At a glance.
- Healthcare continues to suffer ransomware wave.
- Patient data leak at South Carolina hospital.
- Settlement in Missouri healthcare system data breach.
Healthcare ransomware storm continues.
As the CyberWire previously reported, a recent bulletin released jointly by the US Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the Department of Health and Human Services warned that US hospitals should be prepared for a wave of ransomware attacks. Axios reports that the wave has begun, with as many as twenty facilities in several states, including Vermont, New York, and Oregon, being hit by a “tsunami” of attacks from Russian cybercriminals operating the world’s largest botnet, Trickbot. The impacted facilities face crippled operations due to inaccessible data, delaying surgeries and treatments. The attackers’ strategy of ambushing hospitals in the midst of a pandemic is an especially amoral tactic, even for cybercriminals, particularly given that earlier this year many hackers pledged not to target healthcare institutions during this unprecedented time.
South Carolina hospital suffers accidental patient data leak.
Representatives for Beaufort Memorial Hospital (BHM) in the US state of South Carolina have confirmed a data breach was the result of an accidental disclosure, reports the Island Packet. The personal information of more than 12,600 patients was inadvertently exposed in August when billing collection documents were sent to the wrong addresses. No medical records were involved, but names and financial account info were compromised. BHM discovered the error two days after the documents were mailed and contacted the impacted individuals. As patients contact the hospital with questions, BHM is requiring two-factor authentication before discussing the incident over the phone. The US Department of Health and Human Services’ Office for Civil Rights is currently conducting an investigation.
Missouri healthcare system settles after data breach.
HealthITSecurity reports that Saint Francis Healthcare System, located in the US state of Missouri, has proposed a settlement of $350,000 for the lawsuit filed by patients impacted by a data breach in September 2019. Though the ransomware attack on Ferguson Medical Group (FMG) rendered much of Saint Francis’s data unretrievable, FMG was able to use backup files to restore some of the data without having to pay the demanded ransom. Some encrypted files remained unrecovered, which resulted in the loss of medical records spanning several months in 2018. In January of this year, 90,000 of the impacted patients sued Saint Francis for several claims, including invasion of privacy and negligence. After Saint Francis attempted to have the case dismissed, both sides agreed to settle out of court. In addition to the financial settlement, Saint Francis has promised to improve its data collection processes, including reviewing and updating its firewall, limiting remote access to its networks, and establishing a vulnerability management program. The settlement conference will take place on November 17.