More than 600 providers impacted by ransomware attack on payment vendor

A payment vendor was hit with a ransomware attack back in February that may have exposed patient data from more than 600 healthcare providers and organizations.

Professional Finance Company, an accounts receivable management company based in Greeley, Colorado, detected and stopped a sophisticated ransomware attack in which an unauthorized third party accessed and disabled some of PFC’s computer systems, the company said in a notice on its website about the cybersecurity incident.

The company said it immediately engaged third-party forensic specialists to secure the network environment and contacted law enforcement. During an ongoing investigation, it was determined that hackers accessed files containing certain individuals' personal information.

The incident may have affected 657 of the company's healthcare provider clients.

According to the PFC website, the company is one of the nation’s leading debt recovery agencies, and its client list includes many healthcare providers, retailers, financial organizations and government agencies.

PFC said it sent notification letters to all affected healthcare provider clients May 5.

The ransomware attack hit company computer systems that held data from clients such as Banner Health, Lifestance Health, Renown Health, DispatchHealth and hundreds of other provider customers (PDF).

The investigation uncovered no evidence of misuse of patient data, but data theft and misuse could not be ruled out. The types of information potentially accessed in the attack included names, addresses, accounts receivable balances, information regarding payments made to accounts and, for some individuals, birth dates, Social Security numbers, health insurance information and medical treatment information.

The company said it is providing complimentary credit monitoring and identity theft protection services to affected individuals.

The data breach has yet to appear on the Department of Health and Human Services' Office for Civil Rights website, so it is unclear how many patients have been affected by the breach.

"Data security is one of PFC’s highest priorities. Since the incident, PFC wiped and rebuilt affected systems and has taken steps to bolster its network security," the company's notice stated.

"PFC also reviewed and altered its policies, procedures, and network security software relating to the security of systems and servers, as well as how data is stored and managed."

Companies operating in the healthcare space have a "perpetual target on their backs" for cybercrime, given the high volume of sensitive patient information that they are entrusted with, said Keith Neilson, technical evangelist at CloudSphere, a company that provides a cloud governance platform.

"Data breaches of this scale can be detrimental to a company’s reputation, and any company entrusted with confidential data like names, addresses, Social Security numbers, and financial information must be especially hypervigilant in their security and governance practices," Neilson said.

The attack serves as a reminder that an effective cybersecurity strategy begins with cyber asset management, according to Neilson.

"The most critical proactive step IT leaders can take to mitigate the risk for ransomware attacks is to take full inventory of all cyber assets hosted within their company’s IT environment. Once comprehensive, real-time visibility of all data is secured, companies can establish security and governance practices across the entire cloud landscape, significantly minimizing the potential attack surface," he said.

North Korean hackers targeting healthcare

It's been an alarming week for cybersecurity in healthcare, as federal officials issued a warning that hackers sponsored by North Korea's government have been using the Maui ransomware to target healthcare and public health services providers since last May.

The FBI, the Cybersecurity and Infrastructure Security Agency and the Treasury Department released a joint cybersecurity advisory about the ransomware threat.

Federal officials "highly discourage" paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks, according to the advisory.

In the past year, the FBI has observed and responded to multiple Maui ransomware incidents at healthcare and public health sector organizations. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services and intranet services, according to the agency.

The advisory says that Maui ransomware, known as maui.exe, is an encryption binary designed for manual execution by a remote actor, who uses a command-line interface to identify the files to encrypt.

The FBI says North Korean state-sponsored cyber actors are using ransomware against healthcare organizations because the hackers believe providers are more willing to pay the ransom to retrieve their files.

The federal agencies recommend healthcare organizations maintain offline (i.e., physically disconnected) backups of data and regularly test backup and restoration procedures. Organizations also should ensure all backup data are encrypted, immutable (i.e., cannot be altered or deleted) and cover the entire organization’s data infrastructure.

Hospitals and health systems also need to create, maintain and exercise a basic cyber incident response plan and associated communications plan that includes response procedures for a ransomware incident.

According to the agencies, installing updates for operating systems, software and firmware as soon as they are released also is critical to mitigate risks. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.

The agencies also recommend that healthcare organizations turn off network device management interfaces, such as those for wide area networks, and secure them with strong passwords and encryption when they are enabled; secure personally identifiable information and patient health information at collection points; encrypt the data at rest and in transit; and implement and enforce multilayer network segmentation.