California Heritage Provider Network Suffers Large-scale Ransomware Attack

Arguably the most malicious kind of ransomware attack is the kind that targets the sensitive data of healthcare organizations.

The latest victim is the California Heritage Provider Network, which recently confirmed a large-scale ransomware attack that impacted several of their affiliates and the data of more than 3 million patients. 

According to the U.S. Department of Health and Human Services breach portal, the data of 3,300,638 patients from the Regal Medical Group, Lakeside Medical Organization, ADOC Medical Group and Greater Covina Medical were exposed in the attack.

Based on the reported attacks in the U.S. Department of Health and Human Services’ breach portal, this is the largest breach for 2023 and the second largest breach of the past 24 months.

While we know self-reporting is not always a great indicator of the larger picture, the HITECH Act requires the Secretary of Health and Human Services to post a list of breaches of unsecured private health information which affect 500 or more individuals.

The Regal Medical Group was the first network member to suspect an attack when employees reported technical difficulties this past December, which led to the discovery that a malware attack had successfully infected their servers. 

So, what kind of patient information was exposed? Like most healthcare attacks, including the recent Highmark incident, the data included patients’ full names, social security numbers, birthdays, addresses and medical records, which potentially includes medical related information such as, lab test results, prescriptions, insurance information and radiology reports, etc.

Regal has notified those patients believed to have been affected  and provided them one year of free credit monitoring through Norton LifeLock (another organization who recently suffered a breach) as well as the standard mea culpa, stating they have since improved their security measures and protocols. 

This attack is another reminder that healthcare organizations remain a top target for threat actors. Healthcare data remains as one of the most valuable pieces of resalable information on the dark web and the critical nature of healthcare networks across the care continuum suggests a low risk tolerance for network downtown. The combination of these two factors make them highly attractive for data theft and ransomware.

Even with the recent news of the FBI taking down the Hive Ransomware group, ransomware attacks continue to barrage the healthcare industry – despite the costly, public and targeted actions taken to protect U.S. hospitals and healthcare providers.

As part of the Hive takedown, the FBI conducted a 7-month investigation, revealing that an estimated 80% of companies did not report potential cyber-related issues to officials. Whether the lack of self-reporting was due to fear of public backlash, working with private cybersecurity firms or simply opting to pay the ransom and move on is unknown.

While the Hive ransomware group bust may not make a significant dent in the number of future ransomware attacks over the long-term, it could help change the narrative on the healthcare industry’s perception and overall mistrust of federal involvement, which may help prevent future attacks on such as this one.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of expert practitioners offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.

To learn more, visit our dedicated Cybersecurity page or contact the team at [email protected].

Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity.