Breach Notification , Fraud Management & Cybercrime , Healthcare
Medusa Ransomware Hack of Pathology Lab Affects 1.8 Million
Colorado Laboratory Already Facing Several Proposed Class Action Breach LawsuitsSix months after an employee opened a phishing email sent by ransomware gang Medusa, a Colorado-based pathology laboratory is notifying more than 1.8 million patients that their sensitive information was compromised - one of the largest breaches reported by a medical testing lab to U.S. federal regulators to date.
The lab, Summit Pathology Laboratories, said IT systems affected by the incident contained demographic and healthcare information, including names, addresses, medical billing and insurance information, diagnoses, dates of birth, Social Security numbers, and financial information.
The incident began in April when an employee clicked open a malicious email attachment, despite staff being provided "a gazillion" warnings and training, attorney Ellen Stewart of law firm Spencer Fane, which is representing the lab in the incident, told Information Security Media Group. The company then detected suspicious activity in its IT environment.
"We immediately took steps to secure our network and launched an investigation with the assistance of third-party forensic specialists to determine the nature and scope of the activity," the company said. "Based on this investigation, we identified files within our systems that may have been accessed or acquired by the unauthorized cybercriminal, and the impacted systems contained certain patient data."
Ransomware group Medusa claimed credit for Summit's attack, according to Stewart, but she declined to say whether Summit paid a ransom. The lab, which also promptly reported the attack to the FBI, had "boots on the ground" within 24 hours of discovering the incident, helping to prevent disruptions to patient services, she said. Summit's affected IT systems are now restored, she said.
Summit Pathology as of Thursday is already facing eight proposed federal class action lawsuits filed in the past week centering on the breach, which the company reported to the U.S. Department of Health and Human Services on Oct. 18 as a hacking incident involving a network server.
The lawsuits, which seek financial damages and injunctive orders for Summit to improve its data security practices, make similar allegations, including that the lab was negligent in failing to protect patients' sensitive information, putting plaintiffs and class members at risk for identity theft and fraud.
Stewart declined to comment on the proposed class action litigation filed against Summit.
Mike Hamilton, CISO and founder of security firm Critical Insight, said the apparent phishing vector suggests that either Summit's email filtering doesn’t have the ability to detect Medusa ransomware, or that the company is not using e-mail filters at all. "Exchange would have stopped that unless it’s a very new variant," he said.
According to a snapshot Thursday of the HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals, the Summit incident ranks among some of the largest breaches reported by medical laboratory testing firms to date.
A 2019 hacking incidents on Laboratory Corp. of America, affecting 10.3 million individuals, still ranks as the largest health data breach reported to HHS OCR by a medical testing laboratory. But that LabCorp incident, as well as several other large breaches reported by medical laboratories, stemmed from a 2019 cyberattack on American Medical Collection Agency, a third-party debt collection firm.
Critical Concerns
Summit's breach disclosure also comes on the heels of a seriously disruptive ransomware attack this summer on another pathology testing laboratory - Synnovis, which provides services such as blood-type matching for the United Kingdom's National Health Service.
Synnovis' June ransomware incident and the ensuing IT outage forced the NHS to cancel or postpone thousands of patient procedures in the London area for several months, and also resulted in nationwide shortages of type-O blood supplies (see: NHS: Most Patient Services Online Following Synnovis Attack).
"A medical testing laboratory is a prime example of a third party that is attacked because it holds sensitive patient information for lots of individual facilities - its customers," Hamilton said.
"There is an efficiency of scale for attacks like this from the actor’s point of view. Further, as cybercriminals are known to be working with the collaboration of, if not directed by, agencies of the government where they reside, attacks like this can also be very destabilizing in that they erode trust in the healthcare sector," he said.
Medical lab records stolen, if sold rather then held in abeyance as an extortion tactic, can be used for medical and financial fraud, but also to directly extort patients, Hamilton said.
"Protected health information can contain information on conditions that may be embarrassing or affect employment ability. We have seen patients being extorted in this way before, although this was demanding payment to keep the records off the dark markets - not a very scalable criminal tactic," he said. "Nonetheless, there are patients that would likely pay to ensure that their information does not become public."
Besides the resulting IT outages that ransomware and other cyberattacks can cause medical testing laboratories, another worry is the incidents potentially affecting the integrity of test results and patient records, he said.
"Along with the now routine theft of records, patients and providers now have to address whether those records have been altered in some way," he said. "If a criminal can steal records, they can change them. This can result in wrong medication or treatment being prescribed, or the cessation of a necessary treatment altogether."
But an even larger issue would be from the compromise of a laboratory that does clinical testing, such as human trials for new drugs or treatments, he said.
"Systems involved in clinical testing must meet the configuration requirements of 21 CFR Part 11," the electronic records and signature regulations of the U.S. Food and Drug Administration, he said.
"Any suggestion that the systems have been altered would nullify the results of testing, and this would delay the release of new drugs and treatments. If a compromise was not detected, testing results could be altered and this could directly result in unwanted patient outcomes."