Why Are Facilities Caring for the Elderly ‘Targets of Opportunity’ For Cybercrime?

More than a half-dozen nursing homes and rehabilitation centers have reported an assortment of major hacking incidents in the last month affecting more than 130,000 individuals. Experts say facilities that care for elderly and disabled individuals are attractive and vulnerable targets for cybercriminals.
The largest hack involves a 2024 data theft; three incidents appear centered on the same unnamed third-party vendor; and another three breaches appear related to an incident discovered more than two years ago – but only recently reported to regulators.
All of the breaches had the same thing in common – the compromise of sensitive health and personal data belonging to a vulnerable population of patients.
“These organizations have a treasure-trove of valuable data such as Social Security numbers, drivers’ licenses, dates of birth, addresses, card payment numbers and sensitive personal health information that has value on the black market,” said Keith Forrester, principal security advisor at Optiv.
“What makes this data more valuable is that there is less likelihood that the elderly patients are actively monitoring their credit or personal information,” he said. “This gives the hackers more time to go undetected and use the stolen data in all sorts of fraudulent activity, from selling bulk info to opening bank accounts to filing fake insurance claims.”
Nursing homes, rehab facilities and similar healthcare practices are not necessarily “a target of intent for cybercriminals,” but rather “a target of opportunity,” said Keith Fricke, principal and partner at consulting firm tw-Security.
“These types of healthcare facilities generally operate on razor-thin margins and likely lack the skilled staff and budget necessary to establish and maintain an information security program,” Fricke said. “As more of these types of healthcare entities become victims of cyberattacks, criminals may see them as a target of intent.”
Largest Recent Hack
Hillcrest Convalescent Center, a North Carolina operator of two senior care facilities in Raleigh and Durham, reported to federal regulators on March 4 that its hacking incident affected nearly 106,200 individuals.
Hillcrest, in a breach notice posted on its website, said that on June 27, 2024, it identified suspicious activity on its network and “moved quickly” to secure its environment.
Through an investigation conducted with the aid of third-party cybersecurity experts, Hillcrest said it discovered unauthorized access to its network that compromised some Hillcrest data.
“Hillcrest then conducted an extensive and detailed review of the data to identify the potentially affected individuals and information. This review was completed on Feb. 13,” Hillcrest said.
Information potentially compromised includes name, date of birth, Social Security number, patient data, medical information, treatment information, health insurance information and healthcare provider information.
Hillcrest is offering affected individuals between 12 and 24 months of complimentary credit and identity theft monitoring, depending upon the person’s state of residence. Hillcrest is also advising the family of deceased patients to notify the three major credit bureaus and request “they flag the deceased credit file.”
Hillcrest is also advising parents and guardians of minors who might have been affected to “request that each of the three national credit reporting agencies perform a manual search for a minor’s Social Security number to determine if there is an associated credit report.”
Hillcrest did not immediately respond to Information Security Media Group’s request for additional details about the incident, including whether the breach affected employees and others, such as their dependents, in addition to patients.
Vendor Hack
At least three nursing home and rehab center breaches reported to the U.S. Department of Health and Human Services on March 3 appear to involve a hack on the same unnamed third-party vendor and a compromise of electronic medical records.
Those three practices are:
- Atlantis Operating LLC, which operates as The Phoenix Rehabilitation and Nursing Center in New York, reporting an EMR hack affecting 6,459 individuals;
- HHH Acquisition, LLC, which does business as The Grove at Valhalla Rehabilitation and Nursing Center in New York, also reporting an EMR hack affecting 4,196 people;
- Palmetto Subacute Care Center in Florida, reporting that 2,746 individuals were affected in an “unauthorized access/disclosure” breach also involving EMRs.
Each of those three organizations issued essentially the same public notices saying that they learned on Sept. 19, 2024 that “a third-party vendor” data security incident potentially affected the personal information of their current and past patients. That includes names, addresses, medical information and, in some instances, Social Security numbers.
“Unfortunately, these types of incidents are becoming increasingly common and organizations with the most sophisticated IT infrastructure available continue to be affected,” the breach notices said.
None of the three healthcare organizations immediately responded to ISMG’s requests for additional details about the incident, including the identity and type of third-party vendor at the center of their breaches.
2023 Hacking Incident
At least three nursing homes and rehab centers all operated by the same parent company, Atlas Healthcare, also reported breaches. Atlas Healthcare is based in New Jersey but runs facilities in several states.
The three breaches were reported by Atlas Healthcare facilities in Connecticut. That includes Vernon Rehabilitation and Healthcare Center, which reported to HHS OCR on March 3 that 5,416 people were affected by a hacking/IT incident involving a network server; and Manchester Rehabilitation and Healthcare Center, which on the same day reported 5,415 people affected by a hack involving a network server.
A third Connecticut-based Atlas facility, Arbors of Hop Brook, also posted on its website a notice about a breach described the same way that Vernon Rehab and Manchester Rehab described their incidents. But as of Wednesday, a breach report from Arbors had not been posted on HHS OCR’s breach reporting website, so the number of people affected at Arbors is not yet publicly disclosed.
The Atlas Healthcare nursing homes and rehab centers in Connecticut said in their notices that the facilities learned that some IT systems in the Atlas network were affected by a data security incident occurring on Jan. 20, 2023. The notices do not state exactly when the Atlas facilities learned of the incident.
“Upon learning of the issue, we commenced an immediate and thorough investigation and alerted law enforcement,” the notices said. The investigation and “extensive manual file review” determined on Aug. 16, 2023 that certain files involved in the incident contained individuals’ information, including names, addresses, dates of birth, Social Security numbers, medical information, health insurance information, driver’s license and financial information.
The facilities are offering complimentary credit and identity monitoring services to “eligible” individuals.
“Upon learning of the event we took immediate action to protect the individual personal information we maintain. We continually evaluate and modify our practices to enhance the security and privacy of personal information, and are taking measures to augment our existing cybersecurity,” the Atlas nursing homes and rehabs each said in their breach notices.
Atlas Healthcare did not immediately respond to ISMG’s requests for additional details pertaining to the breaches, including why it took about two years for the facilities to report the incident to regulators.
Other Hacks
This rash of nursing home breaches is just the latest in a series of incidents reported by rehab and long-term nursing facilities in recent months.
In February, ransomware gang Embargo claimed on its dark web site to have published 1.15 terabytes of data stolen from Memorial Hospital and Manor, a Georgia-based hospital and its nursing home.
In January, HCF Management, a family of companies based in Lima, Ohio, which operates healthcare and nursing home facilities in the Buckeye state and Pennsylvania, submitted at least 25 data breach reports to federal and state regulators related to a hack affecting about 70,000 individuals. Cybercrime gang Ransomhub claimed to have stolen 250-gbytes of HCF data in that hack.
And last October, ransomware group Rhysida on its dark web site claimed that it posted data from a 102-gbytes trove stolen in an alleged hack on Golden Age Nursing Home in Mississippi.
“We know that nursing homes and long-term care and rehab facilities are under immense budget constraints and often do not have cybersecurity resources and expertise on staff to monitor systems and assess cyber risk and compliance,” Forrester said.
These facilities are typically smaller and run lean, focusing on ensuring that they have sufficient staff to provide care and keep the facility functioning, Forrester said. “They don’t have the cybersecurity controls and processes that large healthcare providers, hospitals and clinics have in place to protect PHI and respond to incidents.”
Nursing homes and similar practices should take note that if they have a “that won’t happen to us” mentality, they need to rethink their risk, Fricke said.
“As more criminals successfully compromise networks and information of these types of entities, these entities will become targets of intent,” he said.
“They must strengthen their security posture to protect the protected health information and personally identifiable information of their patients,” he said. Breaches often result in OCR investigations that result in fines plus corrective action plans. Those plans often require “making investments in security controls they should have had in place to begin with,” he said.