Natasha Chen reports that Catholic Health Initiatives (CHI), some of whose doctors fell for a phishing scheme in January that compromised patient information in e-mails sent to and by the doctors, has fallen victim to an attack that also involved doctors’ e-mail accounts:
For the second time in five months, patients’ information may have been compromised in a data breach at nine local hospitals and dozens of others in 17 states across the U.S.
[…]
KIRO 7 found out about the new breach through a federal lawsuit filed by Catholic Health Initiatives against an unknown “John Doe” hacker.
By filing the lawsuit, the group of hospitals across the U.S. can submit a legal request to Microsoft to provide information about the email accounts used in the hacking.
Read more on KIRO.
According to their complaint, CHI operates hospitals and other health care facilities in 17 states, including nine health care facilities in Washington: Franciscan Medical Group in Tacoma, Harrison Medical Center in Bremerton, Highline Medical Center in Burien, Regional Hospital for Respiratory and Complex Care in Tukwila, St. Anthony Hospital in Gig Harbor, St. Clare Hospital in Lakewood, St. Elizabeth Hospital in Enumclaw, St. Francis Hospital in Federal Way, and St. Joseph Medical Center in Tacoma.
Also according to the complaint, the unknown “John Doe” hacker, who may be in Pakistan or connecting through a Pakistani IP, apparently managed to gain administrative control of CHI-East.org, and used that control to redirect email addressed to catholichealth.net e-mail addresses. Catholichealth.net is the domain that CHI’s doctors use for their e-mail accounts.
As a result, during the period March 25 – 30, e-mails sent to doctors at catholichealth.net by other doctors, laboratories, or patients was redirected to external e-mail accounts under the attacker’s control, such as a Hotmail or Outlook account.
CHI worked with Network Solutions to regain control of their domain and restore security.
In their complaint, CHI charges that the attacker violated the federal Wiretap Act. They seek damages, or in the alternative, profits from the attacker’s use of the information, punitive damages, as well as an injunction to prevent the attacker from diverting or viewing e-mails and any attachments, and attorneys’ fees.
From the wording of the complaint, which I’ve uploaded here. I wonder whether the redirected e-mails were deleted from the server. CHI doesn’t indicate that when they restored control over the domain, the e-mails that would have been delivered between March 25 and March 30 were delivered. They state that based on typical e-mail usage, they estimate that a lot of e-mail was intercepted. If that’s the case – that the attacker deleted mail from the server or that their configuration didn’t keep copies of e-mail on the server – that could have significant implications for patient care, as well as making it almost impossible for CHI to know which patients had their PHI intercepted.
PHIprivacy.net reached out to CHI on this question as to whether e-mail was redirected with a copy left on the server or redirected and deleted from the server, but they were not immediately available for comment.
Update of May 12th: CHI sent the following statement to PHIprivacy.net:
The suit that was filed May 8 in U.S. District Court in Seattle involves an attack on several Catholic Health Initiatives domain name service (DNS) accounts. The organization is in the midst of a comprehensive investigation, which includes a lawsuit to identify the attacker, to seek damages from those responsible, and to obtain an injunction barring any further attacks.
Catholic Health Initiatives has asked the court to allow it to seek early discovery to examine Microsoft Corp.’s email traffic logs during the period when the attack occurred. CHI has requested that portions of the court filings remain sealed to prevent copy-cat attempts. At this time, CHI cannot disclose additional information involving this matter.
As part of the investigation, CHI will attempt to determine whether any personal information has been compromised. If personal information was obtained by the attacker, Catholic Health Initiatives will notify any individuals who may have been affected.
This incident is not related to an earlier “phishing” scam involving Franciscan Health System.