By Jill McKeon

Computers went down at 4:00 AM on Thursday morning. St. Joseph’s/Candler has not canceled any imaging, primary care, surgery, or special physician appointments, but has requested that oncology patients contact their doctors to check on appointment and procedure status.

In a statement posted to Facebook on June 17th, the hospital stated: “On the morning of June 17, St. Joseph’s/Candler became aware of suspicious network activity. As a security measure, SJ/C took immediate steps to isolate systems and to limit the potential impact.”

“We also promptly initiated an investigation into the scope of the incident, which is ongoing and in its early stages, although SJ/C has confirmed that the incident involved ransomware. Law enforcement has been notified. If we determine that personal or health information is involved in this incident, we will notify those individuals in accordance with applicable law.”

Law enforcement is still actively investigating the ransomware attack, and it is unclear how long the hospital’s systems will remain in downtime.

“Nothing is more important to us than continuing to provide the care our patients expect. Patient care operations continue at our facilities using established back-up processes and other downtime procedures,” the hospital’s statement continued.

“Our physicians, nurses and staff are trained to provide care in these types of situations and are committed to doing everything they can to mitigate disruption and provide uninterrupted care to our patients.”

Cyberattacks on the healthcare industry are becoming more commonplace and can even impact patient care. Employees reported that a May 31st attack on the University of Florida Health Leesburg Hospital and The Villages Regional Hospital is now negatively impacting patient care by causing confusion over lab reports and incorrect prescription information.

In order to combat a string of ransomware attacks across multiple industries, President Biden recently issued an executive order outlining steps that must be taken to improve the country’s cybersecurity. In addition, the new Ransomware and Digital Extortion Task Force aims to address threats to the growing number of ransomware attacks.

The FDA recently voiced concerns over medical device cybersecurity in a paper responding to NIST’s request for comments on President Biden’s executive order, further conveying the government’s intention to use its extensive resources to prevent additional ransomware attacks.

“Publicly noted cybersecurity incidents in 2021 include ransomware disabling the Irish Healthcare Service, ransomware disrupting a hospital for weeks, and a fundamentally new problem where ransomware remediation disrupted the cloud services necessary for critical function of cancer radiation therapy rather than simply disrupting electronic health record systems and other, more traditional hospital IT infrastructure,” the FDA emphasized.

In addition, the National Institute of Standards and Technology (NIST) released a preliminary draft of its “Cybersecurity Framework Profile for Ransomware Risk Management.” The draft provides organizations with a step-by-step approach to preventing and responding to ransomware attacks. NIST identifies preventative measures and recovery tactics that can be adopted by any organization to mitigate the damage done by a cyberattack.

The Very Rev. Sam Candler, Dean of the Episcopal Cathedral of St. Philip in Atlanta, was awarded an honorary Doctor of Divinity degree by the University of the South last month for his “exemplary willingness to take on the hard soul work of Christian responsibility and carry on that work faithfully and lovingly,” particularly in his lifelong devotion to faithful parish ministry.

With a B.A. degree, cum laude, from Occidental College, and an M.Div. degree, magna cum laude, from Yale University Divinity School, Sam Candler loves the lively community and diversity of parish life. He has served as Dean of the Cathedral of St. Philip for the past 23 years, previously serving in parishes throughout Georgia and South Carolina. An amateur pianist, he had intended to become a jazz musician before he was called into the priesthood. Thus, he values the role of music in prayer, and has served on Liturgy and Music Committees in several dioceses. Besides his love of scripture and bible study, he also loves the outdoors; he continues to fish, hunt, hike, and observe the stars as much as possible. He speaks regularly on the role of religion in matters of science and environmental sustainability.

The Very Rev. James Turrell, who was installed as Dean of the School of Theology at Sewanee during the same service at All Saints’ Chapel in Sewanee, Tennessee, remarked that Candler is a “true son of the South” who has “labored devotedly under the burden of its peculiar history.” Turrell also said that throughout his career in a variety of parishes, Candler has had an “elegant, compelling, and accessible voice of . . . Good Faith and the Common Good.”

Candler thanked the Sewanee community at a gala dinner following the service: “I have given my ordained life in the Episcopal Church to parish ministry, over and over again; and, for me, Sewanee, and the University of the South, are the epitome of parish ministry. It is holy life. Faithful people, through thick and thin, learning and living with each other, in the presence of grace and in the presence of God, are what parish ministry is.”

Also recognized for their exemplary work in the Episcopal Church were Quintin E. Primo III, Board Chair of the Church Investment Group, and Thomas Murray, University Organist and Professor Emeritus at Yale School of Music and the Institute of Sacred Music.

