Records of more than 181,000 patients, others at Scranton cardiology group latest to be hacked in NEPA

Jun. 12—Hackers breached a Scranton cardiology group's computer network and potentially obtained the private data of 181,764 patients and others, the Commonwealth Health System announced Monday.

It is the latest in a series of breaches targeting Northeast Pennsylvania medical providers, including one involving Commonwealth Health hospitals.

The breach of the cardiology group first occurred Feb. 2 in data maintained by Commonwealth Health Physician Network-Cardiology, also known as Great Valley Cardiology (GVC). The breach wasn't discovered until April 13, the system said in a news release.

In explaining why the health care system did not announce the breach until Monday, officials said they needed two months to conduct a forensic investigation to identify everyone affected.

The information exposed, which varied from person to person, included: names, addresses and demographic information such as dates of birth; Social Security, driver's license and passport numbers; credit or debit card and bank account information; and health insurance, claims and medical information. The medical information includes dates of service, diagnoses, medications and lab results.

In an email, Commonwealth Health spokeswoman Annmarie Poslock said the cardiology group has no indications the hackers used the information "in any way."

Poslock said the group learned of the incursion from the U.S. Department of Homeland Security, which tracks potential cyber threats.

The cardiology group disconnected its network from the internet, disabled VPN access to prevent further access and referred the matter to law enforcement, according to the news release.

"The unauthorized parties no longer have access to the GVC (Great Valley Cardiology) network," Poslock said.

The forensic investigation found that the hackers used a "'brute force' access attempt."

"This is where the unauthorized party uses specialized software to generate passwords until one is successful," she said. "Once the computer software found a real password, the unauthorized parties used that password to enter the GVC network. Where an unauthorized party has access to a network through a real set of credentials, it is often difficult to detect their presence immediately in the system."

Notices were mailed to affected clients Monday morning and a notice about the breach was posted on the Commonwealth Health Physicians Network website.

There were two stages involved in investigating the breach, Poslock said.

"First, GVC hired a forensic company to determine which files the unauthorized parties may have had access to," she said. "Second, once the potentially affected files were determined, GVC hired another company to electronically and manually review those files to identify which individuals were present in the affected files. GVC then went through a process to locate and update addresses for those individuals to ensure that as many people as possible received the notices by mail. ... Safeguarding patient information is a responsibility we take very seriously and we regret the inconvenience this situation may cause our patients."

The system is offering affected people free access to Experian IdentityWorks℠ for 24 months to provide ID restoration and credit monitoring services. The group has a toll-free response line, 833-901-4624, available from 9 a.m. to 10 p.m. Mondays through Fridays, and from 11 a.m. to 7 p.m. Saturdays.

Information about signing up for the Experian services is included in letters mailed to individuals and is on the GVC website at www.cwhphysiciannetwork.net.

Other recent breaches in Northeast Pennsylvania include:

—In March, a cyberattack on a third-party firm that provides Commonwealth Health with file transfer software exposed confidential information, including names, addresses, billing and insurance information, birth dates, Social Security numbers and certain medical information, including diagnoses and medications.

Community Health said the breach exposed private information of one million patients across all its United States hospitals.

—In April, the Northeast Behavioral Health Care Consortium announced a cyberattack potentially exposed private health information of an unspecified number of clients. The consortium, created by Lackawanna, Luzerne, Susquehanna and Wyoming counties in 2006 to manage a care program that serves Medicaid clients, serves more than 180,000 members in the four counties.

The consortium told the U.S. Department of Health and Human Services the breach affected 13,240 people.

—In January, Maternal & Family Health Services Inc. publicly reported hackers potentially obtained confidential information on more than 460,000 clients in an April 2022 ransomware attack. Maternal & Family Health told the federal agency 500 people were actually affected.

A proposed federal class action lawsuit faults the nonprofit agency for failing to let patients know earlier.

—In February, Lehigh Valley Health Network reported hackers posted sensitive photos and information of patients at its Delta Medix locations to the dark web because the organization refused to pay a ransom demand. The breach affected 627 people, the network told Health and Human Services.

Contact the writer: bkrawczeniuk@timesshamrock.com; 570-348-9147; @BorysBlogTT on Twitter.