Healthcare Fiscal Management Ransomware Attack Impacts Up to 58,000 People

The Wilmington, NC-based provider of self-pay conversion and insurance eligibility services to hospitals, clinics and physician groups, Healthcare Fiscal Management Inc. (HFMI), has revealed that is was hit by a ransomware attack in which the personal and protected health information of patients of St. Mary’s Health Care System in Athens, GA may have been accessed or obtained by cybercriminals.

An unauthorized person obtained access to HFMI systems on April 12, 2020 and downloaded a ransomware payload the next day, which encrypted its databases. The systems accessed by the hacker were found to include the personal and protected health information of patients who received healthcare services at St. Mary’s between November 2019 and April 2020.

Overall, the data of around 58,000 patients may have been accessed and obtained by the hackers, although data access/theft could not be confirmed. The PHI stored on the impacted systems was restricted to names, dates of birth, Social Security numbers, account numbers, medical record numbers, and appointments.

HFMI had been braced for such an attack and had viable backups that were used to restore data the same day to another hosting provider. A forensic investigation firm was engaged to look into the breach. The forensic investigators determined the data is not in the possession of the attackers and is not accessible over the internet.

Security specialists have been reviewing security management controls and, based on their recommendations, steps will be taken to enhance security measures. HFMI has offered all impacted individuals free credit monitoring and identity theft protection services as a precaution against identity theft and fraud.

Meanwhile, Russellville, AR-based Friendship Community Care (FCC), a nonprofit provider of care for adults and children with disabilities, fell victim to a phishing attack in January 2020.

The breach was identified on February 4, 2020 when suspicious activity was spotted in an employee’s email account. Forensic investigators helped with the investigation and determined on February 5, 2020 that an unauthorized individual had obtained access to the email account, but deeper look showed several Office 365 email accounts had been compromised using credentials obtained in the phishing attack.

FCC became aware on February 7, 2020 that the email accounts contained protected health information. A comprehensive review of the email accounts showed the PHI of 9,745 individuals may have been accessed, although no evidence was found to suggest emails were viewed or obtained by the hacker.

The impacted accounts contained  names, addresses, dates of birth, Social Security numbers, client ID numbers, Medicare IDs/Medicaid IDs, employer ID numbers, patient numbers, medical data, driver’s license numbers, state ID card details, student ID numbers, financial account information, mother’s maiden names, birth certificates, marriage certificates, disability codes, and facial images.

Affected persons have been offered free credit monitoring and identity protection services. A thorough review of email security was completed, and steps are being taken to enhance security to stop similar breaches in the future.

Author: Maria Perez