Commonwealth Health Physician Network-Cardiology, operating as Great Valley Cardiology (GVC), faces a severe data breach affecting 181,764 patients that exposed a wealth of sensitive information, including names, addresses, and financial details. The breach occurred between February 2 and April 14 but was only discovered by GVC on April 13 after a notification from the U.S. Department of Homeland Security. The attackers employed a brute-force attack, using specialized software to generate passwords and gain access to the network. GVC says the unauthorized parties no longer have access and claims there is no indication of data misuse.
Patients express frustration as GVC admits it does not know whether the unauthorized individuals viewed or extracted the accessed data. The identity of the attackers remains undisclosed, and there is no information about ransom or extortion demands. The breach prompted GVC to disconnect its network from the internet, disable VPN access, and launch an investigation. Forensic analysis revealed the use of a brute-force attack in which the unauthorized party exploited real credentials to access the network, making immediate detection challenging. Critical details about GVC’s authentication measures and its response to the attack remain unknown, raising questions about how the incident was handled.
Law enforcement and HHS have been notified of the breach, and GVC offers affected individuals 24 months of Experian IdentityWorks℠. This incident is the second reported by Commonwealth Health Physician Network this year; the previous one involved Community Health System, which was affected by the Fortra GoAnywhere attack. The uncertainty surrounding the breach highlights the ongoing challenges in securing healthcare data and emphasizes the need for robust cybersecurity measures to protect patient information from increasingly sophisticated cyber threats.