Medusa Ransomware Hack of Pathology Lab Affects 18 Million

Six months after an employee opened a phishing email sent by ransomware gang Medusa, a Colorado-based pathology laboratory is notifying more than 18 million patients that their sensitive information was compromised, one of the largest breaches reported by a medical testing lab to U.S. federal regulators to date.

The lab, Summit Pathology Laboratories, said IT systems affected by the incident contained demographic and healthcare information, including names, addresses, medical billing and insurance information, diagnoses, dates of birth, Social Security numbers and financial information.

The incident began in April, when an employee clicked open a malicious email attachment despite staff being provided a gazillion warnings and training, attorney Ellen Stewart of law firm Spencer Fane, which is representing the lab in the incident, told Information Security Media Group. The company then detected suspicious activity in its IT environment.

"We immediately took steps to secure our network and launched an investigation with the assistance of third-party forensic specialists to determine the nature and scope of the activity," the company said. "Based on this investigation, we identified files within our systems that may have been accessed or acquired by the unauthorized cybercriminal, and the impacted systems contained certain patient data."

Ransomware group Medusa claimed credit for Summit's attack, according to Stewart, but she declined to say whether Summit paid a ransom. The lab, which also promptly reported the attack to the FBI, had boots on the ground within 24 hours of discovering the incident, helping to prevent disruptions to patient services, she said. Summit's affected IT systems are now restored, she said.

Summit Pathology, as of Thursday, is already facing eight proposed federal class action lawsuits filed in the past week centering on the breach, which the company reported to the U.S. Department of Health and Human Services on Oct. 18 as a hacking incident involving a network server.

The lawsuits, which seek financial damages and injunctive orders for Summit to improve its data security practices, make similar allegations, including that the lab was negligent in failing to protect patients' sensitive information, putting plaintiffs and class members at risk for identity theft and fraud.

Stewart declined to comment on the proposed class action litigation filed against Summit.

Mike Hamilton, CISO and founder of security firm Critical Insight, said the apparent phishing vector suggests that either Summit's email filtering doesn't have the ability to detect Medusa ransomware or that the company is not using email filters at all. "Exchange would have stopped that unless it's a very new variant," he said.

According to a snapshot Thursday of the HHS Office for Civil Rights' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals, the Summit incident ranks among some of the largest breaches reported by medical laboratory testing firms to date.

A 2019 hacking incident on Laboratory Corp. of America affecting 103 million individuals still ranks as the largest health data breach reported to HHS OCR by a medical testing laboratory. But that LabCorp incident, as well as several other large breaches reported by medical laboratories, stemmed from a 2019 cyberattack on American Medical Collection Agency, a third-party debt collection firm.

Summit's breach disclosure also comes on the heels of a seriously disruptive ransomware attack this summer on another pathology testing laboratory, Synnovis, which provides services such as blood-type matching for the United Kingdom's National Health Service.

Synnovis' June ransomware incident and the ensuing IT outage forced the NHS to cancel or postpone thousands of patient procedures in the London area for several months and also resulted in nationwide shortages of type-O blood supplies (see: NHS Most Patient Services Online Following Synnovis Attack).

"A medical testing laboratory is a prime example of a third party that is attacked because it holds sensitive patient information for lots of individual facilities, its customers," Hamilton said.

"There is an efficiency of scale for attacks like this from the actor's point of view. Further, as cybercriminals are known to be working with the collaboration of, if not directed by, agencies of the government where they reside, attacks like this can also be very destabilizing in that they erode trust in the healthcare sector," he said.

Medical lab records stolen, if sold rather than held in abeyance as an extortion tactic, can be used for medical and financial fraud but also to directly extort patients, Hamilton said.

"Protected health information can contain information on conditions that may be embarrassing or affect employment ability. We have seen patients being extorted in this way before, although this was demanding payment to keep the records off the dark markets, not a very scalable criminal tactic," he said. "Nonetheless, there are patients that would likely pay to ensure that their information does not become public."

Besides the resulting IT outages that ransomware and other cyberattacks can cause medical testing laboratories, another worry is the incidents potentially affecting the integrity of test results and patient records, he said.

"Along with the now routine theft of records, patients and providers now have to address whether those records have been altered in some way," he said. "If a criminal can steal records, they can change them. This can result in wrong medication or treatment being prescribed, or the cessation of a necessary treatment altogether."

But an even larger issue would be from the compromise of a laboratory that does clinical testing, such as human trials for new drugs or treatments, he said.

Systems involved in clinical testing must meet the configuration requirements of 21 CFR Part 11, the electronic records and signature regulations of the U.S. Food and Drug Administration, he said.

"Any suggestion that the systems have been altered would nullify the results of testing, and this would delay the release of new drugs and treatments. If a compromise was not detected, testing results could be altered, and this could directly result in unwanted patient outcomes."

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.