Health Aid of Ohio Security Breach Impacts Around 141,00 People

Health Aid of Ohio, a full-service home medical equipment company based in Parma, OH, has found out that unauthorized persons acquired access to its systems and copied certain files from its system. The breach was discovered on February 19, 2021 upon detection of suspicious network activity. Health Aid of Ohio quickly took action to remove the attackers from the system and keep safe all patient information.

A breach investigation confirmed that the attacker accessed and exfiltrated files from Health Aid’s networks, however, it can’t be determined precisely which files were taken from its systems. Possibly, several of the exfiltrated files included the protected health information (PHI) of VA plan members.

The data potentially accessed included names, phone numbers, addresses, and particulars of the kind of equipment sent to homes or was fixed in people’s homes. The PHI of people who got services via their insurance provider or healthcare company included names, phone numbers, birth dates, Social Security numbers, insurance details, diagnosis data, and type of equipment.

Although the above details might have been stolen, there are no reports received that suggest any falsified misuse of the above data thus far.

Health Aid of Ohio hasn’t shared how the attackers obtained systems’ access and if there was malware or ransomware used. But it has informed the Federal Bureau of Investigation (FBI) and proper authorities. The breach report sent to the HHS’ Office for Civil Rights shows that around 141,149 people were potentially affected.

PHI Potentially Exposed in River Springs Health Plans Phishing Attack and Netgain Ransomware Attack

An unauthorized person obtained access to a River Springs Health Plans worker’s email account and deployed malware which likely made it possible for the copying of email account contents. The staff clicked on the phishing email on September 14, 2020. The provider found the malware and took it out the next day. The email account was furthermore made secure.

A prominent forensics agency was retained to aid the investigation and ascertain if attackers viewed or obtained any sensitive facts. There is no proof discovered which indicated the copying of any member data. Nevertheless, data theft cannot be eliminated. An extensive assessment of the affected account showed on February 17, 2021 that there were 31,195 River Springs Health Plans members’ PHI kept in the account.

The kinds of information contained in the account differed from person to person and might have involved these data: First and last names, birth dates, Medicaid ID, Medicare ID, member ID, Social Security number, and sources to medical data for instance healthcare provider details. No financial data was affected.

River Springs Health Plans has undertaken steps to boost email security and has re-trained the staff on phishing email identification and submitting reports on suspicious email messages. Impacted persons have already been advised and free credit monitoring services were given.

Netgain Ransomware Attack  Affected Health Center Partners of Southern California

Health Center Partners of Southern California (HCP) has reported that it was impacted by the ransomware attack on Netgain Technology LLC, its IT service supplier.

HCP offers help to community health units based in Southern California which necessitates access to patient data, several of which was saved on systems that were affected by the ransomware attack in September 2020. Netgain’s inquiry established that from October 22, 2020 until December 3, 2020, the attacker acquired files comprising PHI, including HCP information.

Netgain paid the ransom demand to avert further exposure of the stolen information and acquired guarantees that the attackers had wiped out the records. The darkweb is being searched and hacking community forums watched to determine any data exposure. HCP mentioned in its breach notification that there’s no reason to think any information stolen in the attack is going to be misused nevertheless, as a safety measure, impacted people were provided free identity protection services from IDX.

Radiation Treatments Interrupted Because of Software Vendor Cyberattack

Elekta, the Swedish oncology and radiology system provider, is recouping from a cyberattack that pushed it to take down its first-gen web-based storage system on April 20, 2021. Although the company has affirmed the security breach it has encountered, there is no information about the actual nature of the cyberattack yet. It is uncertain what kind of malware was used, however, it is assumed to be ransomware. The web-based storage system was taken off the internet to control the problem.

Elekta stated just a part of customers in the USA that utilizes its software program were impacted and are having a service outage because the web-based system is down. Elekta is working on moving those clients to its brand new Microsoft Azure cloud and the firm is working 24 / 7 to finish that process. All impacted clients received notification; but, a small amount of information regarding the incident was announced to the public in order not to compromise the company and police investigations, however, Elekta accounts that the problem has already been completely resolved.

Yale New Haven Health based in Connecticut is a U.S. healthcare company that is impacted by the cyberattack on Elekta. Yale New Haven Health had to take its radiation devices off the internet until the problems are settled. The software program is utilized on linear accelerators for radiation therapies. Systems were offline for over one week and a number of cancer patients were referred to other healthcare companies to go on with their therapies.

Other healthcare companies identified to have been impacted were Lifespan Corp and Southcoast Health in Massachusetts. Lifespan, which supervises
Rhode Island Hospital and the Lifespan Cancer Institute, has affirmed that just one afternoon of consultation services was missed in its radiation oncology centers, and they were easily rebooked the following day. There were no more postponed or delayed treatments.

Elekta released an announcement stating that there is no evidence found that indicates the extraction or copying of any data. Elekta stated about 170 U.S. customers that utilize its first-gen web system have had service interruptions to at least one of their products.

Ohio Law Firm Ransomware Attack and California Department of State Hospitals Insider Breach

Eckler mentioned the attackers affirmed the deletion of the stolen information and gave reassurances that no further disclosures of the stolen data will occur and that no copies of the information were kept.

Being a full-service law company helping customers in the healthcare sector, it was required for clients to give the law agency access to selected protected health information (PHI) during the client engagement. That data was utilized for the legal assistance given. It is likely that a number of that data might have been seen or acquired during the attack.

Bricker & Eckler mentioned the following PHI might have been exposed: names and addresses and, for a number of people, medical data and/or education-associated data, Social Security numbers, and/or driver’s license numbers.

