prevent further exposure of protected health information. Insulet also requested that partners who received this information delete logs of IP addresses and unique URLs to block their access to this personal information.
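The exposure path described above, a per-user URL on a page that also loads third-party trackers, can be checked for before a page ships. The following is an added example, not code from Insulet or SC Media; the URL, parameter names and hosts are constructed, and an unset referrer policy is assumed to mean the current browser default.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Tags whose attribute makes the browser fetch a resource on page load.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
# Referrer policies that send the full page URL to other origins.
LEAKY_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}

class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.resources = []          # (tag, url) pairs found in the page
        self.referrer_policy = None  # from <meta name="referrer">, if present

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.referrer_policy = (a.get("content") or "").strip().lower()
        attr = FETCH_ATTRS.get(tag)
        if attr and a.get(attr):
            self.resources.append((tag, a[attr]))

def audit_page(page_url, html, first_party_domain, identifying_params):
    """Map each third-party host to the channel that hands it the page URL."""
    query = urlsplit(page_url).query
    exposed = sorted({k for k, _ in parse_qsl(query) if k in identifying_params})
    collector = ResourceCollector()
    collector.feed(html)
    leaks = {}
    for tag, url in collector.resources:
        host = urlsplit(url).hostname
        if not host or ("." + host).endswith("." + first_party_domain):
            continue  # relative or first-party resource
        if tag == "script":
            # Runs in the page and reads location.href, whatever the policy.
            leaks[host] = "script"
        elif collector.referrer_policy in LEAKY_POLICIES:
            # Passive fetch: the URL travels in the Referer header. An unset
            # policy is assumed to be the origin-only browser default.
            leaks.setdefault(host, "referer")
    return {"exposed_params": exposed, "leaks": leaks if exposed else {}}

# Constructed sample: a per-user acknowledgment URL and the page it serves.
SAMPLE_URL = "https://device.example/ack?uid=ABC123&dash=1&pdm=1&lang=en"
SAMPLE_HTML = """<head><meta name="referrer" content="unsafe-url">
<link rel="stylesheet" href="https://static.device.example/site.css">
<script src="https://cdn.analytics.example/t.js"></script>
<script src="/static/app.js"></script></head>
<body><img src="https://pixel.ads.example/p.gif" width="1" height="1"></body>"""
```

Tightening the referrer policy clears the image pixel finding but not the script finding, which is why removing the tracking code from such pages is the effective fix.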

Arkansas hospital reports ongoing investigation into data theft

Howard Memorial Hospital in Arkansas recently began notifying an undisclosed number of patients that it is currently investigating a data security incident, after a threat actor claimed to have stolen data from its network on December 4.

HMH detected suspicious activity within its computer network in early December, just as the actors made their allegations. The response team quickly worked to secure the network and launched an investigation with the support of an external cybersecurity firm, “while securely maintaining full operational functionality” to continue treating patients.

The investigation is ongoing, but HMH has since confirmed that the threat actors did indeed steal “certain files” from the network between 14 November and 4 December.

For now, HMH has confirmed that the data potentially stolen could include names, contact details, SSNs, health insurance information, medical record numbers, medical histories, diagnoses, treatments and provider names. For employees, the data may include name, contact details, SSN, date of birth and direct deposit bank account information.

The response team is still reviewing files at risk to “identify current and former patients, and any current and former employees, whose information may have been affected by this incident.” After confirming the impact, HMH intends to issue follow-up notices directly to those affected patients.

The prompt notice will enable patients to quickly identify and respond to potential fraud attempts, while allowing HMH to comply with the 60-day reporting requirement set forth in the Health Insurance Portability and Accountability Act.

HMH is currently evaluating its existing policies and procedures and intends to implement additional administrative and technical safeguards to prevent a recurrence.
