Recent Cyberattack and Data Breach Reports by Healthcare Organizations

Mailing Error at CMS Vendor Impacts 10,000 Medicare Beneficiaries

The Centers for Medicare & Medicaid Services (CMS) has began informing a number of Medicaid beneficiaries regarding an impermissible disclosure of their protected health information (PHI) as a result of the mailing error by one of its providers. The incident happened at Palmetto GBA, which handles the claims for CMS. From January 8 to January 29, 2023, Palmetto GBA sent Medicare Summary Notices (MSNs) by mail to Medicare recipients; but its print mail services had a computer programming error that resulted in mailing the MSNs for the 4th quarter of 2022 to other Medicare beneficiaries that have a similar zip code.

Palmetto GBA discovered the programming error on February 7, 2023, and sent an incident report to the CMS that same day. Then, CMS and Palmetto GBA worked to determine the people impacted and identified the problem that led to the error of sending 10,011 MSNs for Medicare beneficiaries in Georgia, Tennessee and Alabama to the wrong recipients. The MSNs included information such as the Medicare beneficiary’s name, address, dates of service, claim number, the last four numbers of their Medicare Beneficiary number, and service/procedure details and billing codes. The CMS states that the threat of identity theft and Medicare fraudulence is negligible. Palmetto GBA has resolved the programming mistake and has improved the checking of printed mail for quality assurance and to safeguard against the same incidents later on.

Phishing Attack at Adelanto HealthCare Ventures Impacts UHS of Delaware Patients

UHS of Delaware, Inc. has just informed 40,290 persons with regard to a data breach that happened at a consulting firm. In November 2021, Adelanto HealthCare Ventures (AHCV) encountered a phishing attack that permitted unauthorized persons to gain access to employee email accounts. Investigation of the phishing incident confirmed that no PHI was compromised or stolen; but on August 19, 2022, the exposure of some PHI was reported.

AHCV has added extra security measures after the incident to increase protection against the same incidents later on. The workforce also received additional training. The incident impacted a number of its healthcare customers.

Northeast Behavioral Health Care Consortium Phishing Attack

Northeast Behavioral Health Care Consortium (NBHCC) located in Moosic, PA informed 13,240 patients about the exposure and potential theft of some of their PHI. On February 20, 2023, NBHCC found out that an unauthorized individual accessed the email account of an employee after responding to a phishing email.

An analysis of the impacted email account indicated that it included PHI, for example, names, Medicaid numbers, member numbers, diagnoses, complete incident information, and levels of care. NBHCC stated that it did not find any patient data misuse and it is convinced that the main objective of the attackers was to get the information of other companies. Nevertheless, misuse of patient information cannot be excluded. A third-party cybersecurity company helped with the investigation and the undertaking of mitigation to address the risk and stop the same incidents later on.

Graceworks Lutheran Services Reports Network Security Breach

Social services organization Graceworks Lutheran Services based in Centerville, OH stated that unauthorized persons acquired access to its computer systems and possibly viewed and acquired the PHI of 6,737 persons. It detected suspicious activity in its computer systems on or about February 18, 2023. An independent computer forensics company investigated the incident and confirmed the unauthorized systems access. Though there is no proof found of misuse of the exposed information, unauthorized data access and theft cannot be excluded. The compromised data was different from one person to another and could have included names, addresses, birth dates, Social Security Numbers, medical diagnosis and treatment data, medical insurance data, and prescription data.

The data analysis and confirmation of contact details were concluded on March 31, 2023. Graceworks Lutheran Services mailed notification letters in April.

The Exploitation of GoAnywhere and PaperCut Vulnerabilities by Ransomware Groups

A new Health Sector Cybersecurity and Coordination Center (HC3) advisory cautions the healthcare and public health (HPH) sector about the LockBit and Clop ransomware groups’ attacks on the HPH sector.

HC3 has released several notifications concerning the LockBit and Clop ransomware-as-a-service groups that have carried out several attacks on the healthcare industry. Clop was responsible for the attacks on Fortra’s GoAnywhere MFT solution last January/February 2023 as well as the attack on the Accellion File Transfer Application (FTA) in 2022, which took advantage of zero-day vulnerabilities in those programs. The most recent notification regarding LockBit was released in December 2022 after several attacks on HPH sector companies.

The Clop group stole information from about 130 organizations after taking advantage of vulnerability CVE-2023-0669 in the GoAnywhere MFT. The two ransomware groups were seen exploiting two other newly disclosed vulnerabilities. The vulnerabilities CVE-2023-27350 and CVE-2023-27351 are authentication bypass vulnerabilities in PaperCut MF/NG, which is a print management software program. The developer disclosed those two vulnerabilities on April 19, 2023, and were fixed in PaperCut versions 20.1.7, 21.2.11, and 22.0.9 and newer versions.

On April 26, 2023, Microsoft reported identifying a threat actor called Lace Tempest that exploited the PaperCut vulnerabilities. Its activity overlapped with the TA505 and FIN11 threat groups, which have connections to Clop. After taking advantage of the vulnerabilities, the threat actor deployed the TrueBot malware, which is identified to be used by the Clop ransomware group. Sometimes, the threat actor deployed the LockBit ransomware.

Network defenders were told to quickly patch their servers by implementing updates to the most recent versions of PaperCut. When that isn’t possible, an option is to block all traffic to the web management port (9191) coming from external IP addresses on edge gadgets and block all traffic going to default port 9191 on the server’s firewall. Those using Fortra’s GoAnywhere MFT solution need to rotate the Master Encryption Key, change all credentials, evaluate audit records, and remove suspicious accounts for administrators and users.

Additional recommended solutions for attacks by LockBit, Clop, and other cybercriminal groups can be read in the HC3 advisory.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at