Maria Perez
Maria is an experienced writer who has provided content for Healthcare Industry News since 2021. As a senior writer, Maria focuses on news reporting, making complex healthcare topics comprehensible for readers. Maria's expertise and dedication to delivering accurate stories make her a trusted source on our site.
by Maria Perez | Apr 14, 2021 | Compliance News
La Clinica de la Raza, based in Oakland, CA, is notifying patients about a potential compromise of their protected health information (PHI). On January 28, 2021, the health center detected malware on systems that contain patient information.
The health center engaged a third-party forensics firm to investigate, and on February 26, 2021 confirmed that the malware could have allowed the attacker to access files containing patient data. The window of exposure was short: the malware was installed and became active on January 12, 2021.
During the time the malware was active, unauthorized persons may have viewed documents, but the center believes only a small number of documents were accessed. Those files contained full names, dates of birth, telephone numbers, home addresses, health insurance information, and some clinical information such as dates of service, diagnoses, test results, and treatment details relating to care provided at the clinic.
Measures taken to improve data security include enhancing attack detection and prevention, hardening login credentials, providing additional employee training, and implementing other threat prevention procedures. The breach report submitted to the HHS' Office for Civil Rights shows that 31,132 individuals were affected.
Malware Possibly Allowed Cybercriminals to Access the PHI of Squirrel Hill Health Center Patients
Squirrel Hill Health Center, located in Pittsburgh, PA, has discovered malware on its computer systems that may have given cybercriminals access to documents containing patients' PHI. The breach was identified on February 4, 2021, when suspicious activity that prevented access to files was detected on its systems.
Third-party computer forensics experts investigated and confirmed that unauthorized individuals had access to its network from January 28, 2021, potentially until February 4, 2021. Although data exfiltration is common in attacks of this type, Squirrel Hill Health Center found no evidence of actual or attempted misuse of personal information.
A review of the files that may have been accessed showed they contained names, addresses, dates of birth, diagnostic codes, some appointment scheduling information, and, for some individuals, Social Security numbers. The attack affected 23,869 people.
Policies, procedures, and operations related to the storage of and access to patient data are being reviewed and will be modified as necessary to improve security.
Laptop Containing Patient Data Stolen from Woolfson Eye Institute
Woolfson Eye Institute, located in Atlanta, GA, has reported the theft on September 21, 2020 of a laptop computer used with medical testing equipment. A review of the laptop's contents confirmed it held patient names and dates of birth; no other patient information was stored on the device. The theft was reported to law enforcement, but the laptop has not been recovered.
Because of the limited data on the laptop, patients are not believed to be at risk of identity theft or fraud, but vigilance is still advised.
by Maria Perez | Apr 7, 2021 | Compliance News
Advanced persistent threat (APT) actors are exploiting vulnerabilities in Fortinet's FortiOS operating system to gain access to servers and establish a foothold in networks in preparation for follow-on data exfiltration and file encryption (ransomware) attacks.
In a Joint Cybersecurity Advisory, the Federal Bureau of Investigation (FBI) and the DHS' Cybersecurity and Infrastructure Security Agency (CISA) urged FortiOS users to promptly apply patches for three vulnerabilities, tracked as CVE-2020-12812, CVE-2019-5591, and CVE-2018-13379.
Fortinet released patches for the vulnerabilities in May 2019 (CVE-2018-13379), July 2019 (CVE-2019-5591), and July 2020 (CVE-2020-12812). Fortinet contacted affected customers and published several blog posts urging them to upgrade to a patched FortiOS version; nonetheless, many users have not applied the patches and remain vulnerable.
CVE-2018-13379 is a path traversal vulnerability (improper limitation of a pathname to a restricted directory) affecting FortiOS 5.4.6 to 5.4.12, 5.6.3 to 5.6.7, and 6.0.0 to 6.0.4. Via the SSL VPN web portal, an unauthenticated attacker can download system files by sending specially crafted HTTP requests to a vulnerable device. The vulnerability has previously been exploited by Chinese, Russian, and Iranian APT groups, including in attacks on U.S. election support systems.
CVE-2020-12812 is an improper authentication vulnerability in the SSL VPN of FortiOS 6.4.0, 6.2.0 to 6.2.3, and 6.0.9 and earlier. A user may be able to log in successfully without being prompted for the second authentication factor (FortiToken) if they change the case of their username.
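The following is an added illustration of the bug class behind the username-case bypass described above. It is not Fortinet's code and does not reproduce the FortiOS flaw; it models a login flow that checks the password with a case-insensitive lookup but checks second-factor enrolment with the raw, case-sensitive username, next to a hardened version that canonicalises the username once. The user directory, hashes and token values are constructed, and unsalted SHA-256 stands in for a real password hash only to keep the toy short.

```python
"""Toy model of a second-factor bypass caused by inconsistent username
normalisation. Added example, not Fortinet code; all data is constructed."""
import hashlib
import hmac

# Constructed directory. Assumption: usernames are stored lower-case.
# SHA-256 without salt is NOT a password hash; it is used here only for brevity.
PASSWORD_HASHES = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
MFA_ENROLLED = {"alice": "TOKEN-0001"}   # users who must present a one-time token


def _password_ok(user, password):
    """Constant-time comparison of the supplied password against the stored digest."""
    stored = PASSWORD_HASHES.get(user)
    if stored is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, digest)


def login_vulnerable(username, password, token=None):
    """Bug class: two lookups on the same identity with two different normalisations."""
    if not _password_ok(username.lower(), password):    # case-insensitive lookup
        return "denied"
    if username in MFA_ENROLLED:                         # case-sensitive lookup (!)
        return "granted-with-mfa" if token == MFA_ENROLLED[username] else "denied"
    # "Alice" lands here although "alice" is enrolled: the second factor is skipped.
    return "granted-without-mfa"


def login_hardened(username, password, token=None):
    """Fix: canonicalise exactly once, then key every decision on that value."""
    user = username.strip().lower()
    if not _password_ok(user, password):
        return "denied"
    if user in MFA_ENROLLED:
        return "granted-with-mfa" if token == MFA_ENROLLED[user] else "denied"
    return "granted-without-mfa"


if __name__ == "__main__":
    print(login_vulnerable("Alice", "correct horse"))   # granted-without-mfa
    print(login_hardened("Alice", "correct horse"))     # denied
```

The general lesson is that any identity string used as a key must be normalised in one place and that single canonical form reused for password, MFA, lockout and authorisation lookups; a reviewer hunting for this class of bug looks for the same identifier being passed through `lower()`, `strip()` or Unicode folding in one code path but not in another.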
CVE-2019-5591 is a default configuration vulnerability in FortiOS that may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server.
The FBI and CISA note that APT groups are enumerating servers that have not been patched for CVE-2020-12812 and CVE-2019-5591, and are scanning ports 4443, 8443, and 10443 for devices vulnerable to CVE-2018-13379. The vulnerabilities have been exploited to gain access to multiple government, commercial, and technology services networks. Other CVEs and techniques, including spear phishing, may also be used to gain access to critical infrastructure systems.
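As an added example, not tooling from the FBI, CISA or Fortinet, the script below does the two offline triage checks a defender would run against this advisory: it maps an inventory of FortiOS version strings onto the affected ranges quoted above for CVE-2018-13379 and CVE-2020-12812 (the text gives no version range for CVE-2019-5591, so it is not checked), and it scans access-log lines for directory traversal sequences on the three SSL VPN ports the advisory says are being scanned. The log format, the sample lines and the request paths are constructed, not captured traffic.

```python
"""FortiOS exposure triage: version-range check plus traversal scan of access logs.
Added example; version ranges are those quoted in the advisory text, log data is
constructed."""
import re
from urllib.parse import unquote

# Inclusive (low, high) version ranges. CVE-2020-12812 is quoted as "6.0.9",
# which Fortinet's own advisory states as 6.0.9 and earlier; the whole 6.0 line is used.
AFFECTED = {
    "CVE-2018-13379": [((5, 4, 6), (5, 4, 12)), ((5, 6, 3), (5, 6, 7)), ((6, 0, 0), (6, 0, 4))],
    "CVE-2020-12812": [((6, 4, 0), (6, 4, 0)), ((6, 2, 0), (6, 2, 3)), ((6, 0, 0), (6, 0, 9))],
}
SSLVPN_PORTS = {4443, 8443, 10443}   # ports the advisory says are being scanned


def parse_version(text):
    """'v6.0.4' or '6.0.4' -> (6, 0, 4); raises ValueError on anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(x) for x in m.groups())


def affected_cves(version):
    """Return the sorted CVE IDs whose affected ranges include this version."""
    v = parse_version(version)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(lo <= v <= hi for lo, hi in ranges))


# Constructed access-log format: client_ip dst_port "METHOD PATH" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<port>\d+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def traversal_hits(lines):
    """Return (ip, port, decoded_path) for SSL VPN requests containing '../' once decoded."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or int(m["port"]) not in SSLVPN_PORTS:
            continue
        # Decode twice: double URL-encoding is a common way past single-pass filters.
        path = unquote(unquote(m["path"]))
        if TRAVERSAL_RE.search(path):
            hits.append((m["ip"], int(m["port"]), path))
    return hits


SAMPLE_LOG = [  # constructed sample lines, not captured traffic
    '203.0.113.5 10443 "GET /remote/login" 200',
    '203.0.113.9 10443 "GET /remote/static?f=..%252F..%252F..%252Fetc%252Fpasswd" 200',
    '198.51.100.7 443 "GET /admin/../secret" 404',        # not an SSL VPN port: ignored
    '203.0.113.9 8443 "GET /remote/static?f=../../config" 200',
]

if __name__ == "__main__":
    for ver in ("6.0.4", "6.2.3", "6.0.10"):
        print(ver, affected_cves(ver) or "not in quoted ranges")
    for hit in traversal_hits(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

A version that falls outside the quoted ranges is not proof of safety: the check only says whether the device sits in the windows the advisory names, so it should be paired with Fortinet's own PSIRT advisories for the running branch.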
In addition to patching the vulnerabilities, the FBI and CISA recommend the following mitigations:
- Add key artifact files used by FortiOS to execution deny lists to prevent attempts to install and run the vulnerable software and its associated files.
- Configure systems to require administrator credentials before software can be installed.
- Use multi-factor authentication wherever possible, maintain good password hygiene, and regularly audit accounts with administrative privileges.
- Disable unused remote access/RDP ports and monitor remote access/RDP logs.
- Since phishing attacks are likely, flag emails from external sources and disable hyperlinks in received emails.
- Train staff on information security and how to recognize phishing emails.
- Install antivirus software on all systems and keep it up to date.
- Segment networks to limit the damage that can be done if a breach occurs.
- Since extortion and data destruction attacks are possible, back up data regularly, keep a copy on an air-gapped system, and password-protect the backups.
- Maintain a recovery plan to restore sensitive data from a physically separate, segmented, secure location.
by Maria Perez | Mar 30, 2021 | Compliance News
Mobile Anesthesiologists recently discovered that a technical misconfiguration had exposed the protected health information (PHI) of some patients. The misconfiguration, which existed before December 14, 2020, allowed public access to PHI including names, health insurance information, dates of service, treatment information, and dates of birth.
The investigation concluded on January 28, 2021 and confirmed that the PHI of 65,403 individuals had been exposed. Although the PHI could have been accessed by unauthorized individuals, no evidence was found to suggest it was actually accessed or stolen. Mobile Anesthesiologists began notifying affected individuals by mail on March 10, 2021.
Email Error Brings About Unauthorized Disclosure of Heart of Texas Community Health Center Patients’ PHI
Heart of Texas Community Health Center has discovered that the PHI of some patients was exposed.
An email containing patient information was sent to individuals authorized to view the data; however, it was also delivered to an account outside the organization's firewall and, because the email was not encrypted, it could have been intercepted in transit.
The email contained only an email address and a note that the account holder was overdue for a pap smear; it included no names or other data. The messages were sent only to female patients aged 21 to 65 who had visited a Heart of Texas Community Health Center facility between September and December 2020.
No reports have been received to suggest the email was intercepted or accessed by unauthorized individuals.
Haven Behavioral Healthcare Reports Breach of Systems Comprising Patient Information
Haven Behavioral Healthcare, located in Nashville, TN, has announced that unauthorized individuals gained access to parts of its systems that stored patients' PHI. The breach was detected on or around September 27, 2020, and an investigation was launched immediately, with third-party cybersecurity experts assisting in determining its nature and scope.
The investigation found that the attacker had access to its systems between September 24 and September 27, 2020. On January 27, 2021, it was confirmed that the files accessible to the attacker contained patient information. The review of those files was completed on March 11, 2021, and Haven Behavioral Healthcare began mailing notification letters on March 23, 2021.
Although the files were accessible, the investigation could not determine whether the attacker actually viewed them. It is not yet known which hospitals and patients were affected.
by Maria Perez | Mar 24, 2021 | Compliance News
In a March 17, 2021 Private Industry Notification, the Federal Bureau of Investigation (FBI) warned state, local, tribal, and territorial (SLTT) governments about Business Email Compromise (BEC) scammers. BEC attacks on SLTT government entities increased from 2018 to 2020, with losses ranging from $10,000 to $4 million.
BEC attacks involve gaining access to an email account and sending messages impersonating the account owner to persuade the recipient to carry out a fraudulent transaction. The compromised account is frequently used to email the payroll department to change employee direct deposit details, or to email individuals authorized to make wire transfers and request changes to bank account information or payment methods.
In 2020, the FBI's Internet Crime Complaint Center (IC3) received 19,369 BEC complaints with reported losses of approximately $1.9 billion. Examples of BEC scams include:
In July 2019, a small city government lost $3 million after being tricked by a spoofed email that appeared to come from a service provider requesting a change to its payment account.
In December 2019, the email account of a financial manager at a government agency of a U.S. territory was compromised and used to send 146 messages about financial transactions to government agencies. Some recipients queried the requests by email, and the scammer intercepted and answered those queries. In total, $4 million was transferred to the attacker's account.
Beyond the financial losses, these attacks disrupt the operational capabilities of SLTT government entities, cause reputational damage, and can also result in the loss of sensitive data such as PII, banking information, and employment records.
BEC scammers can readily research their targets, learning SLTT operating details and information about vendors, suppliers, and service providers from open sources. Gaining access to email accounts is straightforward because targets' email addresses are easy to find, and phishing kits for harvesting credentials are available cheaply on the darknet.
Once an account is compromised, the scammer mimics the account holder's writing style and often hijacks existing email threads. A scam may span several messages, with the target believing they are conversing with the genuine account owner when they are in fact communicating with the attacker.
The FBI explains that BEC scammers typically target SLTT government entities with weak cybersecurity practices and exploit those that do not provide sufficient training to employees. The shift to remote working during the pandemic has made the fraudsters' job easier still.
In 2020, CISA ran phishing simulations with SLTT government entities. Across 152 campaigns comprising about 40,000 messages, there were approximately 5,500 unique clicks on simulated malicious hyperlinks. A click rate of 13.6% shows that security awareness training alone does not eliminate the threat from email-based attacks and underscores the importance of defense-in-depth mitigations.
The FBI recommends ensuring that all employees receive security awareness training, understand BEC attacks, and know how to recognize phishing and spoofed emails. Employees should be taught to carefully scrutinize emails requesting advance payments, changes to bank account details, or sensitive information. Policies and procedures should require any change to bank account details or any transaction request to be verified by a telephone call to a known, verified number, never to a number supplied in the email.
Additional measures to consider include multi-factor authentication on email accounts, phishing simulations, blocking automatic email forwarding, monitoring Exchange servers for configuration changes, adding banners to emails from external sources, and using email filtering solutions.
Further steps for preventing and detecting BEC attacks are detailed in the FBI alert.
by Maria Perez | Mar 17, 2021 | Compliance News
Ransomware attacks on the healthcare sector surged in 2020. At least 91 U.S. healthcare organizations suffered ransomware attacks, 50 more than the previous year. 2020 also saw a major ransomware attack on Blackbaud that affected around 100 U.S. healthcare organizations.
The first reported ransomware attack occurred in 1989, but early ransomware was not especially sophisticated and attacks were easy to mitigate. That changed in 2016, when a new breed of ransomware began to be used in attacks.
These variants use strong encryption and delete or encrypt backups to ensure data cannot be recovered without paying the ransom. Ransomware has been a constant threat to the healthcare sector for the past five years, and healthcare organizations have been increasingly targeted. Today's attacks also involve the theft of sensitive data before files are encrypted, so even when files can be restored from backups, victims are still pressured to pay to prevent the stolen data from being published or sold.
Healthcare ransomware attacks cripple IT systems, make patient health records inaccessible, disrupt patient care, and endanger patient safety. Recovering data and restoring systems can take weeks or months, and remediation is expensive, with substantial lost revenue from downtime. The 2020 ransomware attack on the University of Vermont Health Network cost an estimated $1.5 million per day in recovery costs and lost revenue.
The True Cost of Healthcare Ransomware Attacks
Researchers at Comparitech recently conducted a study to determine the true cost of ransomware attacks on U.S. healthcare organizations. They gathered data on all ransomware attacks reported to the U.S. Department of Health and Human Services' Office for Civil Rights since 2016, along with attacks reported in the media that were not published by OCR because they affected fewer than 500 individuals.
Calculating the true cost of healthcare ransomware attacks is difficult because only limited information is made public. Ransoms may be paid, but the amounts are rarely disclosed, and attacks affecting fewer than 500 individuals are usually not publicized.
The researchers identified 92 healthcare ransomware attacks in 2020, including the Blackbaud attack. More than 600 separate hospitals, clinics, and other healthcare facilities were affected by those attacks, with a further 100 affected by the Blackbaud attack. In total, the attacks resulted in the theft or exposure of the protected health information (PHI) of an estimated 18,069,012 patients.
Where ransom demands were disclosed, they ranged from $300,000 to $1.14 million; the average ransom in 2020 was $169,446 according to Coveware, whose figure covers all sectors rather than healthcare alone. Attackers demanded $15.6 million in ransoms from U.S. healthcare organizations in 2020, and $2,112,744 is confirmed to have been paid to ransomware gangs. The true total is considerably higher, as ransom payments are usually not disclosed.
Beyond the ransom payment, downtime lasting weeks or months is another cost of ransomware attacks. Coveware's research shows average downtime rose from 15 days (Q1 2020) to 21 days (Q4 2020). The Comparitech researchers put the total downtime from the 2020 attacks at 1,669 days. Using a 2017 estimate of $8,662 per minute of downtime, the 2020 attacks cost approximately $20.8 billion, more than twice the estimated cost of the 2019 attacks ($8.46 billion).
In total, the researchers identified 270 healthcare ransomware attacks in the United States between January 2016 and December 2020, affecting around 2,100 clinics, hospitals, and other healthcare facilities. The attacks saw the theft or encryption of the data of more than 25 million individuals, at a total estimated cost of $31 billion to the healthcare industry.
The full Comparitech healthcare ransomware study can be read here.