Data breach exposes information of more than 200,000 MultiCare staff, patients

A medical practice management firm that provides support to MultiCare has alerted more than 200,000 patients, providers and staff of a ransomware attack of its tech vendor, potentially exposing personal information.

The information was retrieved after an undisclosed ransom was paid, according to Woodcreek Provider Services, in a public announcement issued March 9.

The attack was first reported on industry tech blogs and beckershospitalreview.com.

Woodcreek Provider Services uses tech services company Netgain Technology.

According to information on Woodcreek’s website: “Woodcreek’s information technology vendor, Netgain Technology, experienced a data breach secondary to a ransomware attack. According to Netgain Technology’s investigation, the breach occurred sometime between November 24 and December 3, 2020, although it is possible that access to Netgain’s systems was as early as September 2020.”

“The server containing Woodcreek’s medical records system was untouched; however, scanned clinical and financial data and other business records on an archive server was stolen by the attackers,” the company said in its public alert issued March 9.

“The data was returned after the ransom was paid and we have no reason to believe it has been or will be further used or disclosed. On January 18, 2021, Woodcreek received a copy of the recovered data set and has been working diligently since then to notify affected individuals.”

The attack allowed access to personal information on file. For employees, contractors, applicants, and providers, that meant Social Security numbers, dates of birth, bank account numbers, and more.

For parents/guardians who insure patients of Woodcreek Healthcare or MultiCare Health System: Full subscriber names and insurance policy numbers, according to Woodcreek.

On Feb. 17, counsel for Woodcreek notified the state Attorney General’s Office that it would send notifications to more than 200,000 people who potentially were compromised.

According to the letter: “Woodcreek Provider Services, LLC provides medical practice management and support to several pediatric clinics and urgent care centers owned and operated by MultiCare Health System, including certain clinics that were previously owned and operated by Woodcreek Healthcare.”

In response to questions from The News Tribune on Tuesday about the breach, MultiCare noted the breach was isolated to Woodcreek’s server and said that Woodcreek manages “a small number of pediatric clinics in the Puget Sound region for Mary Bridge Children’s Hospital and Health Network.”

“The breach was isolated to Woodcreek’s server, which is a separate system from MultiCare Health System and Mary Bridge Children’s,” MultiCare said in its statement.

It added, “The primary electronic medical records database for the system was not affected by this incident. All potentially impacted individuals have been notified by Woodcreek Provider Services.”

The health system said that it “deeply regrets that this breach has occurred on a vendor platform of one of our affiliated providers. Woodcreek provided MultiCare with prompt notice and has provided updates and requested information during this event and is fully compliant with all required notifications to the state and the impacted individuals.”

This story was originally published on The News Tribune.