Commonwealth Health Physician Network-Cardiology, also known as Great Valley Cardiology (GVC), has notified 181,764 patients of a network breach that resulted in access to protected health information that included names, addresses and demographic information such as dates of birth; Social Security, driver’s license and passport numbers; credit card or debit card and bank accounts; and health insurance, claims and medical information. The medical information includes dates of service, diagnoses, medications and lab results.
What will likely be frustrating to patients is the fact that GVC admits it could not determine whether the unauthorized individuals viewed or exfiltrated the data to which they had access. The identity of the attackers has not been disclosed, if known. Nor has there been any mention of whether there was any ransom or extortion demand.
According to the notice by the Commonwealth Health Physician Network, the breach occurred on February 2 and continued until April 14. It was first discovered by GVC on April 13, but as some great reporting by Borys Krawczeniuk of The Times-Tribune made clear, GVC only discovered the breach then when they were alerted by the U.S. Department of Homeland Security.
Once they were alerted, GVC disconnected their network from the internet, disabled VPN access, and opened an investigation. According to GVC, the unauthorized parties no longer have access to the network and they have no indication that any data has been used or misused in any way.
Krawczeniuk provides additional details, provided by Commonwealth Health spokeswoman Annmarie Poslock in an email to the news outlet. He reports that the forensic investigation found that the hackers used a brute force attack to gain access. Poslock wrote:
“This is where the unauthorized party uses specialized software to generate passwords until one is successful,” she said. “Once the computer software found a real password, the unauthorized parties used that password to enter the GVC network. Where an unauthorized party has access to a network through a real set of credentials, it is often difficult to detect their presence immediately in the system.”
GVC does not reveal why the hospital never detected the brute force attack, or if they had detected it, how they had responded to it. And what kind of authentication did GVC have in place? Was there no second layer or multifactor authentication required? Could anyone who guessed a password just access all that patient data? There is still a lot we do not know about this incident.
This incident was reported to both law enforcement and to HHS. GVC is offering those notified 24 months of Experian IdentityWorks℠.
The GVC incident is the second incident Commonwealth Health Physician Network has reported this year. Community Health System had previously reported it was affected by the Fortra GoAnywhere attack.