Northeast Behavioral Health Care Consortium hit by cyber attack

Apr. 20—A cyberattack potentially exposed private health information of clients served by the Northeast Behavioral Health Care Consortium, the organization revealed Thursday.

In an ad placed in The Times-Tribune, the agency said it learned on Feb. 20 that an employee's email had been compromised through a phishing attack, which may have allowed hackers to gain access to clients' information, including names, member numbers, Medicaid numbers, diagnoses, detailed incident descriptions and levels of care.

The Moosic-based nonprofit consortium was created in 2006 by Lackawanna, Luzerne, Susquehanna and Wyoming counties to manage HealthChoices, a statewide managed care program serving medical assistance recipients. The agency currently serves over 180,000 members in the four counties, according to information posted on its website.

The breach notice does not say how many people may have been affected. Attempts to reach Yvonne Krashkevich, CEO of the consortium, for comment were unsuccessful.

The notice says the agency is not aware of fraud or misuse of personal information. Officials believe the hackers' primary objective was to continue the phishing email attack to potentially access other companies' information. The agency immediately hired a cyber security firm to assess the situation and took action to mitigate further risk.

The cyberattack is among a rash of data breaches at health care facilities nationwide and locally.

Health care providers are required to report data breaches to the U.S. Department of Health and Human Services. An online database maintained by DHS shows that since January 2021, 438 providers nationwide reported breaches that affected 39.2 million people, including 13 facilities in Pennsylvania impacting 772,693 patients.

Locally, the consortium is among four health care-related organizations in Northeast Pennsylvania that recently revealed their systems had been hacked.

Lehigh Valley Health Network reported in February that hackers posted sensitive photos and information of patients at its Lackawanna County-based Delta Medix locations to the dark web after the organization refused to pay a ransom demand.

Community Health Systems, which operates hospitals in 15 states, including Regional Hospital of Scranton, Moses Taylor Hospital in Scranton and Wilkes-Barre General Hospital in Wilkes-Barre, and Maternal & Family Health Services, which has locations in 17 counties including Lackawanna, Luzerne, Wyoming and Monroe counties, also recently revealed cyber criminals accessed patients' information.

CHS estimates the breach, which resulted from vulnerabilities in a third-party vendor's software, exposed information on 1 million patients across all its hospitals. The Maternal & Family Health breach impacted about 500 patients, according to a report filed with DHS, while the LVHN attack impacted as many as 2,760 patients, the company said in a court filing in a federal class action lawsuit filed over the breach.

Gary Salman, CEO of Black Talon Security, a New York-based cyber security firm, said hackers have set their sights on health care providers because their systems contain a treasure trove of personal information that can be used for identity theft.

"If you think about what a patient record has, it contains the patient's first name, last name, date of birth, often the social security number, address, relationships to other family members, driver's license, insurance cards," Salman said.

Despite that risk, many health care providers are not doing enough to protect against the attacks, he said.

"Most health care organizations are not focusing on understanding where their systems are vulnerable and they're not taking the proper steps to eliminate those vulnerabilities," he said.

DHS recently announced initiatives to help health care providers better protect data. Those efforts include free cyber security training and updates to a guide that provides advice on how to reduce cybersecurity threats.

Salman also urges providers to consult cyber security professionals, who have more knowledge than in-house information technology employees.

"Most health care organizations aren't looking to outside resources ... to come in and evaluate where they have risk," he said. "They're simply relying on internal resources to do that. You can't really have IT resources testing their own security. It really needs to be done by a third party."

Contact the writer: tbesecker@timesshamrock.com; 570-348-9137; @tmbeseckerTT on Twitter.