Westchester Medical Center Health Network (WMCHealth) has encountered a cyberattack that impacted its IT systems. The health network discovered the attack last week. On October 20, 2023, at 10 p.m., all connected systems were shut down. The downtime was estimated to continue for 24 hours. The restoration of systems online was on an ongoing basis throughout the weekend and systems were restored online on October 24.
Because essential IT systems were inaccessible, ambulances were diverted to HealthAlliance of the Hudson Valley facilities, which include Margaretville Hospital in Margaretville, HealthAlliance Hospital in Kingston, and Mountainside Residential Care Center in Margaretville. The redirection was over on the night of October 24 and the hospitals admitted patients again, though stroke patients remain being transported to other hospitals.
WMCHealth stated the New York State Department of Health and Ulster and Delaware County officials had been informed concerning the attack. The officials are working together with law enforcement, such as the FBI, and have involved a third-party cybersecurity company to help investigate the incident. The main concern was making sure that patients were safe, which is why ambulances were redirected. The hospitals stayed open and still accepted walk-in patients, who were evaluated, treated, and discharged, or moved to other WMCHealth facilities.
The inspection of the cyberattack is not yet over, and there is no information yet as to whether patient data was exposed. If that is the case, WMChealth will issue notifications at the earliest opportunity.
PHI Exposed in Fellowship Village Cyberattack
A retirement community called Fellowship Village based in Bernards Township, NJ recently reported a security incident that was discovered on or about August 9, 2023. The forensic investigation revealed there was unauthorized access to its network from July 27, 2023 to August 9, 2023. Records that contain sensitive data might have been viewed and stolen.
The analysis of the impacted files is in progress, but the compromise of protected health information (PHI) has been confirmed. The breached data includes one or more of the following: names, addresses, patient ID numbers, Social Security numbers, health record numbers, medical data, treatment details, diagnosis data, medical insurance data, driver’s license/state ID numbers, financial account data, and birth dates.
Guidelines and procedures are under review and security is going to be improved to avoid other security breaches. To satisfy the requirements of breach reporting, Fellowship Village notified the HHS’ Office for Civil Rights indicating that about 501 persons were impacted. The total is going to be updated as soon as the complete extent of the breach is confirmed.
Hackers Acquired Access to PHI of BHI Energy Health Plan Members
BHI Energy based in Weymouth, MA, a project management and workforce support provider to the fossil, nuclear, hydro, wind, and government energy marketplaces, has uncovered an unauthorized third party acquired access to particular systems within its system. The breach was discovered on or about June 29, 2023, and the following investigation affirmed on September 1, 2023, that business records were viewed, a number of which included individuals’ personally identifiable information (PII).
Altogether, the PII of 91,269 people was possibly exposed, which includes 4,049 of its health plan members. The breached information included last, first, and middle name, address, birth date, Social Security number, and possibly medical data. Impacted persons were provided free credit monitoring and identity theft protection services. Extra security procedures were applied to enhance data security and avoid identical breaches later on.
MOVEit Transfer Hacking Victims
NASCO
NASCO based in Atlanta, GA is a benefits administration services provider to health plans that uses the MOVEit Transfer solution. It affirmed that it was impacted by the mass exploitation of a zero-day vulnerability identified in this Progress Software. The vulnerability was taken advantage of on May 30, 2023, the day before Progress Software launched the patch to correct the vulnerability. NASCO stated it discovered the impact of the hack on July 12, 2023. Although there was no discovered stolen data misuse, notification letters were sent to the 2,956 impacted persons and they were provided free credit monitoring and identity theft protection services for two years. The breached data contained names as well as Social Security numbers.
Meadville Medical Center
Meadville Medical Center based in Pennsylvania has affirmed the impact of the MOVEit Transfer hack. Westat Inc. uses the file transfer program to provide data collection and management services during the National Hospital Care Survey (NHCS). It discovered the breach on May 30, 2023, and learned the compromise of the PHI of roughly 1,300 patients. Westat has provided free credit monitoring services to the impacted persons for 12/24 months.
Cape Fear Valley Health
Cape Fear Valley Health located in Fayetteville, NC was likewise impacted by the MOVEit Transfer hack that happened at Westat. Files were cloned that contained the PHI of 1,943 patients, the majority of whom received treatment from February 2023 to May 2023. The stolen information contained names, addresses, birth dates, and medical diagnoses. Impacted persons were provided free credit monitoring services for 12/24 months.
