The data-security news website BleepingComputer.com first reported the August data breach after its editor, Lawrence Abrams, said he was alerted by cybersecurity industry experts.
A group known as the Vice Society claimed responsibility for the attack and dumped at least some of the documents onto the internet, according to Abrams and to DataBreaches.net, another website.
The ransomware attack reportedly forced United Health Centers to shut down its entire computer network for a time.
David Phillips, a spokesperson for United Health Centers, issued a written statement Tuesday in response to questions from The Bee acknowledging that the organization “recently experienced technical difficulties, resulting in a disruption to certain computer systems.”
Phillips said UHC is “working diligently with third-party forensic specialists to investigate the source of the disruption and determine its impact on our information system.”
He added that the computer systems were quickly restored to “full functionality” to avoid disruptions to patient care.
A Selma resident, Kevin Linder, posted a notice Friday on Facebook that he was alerted by a credit report that some of his personal data, including his Social Security number, was found on the “dark web” where it was available for sale to identity thieves.
“I just got an alert that my SSN has been compromised and is available for identity thieves to access. The source of the breach was United Health Centers,” Linder wrote in his Facebook post. “If you go to United Health Centers, check your credit reports ASAP and consider freezing them! I froze all 3 of mine.”
A few minutes later, Linder posted a comment to a Facebook post by United Health Centers to complain about the data breach and a lack of notification to patients by the healthcare nonprofit.
“I find this to be quite unnerving and irresponsible on your part for not sending out any kind of notification that this happened,” he wrote. “I am seriously considering going elsewhere for my future medical care needs because of this.”
In the statement issued by Phillips, UHC did not address questions about when the disruption occurred, how many patients’ records may have been compromised, or steps UHC has taken to secure its systems against future attacks.
As of Tuesday afternoon, there was no notice to clients or patients about the breach on the UHC website.
What’s been exposed?
The dark web is a murky area of the internet that is not publicly visible, but accessible only through specialized browsers, according to Kaspersky Lab, a global cybersecurity company.
A “ransomware” attack is one in which hackers penetrate a computer system and encrypt the files that exist on that system, making them unusable. The federal Cybersecurity and Infrastructure Security Agency, or CISA, notes that the hackers then demand a payment, or a ransom, to release the files or the computer system back to its owners.
The hackers often threaten to dump the data onto the internet if the ransom is not paid.
DataBreaches.net, in a dark web search of the Vice Society’s website, reported discovering some of the documents that had been stolen and dumped online by the hackers. They included many that contained protected health information that medical providers are required to keep confidential.
Among the documents: medical insurance billing files including patients’ names, ages, insurance information and diagnostic or treatment codes; old billing collection records; and prescription refill forms for patients’ medications.
DataBreaches.net also found a patient roster with more than 5,000 entries of patients’ names, dates of birth, addresses, patient ID numbers or Social Security numbers, and more.
Abrams at Bleeping Computer reported that hospitals and medical facilities are sometimes treated as off-limits by hackers. He reached out by email to Vice Society to ask why it allows members to target hospitals and health clinics.
Vice Society response: ‘Why not?’
Their response, he reported, was, “Why not?”
“They always keep our private data open. You, me and anyone else go to hospitals, give them our passports, share our health problems etc. and they don't even try to protect our data,” Abrams wrote, quoting the email, which included grammatical errors. “They have billions of government money. Do they steal that money?”
“USA president gave big amount to protect government networks and where is their protection? Where is our protection?,” the email continued. “If IT department don’t want to do their job we will do ours and we don’t care if it hospital or university.”
Vice Society surfaced in mid-2021 and is considered a relatively new presence among ransomware threats, according to researchers with Cisco Talos Intelligence Group. The hackers “have been observed launching big-game hunting and double-extortion attacks, primarily targeting small or midsize victims,” a Cisco Talos blog post reports.
In addition to health providers “this group also has notably targeted public school districts and other educational institutions,” Cisco Talos reports. “As with other threat actors operating in the big-game hunting space, Vice Society operates a data leak site, which they use to publish data exfiltrated from victims who do not choose to pay their extortion demands.”
HIPAA Journal, a website that covers issues of compliance with health-care privacy and related data breaches, reported that Vice Society “is believed to be a spin-off of the HelloKitty ransomware operation” that threat analysts identified in 2020.
Disclosure requirements
Health care organizations are required under federal law to report data breaches affecting more than 500 people to the U.S. Department of Health & Human Services’ Office of Civil Rights within 60 days, or for smaller incidents within two months of the end of the calendar year in which the breach was discovered.
In California, state law requires health care facilities to report a breach of patient medical information to the state Department of Public Health within 15 business days after the breach is detected.
As of Tuesday, searches of the state and federal breach-reporting sites showed no reports from United Health Centers about the reported computer invasion by the Vice Society.
Concerns over health-care data breaches and ransomware attacks going unreported by California medical providers prompted state Attorney General Rob Bonta to issue a notice to industry organizations including the state’s medical, hospital and dental associations reminding members of their obligations under state law.
“Entities entrusted with private and deeply personal data, like hospitals and other healthcare providers, must secure information against evolving threats,” Bonta said in a written statement on Aug. 24 — just days before the UHC ransomware attack came to the attention of Bleeping Computer’s Abrams.
Bonta’s agency issued the bulletin “on the heels of multiple unreported ransomware attacks against California healthcare facilities.”
Phillips said Tuesday that UHC has reported the breach as required to government regulators, but did not address whether patients or clients had been warned of the potential breach of their medical or financial information.
United Health Centers reported treating more than 97,000 individual patients in 524,000 visits in 2019, according to the organization’s 2019 annual report. The organization’s revenue in 2019 was more than $108 million.
Tax records made available by ProPublica’s Nonprofit Explorer indicate that United Health Centers’ revenue grew to more than $143 million for the 2020 tax year.
© 2021 The Fresno Bee (Fresno, Calif.). Distributed by Tribune Content Agency, LLC.