Surgical Practice Notifying 437,400 Patients of Data Theft
The Incident Involves Ransomware Encryption and Follows Familiar, Concerning Trends
A large, Seattle-based surgical group is notifying nearly 437,400 individuals that their information was potentially compromised in a ransomware and data theft incident earlier this year. The breach is part of a larger, disturbing trend in the healthcare sector in 2023.
Proliance Surgeons, which has about 100 locations in Washington state and treats more than 800,000 patients annually, reported the hacking incident involving a network server to the U.S. Department of Health and Human Services on Nov. 20.
In its breach notice, the specialty medical group said the cyberattack on its network had involved some IT systems and files being encrypted, as well as unauthorized access resulting in the removal of "a limited number" of files.
Proliance said it immediately launched an investigation, contacted law enforcement and began notifying individuals. But during a comprehensive forensic investigation by third-party cybersecurity experts, the practice discovered on May 24 that additional files potentially containing personal information also may have been accessed by attackers around Feb. 11.
The detailed review of all the data accessed or acquired in the incident identified the specific individuals affected and the information potentially compromised, Proliance said.
That data includes individual names, birthdates, Social Security numbers, medical treatment information, health insurance information, phone numbers, email addresses, financial account numbers, driver's license numbers or other identification information, and usernames and passwords.
Proliance said it is taking steps to enhance its existing cybersecurity protocols, including implementing additional measures.
The practice already faces at least one proposed class action lawsuit filed this week in Seattle federal court.
The complaint, filed by plaintiff Alicia Berend on behalf of herself and others similarly situated, alleges, among other claims, that Proliance failed to safeguard sensitive health and personal data in accordance with its internal policies, state law and federal law.
The lawsuit also alleges that Proliance experienced an earlier data breach involving unauthorized access of its online payment system for several months, between November 2019 and June 2020. A breach notice that Proliance issued in that previous incident said the compromise had not involved protected health information.
The earlier Proliance incident does not appear to have been posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Berend's lawsuit - which seeks monetary damages and an injunctive order for Proliance to improve its security practices - alleges that Proliance's most recent hacking incident is "simply part and parcel of defendant's pattern of negligent data security."
Proliance did not immediately respond to Information Security Media Group's request for comment.
Proliance's recent hack compromising PHI follows a troubling trend in the healthcare sector. With only one month left in 2023, the HHS OCR breach reporting website shows that hacking incidents accounted for 80% - 487 of the 621 - of the major health data breaches reported so far this year, as of Friday.
Even more concerning, hacking incidents were responsible for a whopping 92%, or nearly 106 million of the 114.4 million people affected by all of the major health data breaches posted on the HHS OCR website so far in 2023.
Those hacks include an array of incidents, such as ransomware attacks that involved either encryption or data exfiltration - or both, as in the Proliance breach; exploitation of vulnerabilities in third-party software such as Progress Software's MOVEit and Fortra's GoAnywhere file transfer applications; and phishing and other related compromises.
"This trend reflects the increasing sophistication of cyberattackers and the evolving landscape of digital threats," said Ani Chaudhuri, co-founder and CEO of security firm Dasera.
"Due to the sensitive nature of the data it handles, the healthcare sector has always been a prime target for such attacks," he told ISMG. The Proliance incident involving both data encryption and exfiltration "is a classic example of the complexity and severity of these attacks."
Major PHI breaches caused by ransomware attacks and vulnerabilities in third-party software will continue well into 2024, he predicted.
"The healthcare sector's reliance on digital solutions and interconnected systems makes it vulnerable to such attacks. The mass exploitation of a zero-day vulnerability in Progress Software's MOVEit solution, affecting numerous healthcare organizations, underscores this risk."
To help avoid becoming the next victim of these trends, Chaudhuri strongly advises healthcare entities to adopt and implement a strong, multilayered security strategy.
This includes regular vulnerability assessments, employee training, robust data encryption, patching and updating software, regular backups, and having a well-rehearsed incident response plan.
"The healthcare sector's challenges with data breaches, particularly those caused by hacking incidents, are substantial but not insurmountable," he said.