Monthly Breach Report: June 2023 Edition
The valuable personal data of healthcare patients is increasingly a magnet for cyber criminals. Our June Breach Report finds several clinics, counseling sites and other health-related organizations reporting data breaches that impacted millions of patients. The incidents are part of a troubling trend throughout the industry as the Department of Health and Human Services tracks a 30 percent increase in healthcare cyber-attacks in 2023, compared to 2022.
Arts and travel organizations were among the other sectors finding themselves vulnerable to attack over the past month, including one of the most famous opera houses in the world. Here’s how they were impacted.
Patients of All Ages at Risk
Patients of a medical equipment company, counseling startup, and rural clinic were among those whose data was exposed recently in leaks and attacks.
In May, Apria Healthcare finally notified nearly 2 million customers of a 2019 data breach. Potentially accessed was the personal identifying information of 1.86 million customers of one of the largest providers of home healthcare equipment, including respiratory products and devices for patients diagnosed with sleep apnea or COPD.
Hackers accessed the system in 2019 and again in 2021, putting Social Security numbers, health insurance, and other financial information of customers at risk. The company has said it believes the hackers were after funds, not data.
A virtual counseling site serving children, teenagers, and their families got caught up in the web of a Clop Ransomware zero-day vulnerability attack that impacted at least 130 organizations earlier this year. The breach at Brightline affected the data of 783,606 patients, revealing information such as birth dates, employer information, and membership numbers.
The Clop Ransomware attack took advantage of a vulnerability within the Fortra GoAnywhere MFT secure file-sharing platform used by organizations such as Brightline. The mental health startup said it has corrected the issue. After Bleeping Computer published its report, Clop Ransomware contacted them to say it has removed the Brightline data from its data leak site.
In rural Utah, Uintah Basin Healthcare temporarily took its system offline after detecting unusual activity that exposed the data of 103,974 patients. The healthcare center notified patients that the data at risk included diagnoses, medications, and test results. The center runs a 42-bed hospital in the small eastern Utah city of Roosevelt. The hack reached deep into the organization’s history, netting the confidential information of patients treated over a 10-year span between March 2012 and November 2022.
Sources
Healthcare Professionals Targeted, Too
It is not only patient data sought after by hackers. At NextGen Healthcare in Atlanta, an attacker stole the personal data of one million medical professionals who use the company’s electronic health records software. The data included the Social Security numbers of the doctors and other professionals who make up the company’s clientele. NextGen told the Maine Attorney General that the attacker accessed its database using “client credentials that appear to have been stolen from other sources or incidents unrelated to NextGen.”
While the number of people involved in an Australian ambulance service data breach reported was relatively small, the potential career consequences and embarrassment level was high. The confidential drug and alcohol test results of 600 graduate paramedics became available for every Ambulance Victoria staff member to view under a breach that has been reported to the state’s privacy watchdog. Officials from the Victorian Ambulance Service contacted the impacted people, including at least 30 whose tests were positive.
Sources
Attacks on Where People Play
The data of hikers and opera aficionados was also exposed recently. More than 45,000 opera fans learned in May that their personal data was stolen in a cyber-attack on New York’s iconic Metropolitan Opera over a three-month period last year. The attack—which the Snatch ransomware group has claimed credit for—impacted The Met’s website, box office, and call center systems. The organization was unable to use its system to process new ticket orders, provide refunds, or issue paychecks to employees.
Personal identifying information exposed included Social Security numbers, credit card details, and driver’s license numbers. An investigation determined that access occurred sometime between September 2022 and December 2022. The Met offered the 45,094 victims free identity monitoring services and other credit protection information.
A French company that provides services to hikers on trekking routes, including the famous Santiago de Compostela pilgrimage trail, left their clients’ data ripe for hacking, a cybernews research team discovered. La Malle Postale provides luggage, shuttles, and other transportation services to hikers in the Alps, Pyrenees, and other popular routes.
The available data of nearly 90,000 clients included emails and private communication made through SMS messages. Also exposed were the passwords of at least 70,000 customers. The password data was hashed, but used an algorithm that was unfortunately easy to crack.
La Malle Postale has apparently since repaired the leak.
Sources
Don’t be the next ones in the headlines. PKWARE can help enterprises in all industries make sure their data stays in the right hands—and remains unusable in the wrong hands. We offer the only data discovery and protection solution that locates and secures sensitive data to minimize organizational risks and costs, regardless of device or environment. Request your free demo to learn more.
Ben Meyers March 13, 2024