The law agency began mailing notification letters to all impacted persons on April 6, 2021. The law agency has implemented measures to improve the security of its network, internal systems, and software programs to avoid identical attacks down the road.

Bricker & Eckler has reported the breach to the HHS’ Office for Civil Rights indicating that about 420,532 people were affected.

California Department of State Hospitals Finds Out Insider Breach More Serious Than Earlier Thought

In March 2021, the California Department of State Hospitals reported that one staff with an IT job got access to the information of 1,415 present and past patients and 617 employees with no permission in a 10-month time period. The hospital discovered the breach on February 25, 2021 while doing routine monitoring of staff access to data folders.

During the announcement, the investigation of the insider breach was still in progress. It has now been affirmed that the breach was even worse than earlier imagined. The information of 1,735 present and past Atascadero State Hospital workers and 1,217 DSH job seekers who were not hired was likewise viewed. The information contained telephone numbers, email addresses, birth dates, social security numbers, and health data. Although the sensitive information was accessed, no report has been received of any misuse of information.

Ransomware Attacks on the University of Miami Health and Mott Community College

A ransomware attack on Accellion, a file transfer service provider, resulted in the access of the protected health information (PHI) of patients of the University of Miami Health by unauthorized individuals.

The University of Miami Health utilized Accellion’s file transfer technology for sharing files that were too large to send out via email. The University of Miami stated that only a small number of individuals at the university used the Accellion solution. Immediate action was done to restrict the impact of the incident. Since then, the university has ceased using Accellion’s file transfer services.

The investigation into the attack is not yet done and the review of the files that were obtained or potentially exposed in the attack is not yet done, therefore the number of people affected by the attack is not yet known.

The University of Miami thinks that none of its systems were breached in the attack and that the university only sent or received limited files through Accellion’s file transfer services.

The gang behind the attack asked for a $10 million ransom payment for the keys to decrypt data files and avoid getting the data posted on the internet or marketed on dark web marketplaces. A few of the information stolen in the ransomware attack was already published on the gang’s leak website, including a number of data associated with patients of the University of Miami Health.

The University of Miami was one of Accellion customers that were impacted by the breach. The others were the University of Colorado, Kroger, Arizona Complete Health, Centene, and Shell Oil.

Mott Community College Ransomware Attack Affected 1,612 Dental Plan Members

Mott Community College has informed 1,612 people that unauthorized individuals obtained files that contain their PHI prior to using ransomware on its systems.

Upon discovery of the attack, a third-party cybersecurity company helped investigate the incident to know the scope of the security breach. The investigation revealed that the attackers acquired access to its network from November 27, 2020 until January 9, 2021.

On January 23, 2021 Mott Community College found out that the attackers exfiltrated sensitive information before deploying the ransomware, and that a few of the files were associated with individuals covered under its self-insured dental plan. An evaluation of those data files showed that they included names, dates of birth, and dental plan enrollment and claims details for persons registered in the dental plan in 2014-2015, and 2019.

On March 24, 2021, Mott Community College started sending notification letters to all persons affected. Although data exfiltration was established, it does not imply the attackers viewed, misused, or disclosed the contents of the data files. Mott Community College has now put in place more safeguards and technical security steps to avoid any more attacks, such as multifactor authentication for all systems and email access and extra password requirements.

SalusCare Files Lawsuit Against Amazon to Get Access to AWS Audit Logs to Investigate Data Breach

SalusCare, a behavioral healthcare services provider based in Southwest Florida, encountered a cyberattack in March that resulted in the exfiltration of patient and employee data from its systems. SalusCare did not confirm the specific strategy employed to get access to its computers, but the cyberattack is thought to have begun through a phishing email with malware download. The attacker exfiltrated all of its database content to an Amazon AWS storage account.

The cyberattack happened on March 16, 2021 and, according to the breach investigation, the attacker seemed to be located in Ukraine. The attacker acquired access to SalusCare’s Microsoft 365 environment, stole sensitive information, and loaded it to two Amazon S3 storage buckets.

Amazon was informed regarding the criminal activity and it revoked access to the S3 buckets so that the attacker could not access the stolen information. SalusCare asked for copies of the audit logs, which it needs to proceed with investigating the breach and determining specifically what information was taken. SalusCare additionally would like to ensure that the suspension is irreversible and won’t be removed by Amazon.

The S3 buckets were employed to keep SalusCare data, however, Amazon won’t voluntarily give copies of the audit logs or the information kept in the S3 buckets since SalusCare does not own them. The two S3 buckets are known to contain about 86,000 files stolen during the attack.

In order to obtain copies of the audit logs and information, SalusCare submitted a lawsuit in federal court requesting injunctive relief under the Computer Abuse and Recovery Act of Florida. SalusCare is seeking a decision that will force Amazon to give audit logs access and a copy of the two S3 buckets content. SalusCare additionally would like the courts to mandate Amazon to suspend access permanently to keep the attacker from having data access or copying the stolen data to a different cloud storage service. SalusCare has likewise sued the person associated with the attacks – John Doe.

The lawsuit asserted that the stolen data, which was hosted by Amazon is highly sensitive and can be employed for identity theft, selling on the darknet marketplaces, or exposure to the general public.

In the petition filed by SalusCare to the U.S. District Court in Fort Myers, it explained that the files consist of extremely personal and sensitive files of the psychiatric and addiction counseling and treatment of patients. The files additionally include sensitive financial data like credit card numbers and Social Security numbers of SalusCare employees. and patients.

The lawsuit is seeking that after Amazon gives SalusCare a copy of the information and audit logs, the S3 buckets must be cleared to stop any more unauthorized access.

Amazon didn’t go against any injunctive relief desired by SalusCare. On March 25, 2021, The News-Press reports that the request has been granted by a District Court federal judge.

Reinvestigation of 2019 Metro Presort Ransomware Attack Shows Potential Compromise of PHI

Technology and communication solutions provider Metro Presort based in Portland, OR encountered a ransomware attack last May 6, 2019 that allowed the encryption of files so that its staff could not access its systems. The company detected the ransomware attack immediately and secured its systems on May 15, 2019. The company had recovered from the attack somewhat easily. The investigators of the incident didn’t find any proof that suggests the removal of files from its system and considering that the company already applies encryption on customer information, it is unlikely that the attackers could access any sensitive data.

Metro Presort investigated the attack again in October 2020. This time, it did not confirm the encryption of files that contain customer data prior to the attack. Therefore, the attacker could have potential access to statements, invoices, and spreadsheets that Metro presort prepared for its clients, healthcare providers included. A substitute breach notice posted on the Metro Presort website on November 24, 2020 stated that an audit of those files affirmed their content as including patient names, addresses, birth dates, patient and health plan account numbers or IDs, appointment dates, diagnoses codes, treatment codes, and treatment dates.

The HHS’ Office for Civil Rights website recently published the incident indicating the potential compromise of the PHI of up to 38,387 people. Metro Presort mentioned in its breach notice that the Department of Health and Human Services’ Office for Civil Rights investigated Metro Presort’s response to the breach, its guidelines, and procedures. The case was closed on December 31, 2020 after OCR established that there was no violation of HIPAA rules.

Metro Presort also mentioned in its breach notice that both prior to the incident and afterward, MPI has given substantial resources to keeping and improving its data security, which includes setting up of the most recent technical security measures to avoid the same incidents, extra protections (encryption) of customer documents, and security reviews.

Universal Health Services Lost $67 Million in 2020 Due to Ransomware Attack

2020 was a remarkably horrible year for the medical care industry with regards to ransomware attacks. One of the hardest hit by ransomware attacks is the Fortune 500 healthcare system Universal Health Services (UHS) located in King of Prussia, PA.

UHS, which operates 400 hospitals and behavioral health centers throughout the U.K. and the U.S., experienced a cyberattack in September 2020 that ruined all of its IT systems, affecting all the hospitals and medical centers it operates all over the nation.

The telephone system, computers, and electronic health records were not accessible. For this reason, personnel used pen and paper for recording patient information. During the hours right after the ransomware attack, the health system rerouted rescue ambulances to other establishments and delayed or redirected some elective operations to other hospitals. Patients remarked that test results were also delayed while the UHS is working on recovery from the attack.

After the ransomware attack, UHS worked rapidly to bring back its IT system, working around the clock to restore normal business operations; however, it took 3 weeks to attain recovery. The interruption of course had a big impact on finances. The UHS’ revenue report for quarter 4 of 2020
indicated a loss of $42.1 million, which translates to 49 cents per diluted share. UHS ended the quarter with $308.7 million in revenue, rising by 6.6% compared to quarter 4 of 2019.

Restoring its IT infrastructure added a considerable amount to labor expenses, inside and outside the company. The impact on cash flows meant that some admin tasks such as coding and billing had become delinquent until December 2020.

Because of the ransomware attack, UHS sent reports of about $67 million pre-tax losses in 2020, primarily as a result of the decline of operating income, lower patient activity and greater revenue reserves on account of overdue billings. UHS believes that it will be able to get back the majority of the $67 million from its insurance policy coverage.

Microsoft Releases Patches for 4 Actively Exploited Flaws in Microsoft Exchange Server

Microsoft has launched out-of-band security adjustments to resolve four zero-day Microsoft Exchange Server vulnerabilities that a Chinese Advanced Persistent Threat (APT) group called Hafnium is actively exploiting.

The attacks have been taking place starting early January, as the APT group is targeting defense contractors, law agencies, colleges and universities, NGOs, think tanks, and infectious disease research organizations in the USA. Vulnerabilities exploitation enables the attackers to exfiltrate mailboxes and other information from vulnerable Microsoft Exchange servers, run practically any code on the servers, and add malware for continual access.

Hafnium is used to be an unidentified sophisticated APT group that is thought to be aided by the Chinese government. The group is chaining together the 4 zero-day vulnerabilities to steal sensitive files held in email messages. While developing the exploits needed skills, utilizing those exploits is easy and permits the attackers to exfiltrate big quantities of sensitive data easily. Although the APT group is in China, virtual private servers in America are hired for use in the attacks, which aids the group to remain under the radar.

The flaws are found in Exchange Server 2010 and all supported Microsoft Exchange Server versions (2013, 2016, 2019). There were patches released to repair the vulnerabilities in Exchange Server 2010, 2013, 2015, and 2019. The flaws have no effect on Exchange Online and personal email accounts, merely on-premises Exchange servers.

Microsoft has credited the cybersecurity companies Volexity and Dubex for assisting to uncover the attacks, which were initially identified on January 6, 2021. Now that the patches were introduced, attacks are likely to increase as the group rushes to obtain access to a lot of vulnerable Exchange servers before the patch application.

