Another hospital system has gone down in a ransomware attack with half a million patient records accessed — just weeks after one of the biggest healthcare hacks in US history.
Texas-based OakBend Medical Center said names, dates of birth, addresses, email addresses and social security numbers had all been accessed in the cyberattack last Thursday.
The nonprofit hospital chain operates three hospitals as well as emergency centers, imaging centers and physical therapy clinics in the greater Houston area.
The medical system reported the data breach to the Department of Health and Human Services (HHS) on October 28, stating that around 500,000 individuals had been affected.
Daixin Team — a ransomware and data extortion group — has claimed responsibility for the attack.
The group is financially motivated and emerged in June this year. Its previous victim is Fitzgibbon Hospital in Missouri, where the team claim to have stolen 40GB of sensitive data containing employee and patient records.
The group is actively targeting the healthcare sector, according to a joint alert released last month by the FBI, the Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services.
It comes after CommonSpirit Health – a hospital system that spans 21 states and has 20 million patients on its register – fell victim to a similar ransomware attack.
CommonSpirit admitted ‘some’ of its systems are still down after a ransomware attack in early October. The incident led to a three-year-old in Iowa being overdosed on pain meds, and delays to critical scans and surgery.
Unlike OakBend Medical Center, CommonSpirit is still refusing to say who did the hack, if patient data was accessed, and if so, how many records were obtained.
The above map shows OakBend Medical Center’s three hospital sites. The system was hit by a cyberattack on September 1, when the ransomware group Daixin Team stole hundreds of thousands of employee and patient data records.
Healthcare provider CommonSpirit, with its HQ in Chicago, has 140 hospitals in 21 states. The company suffered a ransomware attack on October 3, forcing it to shut down its computer systems. The next day a toddler was mistakenly overdosed on medication in Iowa because a doctor could not access the dispensing IT program. Ambulances had to be diverted away from the struggling hospital. In Washington, patients’ cancer care was delayed for days while the hospital systems were down.
In an update to patients, OakBend said it believed a ‘limited amount of data’ was actually lifted from the IT system, and that the hackers did not remove patients’ entire medical records.
But it said that the hackers were able to access and remove employee data and reports that contained ‘personal and medical information’ of current and former patients.
A sample of data shown to DataBreaches.net is said to contain BMIs, heights, weights, last admission date and medical record number.
OakBend said: ‘While we know that the cybercriminals had sufficient access to OakBend’s systems to encrypt our data, our investigation indicates that a limited amount of data was actually transferred out of the OakBend computing environment.
‘For example, we do not believe that the cybercriminals were able to remove the entire medical record of OakBend’s patients.’
It added: ‘It does appear, however, that the cybercriminals were able to access and/or remove certain employee data sets and certain reports that included the personal and medical information related to our current and former patients, employees, and related individuals.
‘In some instances, this information may have included the name, contact information (such as street and email address), social security number, and date of birth for the impacted individuals.’
It said it has contacted the individuals it believes have been affected, and will be offering them ‘certain identity theft protection services’ for a ‘limited period of time’.
However, ransomware group Daixin Team claimed responsibility for the OakBend attack, and claimed to have stolen over a million patient records.
It said it obtained patient account numbers and medical and treatment information which could be used for things such as ‘opening new financial accounts, taking out loans… filing fraudulent tax returns… and giving false information to police during an arrest’.
HIPAA Journal reported: ‘Some of the stolen data has been uploaded to the [Daixin Team’s] data leak site.’
The ominous notice from the cybercrime group claimed two further data leaks are planned, followed by a ‘full leak’, all of which ‘will be soon’.
The hospital system said it had reported the attack to ‘law enforcement’ and was cooperating with the FBI. It said it had put in place extra security measures to deter future attacks.
Cybercriminals demanded a ransom of tens of millions of dollars from the hospital, an OakBend spokesman confirmed to Information Security Media Group in September.
OakBend Medical Center did not respond to a request from DailyMail.com to reveal how many patients it serves, whether or not the ransom had been paid, and to confirm how many records had been accessed.
The nonprofit hospital is also being sued by two patients affected by the attack.
Ryan Higgs and Alissa Wojnar took legal action on October 28 in response to the theft of their protected health information.
Filed by Texas-based attorney Joe Kendall, the lawsuit said the hospital system handled patients’ confidential information ‘in a reckless manner’ and ‘failed to properly monitor the computer network’.
Mr Higgs and Ms Wojnar are alleging ‘negligence, breach of implied contract, negligence per se, breach of fiduciary duty, intrusion upon seclusion/invasion of privacy and unjust enrichment’.
The lawsuit seeks compensatory charges, financial reimbursement and injunctive relief ensuring OakBend ups its security defenses.
OakBend first learned of the attack on September 1, and instantly took all IT systems offline.
In an initial notice about the attack, OakBend claimed: ‘At no time was patient safety ever in jeopardy.’
On September 9, it announced it was bringing clinical systems back online, and said on September 22 that almost all clinical systems were functional.
Meanwhile, Chicago-based hospital system CommonSpirit is still struggling six weeks after a ransomware attack.
It has admitted that some of its IT systems are still not running, and that the ‘majority’ of providers now have access to electronic health records.
Most but not all patients can get into the patient portal to see their medical histories.
CommonSpirit said it was trying to restore appointment scheduling programs, but patients should get in touch with providers directly to book an appointment.
Security experts told DailyMail.com that twenty million Americans were at risk of ‘dangerous’ healthcare after the cyberattack at one of the country’s biggest hospital chains last month.