Maria Perez

Maria is an experienced writer who has provided content for Healthcare Industry News since 2021. As a senior writer, Maria focuses on news reporting, making complex healthcare topics comprehensible for readers. Maria’s expertise and dedication to delivering accurate stories make her a trusted source on our site.

SolarWinds Orion Hackers Attacking U.S. Businesses Utilizing New Spear Phishing Campaign

Microsoft has uncovered a large spear phishing campaign carried out by the Russian Advanced Persistent Threat (APT) group behind the SolarWinds Orion supply chain attack.

Microsoft, which tracks the APT group as Nobelium, has been monitoring the group and its spear phishing campaign since January 2021. The group has been experimenting with different delivery tactics, including abusing the Google Firebase platform to serve a malicious ISO file through HTML email attachments that deliver various malware payloads.

Nobelium escalated the campaign on May 25, 2021, when it began using the Constant Contact mass-mailing service to send emails to targets in a broad range of industry verticals. The latest campaign targeted approximately 3,000 individual accounts across 150 organizations, many of them in the U.S. The group used unique infrastructure and tooling for each target, which has helped it stay under the radar.

The attackers accessed the U.S. Agency for International Development (USAID) Constant Contact account and sent spear phishing messages disguised as a USAID special notification. The emails included a reply-to address on the usaid.gov domain and were delivered from the in.constantcontact.com host.

The messages claimed that Donald Trump had released new information on election fraud and contained a button to click to view the documents. If the recipient clicks the URL in the message, they are first taken to the legitimate Constant Contact service and then redirected to a web address controlled by Nobelium that serves a malicious ISO file. The ISO file contains a decoy document, a .lnk shortcut that executes a Cobalt Strike Beacon loader, and a malicious DLL that acts as a Cobalt Strike Beacon loader and backdoor, which Microsoft calls NativeZone.

Once the payloads are deployed, Nobelium gains persistent access to compromised systems and can then pursue further objectives such as lateral movement, data exfiltration, and delivery of additional malware.

An earlier campaign in May also used the combination of HTML and ISO files, which delivered a .NET first-stage implant, TrojanDownloader:MSIL/BoomBox, that was used for reconnaissance and to retrieve additional malicious payloads via Dropbox.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are investigating the phishing campaign. Constant Contact issued a statement confirming that the account credentials of one of its customers had been compromised. It explained that the breach was an isolated incident and that the affected accounts had been temporarily deactivated while it works with customers and law enforcement.

Microsoft has warned that the tactics, techniques, and procedures used by Nobelium have evolved rapidly. The group is expected to conduct further activity using a changing set of techniques.

Microsoft has published Indicators of Compromise (IoCs) and has recommended several mitigations that can reduce the impact of this threat, such as using antivirus software, using network protection to block applications or users from connecting to malicious domains, and enabling multi-factor authentication to prevent the use of compromised credentials.
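The delivery traits described above (bulk-mailer delivery with a reply-to on a different domain, an HTML attachment, and a link that serves an ISO image) can be turned into a simple mail-gateway triage check. The following Python is an added example, not Microsoft’s or Constant Contact’s code; the message records, the `.test` domains and the `EmailMeta` header summary are constructed for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Bulk-mail delivery hosts to treat as "sent on someone's behalf";
# the page names in.constantcontact.com.
BULK_MAIL_HOSTS = ("in.constantcontact.com",)

@dataclass
class EmailMeta:
    """Header summary of one message (constructed for this example)."""
    from_addr: str
    reply_to: str
    delivered_by: str                      # last hop that handed us the mail
    attachments: list[str] = field(default_factory=list)
    links: list[str] = field(default_factory=list)

def domain_of(addr: str) -> str:
    """Extract the domain from 'Name <user@domain>' or 'user@domain'."""
    m = re.search(r"@([\w.-]+)>?$", addr.strip().lower())
    return m.group(1) if m else ""

def score_email(msg: EmailMeta) -> list[str]:
    """Return the campaign traits the message matches (empty if none)."""
    hits = []
    from_dom, reply_dom = domain_of(msg.from_addr), domain_of(msg.reply_to)
    via_bulk = msg.delivered_by.lower() in BULK_MAIL_HOSTS
    # Trait 1: bulk-mailer delivery while Reply-To points at another domain
    if via_bulk and reply_dom and reply_dom != from_dom:
        hits.append(f"reply-to {reply_dom} differs from sender {from_dom}")
    # Trait 2: HTML attachment used as the stage that drops the ISO
    if any(a.lower().endswith((".html", ".htm")) for a in msg.attachments):
        hits.append("HTML attachment")
    # Trait 3: a link or attachment that delivers a disc image
    paths = [x.lower().split("?", 1)[0] for x in msg.links + msg.attachments]
    if any(p.endswith(".iso") for p in paths):
        hits.append("ISO image delivery")
    return hits

def is_suspicious(msg: EmailMeta) -> bool:
    """Two or more matching traits is enough to hold the message for review."""
    return len(score_email(msg)) >= 2

# Constructed samples: one mirrors the lure described above, one is a
# benign newsletter sent through the same bulk mailer.
SUSPICIOUS = EmailMeta(
    from_addr="Special Alert <alerts@example-bulkmail.test>",
    reply_to="noreply@usaid.gov",
    delivered_by="in.constantcontact.com",
    attachments=["Special_Alert.html"],
    links=["https://example-redirect.test/files/Reports.iso?id=CONSTRUCTED"],
)
BENIGN = EmailMeta(
    from_addr="newsletter@example-hospital.test",
    reply_to="newsletter@example-hospital.test",
    delivered_by="in.constantcontact.com",
    links=["https://example-hospital.test/news/may"],
)
```

Because Constant Contact itself is legitimate, the check scores the combination of traits rather than the mailer alone, so routine newsletters sent through the same service are not flagged.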

Clinical Laboratory Pays $25,000 to Settle HIPAA Security Rule Violations

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that it has reached a settlement with Peachstate Health Management, LLC, doing business as AEON Clinical Laboratories, over a number of HIPAA Security Rule violations.

Peachstate is a CLIA-certified laboratory that provides a range of services, including clinical and genetic testing, through AEON Global Health Corporation (AGHC), its publicly traded parent company.

OCR opened a compliance review on August 31, 2016, after the U.S. Department of Veterans Affairs (VA) reported, on January 7, 2015, a breach of unsecured protected health information (PHI) involving its business associate, Authentidate Holding Corporation (AHC). The VA had contracted AHC to manage the VA’s Telehealth Services Program. The purpose of the OCR investigation was to determine whether the breach was caused by a failure to comply with the HIPAA Privacy and Security Rules.

During the breach investigation, OCR discovered that on January 27, 2016, AHC had completed a reverse merger with Peachstate and acquired it. OCR subsequently conducted a compliance review of Peachstate’s clinical laboratories to assess Privacy and Security Rule compliance. In the course of that review, OCR identified a number of potential violations of the HIPAA Security Rule.

Peachstate was found not to have conducted an accurate and thorough assessment of the risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A), and had failed to reduce risks and vulnerabilities to a reasonable and appropriate level by implementing suitable security measures, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).

Hardware, software, and procedural mechanisms had not been implemented to record and examine activity in information systems that contain or use ePHI, in violation of 45 C.F.R. § 164.312(b). Policies and procedures had not been implemented to document the actions, activities, and assessments required by 45 C.F.R. § 164.312(b), in violation of 45 C.F.R. § 164.316(b) of the HIPAA Security Rule.

Peachstate agreed to settle the case, pay a $25,000 penalty, and implement a comprehensive corrective action plan to address all areas of non-compliance identified by OCR during the investigation. Peachstate will be closely monitored by OCR for 3 years to ensure compliance.

Clinical laboratories, like other covered health care entities, must comply with the HIPAA Security Rule. Failing to implement the essential Security Rule standards makes HIPAA-regulated entities attractive targets for malicious activity and unnecessarily puts patients’ ePHI at risk. This settlement demonstrates OCR’s commitment to ensuring that covered entities adhere to the rules that protect the privacy and security of PHI.

Shutdown of DarkSide RaaS and Suspension of Ransomware Attacks on Healthcare Companies

The DarkSide ransomware gang has informed its affiliates that it is shutting down its ransomware-as-a-service (RaaS) operation. The announcement came after the gang’s public infrastructure was taken offline in what appears to have been a law enforcement operation.

On May 13, the DarkSide data leak site went offline, along with much of the gang’s public infrastructure, including the payment server used to collect victims’ ransom payments and deliver stolen data. The ransomware gang also said its cryptocurrency wallets had been emptied and the funds transferred to an unknown account.

Intel 471 obtained a copy of a note from the gang explaining to its affiliates that its public infrastructure was gone, its servers were no longer accessible via SSH, and its hosting panels had been blocked. The gang claimed its hosting provider gave no further details beyond stating that the servers had been taken down at the request of law enforcement.

The gang said it would release decryptors for all companies that were attacked but did not pay the ransom; however, it is releasing the decryptors to the affiliates who carried out the attacks, not to the victim companies. It will be up to the individual affiliates to decide whether to hand the decryptors to their victims or continue to seek payment.

The gang said that because of pressure from the U.S. and the loss of its servers, the affiliate program is closed.

On the day the group’s infrastructure was taken offline, President Biden held a press conference on the Colonial Pipeline ransomware attack, describing the government’s efforts to limit the disruption and promising to take action against the DarkSide ransomware gang.

“We do not think the Russian government had anything to do with this attack,” stated President Biden. There is no strong evidence that criminals from Russia did the attack. Biden said that the United States had communicated directly with Moscow regarding the demand that responsible nations take action against the ransomware networks. President Biden also confirmed that the U.S. Department of Justice has a new task force focused on prosecuting ransomware hackers.

Even before the shutdown, the hacking community had begun to distance itself from the DarkSide group. A top-tier dark web forum that the DarkSide gang used to promote its RaaS operation removed the DarkSide account along with two threads about its ransomware operation, according to Gemini Advisory. Gemini Advisory also says it has heard from several reputable sources that the group no longer has a presence on the dark web. Another top-tier dark web forum frequently used by ransomware gangs has likewise sanctioned ransomware activity and banned it entirely from the forum, saying ransomware has become too toxic.

Intel 471 reports that, in addition to DarkSide, several other ransomware operations have also shut down, although it is uncertain whether the shutdowns will last. The ransomware gangs may simply want to keep a low profile and will resurface under another name. The Babuk ransomware operators said they had handed their source code to another gang and would no longer conduct ransomware attacks. They stated that their ransomware will be run by another group under a different name.

The REvil ransomware gang also said it will no longer promote its ransomware operation on dark web forums and intends to keep its activities private. REvil and Avaddon have decided to bar their affiliates from attacking organizations in specific sectors. The two ransomware gangs announced new rules for affiliates that prohibit attacks on government, charity, healthcare, and educational organizations in any country. They also require affiliates to obtain approval from the group before launching any attack. If an affiliate attacks a restricted target, the victim will receive the decryptor for free and the affiliate will be permanently expelled from the RaaS program.

Intel 471 also reports that BitMix, a cryptocurrency mixing service used by REvil and Avaddon to launder cryptocurrency obtained from ransomware attacks, has been shut down as well.

Ransomware Attack on Orthopedic Associates of Dutchess County and Entrust Medical Billing

Orthopedic Associates of Dutchess County, a New York medical group practice, has announced the potential theft of the protected health information (PHI) of a number of patients in a recent cyberattack.

The security incident was detected on March 5, 2021, after suspicious activity was discovered within its systems. An investigation confirmed that unauthorized individuals had accessed its network on or about March 1, 2021. The attackers gained access to a number of systems, encrypted files, and issued a ransom demand for the keys to unlock the encrypted files.

The hackers claimed to have stolen sensitive information before encrypting the files, although it was not possible to determine which files were compromised. A review of the systems the attackers accessed showed they contained files with PHI including names, addresses, email addresses, contact phone numbers, dates of birth, payment data, emergency contact details, diagnoses, treatment information, medical record numbers, health insurance details, and Social Security numbers.

Individuals potentially affected by the breach have been notified by mail and offered a complimentary one-year membership to credit monitoring and identity theft protection services. To date, there have been no reports of actual or attempted misuse of any patient data.

The attack potentially compromised the PHI of 331,376 individuals.

PHI of 5,426 Persons Exposed in Entrust Medical Billing Ransomware Attack

Entrust Medical Billing, a medical billing company based in Canton, OH, has suffered a ransomware attack that potentially exposed the PHI of 5,426 individuals.

Third-party cybersecurity experts were engaged to investigate and determine the scope of the breach. On or about March 1, 2021, the investigation established that the hackers had exfiltrated a number of files containing PHI such as names, birth dates, addresses, health diagnosis/clinical data/treatment type or location, healthcare procedure details, medical insurance data, and patient account numbers.

Although the investigation confirmed the data theft, no evidence of attempted or actual misuse of the stolen information has been identified. Affected individuals have been notified, and those whose Social Security numbers were exposed have been offered free credit monitoring services. The company has also implemented new technical safeguards and increased monitoring across its network environment.

Lawmakers Demand the Breach of the Contact Tracing Data of 72,000 Pennsylvanians Investigated

Lawmakers in the Commonwealth of Pennsylvania are calling for an investigation into a data breach involving the contact tracing information of 72,000 Pennsylvanians, including sensitive data that was shared through unauthorized channels without the required security protections.

Insight Global is an Atlanta-based company that has been helping the Commonwealth of Pennsylvania with COVID-19 contact tracing throughout the pandemic. A number of Insight Global employees were found to have created and shared unauthorized copies of files with each other while carrying out their contact tracing duties. Files and spreadsheets were shared through insecure channels such as personal Google accounts, which suggests sensitive data was transmitted to servers outside the control of the state or Insight Global.

Insight Global announced the breach on April 29, 2021, and stated in its substitute breach notice that the breach involved information associated with the contact tracing of individuals between September 2020 and April 21, 2021. An investigation into the breach has been launched, and third-party security specialists are helping to determine the extent of the security issues and their impact. To date, no evidence has been found to suggest misuse of any personal data or PHI. The investigation into the security issues is ongoing.

Insight Global reports that the exposed information included the names of people potentially exposed to COVID-19, positive/negative test status, whether or not they had symptoms, the names of household members, telephone numbers, email addresses, and other information needed for certain social support services.

Insight Global said it learned of the security issue on April 21, 2021, and took prompt steps to address it, which were completed by April 23. Insight Global has been working with the Pennsylvania Department of Health to identify the security issues and will notify affected individuals by mail once their address details have been confirmed. Insight Global stated that no Social Security numbers or financial data were exposed and, as a precaution, affected individuals are being offered complimentary credit monitoring and identity protection services.

Target 11’s investigators found that employees were using free versions of Google Sheets to record contact tracing information and were sending those spreadsheets and other files to colleagues through their personal email accounts. The free versions of Google services are not HIPAA compliant and therefore must not be used for this purpose.

Insight Global had security practices in place to ensure that contact tracing data could be recorded and shared securely. It is currently unclear whether this was simply a case of individual employees circumventing security standards and creating unauthorized records and spreadsheets to make their work easier. Regardless of the cause, however, sensitive information has been compromised.

The Commonwealth of Pennsylvania has decided not to renew its contract with Insight Global as a result of the security breach. The contract will expire on July 31, 2021. A Pennsylvania Department of Health spokesperson expressed the department’s dismay at the Insight Global employees whose actions compromised this type of data and sincerely apologized to all affected individuals.

State Representative Jason Ortitay (R-Allegheny, Washington) says that after he learned of the breach, it was raised with the state Governor’s office on April 1, 2021. Republican lawmakers are now calling for an investigation into the security breach by federal law enforcement agencies, the state Attorney General’s office, and the House Government Oversight Committee.