The vulnerabilities identified are:

  • CVE-2021-26855: A server-side request forgery (SSRF) vulnerability that enables HTTP requests to be sent to an on-premises Exchange Server to authorize as the Exchange server itself.
  • CVE-2021-26857: An insecure deserialization vulnerability found in the Unified Messaging service that may be exploited to execute any arbitrary code as SYSTEM on the Exchange server.
  • CVE-2021-26858 and CVE-2021-26865 – These two file write vulnerabilities enable an authenticated person to write files to any path on the server. The vulnerabilities are chained with CVE-2021-26855, though it can also be taken advantage of utilizing stolen credentials.

Once initial access to the Exchange server is acquired, the attackers release a web shell that permits them to gather cached credentials, upload files like malware for persistent access, perform essentially any command on the compromised system, and exfiltrate inboxes and other information.

Exploits for the vulnerabilities are not believed to have been available publicly, with the attacks presently merely being carried out by Hafnium, even though that may not stay so for long.

Microsoft is informing all customers of the vulnerable Microsoft Exchange versions to utilize the patches right away. After implementing the patches, an investigation must be done to know if the vulnerabilities were already exploited, as patching won’t prevent any further malicious activity or data exfiltration in case the attackers have actually breached the server.

Microsoft has offered Indicators of Compromise (IoCs)  to assist clients to determine whether the vulnerabilities were already exploited.

PHI Potentially Exposed Due to Cyberattacks on Nebraska Medicine and Hackley Community Care

Nebraska Medicine has commenced sending notifications to around 219,000 patients concerning an unauthorized person that
potentially accessed patient data as a result of a malware attack.

On September 20, 2020, Nebraska Medicine found out that parts of its systems had strange activity. The firm singled out the infected devices to restrict the impact of the breach. The affected systems were shut down to prevent continuing unauthorized access. Third-party computer forensics experts helped in the investigation and determine the nature and magnitude of the data breach.

Based on the investigation results, an unauthorized individual first acquired system access on August 27, 2020 and corrupted it with malware. The unauthorized individual copied a number of files, with some containing patient data from August 27 up to September 20.

The compromised files belonged to patients who got medical services from the Nebraska Medical Center or University of Nebraska Medical Center. A number of patients received medical services from Faith Regional Health Services, Great Plains Health, or Mary Lanning Healthcare.

The attackers got access to protected health information (PHI) such as one of the following data: Name, address, birth date, medical record number, medical insurance details, doctor’s notes, laboratory test data, imaging, diagnosis information, treatment information, and/or doctor-prescribed drugs information. Some patients’ driver’s license numbers and Social Security numbers were likewise potentially compromised.

Nebraska Medicine mailed notification letters to the affected individuals regarding the breach on February 5, 2021. The individuals who had their Social Security or driver’s license numbers exposed at the same time got credit monitoring and identity theft protection services for free. The provider’s IT environment is still under monitoring for potential breaches. It additionally improved its network monitoring solutions.

Phishing Attack Impacts 2,500 Hackley Community Care Patients

Hackley Community Care located in Muskegon, MI is informing about 2,500 patients concerning unauthorized persons
getting potential access to some of their PHI.

In September 2020, a number of employees had received a phishing email in their inbox. One employee clicked a hyperlink to a malicious site and keyed in his/her login credentials that the attacker snagged and used to access the email account of the employee remotely between September 7 and September 24, 2020.

The breach investigation affirmed the compromise of only one email account. There is no evidence identified that indicates the unauthorized persons opened any emails in the breached account. After the review of the compromised email account was completed on December 18, 2020, Hackley Community Care informed all people that were impacted by the incident.

Most of the affected individuals only had their names and addresses compromised. Individuals who had more sensitive data affected were given TransUnion credit monitoring services for free. Hackley Community Care is reinforcing its security procedures to prevent the occurrence of similar incidents later on.

Breach of Data at Capital Medical Center, Rehoboth McKinley Christian Health Care Services and Sutter Buttes Imaging Medical Group

Two healthcare organizations have experienced ransomware attacks whereby sensitive information was exfiltrated and disclosed on the internet because the victims did not pay the ransom.

The Conti ransomware gang has posted information on its leak website which was purportedly taken in an attack on Rehoboth McKinley Christian Health Care Services located in New Mexico. The leaked details includes sensitive patient data such as patient ID cards, diagnoses, treatment details, diagnostic data, driver’s license numbers, and passports.

It is uncertain how many individuals have had their PHI exposed to date. The Conti ransomware group states it has just released about 2% of the stolen data.

The current data leak by the Conti ransomware gang follows identical leaks of the information stolen at the time of the ransomware attacks on Leon Medical Centers in Florida and Nocona General Hospital in Texas.

The Avaddon ransomware group has likewise posted data on its leak webpage that was exfiltrated during a ransomware attack on Capital Medical Center in Olympia, Washington. The gang has threatened to leak more information within the following few days when the ransom is not paid. The published data includes driver’s license numbers, patient files, diagnosis and treatment data, insurance details, lab test results, prescribed medicines, names of providers, and patient contact data.

Based on Emsisoft, there is presently a minimum of 17 ransomware gangs doing data exfiltration prior to file encryption, all of which say they will release or sell the stolen information in case the ransom isn’t paid. The most recent Coveware ransomware report indicates data exfiltration happens in approximately 70% of ransomware attacks. These double extortion attacks frequently get the ransom payment to stop the release of stolen information, however, there are signs that this technique is starting to be less effective because of a lack of trust that the threat groups will dispose of stolen data upon ransom payment.

There have been a few instances where despite the fact payment was made, the threat actors made even more extortion demands or still exposed the stolen files on leak websites.

Hacker Possibly Obtained Patient Information from Sutter Buttes Imaging Medical Group

Sutter Buttes Imaging Medical Group (SBIMG) based in Yuba City, CA has found out that an unauthorized individual has acquired access to third-party IT hardware utilized at its Yuba City imaging center and possibly viewed and acquired limited patient records.

In December 2020, SBIMG discovered that a hacker exploited an unpatched vulnerability in IT hardware that was employed to keep and transfer information associated with medical services given to patients. Action was quickly taken to remove the threat actor from its systems and protect patient information. A breach investigation revealed that the hacker first obtained access to the IT systems in July 2019, and accessed it until December 2020.

A security breach investigation revealed the attacker got access to limited patient details like names, birth dates, imaging procedures conducted, study name, study date, and internal patient/study numbers. There were no financial data, insurance details, or Social Security numbers compromised.

SBIMG has fixed the vulnerability and has taken steps to enhance security to avert similar breaches in the future, which include closing particular firewall ports. Third-party security professionals helped to evaluate system security and to implement additional security controls.

SBIMG has notified all patients by mail and reported the breach to the HHS’ Office for Civil Rights. The incident is not yet posted on the HHS breach portal, thus the number of individuals affected is currently not clear.

Kevin Fu Apppointed as FDA’s First Director of Medical Device Security

The U.S. Food and Drug Administration (FDA) has reported that University of Michigan associate professor Kevin Fu was appointed as the first medical device security director.

Kevin Fu will work for a term of one year as acting director of the FDA’s Center for Devices and Radiological Health (CDRH) medical device security as well as the recently established Digital Health Center of Excellence, beginning on January 1, 2021. Fu is going to assist in bridging the gap between medicine and computer science in addition to helping companies keep their medical devices secure from digital threats.

Fu is going to help in developing the CDRH cybersecurity strategies, public-private partnerships, and pre-sell vulnerability examination to make sure of the security of medical devices such as insulin pumps, imaging machines, pacemakers, and healthcare IoT devices and keep them secure from digital threats.

Fu has significant expertise in the discipline of medical device cybersecurity. Fu is presently the University of Michigan’s Archimedes Center for Medical Device Security’s chief scientist. He founded and co-founded the healthcare cybersecurity startup company Virtua Labs together with his doctoral students and was formerly a part of the National Institute of Standards and Technology’s (NIST) Information Security and Privacy Advisory Board. Fu has additionally carried out research on software radio attacks impacting implantable medical devices like cardiac defibrillators and pacemakers and showed how easily available radio software programs can be employed to get access to the devices and grab communications. Fu is at present an associate professor of electrical engineering and computer science and a lecturer at Dwight E. Harken Memorial. He will keep the roles in the University of Michigan.

Protecting medical devices is a difficult task. Large quantities of medical devices are currently utilized by hospitals in complicated interconnected systems. Numerous hospitals don’t have comprehensive inventories of their gadgets, and because many operate on legacy programs, vulnerabilities could very easily go unchecked. Cyber threat actors could exploit those vulnerabilities and result in harm to patients or acquire a footing in healthcare computer systems.

As Fu discussed in an interview lately publicized on Michigan News, the risk landscape has evolved considerably in the last 10 years. There are much more adversaries that are starting attacks. Ten years ago, it was quite hypothetical. These days you know about numerous hospitals practically closing down due to ransomware attacks. New security vulnerabilities are discovered in medical device software program practically on a daily basis. We must be heedful in ensuring that all medical devices are equipped with a basic level of security. Medical devices should stay safe and efficient in spite of cybersecurity risks.

Medical devices should possess privacy and security options by design, instead of being added afterward. By then, security problems would be a lot harder to deal with.

Sadly, commonly, medical device companies fail to’ seek feedback from security professionals when designing medical devices and so the devices are only created according to well-known computer security engineering concepts. That should change.

At this time, Fu is concentrated on medical device safety. He is looking forward to his work at the FDA to help build up public confidence in the security and efficiency of medical devices in spite of the built-in cybersecurity threats.

7-Year Breach of Florida Medicaid Applicants’ PHI Due to Failure in Patching

Florida Healthy Kids Corporation, a Medicaid health plan based in Tallahassee, FL, found out that its web hosting company did not patch vulnerabilities and cybercriminals exploited it to obtain access to its site and the protected health information (PHI) of individuals applying for benefits within the last 7 years.

Florida Healthy Kids employed Jelly Bean Communications Design, LLC. for website hosting. The website has an online application that logged the data of individuals when they sent applications for Florida KidCare benefits or requested to renew their health or dental coverage on the web.

On December 9, 2020, Jelly Bean Communications informed Florida Healthy Kids that unauthorized persons had acquired access to the webpage and made changes to the addresses of a few thousand applicants. Florida Healthy Kids had cybersecurity specialists who conducted an investigation to know the magnitude and severity of the security breach.

Florida Healthy Kids had to shut down the web page during the breach investigation to avoid any further unauthorized access. The analysis of the website platform and databases that kept the Florida KidCare application revealed some existing vulnerabilities between November 2013 and December 2020, and that cyber criminals exploited the vulnerabilities to get access to the website.

Although the evidence showed the tampering of applicant addresses, it is likewise possible that the hackers exfiltrated patient information, though there was no evidence of data theft found.

The hackers possibly accessed the following types of information: full names, birth dates, telephone numbers, Social Security numbers, email addresses, physical and mailing addresses, financial data, family relationships of persons provided in the application, and secondary insurance details.

