DataBreaches.Net

Greenway Health investigating claims by threat actors of a cyberattack (updated)

Posted on August 9, 2021 by Dissent

Update of August 10:  Following publication of our article with a statement from Greenway Health that the attack appeared to be on a former client and not them (but it was under investigation), DataBreaches.net checked the threat actor’s leak site today and found the entire listing is gone. This could mean a number of things, but it is curious and we will continue to monitor the reported incident.

Update of August 17:  The listing has reappeared on Hive’s leak site — even though Greenway insists it was not them but a former client who was hit.  Has Hive been trying to extort the wrong entity?


Greenway Health is a vendor of health information technology, including integrated EHR, practice management, revenue cycle management solutions, and telehealth. The firm has often highlighted the importance of data security and preventing breaches, including as recently as after the Colonial Pipeline ransomware incident, but over the past five years, Greenway itself has experienced a number of data security incidents.

Greenway Health’s Georgia headquarters. Image credit: Wikimedia Commons. This file is licensed under the  Creative Commons Attribution-Share Alike 4.0 International license.

Current Incident

Greenway Health has allegedly been the victim of an attack with some data dumped as proof on a leak site on the dark web. According to the threat actors, their data was encrypted on July 15, and proof of claim was dumped on August 3.

Greenway listing on dark web
Image: Threat actors dumped data as proof of claim. Redacted by DataBreaches.net.

The 746 mb proof of claim dump does appear to relate to Greenway but contains mostly old files about client credentials and remittances (circa 2012, in some cases). While much of the data is old, some aspects of PII and ePHI generally do not change over the years even if the health insurer or demographic information for specific patients changes. So if this is, in fact, data from one of Greenway’s systems or platforms (and the Intergy platform is specifically named in one folder), then Greenway may have a lot of notifications to make just for this relatively small archive. And of course, since some of the data is old, they may have trouble tracking down those who should be notified.

The threat actors have not made any claims as to how much other data with PII or ePHI they may have accessed and exfiltrated.

In response to an August 4 inquiry from this site, Greenway Health responded:

Yesterday, Greenway became aware of an internet post referring to a potential data breach associated with select clients of Greenway Health. We are currently investigating the matter.

DataBreaches.net sent an inquiry yesterday asking if they had any update or more information that they could share, and has just received this reply post-publication:

Greenway Health recently learned that a third party claimed to have carried out a data breach involving the company. Greenway takes these matters very seriously and we immediately launched an investigation, leveraging outside advisers. At this time, it appears that a former client was the victim of an attack, not Greenway. Greenway is working to complete its investigation, and the company remains diligent in any situation – regardless if a threat is purported or real – to protect our clients’ data and their patient records.

DataBreaches.net will continue to follow developments in this incident.

Update 2:  Greenway subsequently reiterated that it was a former client who was the actual victim of the attack, but they would not name the client or say anything more.

Past Incidents

In May, 2016, Florida Medical Clinic notified 1,000 patients that their patient due balance statements had been exposed to industrial account patients who had logged in to the Patient Portal between November 18, 2015 and January 6, 2016. Upon investigation, they discovered that a setting had been turned on by the patient portal vendor, Greenway Health.

In April, 2017, Greenway Health suffered a ransomware attack that necessitated them notifying 400 client organizations using their Intergy cloud-hosted platform. 

In May, 2019, Greenway Health notified at least one client that it had found a coding error in their software. The coding error would permit someone other than a patient to view very limited personal health information (“PHI”) about a patient, including the patient’s medical record number and medical orders, but not the patient’s chart. That incident does not appear to have been publicly reported by media.

In July, 2020, Greenway Health notified HHS on behalf of 91 covered entities that its “Greenway Patient Portal”  had been hit by a brute force attack by a bot between May 1 and May 7, 2020. While Greenway found no evidence of misuse of any data, they reported that it was possible — depending on what patients entered in their records — that threat actors could have accessed a patient’s name, Social Security number, health insurance information, vitals, allergies, lab results, care plan, current and/or past medications, procedures and medical history, and visit history.

Category: Breach Incidents, Commentaries and Analyses, Health Data, Malware, Of Note, Subcontractor, U.S.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.