Two weightlifting fanatics have been flying the flag for their local gym at tournaments across the world.

Craig Candler (36) and Paul Carter (46) are both members at Royals Gym in Holbeach, which is owned by Sam Fowler.

Having both joined the gym when it first opened in August 2018, their hard work and dedication has now seen them travel the world to take part in prestigious strongman and powerlifting competitions.

Mr Candler has competed twice at the official world Strongman Games, while Mr Carter was crowned his age category’s second-best in the world at November’s powerlifting championships.

The latter’s achievement is made all the more impressive by the fact that he only took up the sport in 2020.

“I’ve always lifted weights amongst other things, but as I got better at it I thought I’d try a competition,” he said.

“I did a competition two years ago, got bitten by the bug and a guy at another gym said I really take it up with the numbers I had.

“It went from there really, and obviously Sam has been a big help. He’s pushed me, and without him I wouldn’t have done it.

“It’s amazing. He’s such a good boss. I’ve seen a lot of gyms all over the country but this one is just brilliant. It’s for anybody.

“Everybody is friendly, there are no egos here and we push each other. You can’t find a better one.”

Mr Carter, who lives in Holbeach, has already qualified for the British championships in 2022 - and he faces a qualifier for the European equivalent in February.

“To be fair, the numbers I’m training at just now will qualify. So I’m pretty confident of that,” he added.

“At my last meet I benched 160kg, and my target is to go for the British record in my category - which is 176kg. So that’s what I’m working towards.”

Meanwhile, Mr Candler travelled to Florida in November in a bid to be crowned the world’s strongest man - and he was happy with his performance.

“It was a lot better than what I did last time,” he said, with his previous appearance coming in 2019.

“I got an illness when I was over there the first time, and couldn’t eat or drink so I struggled in the events.

“This time I managed to do them all. I’ll hopefully make the top ten next year - that will be the aim.”

He added that he owes at lot to Royals Gym, where he has put in the work that seen him lift a 450kg weight at his most recent event.

“Before Royals I was at another gym in Holbeach but they didn’t have too much strongman equipment,” he said.

“Since moving to Royals, they’ve helped me out and bought a lot of the equipment I need. So I can train heavier and be more prepared.”

Mr Carter recently began hosting fortnightly seminars at Royals Gym, where he teaches about weightlifting for free. Contact Royals to book a session now.

A ransomware attack against Georgia-based St. Joseph’s/Candler on June 17 spurred network outages and forced clinicians into EHR downtime procedures. Five days later, the workforce is continuing to use paper records for patient appointments.

St. Joseph’s/Candler is one of the largest health systems in the state, with two hospitals, home health care services, and specialized outpatient and inpatient care.

The initial cyberattack struck early Thursday morning, arising as suspicious activity on the network. As a precaution, the IT team took steps to isolate the impacted system and limit the spread of the attack.

An investigation was launched alongside the recovery efforts, and law enforcement was notified. Officials later confirmed ransomware was behind the outage, but declined to comment on the ransom amount or if a payment was made.

In the immediate wake of the attack, patients reported emergency room wait times of up to eight hours.

“While we continue to investigate the incident, we’re working to get systems up and running as quickly and as safely as possible,” Scott Larson, St. Joseph’s/Candler spokesman said in a statement on June 21.

“Our priority is patient care, and our staff are committed to doing everything they can to mitigate disruption and provide uninterrupted care to our patients,” he added.

The health system has remained open primarily thanks to previously established downtime procedures, for which the workforce received training prior the attack. The processes are designed for system upgrades or unforeseen circumstances that could cause network outages.

As such, scheduled appointments have continued for the majority of patients, outside of those receiving oncology care. Patients with chemotherapy and radiation needs have been asked to contact their provider to determine the status of previously scheduled appointments.

Local news outlets show patients are concerned with the paper processes nurses are using amid the outage, such as tracking medications by hand. Clinicians are unable to view medical images or review medication schedules.

Family members have also taken to social media to express concern for patients in the ICU or canceled chemotherapy appointments.

These care disruptions and concerns mirror patient reports and concerns at the University of Florida Health The Villages Regional Hospital and Leesburg Hospital, following a similar ransomware attack and EHR downtime response on May 31.

After more than three weeks, the provider remains under EHR downtime procedures as it attempts to recover.

The security incidents are among the ongoing wave of ransomware attacks against the health care sector. In the last month, network outages tied to ransomware have been reported by Stillwater Medical Center, Ireland Health Service Executive, and the New Zealand Waikato District Health Board.

Brett Callow, threat analyst for Emsisoft, told SC Magazine that the ongoing onslaught against health care is not at all surprising.