The Florida KidCare online application stays offline while the company finds a new web hosting vendor. Florida Healthy Kids began notifying affected individuals on January 27, 2020 and advised them to take the proper steps to safeguard their identities, including creating security freezes and fraud alerts. There is no clear number yet regarding the number of people impacted.

Rady Children’s Hospital Faces Class Action Lawsuit Due to the Blackbaud Ransomware Attack

In May 2020, the cloud software firm Blackbaud experienced a ransomware attack. As is well-known in human-operated ransomware attacks, the attackers exfiltrated files prior to encrypting files. A number of the stolen data files included the fundraising data of its healthcare clients.

Rady Children’s Hospital in San Diego is one of the healthcare providers affected. It is California’s largest children’s hospital when it comes to admissions. A proposed class-action lawsuit alleges that Rady was responsible for failing to protect the sensitive information of 19,788 people which the hackers obtained through Blackbaud’s donor management software solution.

The lawsuit claims Rady did not employ sufficient security measures and didn’t make certain Blackbaud had enough security measures set up to safeguard ePHI and make sure it remained private. The lawsuit states persons impacted by the breach are facing an impending, immediate, significant and continuing increased risk of identity theft and fraud due to the breach and Rady’s neglect.

Blackbaud found out about the ransomware attack in May 2020. The investigation confirmed the hackers got access to the fundraising files of its healthcare customers from February 7 to June 4, 2020. Blackbaud mentioned the hackers were taken out of the network the moment the breach was found out but had learned that the attackers acquired a section of client files.

Blackbaud made the decision to give the ransom demand to make certain the stolen information was deleted. The attackers gave assurances that the records were permanently destroyed. Rady issued breach notification letters explaining that the types of data likely obtained by the attackers contained patients’ names, birth dates, addresses, doctors’ names, and the department that provided the medical services.

The lawsuit claims Rady cannot reasonably maintain that the hackers deleted the plaintiffs’ personal information. Based on the complaint, Blackbaud did not provide confirmation or additional details concerning the disposition of the files to verify that the stolen records were deleted. The lawsuit additionally states neither Rady nor Blackbaud knew how the attackers exfiltrated information, and whether it was transmitted safely and if it was intercepted by other persons.

As per the lawsuit, Rady had the required means to secure patient data however missed the implementation of appropriate security. The plaintiffs are seeking compensation, continuous protection against identity theft and fraud, as well as a court order to impose adjustments to Rady’s security procedures to make sure breaches such as this, and several others mentioned in the report, do not occur again.

Blackbaud is furthermore facing several class-action lawsuits associated with the breach. No less than 23 putative class action lawsuits were filed against Blackbaud according to its 2020 Q3 Quarterly Filing with the U.S. Securities and Exchange Commission. The lawsuits have been submitted in 17 federal courts, 4 state courts, and 2 Canadian courts. Each claims breach victims have experienced harm because of the theft of their personal information.

Blackbaud also stated receiving over 160 claims from its customers and their lawyers in Canada, the U.S., and U.K. Blackbaud is additionally being investigated by government institutions and regulators, which include 43 state Attorneys General and the District of Columbia, Federal Trade Commission, the Department of Health and Human Services, Office of the Privacy Commissioner of Canada, and the U.K GDPR data protection authority, the Information Commissioner’s Office.

Hackers Expose Data Stolen During the Cyberattack on the European Medicines Agency

A cyberattack on the European Medicines Agency (EMA) last December allowed hackers to access third party files. A number of the data stolen during the cyberattack were leaked on the internet.

The EMA is the organization in charge of regulating the testing and approvals of COVID-19 vaccines, treatment methods, and research in the European Union. The EMA had earlier released an update about its investigation of the cyberattack and stated that just one IT program was breached. The EMA mentioned it has notified all third parties regarding the attack, though it did not name those organizations. In the investigation updates, the EMA stated the main intention of the attackers was to access COVID-19 treatment and vaccine data. Although it was apparent that the attackers had accessed documents, the EMA merely affirmed that the exfiltration of data.

Before the cyberattack, BioNTech and Pfizer sent their vaccine information to the EMA to move through the approval process. But the hackers accessed the server containing the documents submitted by Pfizer and BioNTech. Pfizer and BioNTech gave a joint declaration in December affirming the unauthorized access of documents associated with their BNT162b2 vaccine. Moderna has likewise reported receiving the notification from EMA that hackers accessed the information corresponding to its mRNA-1273 COVID-19 vaccine candidate.

In the January 12, 2021 update, the EMA affirmed that the attackers exfiltrated data and a number of the documents that were accessed unlawfully related to COVID-19 remedies and were exposed online.

Neither the EMA, BioNTech, nor Pfizer have revealed which documents were exposed or what data were exposed to the public; nonetheless, Bleeping Computer said the information stolen during the attack were posted on a number of hacking forums. A number of sources in the cybersecurity intelligence community had affirmed that the exposed information contained peer review information, screenshots of emails, and a number of PDF files, Word docs, and PowerPoint slides.

EMA still gives full support to the criminal investigation of the data breach. It is ready to notify other entities and persons who had their documents and personal information accessed unlawfully. The law enforcement agencies are helping to take down and protect the exposed information and identify the people behind the attack. It is presently uncertain who was liable for the cyberattack and whether a nation-state was involved.

The attack investigation is still ongoing, however, the EMA stated that the time frame for reviewing and processing approvals for the vaccines won’t be affected.

