The threat of ransomware is picking up for U.S. hospitals, their partners and the patients whose data they collect.
A recently disclosed ransomware attack at a payment vendor could have exposed patient data from more than 650 healthcare providers, including those at Arizona-based nonprofit Banner Health and Nevada physician network Renown Health.
While the exact number of patients affected is unclear, it could be one of the biggest healthcare data breaches this year given the extensive network of providers involved.
In addition, the federal government issued an advisory Wednesday warning healthcare and public health organizations that North Korea government-sponsored hackers have been targeting the industry using a particular form of ransomware for the past year.
Echoes of 2019’s biggest breach in new attack
Cyberattacks are a perennial issue for the healthcare industry. Providers and their partners are troves of highly sensitive data, and are an attractive target for geopolitical adversaries looking to disrupt continuity of medical care in a rival state.
Bad actors have seen particular opportunity in the chaos of the COVID-19 pandemic and rising geopolitical strife, especially Russia’s invasion of Ukraine. Health data breaches reached a record high last year, according to cybersecurity firm Critical Insights.
Ransomware is an especially malicious tool for hackers to use against hospitals, where IT downtime has been proven to have real effects on patient health and outcomes.
As a result, hospitals may be more willing to pay a ransom to recover use of their systems than other companies.
Earlier this month, Northern Colorado-based debt collections company Professional Finance Company began sending out breach notification letters to patients saying their personal and medical information may have been compromised in a February ransomware attack. PFC said it notified the 657 potentially impacted providers in early May.
Before PFC detected and blocked the attack, hackers were able to access and disable some PFC computers, giving access to information such as patient names, addresses, Social Security numbers and health insurance and medical treatment data, according to PFC’s notice.
The breach has not appeared on HHS’ data breach reporting website, so it’s unclear how many patients might have been affected. A 2019 breach at the American Medical Collection Agency, which provided similar services as PFC, exposed the data of 21 million patients.
It was the largest health data privacy incident in 2019 and the second-largest ever, trailing the 2015 breach of Anthem that exposed the data of more than 78 million people. Costs associated with the data breach drove AMCA into bankruptcy.
BayHealth Medical Center in Delaware is one of the first providers to disclose it was hit by the PFC breach, reporting to HHS that it affected the data of almost 17,500 patients.
Cybercriminals are hitting providers’ partner organizations in increasingly common third-party data breaches, along with targeting healthcare companies directly.
This year, cyberattacks on eye care management software provider Eye Care Leaders and patient care guidelines provider MCG Health affected the data of more than 2.2 million and 1.1 patients, respectively.
Health tech company Omnicell was also hit with a ransomware attack which it disclosed to the Securities and Exchange Commission in May.
North Korean threat
Federal agencies are also warning hospitals about a new ransomware threat that’s being used by North Korean hackers to target healthcare and public health organizations in the U.S.
The Maui group is a “different style of ransomware,” allowing hackers to select specific files to target without providing specific instructions to make payment, according to James McQuiggan, security awareness advocate at cybersecurity consultancy KnowBe4.
That makes it especially malicious, as the victim has little information about reclaiming their data, McQuiggan said in emailed comments to Healthcare Dive.
The Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency and the Department of the Treasury have issued an advisory against the Maui ransomware, which North Korean hackers have been using since at least May 2021 to target health organizations, the agencies said.
The hackers have been using Maui ransomware to encrypt servers responsible for healthcare services, including electronic health records, diagnostics, imaging and more, in some cases for “prolonged periods.”
According to the advisory, the FBI has responded to multiple Maui ransomware incidents at healthcare organizations since last spring.
“The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health. Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations,” the advisory says.
Agencies advised healthcare organizations to maintain offline data backups, use secure networks and train employees on phishing and other suspicious activities, among other recommendations for mitigating and preventing ransomware.