OnePoint Patient Care Hit by Incransom Ransomware Attack
Ransomware Attack on OnePoint Patient Care by Incransom
OnePoint Patient Care, a leading provider of hospice pharmacy services and pharmacy benefit management (PBM) solutions, has fallen victim to a ransomware attack orchestrated by the cybercriminal group Incransom. The attack has resulted in a full data leak, compromising sensitive information and highlighting significant vulnerabilities within the company's cybersecurity infrastructure.
About OnePoint Patient Care
OnePoint Patient Care, headquartered in Tempe, Arizona, operates as a specialized pharmacy and PBM dedicated exclusively to the hospice industry. Established in the 1980s, the company serves over 45,000 patients daily across more than 550 hospice programs in all 50 states. OnePoint's operational model is characterized by flexibility and adaptability, allowing it to cater to the diverse needs of hospices. The company boasts a fully owned network of 24 regional pharmacies strategically located throughout the United States, enabling local dispensing and delivery services crucial for hospice patients.
What Makes OnePoint Stand Out
OnePoint Patient Care is distinguished by its comprehensive suite of services, including local hospice pharmacy dispensing and delivery, customized formulary design and management, custom medication compounding, and integrated technology solutions for medication ordering and management. The company's innovative PBM platform integrates seamlessly with major Electronic Medical Records (EMR) systems, enhancing medication ordering and management processes for healthcare providers. Additionally, OnePoint's recent partnership with Axxess aims to reduce administrative burdens on hospice organizations while improving nurse satisfaction and patient outcomes.
Attack Overview
The ransomware attack by Incransom has led to a full data leak, exposing critical patient data, potentially including personal identification details, medical records, and financial information. The breach underscores the severity of the attack and highlights the vulnerabilities within OnePoint Patient Care's cybersecurity infrastructure. Beyond encrypting data, the attackers stole it and threatened to release it publicly, a tactic known as double extortion that increases pressure on the victim to comply with ransom demands.
About Incransom
Incransom is a highly sophisticated cybercriminal group known for its targeted ransomware attacks on corporate and organizational networks. The group employs advanced techniques such as spear-phishing campaigns, exploitation of vulnerabilities such as CVE-2023-3519 in Citrix NetScaler, and the use of both commercial off-the-shelf (COTS) software and legitimate system tools for reconnaissance and lateral movement within a network. Incransom's attacks involve not only encrypting data but also stealing it and threatening to release it publicly. The group has been active since 2023 and has targeted various industries, including healthcare, education, government entities, and technology companies.
Penetration Methods
Incransom could have penetrated OnePoint Patient Care's systems through several methods, including spear-phishing campaigns targeting employees, exploiting known vulnerabilities in software and systems, and using legitimate system tools for lateral movement within the network. The group's sophisticated techniques and focus on double extortion make it a formidable threat to organizations with inadequate cybersecurity measures.