(Image source: Tinton5, 2011)
One-sentence summary:
Over 600,000 patients of CentraState hospital in Freehold, Monmouth County, New Jersey had their sensitive patient records exposed in a significant December 2022 breach of an archived database; the incident also forced the hospital to divert ambulances and fall back to non-electronic (paper) medical records.
Who was involved?
600,000+ CentraState patients, threat actor, FBI, and CentraState (HIPAA Journal, 2023; JDSupra & Console, 2023; U.S. HHS, 2023).
What was the timeline?
December 29, 2022: Breach occurred and was detected.
December 30, 2022: Hospital diverts ambulances, attempts to reduce patient volume (including in the ER), and goes to pen and paper.
January 3, 2023: Hospital resumes core operations, but is “still recovering” (HIPAA Journal, 2023, para. 7).
February 10, 2023: CentraState began notifying patients.
February 21, 2023: Class-action lawsuit is reportedly filed against CentraState regarding the breach.
What occurred?
On December 29, 2022, a threat actor breached CentraState’s information systems and obtained access to an “archived database” containing, among other information, protected health information for over 617,901 patients (CentraState, 2023, para. 2; U.S. HHS, 2023). CentraState began an investigation that same day, involving the FBI and a third-party forensics team (CentraState, 2023, para. 2). Information breached included “names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers and patient account numbers” and potentially “physician names and departments, treatment plans, diagnoses, visit notes, and/or prescription information” (CentraState, 2023, para. 3). Several news agencies reported notable disruption over the new year: CentraState hospital diverted ambulances, attempted to reduce patient volume (including in the ER), and moved its operations to pen and paper (Serrano, 2022; LNN Staff, 2023, para. 2). Finally, patients were notified, starting on February 10, 2023 (CentraState, 2023, para. 5).
Estimated costs:
Litigation and “forensics firm” costs (News 12 Staff, 2023; CentraState, 2023, para. 2).
Identity monitoring for affected patients.
Monday-to-Friday call center (CentraState, 2023, para. 6).
Potential lost business from diverting patients and ambulances.
Involved laws:
HIPAA and HITECH.
Root cause:
TBA or N/A (see disclaimer)
Lessons learned:
TBA or N/A (see disclaimer)
Commentary:
CentraState does not currently post any news or press release about the breach on its website (the notification letter/PDF was found only in the uploads directory on its web server). JDSupra has also removed its news report (JDSupra & Console, 2023). This may be due to ongoing litigation. However, considering the number of patients involved, there should be a more conspicuous public notice. Lastly, they state:
Events of this nature are affecting an increasing number of companies in the U.S. and around the world, and federal government, law enforcement and industry experts are working in tandem to address this unlawful criminal activity
(CentraState, 2023, para. 7)
As a cybersecurity professional, I find the placement of this statement at the end of their report comical and, in my opinion, excusatory. I do not think this represents the whole organization, but rather the press writer (who may not even be internal), who wishes to shift attention to other cybersecurity incidents. Custodians of sensitive information, such as medical records, have a duty to protect that information (see HIPAA and HITECH), regardless of current events. As more information comes out, I hope the root cause can be identified so that other hospitals and healthcare entities can use it to prevent a similar tragedy. Ideally, I would like a CISO or other business/cyber professional to use this report in a board meeting to secure funding for an appropriate cybersecurity measure, upgrade, or technology and help keep more organizations secure.
Sources:
CentraState. (2023). Notice of Security Incident. In centrastate.com. Retrieved February 22, 2023, from https://centrastate.com/wp-content/uploads/sites/9/2023/02/Notice-of-Security-Incident.pdf
HIPAA Journal. (2023, January 5). Cyberattacks Reported by Heartland Alliance and CentraState Medical Center. Retrieved February 22, 2023, from https://www.hipaajournal.com/cyberattacks-reported-by-heartland-alliance-and-centrastate-medical-center/
JDSupra, & Console, R., Jr. (2023, February 20). CentraState Healthcare System Announces Data Breach Impacting as Many as 617k Patients. Google Cache: JDSupra. https://webcache.googleusercontent.com/search?q=cache:0ExIhrezmBEJ:https://www.jdsupra.com/legalnews/centrastate-healthcare-system-announces-6401097/&cd=2&hl=en&ct=clnk&gl=us
LNN Staff. (2023, January 5). CentraState Hospital Ambulances Resume Regular Operation After Cyberattack. Lakewood News Network. Retrieved February 22, 2023, from https://lnnnews.com/centrastate-hospital-ambulances-resume-regular-operation-after-cyberattack/
News 12 Staff. (2023, February 21). Woman files class-action suit against CentraState over massive cyberattack. News 12 – New Jersey. Retrieved February 22, 2023, from https://newjersey.news12.com/woman-files-class-action-lawsuit-centrastate-cyberattack
Serrano, K. (2022, December 30). Possible cyberattack at CentraState prompts hospital to divert ambulances. Asbury Park Press. Retrieved February 22, 2023, from https://eu.app.com/story/news/crime/2022/12/30/cybersecurity-problem-at-nj-hospital-prompts-patient-diversion/69767157007/
Tinton5. (2011, December 11). CentraState Hospital in Freehold Township, New Jersey. Wikimedia Commons. https://commons.wikimedia.org/wiki/File:CentraState_Front_view_2.jpg
U.S. HHS. (2023, February 10). Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. U.S. Department of Health & Human Services – Office for Civil Rights. Retrieved February 23, 2023, from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf