Ransomware attack at Texas-based hospital chain affects 101,000

A Texas-based operator of rehabilitation hospitals is facing multiple federal proposed class action lawsuits in the wake of an apparent ransomware attack that affected dozens of its facilities in several states, potentially compromising the sensitive information of more than 101,000 individuals.

The U.S. Department of Health and Human Services’ Office for Civil Rights HIPAA Breach Reporting Tool website as of Thursday shows at least 33 separate breach reports filed on March 29 for hacking incidents at rehabilitation and long-term care hospitals in 12 states, all operated by Ernest Health, based in Mesquite, Texas.

Each breach was reported as a hacking incident involving a network server and a HIPAA business associate. The smallest of the Ernest Health breaches – affecting 848 individuals – was reported by Denver Regional Rehabilitation Hospital in Colorado, while the largest was reported by Trustpoint Rehabilitation Hospital of Lubbock, Texas as affecting 9,014.

Ernest Health, which treats patients recovering from disabilities caused by injuries or illnesses or from chronic or complex medical conditions, is already facing at least six proposed federal class action lawsuits involving the cyberattack and data breaches, all filed since April 10 in a Texas U.S. District Court.

One of the complaints was filed on April 26 by plaintiffs Marie Snow, a former patient of Ernest’s Mountain Valley Regional Rehabilitation Hospital in Arizona, and Gail Ledgerwood, a former employee at Ernest’s Lafayette Regional Rehabilitation Hospital in Indiana, on behalf of themselves and other individuals similarly affected. That lawsuit alleges, among other claims, that Ernest’s negligence in failing to protect the plaintiffs’ and class members’ sensitive personal information puts them in imminent risk of identity theft and other crimes.

The other proposed class action lawsuits make similar allegations against Ernest, all seeking relief, including financial damages, as well as an injunctive order for Ernest to improve its data security practices.

According to blog site DataBreaches.net, Ernest Health was listed twice briefly in February and March on LockBit3.0’s leak site, but both listings appear to have been removed.

Multiple breach reports
Ernest Health’s name does not appear in any of the individual hospitals’ breach report entries posted on the public-facing HHS OCR website. But each of the affected Ernest Health hospitals post essentially the same breach notice on their individual websites.

The notices say that on Feb. 1, the organization was alerted to unusual activity in its IT environment. “In response, we promptly secured and isolated our IT systems. We also commenced an investigation with assistance from a third-party cybersecurity firm and have been in communication with law enforcement.”

The ongoing Ernest Health breach investigation has determined that an unauthorized party gained access to the organization’s IT network between Jan. 16 and Feb. 4. “While in our IT network, the unauthorized party accessed and/or acquired files that contain information pertaining to certain patients.”

That potentially compromised information includes names, addresses, birthdates, medical record numbers, health insurance plan member IDs, claims data, diagnosis, and/or prescription information.

Social Security numbers and driver’s license numbers for some patients were also affected.

The organization is offering patients whose Social Security or driver’s license numbers were affected complimentary credit monitoring and identity protection services.

In the wake of the incident, the organization said it has implemented, and will continue to adopt, additional safeguards and technical security measures to further protect and monitor its systems.

In addition to the breach notices posted on their websites, some of the affected Ernest Health facilities also have warnings posted about fraudulent phone calls.

“Perpetrators are calling from what look like local phone numbers, claiming to be from a healthcare provider. The scam callers use stolen and readily available information from the internet and social media to convince victims of their legitimacy,” the warning says. “These scam calls usually ask for credit card numbers, social security numbers and other personal information from patients and their family members.”

Ernest Health did not immediately respond to Information Security Media Group’s request for comment and for additional details about its breach and whether the phone fraud warning is related to the hack.

Why Ernest Health submitted individual breach reports to HHS OCR for each of its affected hospitals is unclear, since most healthcare organizations in similar circumstances generally file a single breach report to regulators to cover all facilities affected by an incident.

“There are indeed pros and cons to this approach, and we can only speculate on Ernest’s motivation for the method,” said David Finn, executive vice president of governance, risk and compliance at security consulting firm First Health Advisory.

Having separate smaller breach reports for multiple facilities “does seem to lighten the load of breaches – and that is how our minds work – 9,000 records affected are not a huge number – unless you are one of the 9,000” affected, he said. But a six-digit breach report – such as a report stating 101,000 individuals are affected – “gets our attention,” he said.

“And while it should have been reported as a ‘system’ in any case, using the name of each hospital makes it harder for patients to make the connection to Ernest Health,” Finn said. “However, the bad guys are very good at finding connections, likely making it easier to gain access to other members of the ‘system.'”

“It does not change the impact of events, but it does seem to be a bit of muddying the waters.”

Taking action
Specialty healthcare entities, especially smaller ones, often lack security resources and expertise, which can make them particularly vulnerable to incidents such as the one at Ernest Health, some experts said.

“I don’t know that these hospitals were specifically targeted,” Finn said. “But like the car thief walking around the parking lot, they are going to take the unlocked vehicle without an alarm: It is easier and faster. That is likely what happened here. The value of the data is no less at small providers. There may be less data, but it is easier to get.”

Healthcare entities of any size and type should very seriously consider embracing the voluntary Health Industry Cybersecurity Practices – or HICP – playbook developed by the Health Sector Coordinating Council or the recent Cybersecurity Performance Goals issued by HHS in January, Finn said.

“The Cyber Performance Goals, while not a legal or regulatory requirement, are clear in both the essential and enhanced goals of what healthcare organizations should be doing,” he said.

That includes “basic measures such as vulnerability management, email security, multifactor authentication, training and awareness for the entire workforce, access management – including terminating accounts for people who have left the organization, third-party management, incident response planning and preparedness, and encryption,” he said.

“Required by law or not, the fact that a government agency over the sector has ‘prescribed’ them, they are things that Ernest Health as a member of the sector should have been doing.”

There are also other steps organizations with multiple facilities in many locations – such as Ernest Health – should consider taking to help reduce the risk of intrusions to one part of their IT environment that affects many related entities.

“Network segmentation is certainly helpful in reducing lateral movement within the network,” said Joe Gillespie, senior privacy and security consultant at tw-Security.

“Having 24×7 monitoring and alerting on network activity is key,” he said. “The sooner an intruder is detected, the faster the incident response team can contain the unauthorized access and reduce the scope of a breach. If the network is too flat, a breach in one part of the network can allow unfettered access across its expanse.” BankInfoSecurity