Hospital Sisters Health System Cyberattack and 12 Million Medical Laboratory Records Exposed Online

A cyberattack at the end of August impacted Hospital Sisters Health System (HSHS), located in Springfield, IL, and Prevea Health, located in Green Bay, WI, resulting in an outage on August 27, 2023. The hospitals' computer systems, telephone lines, and websites were impacted. The outage continued for a number of days, so HSHS and Prevea implemented downtime procedures. Because of the cyberattack, the hospital websites and a number of applications were offline, including the MyChart and MyPrevea apps. HSHS also could not process payments online because its computer system was not accessible. Nevertheless, the hospitals continued to provide patient care.

HSHS decided to hold the processing of payments for outstanding bills while recovering from the cyberattack, even though some of its partners still sent bills to patients. At the beginning of September, HSHS published an open letter to its patients cautioning them about the possible misuse of their data. This followed reports from a number of patients who had been contacted via email, phone, and SMS by an unidentified third party claiming to be an HSHS representative and trying to collect payment for bills. HSHS told patients not to respond to suspicious requests received by email, phone, or SMS and to carefully examine bills before sending any payment. HSHS asked anyone who received such a message or SMS to send the saved email to questions@hshs.org so the matter could be investigated. HSHS and Prevea Health would then determine whether the request was genuine or bogus.

HSHS has already announced that an unauthorized third party gained access to its systems containing the personal data and protected health information (PHI) of patients and HSHS employees. The breach is being investigated, and the data possibly compromised in the attack is being reviewed. Although the open letter indicates that stolen information was likely misused, HSHS stated it is not aware of any instances of fraud or identity theft. HSHS began sending notification letters on October 26, 2023, to the impacted persons, who were offered free credit monitoring and identity theft protection services. HSHS stated that the investigation of the incident and the notification of the impacted persons took time because the data review process was lengthy.

HSHS said the proper authorities were already aware of the security breach; however, the incident is not yet posted on the HHS' Office for Civil Rights breach website. HSHS and Prevea have not publicly confirmed the number of individuals potentially impacted.

12 Million Medical Laboratory Records Compromised On the Internet

Security researcher Jeremiah Fowler recently stated that hackers can take advantage of unpatched vulnerabilities and mislead employees into giving access; at times, however, substantial amounts of sensitive health data are much easier to acquire. One of India's biggest diagnostic centers, Redcliff Labs, based in Noida, Uttar Pradesh, provides over 2.5 million people in over 220 Indian cities with a variety of diagnostic testing services. Fowler discovered an unsecured Redcliff Labs database containing the medical test data of over 12 million people. The database was exposed online and could be viewed in an internet browser with no password required, and its contents could be read using an open-source viewer or the native viewer offered by the cloud service company.

The 7-terabyte database stored 12,347,297 records, including the names of patients and doctors, the place where the procedure was done, test data, and other sensitive information. A database folder was also discovered that included over 6 million PDF files of test data. Tests provided by the laboratory include blood testing, vitamin tests, diabetes tests, joint care, and specialized screening tests for cancer, pregnancy, genetics, HIV, and more. Fowler immediately informed Redcliff Labs, which secured the database on the same day. It is not clear how long the database folder was exposed or whether anyone else found it.

The database contained other sensitive data, such as development files for the company's mobile app, and the exposure of these files was possibly much more serious than the exposure of patient information. The files control how the program behaves and what data is sent from the user to the host server. Malicious actors could use this data or these files to undertake different cyberattacks and compromise user information, application functionality, or the security of the mobile device itself. Exposed code or resource files could hypothetically be used to reverse engineer, examine, or decompile the software to find out how it works. This could lead to the discovery of more vulnerabilities that can be taken advantage of later. That did not actually happen in this instance; however, the discovery of the files shows how harmful such a breach can be.

Misconfigured databases make it possible for large volumes of sensitive data to be easily accessed. Fowler looks for exposed information and informs the entities involved so they can protect it; however, Fowler is not the only individual searching for exposed databases, and others do not have such benign reasons for doing so. Healthcare companies need to make sure they provide enough cybersecurity training for employees, encrypt sensitive information in cloud databases, use robust access controls, and create and apply policies and procedures that include monitoring of database security. All data storage databases must be audited regularly. Breached and unsecured cloud databases are very common. Examples include the unsecured database of 16,000+ children's records, the 1 billion-record database of CVS website searches exposed on the internet, the medical software database that exposed the PHI of 3.1 million patients online, the 5 million records exposed by an unsecured MongoDB marketing database, and the exposed Broadvoice databases with 350 million records and medical information.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone