Ransomware Attacks at Lake Region Healthcare and the University of Vermont Health Network

Lake Region Healthcare in Fergus Falls, Minnesota is investigating a ransomware attack that was first noticed on December 22, 2020. The attack affected several of the healthcare provider's systems, resulting in some interruption of regular operations at its facilities in Fergus Falls, Ashby, Battle Lake, and Barnesville. The provider had developed and implemented emergency procedures before the attack happened, so it was able to keep providing patient care while it investigated the attack and remediated the disruption.

Third-party cybersecurity specialists helped with the investigation to determine the extent of the ransomware attack. While the investigation is still in progress, Lake Region Healthcare was able to recover nearly all the systems affected by the attack and had services running as before, thanks to its alternative systems.

Although data theft is common before ransomware is deployed, there is no evidence of data theft in this attack. The provider continued to offer patient care, but patients were advised to contact the hospital to confirm their consultations. Further announcements will be made as the investigation moves along and all systems come back online.

University of Vermont Health Network Ransomware Attack Slows Down EHR Rollout

A ransomware attack on the University of Vermont Health Network in Burlington, VT on October 28, 2020 resulted in a serious disruption.

Although the majority of systems are back online after many weeks, the attack is still affecting some areas. For instance, a few applications are not yet back online, and the departments experiencing delays include radiology. After the attack, the University of Vermont Health Network stated that it was losing approximately $1.5 million in revenue each day.

The attack also delayed the planned organization-wide rollout of the next stage of its new Epic EHR system. The new EHR system is meant to replace a patchwork of programs, within and between the hospitals belonging to the network, that are presently not fully integrated.

In 2020, healthcare organizations across the world, including the University of Vermont Health Network, faced great challenges because of the COVID-19 pandemic and were further burdened by ransomware attacks. UVM president and CEO John Brumsted, M.D. said that the health network has postponed the implementation of the new EHR system at a number of its inpatient and outpatient centers by 4 to 8 months.

2020’s Largest Healthcare Data Breaches

2020 was a very bad year for healthcare industry data breaches. The HHS’ Office for Civil Rights documented 616 data breaches involving 500 or more health records. In those breaches, 28,756,445 healthcare records were compromised or impermissibly disclosed, which makes 2020 the third worst year in terms of the number of breached healthcare records.

2020’s Biggest Healthcare Data Breaches

When a breach occurs at a business associate of a HIPAA-covered entity, the covered entity typically reports the incident, not the business associate. In 2020, the cloud service provider Blackbaud Inc. suffered a huge data breach. Hackers obtained access to its network systems and stole its customers’ fundraising databases prior to deploying ransomware. Blackbaud received a ransom demand along with a threat that the stolen records would be published if the ransom was not paid. Blackbaud opted to pay the ransom to avert the exposure of client data. Blackbaud was given guarantees that the stolen files were completely disposed of and were not exposed.

The actual number of individuals affected by the Blackbaud ransomware attack may never be reported correctly; nevertheless, over 6 dozen healthcare companies have confirmed being affected thus far, and more than 8 million healthcare records were possibly exposed. That breach is clearly at the top of the list of the largest healthcare data breaches of 2020 and is one of the biggest healthcare data breaches in history.

Below is the list of the reported data breaches in 2020 involving 500,000 healthcare records. In some instances, the actual data breach took place prior to 2020 but was only discovered and reported in 2020.

  1. Trinity Health – 3,320,726 people impacted
    Trinity Health was the healthcare organization most severely affected by the Blackbaud ransomware attack. The hackers likely obtained the philanthropy database of the Catholic health system based in Livonia, Michigan, which comprised patient and donor records from 2000 to 2020.
  2. MEDNAX Services, Inc. – 1,290,670 people impacted
    MEDNAX Services, Inc., based in Sunrise, Florida, experienced a security breach of its Office 365 account in June 2020 because staff members responded to phishing email messages. The substantial breach involved patient and guarantor data including driver’s license numbers, Social Security numbers, and health insurance and financial data.
  3. Inova Health System – 1,045,270 people impacted
    Inova Health System based in Virginia was also impacted by the Blackbaud ransomware attack. Inova’s fundraising data bank that comprised patient and donor records was possibly compromised.
  4. Magellan Health Inc. – 1,013,956 persons affected
    Magellan Health based in Arizona experienced a ransomware attack in April 2020 that led to the potential compromise of the protected health information (PHI) of patients. The ransomware attack started with a spear phishing email. A number of its affiliated entities were likewise impacted by the breach.
  5. Dental Care Alliance – 1,004,304 persons impacted
    Dental Care Alliance, LLC in Sarasota, Florida reported a security breach of its networks in December. The nature of the breach is still uncertain as the investigation is ongoing. The breach impacted many of its affiliated dental practices.
  6. Luxottica of America Inc. – 829,454 persons impacted
    Luxottica of America Inc. is a vision care company that is popular throughout the United States for the eyewear brands Oakley, Ray-Ban, and Persol. It experienced a cyberattack in August 2020 in which hackers gained access to its online appointment scheduling system, which stored the PHI of its eye care partners’ patients.
  7. Northern Light Health – 657,392 persons impacted
    Northern Light Health in Maine was also affected by the Blackbaud ransomware attack. The hackers likely acquired access to its fundraising repository that comprised patient and donor records.
  8. Health Share of Oregon – 654,362 individuals
    In May 2020, Health Share of Oregon reported the theft of a laptop from its vendor of non-emergent medical transport. The stolen laptop lacked encryption, which likely permitted the thief to obtain access to patients’ contact details, Social Security numbers, and Health Share ID numbers.
  9. Florida Orthopaedic Institute – 640,000 people affected
    Florida Orthopaedic Institute experienced a ransomware attack in April that resulted in the encryption of patient data kept on its servers. Prior to deploying the ransomware, the attackers could have viewed or acquired patient records.
  10. Elkhart Emergency Physicians – 550,000 persons affected
    Elkhart Emergency Physicians submitted a breach report in May 2020 regarding the improper disposal of patient documents by Central Files Inc., a third-party storage supplier. Elkhart Emergency Physicians was the worst impacted entity, but a number of the supplier's other clients were likewise impacted by the breach. The documents were thrown out without shredding after the permanent closing of the storage center.