“Ransomware is so enormously profitable that, even if Putin were to be able to control Russia-based groups, others would likely continue where they left off,” said Callow. “Unfortunately, short of banning ransom payments, there’s no quick and easy solution to the ransomware problem.”

“Tackling the issue will be a long, hard haul during which time health care and other sectors will continue to come under attack,” he added.

In response, health care providers should make hardening defenses and ensuring network visibility a key priority, if they’ve not done so already. Those entities with limited resources should review free insights and guidance from NIST, Microsoft, and the Office for Civil Rights.

Emsisoft has also been providing free assistance to health care entities impacted by ransomware, amid the COVID-19 national emergency.

Once reported, OCR posts healthcare data breach information on its breach portal, which is publicly available. Sometimes referred to as the HIPAA “wall of shame,” the portal provides information on the number of individuals impacted, the breach submission date, type of breach, and the location of the breached information.

The portal’s 2021 entries show the continuation of a troubling trend—as the pandemic continues to overwhelm providers and threat actors get savvier, healthcare data breaches are not slowing down. OCR named over 550 covered entities that have experienced a data breach in 2021, at the time of publication. Over 40 million individuals faced PHI exposure as a result of these breaches.

The 10 biggest reported healthcare data breaches of 2021 (by number of individuals affected) were all hacking/IT incidents, and all but one occurred on the organization’s network server. Ransomware continues to be a threat across the healthcare sector, and the trend is likely to continue in 2022.

Despite a growing number of cyber threats, many healthcare organizations have learned to adapt and prepare for cyberattacks and data breaches by implementing cyber incident response plans, conducting third-party risk assessments, and enacting technical safeguards.

Health plan Florida Healthy Kids Corporation started the year by reporting the biggest healthcare data breach of 2021 to date on January 29. The breach impacted 3.5 million individuals.

According to Health News Florida, the personal information of millions who applied for coverage or were enrolled in Florida KidCare between 2013 and 2020 was exposed after the health plan’s website was targeted in a cyberattack.

Florida KidCare is a nonprofit that includes Medicaid, MediKids, Florida Healthy Kids, and the Children’s Medical Services program.

Florida Healthy Kids Corporation said it was notified of the incident on December 9, 2020. Social Security numbers, birth dates, names, addresses, and financial information may have been accessed by threat actors during the cyberattack. Further investigation revealed that the health plan’s website, maintained by Jelly Bean Communications Design, had significant security vulnerabilities that were overlooked.

Florida-based 20/20 Eye Care Network reported a healthcare data breach to HHS on May 24. According to a notice from the Maine attorney general’s office, 20/20 discovered suspicious activity on its Amazon Web Services (AWS) environment on January 11, 2021.

20/20 notified the FBI immediately after it deactivated and reset access credentials. Some information was accessed and possibly deleted after a bad actor hacked into the provider’s AWS cloud storage environment to download and destroy data.

20/20 informed over 3.2 million individuals that their Social Security numbers, names, addresses, member identification numbers, birth dates, and health insurance information may have been exposed or deleted.

Forefront Dermatology, S.C., notified HHS on July 8 of a data breach that impacted over 2.4 million individuals, including patients and employees. The dermatology practice identified a network intrusion on June 4 and promptly took its network offline.

However, between May 38 and June 4, an unauthorized party had access to Forefront Dermatology’s IT network and accessed files containing names, birth dates, patient account numbers, addresses, dates of service, provider names, medical treatment information, and medical record numbers.

“While the investigation found evidence that only a small number of patients' information was specifically involved, Forefront Dermatology could not rule out the possibility that files containing other patients' information may have been subject to unauthorized access,” Forefront Dermatology stated in July.

“Patients whose information may have been involved in this incident are being notified by Forefront Dermatology and are advised to review the statements they receive from their health care providers and health insurance plan. If individuals see services they did not receive, they should contact the provider or health plan immediately. To help prevent something like this from happening again, Forefront Dermatology is enhancing its security protocols.”

NEC Networks, which does business under the name CaptureRx, faced a healthcare data breach in February that impacted over 1.6 million people and impacted more than 16 healthcare organizations. CaptureRx is an IT vendor that helps healthcare systems manage their 340B drug programs.

Further investigation and notices by other healthcare organizations brought the total number of patients impacted to approximately 2.4 million individuals.

Although initially reported to HHS on May 5, healthcare systems that were impacted by the business associate breach continued to announce their involvement throughout the summer of 2021. In July, MetroHealth System in Ohio announced that its patient files were accessed during the breach. In August, New York-based Catholic Health said that patient PHI was impacted as a result of the CaptureRx incident.

