Hospitals and health systems are tracking vulnerabilities in their own network infrastructures, in those of their vendors and in widely used fourth-party tools. But bad actors are still finding ways to target large organizations, regional hospitals and patients.

Stolen health and DNA data in Oklahoma

The Karakurt data extortion group says on its website that it has more than 1,175 gigabytes of data, including 5 GB of SQL data on the medical staff, from McAlester Regional Health Center in Oklahoma. The personally identifiable information contains social security numbers, bank statements and invoices, as well as patient health information, including medical reports and other confidential documents that have been exfiltrated, according to a report Monday on Cybernews.com. 

The ransomware gang reportedly plans to publish samples and then auction off the hospital's sensitive information, which includes 40 GB of genetic DNA from patient records. 

Last year, Karakurt stole 360 gigabytes of data from Collin County, Texas-based Methodist McKinney Hospital, Methodist Allen Surgical Center and Methodist Craig Ranch Surgical Center, and then threatened to post the data to the dark web.

Thought to be an offshoot of Conti ransomware, Karakurt will contact victims directly and threaten to leak their data unless they pay the ransom. Karakurt has been known to harass cyber victims with emails and phone calls for ransom demands that range from $25K to $13M in Bitcoin, according to the report. 

Payment deadlines expire within a week of first contact with the victim, the Cybersecurity and Infrastructure Security Agency and its partners said in an advisory in June 2022. 

McAlester Regional Health Center, a Level III trauma center, has not added a statement to its website, and its Facebook page does not address the patient data breach or any details about the PII and PHI that was compromised.

Karakurt relocated its website to the dark web after it went offline in the spring of 2022, CISA said.

Medicare data breached in MOVEit attack

According to Federal News Network on Monday, the Centers for Medicare and Medicaid Services is responding to a major data breach of the personal information of Medicare beneficiaries held by its business associate, Maximus Federal Services.

The company was reportedly one of several organizations that became victims of a fourth-party ransomware attack on the MOVEit file transfer software in late May.

"The incident involved a security vulnerability in the MOVEit software, a third-party application which allows for the transfer of files during the Medicare appeals process," the agency said in its media advisory and letter to victims posted to CMS.gov.

"Maximus is among the many organizations in the United States that have been impacted by the MOVEit vulnerability," the agency said.

CMS said the company notified the agency on June 2, and the ongoing investigation so far found evidence of compromise by an unauthorized party starting May 27 affecting 612,000 beneficiaries.

Through May 31, it was copying files saved in the Maximus' MOVEit application, "but no CMS system has been compromised."

Data included PII and medical histories, provider and prescription information, health insurance claims and subscriber information, according to CMS.

While the CMS advisory does not mention Cl0p, a June CISA advisory said the ransomware gang is using LEMURLOOT, a web shell written in C# that is designed to target the MOVEit Transfer platform. 

Cl0p exposes public health data on dark web

This week the Russia-linked ransomware gang also leaked a 40-GB dataset that allegedly belongs to CareSource, an Ohio-based nonprofit organization providing public healthcare programs, including Medicaid, Medicare and marketplace, according to Cybernews.com.

"The cybercriminals leaked sensitive healthcare information such as drugs prescribed, risk groups and patients’ treatment details," according to Wednesday's report. 

CareSource was also involved in the April 2022 data breach of OneTouchPoint, a print and mail-fulfillment service that many healthcare organizations use. That breach affected millions of patients.

Cl0p, or Clop, and other ransomware gangs have mapped the healthcare sector, and they target business associates' vulnerabilities, according to John Riggi, national advisor for cybersecurity and risk for the American Hospital Association.

"They have figured out where the key strategic nodes are – those mission-critical third parties that have either access to bulk data, or they themselves have aggregated it," he told Healthcare IT News in December during a conversation about federal support to fight cyberattacks on the healthcare sector.

CareSource has made no statement as of press time about the data leaked by Clop.

The Health 3rd Party Trust Initiative, which comprises a spectrum of healthcare and security organizations such as HITRUST and CORL, offered a new blueprint for third-party risk management that will hopefully help healthcare organizations and third-party vendors – like OneTouchPoint and Maximus Federal Services – to better engage on and more quickly address known vulnerabilities in managed file transfer and other tools that contain PII and PHI.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.