Federal Task Force Announces the Probable Russian Origin of the SolarWinds Supply Chain Attack

The Federal Bureau of Investigation (FBI), the Office of the Director of National Intelligence (ODNI), the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) issued a joint statement with the approval of the Trump Administration saying that Russian threat actors are responsible for the supply chain attack on SolarWinds Orion software.

After the attack, the National Security Council formed a task force also known as the Cyber Unified Coordination Group (UCG) with the responsibility of investigating the breach. The task force is composed of CISA, the FBI, and ODNI, with NSA as a support. The task force is still checking out the extent of the data security incident nevertheless has reported that an Advanced Persistent Threat (APT) actor having likely Russian origins conducted the attack.

There are plenty of evidence indicating that the compromise of the SolarWinds software was included in the intelligence getting operation performed by Russia. Although various media outlets have formerly noted the security breach as being led by Russia, the first official public attribution declared by the Trump administration was made by and Secretary of State Mike Pompeo and former Attorney General Bill Barr. President Trump had recently mentioned China could have a participation has yet issued any remark on the attribution to Russia. once again, Russia dismissed any engagement in the attack.

The hackers jeopardized the program update function of SolarWinds Orion software and integrated a backdoor referred to as Sunburst/Solarigate to gain remote access to the systems of companies that got the compromised software program update. The investigation affirmed the fact that the activity has been ongoing for 9 months, and the systems of many entities were affected. The attackers then selected targets of interest to infect. In the second phase of the attack, additional malware was added and the hackers make an effort to get access to victims’ online environments. Microsoft stated that getting access to the web environments of victims was the major purpose of the attack.

The UCG feels that the systems of about 18,000 public and private sector organizations were breached by way of the SolarWinds Orion software update; nevertheless, a lot smaller number saw follow-on activity on their systems. Amazon and Microsoft have began looking into the security breach and were analyzing their web environments for indicators of compromise. Based upon their research, it appears like that the online environments of close to 250 of the 18,000 victims were impacted. That number may well go up as the inspection of the attack proceeds.

A further malware variant referred to as Supernova – a web shell. It was likewise discovered on the systems of certain victims. This malware variant was integrated by exploiting a zero-day vulnerability in the SolarWinds Orion program and doesn’t turn up to have been given by the same attackers.

Less than 10 U.S. government departments had their systems compromised. Most recently, the Department of Justice announced that it was breached. Though the hackers got access to its systems, the DOJ stated the breach only impacted its Microsoft Office 365 email environment and merely around 3% of its mailboxes were impacted. The DOJ stated that none of its identified systems seem impacted by the breach.

Healthcare Companies Warned About DoppelPaymer Ransomware Attacks

The Federal Bureau of Investigation (FBI) is warning the private industry concerning the increase in DoppelPaymer ransomware attacks. Now threat actors are compelling victims to pay the ransom.

The first appearance of the DoppelPaymer ransomware was in the summer of 2019. Since that time, it has become a common variant used by attackers on organizations providing education, medical care and the emergency services. Besides using the Dridex banking Trojan and the Locky ransomware, the Evil Corp (TA505) threat group uses the DoppelPaymer ransomware in its campaigns.

Before using the ransomware to encrypt files, the threat group exfiltrates data so it can use the stolen information to threaten the victims to pay ransom. Even if it’s possible for victims to recover the encrypted files using their backups, they opt to pay the ransom to avert the risk of exposing the stolen information.

The threat group has the reputation of demanding big ransom amounts of up to seven figures. There is reason to believe that group has also resorted to contacting the victims to force them to pay the ransom. Other ransomware groups including Sekhmet, Conti and Ryuk have done the same.

The DoppelPaymer group giving victims a phone call since February 2020 to say that not paying the ransom would result to public exposure or selling of the stolen data. Sometimes, the group uses violence as a threat. For instance, an attacker used a spoofed U.S. number to call a victim and made it look like its a call from North Korea. The attacker also told the victim that if no ransom is paid, someone will go to his house. Then, the attacker also called some of the victim’s kin.

The FBI stated in the alert that some attacks in recent months disrupted the essential services of healthcare companies. A hospital in Germany had to take its to other facilities after an attack. Sadly, one patient died probably because of delayed treatment. A report by law enforcement authorities later stated its likely for the patient to die regardless of the attack due to poor health. As per an FBI report, the attacker did not push through with the extortion when he knew about the risk to patients’ lives. He also provided the decryption keys without demanding anything.

Another ransomware attack last July involved a big U.S. healthcare company. The 13 servers of the company were affected. No ransom payment was made. Backup files were used to restore the system but the recovery process took several weeks. The ransomware group also attacked a 911 dispatch center last September 2020. The center could not access its computer-aided dispatch (CAD) system. Another attack encrypted servers of a county so that it could not access its systems that manage its payroll, patrol, emergency dispatch, and jail sections . Last summer of 2020, there was also an attack that interrupted the emergency services, government functions and the police department of a U.S. city.

Kroll reported a 75% increase in attacks on healthcare providers last October 2020. Ransom payments also grew. Beazley stated that in the first half of 2020, ransom demands from attacks faced by its clients doubled. Coveware noted that Q3 of 2020 had a $234,000 average ransom demand, a 31% increase from Q2.

The FBI still advises companies not to pay ransom demands because it doesn’t ensure file recovery nor prevention of data exposure. When ransom is paid, attackers become more motivated to carry out more attacks.

Over 114,000 Patients’ Data Exposed Due to the Wilmington Surgical Associates Ransomware Attack

In October 2020, the NetWalker ransomware gang stated it attacked the Wilmington Surgical Associates surgical center based in North Carolina. The gang also stated that before deploying the Netwalker ransomware to encrypt files, it had stolen approximately 13GB of documents that contain sensitive information.

