Cyberattacks on BST & Co. CPAs LLC and United Regional Health Care System

BST & Co. CPAs LLC based in Albany, NY was attacked by a Maze ransomware gang and impacted the patients of Community Care Physicians P.C., a New York medical group.

A Maze ransomware gang is a threat group that steals the victims’ data before deploying the ransomware payload. The group then threatens the victims that it will publish the stolen information if no ransom is paid. The gang has already published some stolen data, such as names, birth dates, addresses, contact phone numbers, and Social Security numbers of BST personnel.

The accounting, tax, and advisory company, BST, made a statement that there’s a computer virus found on December 7, 2019 that made its files inaccessible. Aside from the potential compromise of internal data, certain data associated with local clients, including Community Care Physicians, were likewise possibly compromised.

A top computer forensics company helped investigate and find out the nature and extent of the attack. The forensics professionals confirmed that the virus had been active on the network between December 4, 2019 and December 7, 2019. The attackers accessed sections of the network that contained client information. BST was able to retrieve the encrypted information from backups.

On February 5, 2020, BST stated that the breach affected people and sent notification letters to them on February 14, 2020. The exposed client information included names, birth dates, medical record numbers, insurance descriptions and medical billing codes.

The HHS’ Office for Civil Rights has not published the incident yet on the breach portal, hence the number of affected individuals is still uncertain.

Phishing Attack on United Regional Impacts Around 2,000 Patients

A phishing attack on United Regional Health Care System based in Wichita Falls, TX resulted in the unauthorized access of the email account of one employee. The attack happened in July 2019, however, the investigation of the breach was only completed on December 2019. The email account was also reviewed to know if patient data was exposed.

It wasn’t possible to know if the attacker accessed or copied email messages, however, it cannot be certain that there was no unauthorized access or data theft. The email account contained information such as patient names, birth dates, medical record and/or patient account numbers, and clinical data like provider name and place, laboratory test results, diagnostic information, prescription data, procedures, and/or treatment details. Some people likewise had their Social Security numbers, medical insurance data, and/or passport details and/or driver’s license numbers exposed.

United Regional notified the patients regarding the breach on February 18, 2020 and offered free credit monitoring and identity theft protection services to the people whose driver’s license numbers, or Social Security numbers were exposed.

About Christine Garcia 1310 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at