First came the cyberattack on September 1, which forced the hospital to take all phone and email communications offline. Medical record systems went down and were replaced with pen and paper. Then came a warning from the hacker group Daixin Team that it would release a “full leak” of the stolen data. The group demanded tens of millions of dollars in ransom.
Texas-based OakBend Medical Center is a nonprofit hospital system operating three hospitals, emergency centers, imaging centers and physical therapy clinics in the Houston metropolitan area. Since September the hospital system has been gradually rebuilding its electronic networks. But the problems keep mounting.
OakBend reported the breach to the Office for Civil Rights on October 28, noting that 500,000 individuals were affected. The true number could be far higher, and the investigation continues. The cyber criminals accessed protected health information (PHI) including names, dates of birth, addresses, email addresses and Social Security numbers.
A class action lawsuit was filed in federal district court in Texas on October 28, 2022 alleging negligence, breach of contract, breach of fiduciary duty, intrusion upon privacy and unjust enrichment. The lawsuit alleges that OakBend maintained sensitive information in “a reckless manner” prior to the September ransomware attack, which reportedly compromised more than one million patient records. Class action lawsuits of this kind are becoming more common after large breaches.
How many patients were affected, and exactly which records, is not entirely clear. The blog Databreaches.net reports that it previewed Daixin Team’s list of files purportedly stolen from OakBend, showing 258 directories containing 6,051 files. The Daixin hackers say they exfiltrated about 3.5 gigabytes of data, including 1.2 million records containing patient and employee data.
Cyber Criminals Target Healthcare
According to the FBI Internet Crime Complaint Center (IC3), as of October 2022 the healthcare sector accounted for 25 percent of the ransomware complaints received from the 16 critical infrastructure sectors.
On October 21, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint alert about Daixin Team, noting that it “is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.” The alert notes that the group has targeted healthcare organizations since June 2022.
HIPAA Risk Management Contains All the Tools
Advice from CISA and the FBI has been consistent: strengthen cybersecurity defenses with offline data backups that are regularly tested for restoration, access controls, strong password policies and timely software updates. Train the workforce in cybersecurity awareness and build a culture of HIPAA compliance in which patient privacy and security are paramount.