July 24, 2023
Onix group, a Pennsylvania-based business administration service provider, fell victim to a ransomware attack on March 27, 2023. The said data breach exposed the confidential patient information of around 320,000 patients. Moments after detection, its network immediately went offline to avoid further damage to the system. Onix Group also conducted a forensic investigation to identify which type of files were affected.
Recent News Headlines
Onix Group Ransomware Attack: 320,000 Patients Impacted
Seven days before the ransomware attack deployment, the forensic investigation confirmed unauthorized access to the Onix Group electronic database. During that time, hackers successfully exfiltrated files containing sensitive data of patients. Moreover, the same threat actors were able to install powerful encryption on specific systems.
According to the investigation findings, compromised patient data included protected health information (PHI) from healthcare clients such as Addiction Recovery Systems, Cadia Healthcare, Physician’s Mobile X-Ray, and the Onix Hospitality Group.
While data varies from individual to individual, the investigation confirmed the inclusion of relevant information in the Onix Group data breach incident. These include names, birth dates, contact numbers, billing information, Social Security numbers, and clinical information of patients. Most of the stolen files were for HR purposes, including direct deposit and health plan enrollment information.
Immediately after the hacking incident, the real estate development firm sent breach notification letters to affected individuals. The company also filed a breach report to the HHS Office for Civil Rights (OCR). Onix Group also offered 12 months of complimentary credit monitoring and identity theft protection services to affected individuals as part of their corrective action plan.
Despite these efforts, Onix Group still faces a negligence lawsuit filed by Eric Meyers. Onix Group failed to implement adequate safeguards to protect PHI. As part of the corrective action plan, the company must conduct comprehensive employee training on HIPAA data protection regulations and enhance its data security measures to prevent future data breaches.
Ascension Notifies Patients of Vendor Breach: 148,606 Affected
In related news, Ascension, a Texas-based healthcare service provider, recently suffered a third-party vendor data breach at Vertex, affecting around 148,606 individuals last March. Accordingly, Ascension uses Vertex to manage legacy websites such as Seton.net and DellChildren’s.net.
Following the data theft at Ascension, Vertex hired a forensic investigator to identify the nature and complexity of the hacking incident. While the investigation is ongoing, no sufficient evidence has been found indicating the theft of substantial patient data. However, if there was data theft involved, compromised data may include names, addresses, contact numbers, Social Security numbers, credit card numbers, health plans, and insurance information.
“At this time, we do not believe that any information was removed from the affected systems or that it has been misused or shared. Ascension networks and medical record systems were not affected by this incident,” as said in the statement released by Ascension.
As a HIPAA standard and requirement, Ascension immediately filed a breach report to the HHS Office for Civil Rights (OCR). Accordingly, the breach affected 17,191 Ascension Seton and 1,415 Ascension Providence patients, but overall, it affected up to 148,606 individuals. In response, Ascension offered the affected individuals complimentary credit monitoring and identity theft protection services. The healthcare service provider also confirmed that they shut down the affected sites and are now hosting new ones.
Ransomware Attack on Columbus Regional: Patient Data in Jeopardy
On June 9, 2023, Columbus Regional Healthcare System (CRHS) suffered a data breach that was initiated by the Daixin ransomware gang. According to the reports, the nonprofit Indiana health system lost an estimated 70 gigabytes of data from their patient health records. Moreover, the Daixin team successfully deleted stored backups on the system.
In exchange for the stolen data, the Daixin ransomware gang asked for ransom money amounting to $2 million. Meanwhile, CRHS negotiated with the Daixin team and asked to reduce the ransom demand to $1 million. However, ransom negotiations were halted, so there’s yet to be a confirmation if the Daixin ransomware gang will start releasing stolen data in the next few days or not. A JD Supra report also states that Daixin plans to release over 250,000 files, including tax forms, employee records, and billing and accounting records.
If CRHS fails to meet Daixin’s demands, a massive amount of their confidential patient data could be in danger. Following the incident, CRHS will send breach notification letters to affected individuals.