County 911 Service Notifying 180,000 About Breach in July
Compromised Patient Info Dates Back to 2011 at Muskogee City County 911 Service
An Oklahoma county provider of medical, fire, police and other 911 emergency services is notifying 180,000 individuals that their health information may have been compromised in a recent ransomware attack. The incident has affected patients receiving emergency medical care as far back as 2011.
Muskogee City County Enhanced 911 Trust Authority in Muskogee, Oklahoma, reported the hack to the U.S. Department of Health and Human Services on Sept. 20 as involving a network server. MCC911 said it discovered the criminal ransomware attack on July 25.
An investigation indicated that cybercriminals accessed its systems from April 4 through July 31 - potentially affecting anyone who received emergency medical services in Muskogee County from January 2011 through April 2023, the notice said.
The age of the data affected by the hack suggests that cybercriminals compromised either the 911 service's backups or its records management system, said Mike Hamilton, founder and CISO of security firm Critical Insight, who is not involved in the incident.
He said the hacker most likely accessed the records management systems because "record retention limitations for RMS systems are not consistently applied, and it is unlikely that backups would be retained for more than 10 years."
The service provider, which is run by an 11-member board representing city and county, said information potentially affected by the incident includes name, address, date of birth, Social Security number, diagnosis, conditions, medication and treatment information, medical procedures, hospital provider name, and health insurance information.
"We immediately began an investigation and took steps to contain the situation, including by proactively taking certain systems offline, changing passwords, notifying federal law enforcement, and engaging cybersecurity and privacy professionals to assist," MCC911 said.
Since the incident, the 911 authority said it has taken measures to improve the security of its systems and practices. That includes implementing endpoint and monitoring tools, updating the firewall, introducing geolocation restrictions, and reconfiguring resources to provide additional protections.
MCC911 did not immediately respond to Information Security Media Group's request for additional details about the hack, including the type of IT systems containing data dating back 12 years that were compromised.
Soft Targets
The 911 authority in Muskogee is among the latest emergency medical services providers to report a major hacking incident in recent months.
Acadian Ambulance Service in Louisiana appears to have suffered the largest of such breaches so far this year. That incident, reported to HHS in August, affected nearly 3 million patients.
Ransomware gang Daixin claims to have stolen and published the Acadian patient data on its darkweb leak site (see: Acadian Ambulance Notifying Nearly 3 Million of Data Theft).
Other EMS providers reporting major health data breaches this year involving hacks include:
- Illinois-based Superior Air-Ground Ambulance Service, which in August reported a breach affecting 858,238 individuals;
- Oklahoma-based Emergency Medical Services Authority, which reported a ransomware incident in March affecting 611,743 patients;
- Pennsylvania-based Altoona Logan Township Mobile Medical Emergency Department Authority, which in June reported a data theft affecting 6,169 individuals.
Emergency services providers are considered U.S. critical infrastructure and often collect and store valuable health records and other information. Some of these organizations are soft, valuable targets for cybercriminals, Hamilton said.
"The loss of EMS services - even for a short time - is a threat to life safety," he said.
Besides the potential for data theft and other compromises in these attacks, the disruption of IT systems can pose danger to the community, especially if other area healthcare providers - such as hospitals - are attacked around the same time.
"Redundancy in EMS is frequently through inter-local agreements, which can be geographically several counties and hundreds of miles away," Hamilton said. "This can dilate response time. However, impacted 911 service can still be effective in dispatching EMS as a call to 911 can be rerouted. This assumes that regional radio systems are not impacted as well," he said.
Hamilton pointed out that 911 and EMS services typically lack funding for adequate resources to maintain a full cybersecurity program.
"These providers should lean into controls that address the most frequently used vectors for compromise: social engineering, phishing, credential abuse such as password guessing, stuffing and vulnerability exploits for internet-facing products," Hamilton said.
To help avoid falling victim to such attacks, he recommends EMS and similar agencies effectively train users, manage credentials using a password vault and multi-factor authentication, and prioritize patches and updates using the CISA known exploited vulnerabilities catalog.