Cyber roundup: OneBlood recovers from ransomware, Change starts sending breach notices
This week brings some positives for hospitals and health systems in the southeast United States that depend on blood supplies: critical network systems are back online after the August 1 ransomware attack shut the supplier OneBlood down. In addition, the high-profile breach of a Supreme Court Justice's protected health information in 2019 by an alleged insider has been heard in federal court and resulted in a conviction.
In other news, the U.S. Health and Human Services accepted a breach notification from Change Healthcare indicating the minimum number of individuals affected – 500 – after ransomware caused a major nationwide outage in claims payments, disrupting care and exposing the PHI of potentially millions of patients.
OneBlood's critical software online
The Orlando-based blood supplier said its network has been partially restored after a ransomware attack and encouraged blood donations with Tropical Storm Debby threatening the region, according to a report from CBS News Miami on Monday.
"The priority was to bring the software system used to manage the blood supply back online and the team that has been working around the clock made it happen," Susan Forbes, OneBlood's senior vice president of corporate communications and public relations, said in an update Tuesday.
"At this time, our processing and distribution of blood products to hospitals is near normal output," she said.
OneBlood, which distributed blood to more than 250 hospitals in the southeast United States, became the third target of ransomware attacks on blood suppliers in recent months. That prompted the American Hospital Association to warn U.S. hospitals to make contingency plans for blood supplies.
"The blood supply cannot be taken for granted," Forbes said in the ransomware event update.
"In an instant, any one of us can find ourselves on the receiving end of a blood transfusion."
The company indicated in its FAQs that it does not yet have information on whether donors' personal information had been breached in the July 29 attack.
Change reports to HHS
Nearly five months after a ransomware attack shut down Change Healthcare, parent company UnitedHealth Group reported the data breach to the HHS Office for Civil Rights.
UHG reported that 500 individuals had been affected. However, the required data breach report comes after the health payments clearinghouse began sending its breach notice directly to affected patients on July 31.
The scale of the breach is thought to have affected millions of patients, and in June OCR said Change has the responsibility to notify affected patients of stolen information.
That month the company sent notices to customers whose members’ or patients’ data were involved in the attack.
While the agency previously opened an investigation into the breach, it recently said that the data analysis to understand the magnitude of the breach has been ongoing.
"Change Healthcare’s breach report to OCR identifies 500 individuals as the approximate number of individuals affected," the agency said on its Change Healthcare Cybersecurity Incident FAQ page.
"Change Healthcare is still determining the number of individuals affected," the agency said, noting that the information on the HHS Breach Portal would be amended if Change Healthcare updates the total number of individuals affected.
On May 1, UnitedHealth Group CEO Andrew Witty told Congress why he made the decision to pay a $22 million Bitcoin ransom, adding that the company didn't have access to the exfiltrated data until the middle of March.
"We are working tirelessly to uncover and understand every detail we can, which we will use to make our cyber defenses stronger than ever," he told the lawmakers.
Justice for Ginsburg's data breach
Last week a federal court convicted Trent James Russell of Arlington, Virginia, a former army medic who worked as an organ donor transplant coordinator, of accessing and publicly exposing U.S. Supreme Court Justice Ruth Bader Ginsburg's health information in July 2019.
Russell was accused of posting a screenshot of her cancer care information, including dates of radiation treatment.
The screenshot first appeared on the bulletin board 4chan in a discussion that suggested Justice Ginsburg, who passed away on September 18, 2020, had died the year before in a conspiracy to prevent then-President Donald Trump from picking a new judge.
The image then began circulating on the Internet.
Russell pleaded not guilty and said that he never accessed her medical records at George Washington University Hospital in Washington, D.C., where she was undergoing radiation and other cancer treatments, a WRAL News report said.
He testified that he and his colleagues shared passwords to get around technical requirements that slowed the donation process, according to the story. However, prosecutors said he attempted to destroy evidence after his remote access was disabled, and moved to Nebraska.
Russell faces a maximum sentence of 20 years in prison when he is sentenced on November 7.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.