The breach impacted patient PHI across multiple healthcare organizations, exposing prescription data, names, and birth dates.

The breach also impacted Walmart, Jones Memorial Hospital, and Trinity Twin City Hospital, among others.

Indianapolis-based Eskenazi Health notified HHS of a data breach on October 1. The breach was discovered on August 4 and led to significant EHR downtime and ambulance diversions.

Initially, Eskenazi Health said it was unsure whether patient information was used maliciously. On October 1, the hospital announced that further investigation had revealed that bad actors stole and posted patient information on the dark web. Bad actors may have had access to the hospital’s network as early as May.

As of November, one patient was seeking class-action status in a lawsuit against Eskenazi Health, alleging the hospital’s ransomware attack resulted in fraudulent charges on her credit card along with wasted money and time.

The Kroger Co. reported a healthcare data breach to HHS on February 19. The grocery chain was one of over 100 victims of the Accellion data breach, which occurred in December 2020 and impacted a dozen healthcare organizations.

No more than 1 percent of Kroger Health and Money Services customers were impacted, along with some employees whose HR records were impacted. Accellion’s File Transfer Application (FTA) was compromised when bad actors from Clop ransomware exploited zero-day vulnerabilities.

“The incident was isolated to Accellion's services and did not affect the Kroger Family of Companies' IT systems or any grocery store systems or data. No credit or debit card information or customer account passwords were affected by this incident,” Kroger’s statement explained.

“After being informed of the incident's effect on January 23, 2021, Kroger discontinued the use of Accellion's services, reported the incident to federal law enforcement, and initiated its own forensic investigation to review the potential scope and impact of the incident.”

Beaumont Health announced in September that around 1,500 of its patients had also been impacted by the Accellion breach.

St. Joseph’s/Candler (SJ/C) Health System in Savannah, Georgia discovered a ransomware attack on June 17 that led to significant EHR downtime. Further investigation determined that the breach began on December 18, 2020. The hospital system’s computers and telecommunications systems were inaccessible, and clinicians had to document clinical notes on pen and paper.

SJ/C notified HHS and released an official press release on August 10. The release stated that “SJ/C cannot rule out the possibility that, as a result of this incident, files containing patient and co-worker information may have been subject to unauthorized access.”

As of September, patients had filed two class-action lawsuits against SJ/C, alleging that the Georgia health system was negligent in preventing the attack, which went undetected for six months.

“It wasn’t a simple software glitch or temporary power outage. It was, instead, a complete information technology (IT) meltdown,” one of the lawsuit filings stated.

“Everything, from electronic medical record[s] (EMR) used to document encounters to the lab, radiology and billing software, went down. Even the phones, which are formatted as voice over the internet protocol (VOIP) devices, stopped working. All of St. Joseph’s/Candler usual patient encounter protocols were immediately rendered ineffective. The hospital system was, in essence, flying blind.”

University Medical Center Southern Nevada fell victim to a REvil/Sodinokibi ransomware attack in June that compromised files containing the personal information of 1.3 million individuals. The hackers also posted photos of passports, Social Security cards, and driver’s licenses on the dark web for about a dozen individuals.

McAfee’s quarterly cyber threat report showed that REvil/Sodinokibi were responsible for 73 percent of ransomware detections in Q2 2021.

The Department of Justice (DOJ) announced in November that it charged two individuals in connection with REvil/Sodinokibi cyberattacks.

New York-based American Anesthesiology (owned by North American Partners in Anesthesia) client information was exposed when an unauthorized party gained access to the email system of the practice’s business associate, MEDNAX.

Bad actors orchestrated a phishing attack and successfully gained access to several email accounts for five days between June 17 and June 22 of 2021. The breach was submitted to HHS on January 8.

The hacker appeared to be primarily interested in payroll fraud, although their attempts were unsuccessful.

Patient contact information, health insurance information, treatment information, and billing information was impacted during the business associate breach.

In July, practice management vendor Professional Business Systems, doing business as Practicefirst, announced that a 2020 ransomware attack had potentially exposed the PHI of patients and employees.

A malicious hacker attempted to deploy ransomware and successfully copied files from Practicefirst’s system that contained birth dates, names, addresses, Social Security numbers, email addresses, tax identification numbers, diagnoses, lab results, medication information, and employee usernames and passwords. The information was later deleted.

“We immediately reported the Incident to appropriate law enforcement authorities and implemented measures to further improve the security of our systems and practices,” the vendor’s statement explained.

As 2021 comes to a close and holidays approach, bad actors are unlikely to stop targeting the healthcare sector with ransomware attacks and exploitation attempts.