The report on the ransomware attack is now posted on the HHS’ Office for Civil Rights breach portal indicating that the attack resulted in the compromise of the protected health information (PHI) of 114,834 patients.

The NetWalker ransomware gang has increased its attacks in 2020 on targeted healthcare providers. It was responsible for the University of California San Francisco ransomware attack which also involved theft of sensitive and valuable research information. The University paid the ransom amounting to $1.14 million to retrieve the encrypted data.

The NetWalker ransomware gang also attacked the following healthcare providers last 2020: the Champaign-Urbana Public Health District in Illinois, the Crozer-Keystone Health System in Philadelphia, and the Brno University Hospital in the Czech Republic. Besides healthcare providers, the group also targeted universities such as the Columbia College of Chicago and Michigan State University.

Cybersecurity company McAfee released a report in August 2020 stating that the NetWalker gang had received ransom payments of at least $29 million since March 2020. The gang is considered to be very successful in its ransomware-as-a-service operations.

The group was found to have attacked big companies and high value targets this 2020 as well. It even recruited affiliates with speciality in performing targeted attacks on big companies that involved attacks on firewalls, web application interfaces, Virtual Private Networks, and Remote Desktop Protocol connections. Just like in the operations of other manual ransomware threat groups, the attacks involved data theft before file encryption. If the victims do not pay the ransom, the stolen information is released on dark net sites.

Because of the growing activities of the NetWalker ransomware gang, the FBI issued a flash alert in July 2020 to warn healthcare providers, educational entities, private sector firms, and government institutions concerning the higher risk of attack.

Ransomware Attack on GenRx Pharmacy and Additional Blackbaud Ransomware Attack Victims

GenRx Pharmacy based in Scottsdale, AZ is sending notifications to a number of patients concerning the potential exposure of some of their protected health information (PHI) because of a ransomware attack. The pharmacy discovered the ransomware attack on September 28, 2020. On the same day, its IT staff acted immediately and blocked the system access of the attacker. The investigation reported the use of ransomware on 27 September but before deploying the ransomware, the attacker exfiltrated some files that contain PHI.

An analysis of the breached files confirmed that they comprised PHI including names, addresses, birth dates, sexuality, patient IDs, allergy data, prescription transaction IDs, drugs lists, health plan details, and prescription data. The pharmacies don’t collect Social Security numbers and do not keep financial details, thus there is no breach of those data. GenRx Pharmacy had backups that were employed to bring back the encrypted information and didn’t pay the ransom.

Though the number of people impacted is presently not clear, GenRx Pharmacy said less than 5% of past patients were affected. Since the attack happened, GenRx has improved its firewall, anti-virus application, integrated a web filter, upgraded network tracking, incorporated multi-factor authentication, and set up a real-time attack detection system. It provided employees extra training and revised internal policies and guidelines as needed. More controls and measures are additionally being looked at to improve security.

Blackbaud Ransomware Attack Impacted Nebraska Methodist Health System and Texas Tech University Health Sciences Center

Two additional victims of the Blackbaud ransomware attack have reported being impacted by the data breach.

Nebraska Methodist Health System has verified that selected personal information and PHI of 39,912 persons were exposed in the attack. Texas Tech University Health Sciences Center has claimed that the incident affected 37,000 people.

The two entities utilize the customer relationship management and financial services solutions of Blackbaud for fundraising reasons. From February 7, 2020 to May 20, 2020, attackers got access to Blackbaud’s systems and could have obtained backup copies of client listings prior to ransomware deployment. Blackbaud paid the ransom demand and the hackers gave assurance of deleting the stolen data.

Nebraska Methodist Health System stated the compromise of these data: Names, demographic and contact data, medical record numbers, purposes for appointments, treating doctors, treating provider, and types of encounter (i.e. emergency outpatient, outpatient surgery, or observation).

The Texas Tech University Health Sciences Center database included names, email, mailing addresses, phone numbers, dates of birth, TTUHSC medical record numbers, names of doctor and specialization.

PHI of 295K Patients Potentially Exposed Due to AspenPointe Cyberattack

AspenPointe Colorado Springs encountered a cyberattack last September 2020 that led to potential patient data exposure. This provider of mental health and behavioral health services decided to shut down its systems while mitigating the attack. But its operations were disrupted for a few days.

Third-party cybersecurity specialists investigated the breach to know the extent of patient data compromise and helped with system restoration. On November 10, 2020, the investigators confirmed the potential access or acquisition of patient records by the attackers.

The documents in the breached systems included patient data such as names and one or more of the following information: birth date, Social Security number, bank account information, driver’s license number, Medicaid ID number, diagnosis code, date of last consultation and dates of admission/discharge.

Upon discovery of the breach, AspenPointe did a total password reset. It also used additional endpoint protection technology to reinforce cybersecurity, tweaked its firewall, and upgraded other processes and network tracking.

The healthcare provider is currently mailing breach notification letters to all patients possibly affected by the attack and is offering them complimentary IDX credit monitoring membership for 12 months. Breach victims are additionally protected by as much as $1 million identity theft insurance plan and, in case warranted, they get identity theft recovery services as well.

In the substitute breach notice issued by AspenPointe, there is no mention of reported fraud, identity theft, or misuse of patient information. There’s also no proof found with regards to actual patient data theft by the attackers.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicated the potential impact of the attack on the protected health information (PHI) of 295,617 patients.