Cyberattacks on Highmark Health, Cardiovascular Associates, Aspire Surgical and Tallahassee Memorial HealthCare

300,000 Patients Affected by Highmark Health Phishing Attack

Highmark Health based in Pittsburg, PA is the second biggest integrated delivery and financing system provider in America. Recently, it reported a phishing attack that affected one of its employee’s email accounts. After the employee clicked the URL in the phishing email and disclosed some credentials, an unauthorized third party accessed the account remotely and potentially exfiltrated email messages and file attachments from the email account.

Highmark Health detected suspicious account activity on December 15, 2022, but the initial breach happened on December 13, 2022. An analysis of the email messages and attachments showed they included the protected health information (PHI) of health plan members, including group name, ID numbers, claim numbers, procedures, dates of service, prescription details, addresses, telephone numbers, email addresses, and financial details. The Social Security numbers of some people were likewise compromised.

Upon detection of the breach, the compromised mailbox was promptly deactivated. Highmark Health implemented network blocking and reset all passwords. Email security controls were likewise improved and extra training was given to employees about identifying phishing attacks and other cyber attacks. Although Highmark Health did not find any proof of improper use of the impacted data, it offered the affected persons free credit monitoring and identity theft protection services, regardless if their Social Security numbers had been compromised.

Based on the data breach notification submitted to the Maine Attorney General, as many as 300,000 persons were impacted, which include 2,774 Maine locals. Highmark Health mailed the notification letters on February 13, 2023.

Cyberattack on Cardiovascular Associates and Data Theft

Cardiovascular Associates (CVA) based in Birmingham, AL found suspicious activity inside its computer systems on December 5, 2022. After isolating the systems, the potential attack was investigated. The forensic investigation confirmed that hackers initially acquired access to its IT system on November 28, 2022. Until December 5, files that contain patient information were extracted from its systems.

The analysis of the affected files showed they included names, birth dates, addresses, Social Security numbers, medical insurance data, medical and treatment details, billings and claims data, passport numbers, driver’s license numbers, debit/credit card data, and financial account details and, for some persons, usernames and passwords. According to CVA, it secured its systems upon detection of unauthorized activity and improved its security and tracking capabilities to avert the same breaches later on. Impacted individuals were provided free credit checking and identity protection services.

This security incident report is not yet appearing on the HHS’ Office for Civil Rights breach website, therefore it is presently uncertain how many persons were impacted.

Cyberattack on Aspire Surgical and Potential Patient Data Theft

UT Specialty Dental Services, PLLC, which manages a number of oral and maxillofacial surgery facilities in Utah, doing business as Aspire Surgical, confirmed that it encountered a cyberattack in December 2022. The unauthorized access potentially involved the theft of sensitive patient information.

The company detected the cyberattack on December 7, 2022, and promptly engaged third-party cybersecurity professionals to control, evaluate, and remediate the cyberattack. The investigation determined that the attackers acquired access to areas of its IT system that included patient information for example names, patient account numbers, bills paid, and dates of service. Medical treatment information, financial data and Social Security numbers were not compromised.

Although there is no proof found that suggests the misuse of patient information, impacted persons received free credit monitoring and identity theft restoration services. Aspire Surgical has evaluated and improved its data security guidelines and procedures to secure against the same security breaches down the road.

There is still no report about the cyberattack posted on the HHS’ Office for Civil Rights breach website. Hence, the number of persons impacted is presently uncertain.

Tallahassee Memorial HealthCare Redirects Ambulances Because of Cyberattack

Tallahassee Memorial HealthCare (TMH) based in Florida was compelled to take its IT network offline, redirect ambulances, and hold all non-emergency medical operations because of a cyberattack. The hospital made a statement that only patients with Level 1 traumas will be accepted for immediate treatment while investigating the cyberattack and restoring its systems.

The hospital stated the attack just affected certain systems, however, unaffected systems were taken off the internet to control the attack. Systems are given priority in order to bring them back online soon when it is already safe. The hospital cannot give any specific time frame for restoration, nevertheless, said it will give updates on its website. It was confirmed that progress was made on reestablishing systems. TMH Physician Partners continue to operate and will begin seeing patients on February 6, 2023; nevertheless, all non-emergency surgical procedures and outpatient treatments scheduled for Monday were postponed and rescheduled. TMH additionally confirmed in an update that downtime processes remain in place and patient data is being noted on paper. The ambulance redirection continues for some patients.

TMH is working 24 / 7 together with outside specialists to look into the cause of the incident and safely reestablish all computer systems immediately. It takes time to investigate and determine precisely what happened to resolve IT security issues. Patient safety is still the number one priority of TMH. Standards for system downtime are implemented to limit trouble. There is no mention of the nature of the cyberattack.

The announcement of this cyberattack was a couple of days after Atlantic General Hospital in Maryland announced its ransomware attack, which also resulted in IT systems shut down. Although a few ransomware groups forbid their affiliates to attack the healthcare industry, some groups still attack hospitals, health systems, and other healthcare companies.

In December, a LockBit ransomware group affiliate carried out an attack on Hospital for Sick Children (SickKids). Later, the group made a statement that the affiliate behind the attack violated its terms and gave the keys to SickKids to enable data decryption for free. Nevertheless, LockBit recently posted information on its data leak website that was purportedly stolen during the cyberattacks on Jackson & Joyce Family Dentistry based in Florida and Juva Skin & Laser Center based in New York. No public statement had been issued by these healthcare companies concerning the cyberattacks.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone