Commentary

Beware The BlackCat: Cyber Criminals Threaten Healthcare Industry

My primary care provider is One Medical, so I'm sure like many others, I’m a bit concerned about Amazon gaining access to my health records once its pending $3.9 billion purchase of the provider is finalized.

Perhaps we should be more worried about outside interlopers.

The healthcare industry continues to be a prime target for both hackers stealing patient data and ransomware operators, who go a step further -- they encrypt the victim’s data while demanding an exorbitant payment to get it back. If they don’t, they threaten to make the data public.

“Lives Are at Stake,” a July article in The Guardian, said that cybersecurity firm Sophos had reported a 94% increase in ransomware attacks on healthcare organizations from 2021 to 2022. “More than two-thirds of healthcare organizations in the U.S. said they had experienced a ransomware attack in 2021, the study said, up from 34% in 2020.”

One of those 2021 attacks hit Memorial Health System, operator of three hospitals in West Virginia and Ohio, which was essentially thrust back into the pre-computer era when a ransomware group called Hive infiltrated its IT systems. For more than a week, new patients couldn’t be admitted, surgeries were cancelled, and so on.

A few weeks ago, Memorial Health confirmed that health data of 216,000 patients had been compromised.

And, last week, in a rare victory against such cybercriminals, the FBI and European law-enforcers succeeded in shutting down Hive.

A September New York magazine article titled “Inside the Ransomware Gangs That Extort Hospitals,” detailed the experience of Sky Lakes Medical Center in Klamath Falls, Oregon, which in fall 2020 spent three weeks “back in time” while the pandemic raged. The article related the appalling story of one patient forced to repeatedly travel 70 miles a day to another facility for chemotherapy treatments.

John Glaede, Sky Lakes’ director of information systems, told New York that hospitals who haven’t experienced a ransomware attack “have no idea how impactful this is and what it takes to actually recover.”

The Sky Lakes attack occurred in a year when ransomware groups “mostly avoided attacks on patient care,” according to New York, but now “attacks are as prevalent and damaging as ever.”

That’s despite such statements as this recent one from ransomware group BlackCat, per the U.S. Department of Health & Human Services (HHS) : “We do not attack state medical institutions, ambulances, hospitals.” But, BlackCat added, “This rule does not apply to pharmaceutical companies, private clinics.”

BlackCat, along with another ransomware group, Royal, was cited in mid-January by HHS’ Office of Information Security in a warning to health sector companies.

Soon afterward, government and health IT publications reported two new BlackCat victims: NextGen Healthcare, a provider of electronic health records (EHR), and PharmaCare Services, a management and consulting company.

Healthcare Info Security, meanwhile, said that the HHS’ Office of Civil Rights had reported a 2022 total of over 549 ransomware and hacking incidents affecting more than 500 people apiece in the healthcare industry.

And the Identity Theft Research Center (ITRC) said that healthcare led all other industries in known data breaches in 2022, with 344 companies breached out of a total of 1,802, or 19% of the total. Financial service companies came in second, at 268 companies.

Both HHS and ITRC pointed to a major incident at Eye Care Leaders, an electronic health records provider to ophthalmologists and optometrists, which the IRTC listed as the largest healthcare  breach of 2022.

But, even affecting dozens of eye care providers and 3.4 million patients, the Eye Care Leaders breach placed only ninth on IRTC’s list of the year’s largest breaches.

Topping the list was a massive December attack impacting 221 million Twitter users in which accounts were “offered for sale by cybercriminals in an illicit identity marketplace,” an attack never announced publicly by Elon Musk’s company.

Then again, reporting about last week’s Hive shutdown, The Washington Post said that the government -- as it examined Hive’s infrastructure -- found that only 20% of the group’s victims had even bothered to notify authorities of the crimes against them.

I would assume that One Medical, under Amazon, would take a different approach -- and would also be transparent with its customers.

Fingers crossed.

Next story loading loading..