Breach Notification , Fraud Management & Cybercrime , Governance & Risk Management

Blood Testing Lab Data Leaked

After Apparent Ransomware Attack, Patient Information Posted Prajeet Nair (@prajeetspeaks) • January 6, 2021

Apex Laboratory, a Farmingdale, New York-based blood testing facility, is notifying patients about the leak of their information, including test results.

The security incident – which appears to have involved ransomware - happened in July. Apex reports that certain systems and files within its network initially were no longer accessible or were encrypted. A forensics firm helped to restore network access, according to a notification recently posted on Apex’s website.

And while the initial investigation did not reveal that data was missing or compromised, Apex found on Dec. 15 that hackers had started posting patient information online, Apex says.

"Upon learning of the data that was taken, Apex, along with the assistance of forensic specialists, conducted a review of the files to determine what information was impacted and ensured that the data was removed from the hacker’s blog," according to the Apex data breach notification. "It is believed that this information may have been acquired from Apex’s systems between July 21, 2020 and July 25, 2020."

The additional investigation revealed that the compromised data includes patient names, dates of birth, test results and for some individuals, Social Security numbers as well as phone numbers, according to the breach notice.

Apex did not specify the amount of data compromised, but the company says it’s not aware of misuse of the information for identity theft or other malicious activity.

"Apex is continuing to investigate this incident," Apex notes. "As part of our ongoing commitment to the security of information, we notified law enforcement and are reviewing and enhancing existing policies and procedures to reduce the likelihood of a similar future event."

Ransomware Responsible?

The security blog DataBreaches.net reports that the DoppelPaymer ransomware gang carried out the attack and has posted about 10,000 files on its darknet leak site.

The FBI warned in December of increased activity by the operators behind DoppelPaymer (see: FBI Warns of DoppelPaymer Ransomware Attack Surge).

Saryu Nayyar, CEO at security firm Gurucul, says that the apparent ransomware attack against Apex systems follows a familiar pattern of the dual-extortion racket: The attackers get in and disrupt systems. The victim manages to recover their encrypted files and return to operation, but the gang then releases some confidential information stolen during the attack.

"The disturbing part is the delay between the initial breach in July 2020 and the notification coming months later in December," Nayyar says. "The stolen data would be quite useful for attackers looking to stage spear-phishing or targeted social engineering attacks or to simply leverage the stolen data to conduct identity theft. The fact that their initial investigation revealed no evidence of confidential patient data theft, with the attackers revealing the fact that they had acquired confidential data, is of additional concern."

Privacy attorney David Holtzman, principal of the consulting firm HITprivacy, says the delay between the initial detection of the incident and the notification that Apex posted on Dec. 31 would likely draw the attention of healthcare regulators.

"The HIPAA Security Rule requires covered entities and business associates to implement technical safeguards for monitoring access and alerting organizations to inappropriate activity and identifying potential threats in the network," Holtzman says. "It took over six months for Apex to learn that the hacker had scanned the system for valuable data and had extracted sensitive patient information about individuals, all of which had gone undetected. I would expect that the failure to discover that patient had been disclosed without authorization will be a focus of regulators investigating this breach."

Healthcare Security

James McQuiggan, a security awareness advocate at security firm KnowBe4, expects that in 2021, the trend of ransomware gangs exfiltrating data from victims will continue until more organizations improve their data security.

"These activities are why organizations must have a multilevel security model to protect, monitor and respond promptly to any attacks. These tactics include technical controls and security awareness training, as many ransomware attacks are successful due to phishing," McQuiggan says.

Hacking incidents, including ransomware and phishing attacks, as well as security incidents involving vendors dominated the federal tally of major health data breaches in 2020, according to the Department of Health and Human Service's HIPAA Breach Reporting Tool website (see: Analysis: 2020 Health Data Breach Trends).

A report released this week by Check Point Software Technologies found that ransomware and other cyberattacks on healthcare entities globally have increased by about 45% in the last two months (see: Ransomware Attacks in Healthcare Surging).