Hackers Expose Data Stolen During the Cyberattack on the European Medicines Agency

A cyberattack on the European Medicines Agency (EMA) last December allowed hackers to access third-party files. Some of the data stolen during the cyberattack has since been leaked on the internet.

The EMA is the organization in charge of regulating the testing and approval of COVID-19 vaccines, treatments, and research in the European Union. The EMA had earlier released an update on its investigation of the cyberattack and stated that only one IT application was breached. The EMA said it had notified all third parties affected by the attack, though it did not name those organizations. In its investigation updates, the EMA stated that the attackers' main objective was to access COVID-19 treatment and vaccine data. Although it was apparent that the attackers had accessed documents, the EMA did not initially confirm that any data had been exfiltrated.

Before the cyberattack, BioNTech and Pfizer had submitted their vaccine data to the EMA as part of the approval process, and the hackers accessed the server holding the documents submitted by Pfizer and BioNTech. Pfizer and BioNTech issued a joint statement in December confirming unauthorized access to documents relating to their BNT162b2 vaccine. Moderna likewise reported receiving notification from the EMA that hackers had accessed information relating to its mRNA-1273 COVID-19 vaccine candidate.

In a January 12, 2021 update, the EMA confirmed that the attackers had exfiltrated data and that some of the unlawfully accessed documents, which related to COVID-19 medicines, had been leaked online.

Neither the EMA, BioNTech, nor Pfizer has revealed which documents were exposed or what data they contained; however, Bleeping Computer reported that information stolen in the attack was posted on several hacking forums. Several sources in the cybersecurity intelligence community confirmed that the exposed information included peer review material, screenshots of emails, and a number of PDF files, Word documents, and PowerPoint slides.

The EMA continues to give its full support to the criminal investigation into the data breach and is continuing to notify other entities and individuals whose documents and personal information were accessed unlawfully. Law enforcement agencies are working to take down the exposed information and to identify the people behind the attack. It is presently unclear who was responsible for the cyberattack and whether a nation state was involved.

The investigation into the attack is still ongoing; however, the EMA stated that the timeline for reviewing and approving the vaccines will not be affected.

Federal Task Force Announces the Probable Russian Origin of the SolarWinds Supply Chain Attack

The Federal Bureau of Investigation (FBI), the Office of the Director of National Intelligence (ODNI), the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) issued a joint statement with the approval of the Trump Administration saying that Russian threat actors are responsible for the supply chain attack on SolarWinds Orion software.

After the attack, the National Security Council formed a task force, the Cyber Unified Coordination Group (UCG), with responsibility for investigating the breach. The task force is composed of CISA, the FBI, and ODNI, with the NSA in a supporting role. The task force is still determining the full extent of the incident but has reported that an Advanced Persistent Threat (APT) actor, likely of Russian origin, conducted the attack.

There is ample evidence that the compromise of the SolarWinds software was part of an intelligence-gathering operation conducted by Russia. Although various media outlets had already attributed the breach to Russia, the first official public attribution from the Trump administration came from Secretary of State Mike Pompeo and former Attorney General Bill Barr. President Trump, who had recently suggested that China might have been involved, has not commented on the attribution to Russia. Russia has once again denied any involvement in the attack.

The hackers compromised the software update mechanism of SolarWinds Orion and inserted a backdoor, referred to as Sunburst/Solarigate, to gain remote access to the systems of organizations that installed the compromised update. The investigation confirmed that the activity had been ongoing for 9 months and that the systems of many organizations were affected. The attackers then selected targets of interest for follow-on activity. In the second phase of the attack, additional malware was deployed and the hackers attempted to gain access to victims' cloud environments. Microsoft stated that gaining access to victims' cloud environments was the primary objective of the attack.

The UCG believes that the systems of about 18,000 public and private sector organizations received the compromised SolarWinds Orion update; however, a far smaller number saw follow-on activity on their systems. Amazon and Microsoft began investigating the breach and analyzed their cloud environments for indicators of compromise. Based on their research, it appears that the cloud environments of around 250 of the 18,000 victims were affected. That number may well rise as the investigation proceeds.

A further piece of malware, a web shell referred to as Supernova, was also discovered on the systems of some victims. It was deployed by exploiting a zero-day vulnerability in SolarWinds Orion and does not appear to have been planted by the same attackers.

Fewer than 10 U.S. government departments had their systems compromised. Most recently, the Department of Justice announced that it had been breached. Although the hackers gained access to its systems, the DOJ stated that the breach only affected its Microsoft Office 365 email environment and that only around 3% of its mailboxes were affected. The DOJ stated that none of its classified systems appear to have been affected.

Healthcare Companies Warned About DoppelPaymer Ransomware Attacks

The Federal Bureau of Investigation (FBI) is warning private industry about an increase in DoppelPaymer ransomware attacks in which the threat actors are using new tactics to pressure victims into paying the ransom.

DoppelPaymer ransomware first appeared in the summer of 2019. Since then, it has become a commonly used variant in attacks on organizations in the education, healthcare and emergency services sectors. In addition to the Dridex banking Trojan and the Locky ransomware, the Evil Corp (TA505) threat group uses DoppelPaymer ransomware in its campaigns.

Before using the ransomware to encrypt files, the threat group exfiltrates data so that it can use the stolen information to pressure victims into paying. Even when victims are able to recover the encrypted files from backups, many opt to pay the ransom to avoid the risk of the stolen data being exposed.

The threat group is known for demanding large ransoms of up to seven figures. The group has also resorted to contacting victims directly to pressure them into paying the ransom, a tactic that other ransomware groups, including Sekhmet, Conti and Ryuk, have also adopted.

Since February 2020, the DoppelPaymer group has been telephoning victims to warn that failure to pay would result in the public release or sale of the stolen data. In some cases the group has threatened violence. In one instance, an attacker used a spoofed U.S. number to make the call appear to originate from North Korea, and told the victim that if the ransom was not paid, someone would be sent to his home. The attacker also called several of the victim's relatives.

The FBI stated in the alert that several attacks in recent months disrupted essential services at healthcare organizations. A hospital in Germany had to divert patients to other facilities after an attack, and one patient died, possibly as a result of delayed treatment. Law enforcement later concluded that the patient would likely have died regardless of the attack because of their poor health. According to the FBI, the attacker abandoned the extortion attempt on learning of the risk to patients' lives and handed over the decryption keys without demanding payment.

Another ransomware attack last July hit a large U.S. healthcare company, affecting 13 of its servers. No ransom was paid; the systems were restored from backups, but recovery took several weeks. The ransomware group also attacked a 911 dispatch center in September 2020, leaving the center unable to access its computer-aided dispatch (CAD) system. Another attack encrypted a county's servers, cutting off access to the systems that manage its payroll, patrol, emergency dispatch, and jail departments. In summer 2020, an attack also disrupted the emergency services, government functions and police department of a U.S. city.

Kroll reported a 75% increase in attacks on healthcare providers in October 2020. Ransom payments have also grown. Beazley stated that in the first half of 2020, ransom demands in attacks on its clients doubled. Coveware noted that the average ransom demand in Q3 2020 was $234,000, a 31% increase over Q2.

The FBI continues to advise organizations not to pay ransom demands, since payment guarantees neither file recovery nor the prevention of data exposure, and every payment motivates attackers to carry out further attacks.

Over 114,000 Patients’ Data Exposed Due to the Wilmington Surgical Associates Ransomware Attack

In October 2020, the NetWalker ransomware gang claimed to have attacked Wilmington Surgical Associates, a surgical center based in North Carolina. The gang also claimed that before deploying the NetWalker ransomware to encrypt files, it had stolen approximately 13GB of documents containing sensitive information.

The attack has now been reported to the HHS' Office for Civil Rights, whose breach portal indicates that the attack compromised the protected health information (PHI) of 114,834 patients.

The NetWalker ransomware gang stepped up its attacks on healthcare providers in 2020. It was responsible for the University of California San Francisco ransomware attack, which also involved the theft of sensitive and valuable research data. The university paid a ransom of $1.14 million to recover the encrypted data.

The NetWalker ransomware gang also attacked the following healthcare providers in 2020: the Champaign-Urbana Public Health District in Illinois, the Crozer-Keystone Health System in Philadelphia, and the Brno University Hospital in the Czech Republic. Besides healthcare providers, the group also targeted universities such as Columbia College Chicago and Michigan State University.

Cybersecurity company McAfee released a report in August 2020 stating that the NetWalker gang had received ransom payments of at least $29 million since March 2020. The gang is considered to be very successful in its ransomware-as-a-service operations.

The group also attacked large companies and other high-value targets in 2020. It even recruited affiliates specializing in targeted attacks on large enterprises, gaining access through firewalls, web application interfaces, Virtual Private Networks, and Remote Desktop Protocol connections. As with other human-operated ransomware groups, the attacks involved data theft before file encryption, and if victims do not pay the ransom, the stolen information is published on dark web leak sites.

Because of the growing activities of the NetWalker ransomware gang, the FBI issued a flash alert in July 2020 to warn healthcare providers, educational entities, private sector firms, and government institutions concerning the higher risk of attack.

Ransomware Attack on GenRx Pharmacy and Additional Blackbaud Ransomware Attack Victims

GenRx Pharmacy, based in Scottsdale, AZ, is notifying a number of patients about the potential exposure of some of their protected health information (PHI) in a ransomware attack. The pharmacy discovered the attack on September 28, 2020, and its IT staff blocked the attacker's access the same day. The investigation determined that the ransomware was deployed on September 27, and that before deploying it the attacker exfiltrated some files containing PHI.

An analysis of the exfiltrated files confirmed that they contained PHI including names, addresses, dates of birth, gender, patient IDs, allergy information, prescription transaction IDs, medication lists, health plan details, and prescription information. The pharmacy does not collect Social Security numbers and does not store financial information, so no such data was breached. GenRx Pharmacy restored the encrypted data from backups and did not pay the ransom.

Although the number of people affected is not yet clear, GenRx Pharmacy said fewer than 5% of past patients were affected. Since the attack, GenRx has hardened its firewall and antivirus software, added a web filter, upgraded network monitoring, implemented multi-factor authentication, and deployed a real-time attack detection system. It has also provided employees with additional training and revised internal policies and procedures where needed, and further controls are being evaluated.

Blackbaud Ransomware Attack Impacted Nebraska Methodist Health System and Texas Tech University Health Sciences Center

Two additional victims of the Blackbaud ransomware attack have reported being impacted by the data breach.

Nebraska Methodist Health System has confirmed that some personal information and PHI of 39,912 individuals were exposed in the attack. Texas Tech University Health Sciences Center reported that the incident affected 37,000 people.

Both entities use Blackbaud's customer relationship management and financial services solutions for fundraising purposes. Between February 7, 2020 and May 20, 2020, attackers had access to Blackbaud's systems and may have obtained backup copies of client databases before deploying ransomware. Blackbaud paid the ransom and the hackers assured Blackbaud that the stolen data had been deleted.

Nebraska Methodist Health System stated that the following data was compromised: names, demographic and contact information, medical record numbers, reasons for appointments, treating physicians and providers, and encounter types (e.g., emergency, outpatient, outpatient surgery, or observation).

The Texas Tech University Health Sciences Center database contained names, email and mailing addresses, phone numbers, dates of birth, TTUHSC medical record numbers, and physicians' names and specialties.

PHI of 295K Patients Potentially Exposed Due to AspenPointe Cyberattack

AspenPointe, a provider of mental health and behavioral health services in Colorado Springs, suffered a cyberattack in September 2020 that potentially exposed patient data. AspenPointe shut down its systems while mitigating the attack, and its operations were disrupted for several days.

Third-party cybersecurity specialists investigated the breach to determine the extent to which patient data was compromised and assisted with restoring the systems. On November 10, 2020, the investigators confirmed that the attackers had potentially accessed or acquired patient records.

The files on the breached systems contained patient names together with one or more of the following: date of birth, Social Security number, bank account information, driver's license number, Medicaid ID number, diagnosis code, date of last visit, and admission/discharge dates.

On discovering the breach, AspenPointe reset all passwords. It also deployed additional endpoint protection technology, reconfigured its firewall, and upgraded its network monitoring and other processes.

The healthcare provider is now mailing breach notification letters to all patients potentially affected by the attack and is offering them 12 months of complimentary credit monitoring through IDX, which includes up to $1 million in identity theft insurance and, where warranted, identity theft recovery services.

AspenPointe's substitute breach notice makes no mention of any reported fraud, identity theft, or misuse of patient information, and no evidence was found that the attackers actually stole patient data.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicated the potential impact of the attack on the protected health information (PHI) of 295,617 patients.

UVM Health Electronic Health Record System is Now Online One Month After Ransomware Attack

A month after being hit by a ransomware attack, the University of Vermont Health Network has reported that its electronic health record (EHR) system is back online. The attack occurred on October 25, 2020 and caused a major outage at six of its hospitals. For the past month, staff had no choice but to record patient information, orders, and prescriptions with pen and paper because the computer systems were offline.

UVM continued to provide patient care throughout the attack and recovery, but restoring the EHR will significantly improve efficiency. The attack caused major disruption, particularly at the University of Vermont Medical Center in Burlington, although every facility in the network was affected. With essential patient data inaccessible, many elective procedures had to be rescheduled, and the radiology department on the main campus experienced delays and was only partially open.

In a November 24, 2020 update, UVM Health reported a significant milestone in its recovery: its Epic EHR system was back online for its inpatient and outpatient areas, including UVM Medical Center, the Central Vermont Medical Center ambulatory clinics, Champlain Valley Physicians Hospital, and Porter Medical Center.

Although electronic patient records can now be accessed and staff can document patient information electronically, the recovery is not yet complete and much work remains. UVM Health teams are continuing to work around the clock to restore everything quickly and safely.

The phone system has been restored, but the MyChart patient portal remains unavailable, so patients cannot yet access their health records online. Hundreds of other patient care applications used by the health network also remain offline. UVM Health is working hard to restore them, and they will be brought back systematically, with priority given to patient-facing systems.

Several other healthcare systems suffered ransomware attacks around the same time as UVM Health. St. Lawrence Health System in New York restored its electronic health record systems two weeks after its attack, but Sky Lakes Medical Center had to replace most of its network equipment and workstations as a result of its attack.

Ashtabula County Medical Center (ACMC) in Ohio was particularly badly affected by a ransomware attack on September 24, 2020. Besides the medical center itself, the attack affected five health centers. Two months after the attack, the EHR has still not been restored, and full restoration is not expected until the end of the year.

Cyberattackers Issue Ransom Demands to Four Winds Hospital, NY and Advanced Urgent Care of Florida Keys

Katonah, NY-based Four Winds Hospital discovered on or around September 1, 2020 that ransomware had encrypted files on its systems. The attack blocked the hospital's access to its computer systems and caused roughly two weeks of downtime while the attack was mitigated.

When Four Winds Hospital learned of the attack, it immediately took steps to prevent further unauthorized access to its systems. Third-party cybersecurity professionals helped to determine the scope of the attack and whether patient information had been compromised.

According to the substitute breach notice issued by Four Winds Hospital, the investigators obtained information indicating that the attackers had deleted the files they had taken, although this could not be independently verified. This suggests that a ransom was paid, although Four Winds Hospital has not confirmed this.

The attack did not affect the electronic health record system, email system, cloud environment, or encrypted data fields. According to the investigation, the attackers accessed password-protected files and may have viewed patient lists dating from 1983 to the present. Those lists contained names and medical record numbers, and 100 of the records also included Social Security numbers. The attackers may also have accessed various files containing patient information from 2013 to the present, including the names, Social Security numbers, and treatment details of Medicare patients admitted to the hospital before 2019.

The incident has not yet appeared on the HHS' Office for Civil Rights breach portal, so the number of patients affected is not yet known.

Advanced Urgent Care of Florida Keys

Advanced Urgent Care of Florida Keys began notifying patients on November 6, 2020 about a ransomware attack that occurred on March 1, 2020. Although the breach notice does not mention it, Databreaches.net reported on March 14, 2020 that patient data had been stolen in the attack and that the attackers had dumped the stolen information online when no ransom was paid.

According to the Advanced Urgent Care breach notice, the investigation into whether patient data had been compromised continued until September 11, 2020. The ransomware encrypted files on a backup drive that contained protected health information (PHI) including names, dates of birth, medical treatment information, lab test results, medical diagnoses, health insurance information, medical record numbers, Medicare or Medicaid beneficiary numbers, medical billing information, bank account details, debit or credit card data, driver's license numbers, CHAMPUS ID numbers, Military and/or Veterans Administration numbers, Social Security numbers, and signatures.

Advanced Urgent Care has offered complimentary credit monitoring services to patients whose Social Security numbers were compromised and has taken steps to strengthen security to prevent further attacks and to detect and remediate future threats.

829,454 Individuals Affected by Luxottica Data Breach

Luxottica, the world's largest eyewear company, has suffered a cyberattack that affected a number of the company's websites.

Luxottica owns eyewear brands including Ray-Ban, Persol, and Oakley and manufactures designer eyewear for many well-known fashion brands. It also operates EyeMed, a vision benefits company, and works with eye care providers through LensCrafters, Pearle Vision, Target Optical, and other eye care businesses.

Luxottica's partners have access to an online appointment scheduling application that allows patients to book appointments with eye care providers online and by telephone. According to the breach notification, unknown individuals hacked the appointment scheduling application on August 5, 2020 and potentially gained access to the personal data and protected health information (PHI) of patients of Luxottica's eye care partners.

Luxottica discovered the cyberattack on August 9, 2020 and immediately took steps to contain it. The subsequent investigation confirmed that the hackers had potentially accessed and obtained patients' personal data and PHI. The information compromised included names, contact details, appointment dates and times, health insurance policy numbers, appointment notes, doctors' notes, and information relating to eye care treatment such as medical conditions, procedures, and prescription medications. The credit card numbers and/or Social Security numbers of some patients may also have been exposed.

Luxottica has received no reports of misuse of personal data or PHI. As a precaution, the company has offered two years of free identity theft protection services through Kroll to individuals whose financial data or Social Security numbers were potentially exposed. Luxottica began sending breach notifications to 829,454 people on October 27, 2020.

Luxottica has suffered other security incidents in 2020. A Nefilim ransomware attack on September 18, 2020 caused significant outages and disruption to the eyewear company's operations in China and Italy, and the attackers stole sensitive data before deploying the ransomware.

Cyberattacks on Timberline Billing Service and University of California San Francisco

A ransomware attack on Timberline Billing Service, LLC, a Medicaid billing company based in Des Moines, IA, resulted in the encryption of files after data had been stolen.

Investigators confirmed that an unknown individual had access to Timberline's systems from February 12, 2020 to March 4, 2020 and deployed ransomware. Before encrypting files, the attacker exfiltrated some data from the systems.

Timberline's clients include around 190 schools in Iowa, and it has notified the affected school districts in the state about the breach. The exact number of schools affected is not yet clear, and it has not been confirmed whether the breach was limited to schools in Iowa, as Timberline also has offices in Illinois and Kansas.

The attacker potentially obtained names, dates of birth, billing information, and Medicaid ID numbers, and the Social Security numbers of a limited number of individuals were also potentially compromised. Although the investigators confirmed that data was stolen, no reports of data misuse have been received.

Timberline has reported the breach to the Department of Health and Human Services' Office for Civil Rights, indicating that 116,131 people were affected.

PHI Breach at University of California San Francisco

A cyberattack on the University of California San Francisco (UCSF) led to the potential compromise of personal and health data held by the UCSF School of Medicine. UCSF discovered the cyberattack on June 1, 2020; it affected a limited part of the School of Medicine's IT systems. No further information was provided about the precise nature of the attack.

A leading cybersecurity expert assisted with the investigation and confirmed that records of current and former UCSF students, employees, collaborators, and research participants were compromised. The data included names, government ID numbers, medical information, health insurance details, Social Security numbers, and some financial information. UCSF states that it is not aware of any misuse of personal data.

UCSF has engaged third-party cybersecurity experts to strengthen its IT security defenses and prevent further breaches.

Sky Lakes Medical Center and St. Lawrence Health System Experience Ransomware Attacks

Two healthcare providers, St. Lawrence Health System in New York and Sky Lakes Medical Center in Klamath Falls, OR, have suffered ransomware attacks that forced them to shut down their computer systems and left clinicians documenting patient information with pen and paper. Both attacks occurred on Tuesday, October 27, 2020 and involved Ryuk ransomware.

Sky Lakes Medical Center announced on its Facebook page that although its computer systems were offline, it would continue to provide patient care. Its emergency and urgent care departments remained open and fully operational, and most scheduled elective procedures went ahead as planned. No evidence has been found that any patient information was compromised, but the investigation is still in its early stages.

The ransomware attack on St. Lawrence Health System was discovered within hours of the initial compromise. A statement from St. Lawrence Health System said its IT department took systems offline to contain the attack and prevent the ransomware from spreading across the entire network.

According to the statement, the attack affected three of St. Lawrence Health System's hospitals: Gouverneur Hospital, Canton-Potsdam Hospital, and Massena Hospital. As a precaution, ambulances were diverted from the affected hospitals to ensure that patients received appropriate care.

As with the Sky Lakes Medical Center attack, no evidence has yet been found that patient data was compromised, although the Ryuk ransomware gang has previously been known to exfiltrate data before encrypting files.

CISA and the FBI, together with the Department of Health and Human Services (HHS), issued a joint advisory this week warning hospitals and public health sector organizations about increasing targeted Ryuk ransomware attacks. There is credible evidence that the number of attacks on hospitals and other healthcare organizations is likely to rise.

Healthcare providers are being urged to take action to protect their systems from ransomware attacks. The advisory includes indicators of compromise and mitigation measures to help organizations prevent attacks and identify attacks in progress.
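The practical use of an advisory's indicators of compromise is to sweep them across whatever logs an organization already keeps. The following is an added example, not code from the advisory, CISA, the FBI, HHS or any organization named on this page, showing the shape of such a sweep over DNS, proxy and endpoint log lines in a simple key=value format. Every indicator (domains, networks, file hash) and every log line below is a constructed placeholder, not one of the advisory's real indicators. Domains are matched on label boundaries and IPs by network membership, so that a naive substring grep's false positives (e.g. a lookalike domain that merely contains an indicator as a suffix string) do not fire.

```python
"""
Sweep sample logs for indicators of compromise (IoCs) from a published advisory.
Added example; all indicators and log lines are constructed for illustration only.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Hypothetical IoC set (constructed placeholders, NOT any advisory's real indicators).
# In practice these would be loaded from the advisory's IoC appendix or a STIX feed.
IOC_DOMAINS: Set[str] = {"update-check.example", "bad-cdn.invalid"}
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.23/32")]  # RFC 5737 ranges
PLACEHOLDER_HASH = "0" * 63 + "1"  # constructed stand-in for a malware SHA-256
IOC_SHA256: Set[str] = {PLACEHOLDER_HASH}

# Constructed sample log lines: "<timestamp> <source> key=value key=value ..."
SAMPLE_LOGS: List[str] = [
    "2020-10-28T14:02:11Z dns client=10.0.5.14 query=cdn.update-check.example type=A",
    "2020-10-28T14:02:12Z proxy client=10.0.5.14 dst=203.0.113.7:443 host=cdn.update-check.example",
    "2020-10-28T14:03:05Z dns client=10.0.7.2 query=notupdate-check.example type=A",  # lookalike, must NOT match
    "2020-10-28T14:05:40Z edr host=WS-0142 file=C:\\Users\\j\\AppData\\Local\\Temp\\svc.exe sha256=" + PLACEHOLDER_HASH,
    "2020-10-28T14:06:00Z dns client=10.0.7.2 query=www.example.com type=A",
    "malformed line with no fields",
]


@dataclass(frozen=True)
class Hit:
    timestamp: str
    source: str
    field: str
    value: str
    indicator: str


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[dict]:
    """Parse '<timestamp> <source> k=v ...'; return None for lines that do not fit the format."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3 or "=" not in parts[2]:
        return None
    fields = dict(KV_RE.findall(parts[2]))
    fields["_ts"], fields["_src"] = parts[0], parts[1]
    return fields


def match_domain(name: str, ioc_domains: Set[str]) -> Optional[str]:
    """Exact or subdomain match on label boundaries: 'cdn.x.example' hits 'x.example',
    but 'notx.example' does not."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def match_ip(value: str, networks) -> Optional[str]:
    """Match an IPv4 'ip' or 'ip:port' value against IoC networks; non-IP values never match."""
    host = value.rsplit(":", 1)[0] if value.count(":") == 1 else value
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    for net in networks:
        if addr in net:
            return str(net)
    return None


def scan_logs(lines: Iterable[str], domains=IOC_DOMAINS, networks=IOC_NETWORKS,
              hashes=IOC_SHA256) -> List[Hit]:
    """Return one Hit per (line, field) whose value matches an indicator of the right type."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not silently matched
        for field, value in rec.items():
            if field.startswith("_"):
                continue
            indicator = None
            if field in ("query", "host"):
                indicator = match_domain(value, domains)
            elif field in ("dst", "src", "client"):
                indicator = match_ip(value, networks)
            elif field == "sha256":
                indicator = value.lower() if value.lower() in hashes else None
            if indicator:
                hits.append(Hit(rec["_ts"], rec["_src"], field, value, indicator))
    return hits


if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(f"{h.timestamp} {h.source}: {h.field}={h.value} matched {h.indicator}")
```

On the constructed sample above the sweep produces four hits (the DNS query, the proxy destination and host on the same client, and the endpoint file hash) and correctly ignores the lookalike domain and the internal client addresses. Correlating the hits by client address and time, as a SIEM rule would, is what turns individual indicator matches into an incident.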

Hackers Blackmail Finnish Psychotherapy Provider and Patients

Vastaamo, a leading psychotherapy provider in Finland, has suffered a cyberattack in which highly sensitive patient information was stolen. The attackers threatened to publish the stolen information unless a ransom was paid, and some patient records have already been published online.

Vastaamo serves around 40,000 patients across more than two dozen clinics in Finland. Last week, Vastaamo began notifying patients of the data breach after an individual contacted three of its employees and demanded a payment of 40 Bitcoin ($500,000) to prevent the stolen patient information from being released.

Vastaamo is not the only party to have received ransom demands. When Vastaamo did not pay, the attacker, who calls himself "the ransom guy", also sent demands to patients, requiring them to pay €200 ($236) in Bitcoin to prevent their data from being published. Initial reports indicated that the records of around 300 patients had been posted on a darknet site, but later reports suggest that a 10GB file containing the records of approximately 2,000 patients was posted on the dark web.

The BBC spoke to one patient who said the attacker gave him 24 hours to pay the initial demand, after which the demand would rise to €500 ($515), before the notes from the psychotherapy he received as a teenager would be published.

Vastaamo reported on its website that its systems appear to have first been accessed at some point in November 2018, and that a second breach took place in March 2019. The stolen information appears to relate to patients treated before November 2018, although records may also have been stolen in the March 2019 breach.

Vastaamo stated that the breach affected the following data: customer names, ID numbers, dates of consultations, and information entered manually by the psychotherapist, which may have included care plans, session notes, and statements submitted by the patient to authorities.

It is not yet clear how many Vastaamo patients were affected by the breach, although the director of Finland’s National Bureau of Investigation, Robin Lardot, believes the records of tens of thousands of patients were stolen. It is also unclear why the threats were only issued now. One possibility is that the stolen data was sold on to a third party, which then launched the extortion campaign.

Records of psychotherapy sessions are among the most sensitive data held by healthcare providers. Patients discuss their problems in consultations in a confidential setting where they feel safe and protected, and information disclosed in sessions may never have been shared with anyone else. Finland’s interior minister called the incident “a shocking act which hits all of us deep down.” He added that Finland must be a country where help for mental health issues is available and can be sought without fear.

For a company offering psychotherapy services, the confidentiality of customer data is vital and is the starting point for all operations. Vastaamo said it deeply regrets the leak resulting from the data breach. Vastaamo also said it has dismissed its CEO, Ville Tapio, for failing to inform its board of directors and parent company about the March 2019 breach.

6 Russian Hackers Charged for Offensive Cyber Campaigns – the 2017 NotPetya Wiper Attacks Included

The U.S. Department of Justice has announced the indictment of 6 Russian hackers for their role in the 2017 NotPetya malware attacks and a long list of other offensive cyber operations against targets in the United States and other countries.

The six individuals are alleged to be members of the GRU, Russia’s Main Intelligence Directorate, specifically GRU Unit 74455, which is known as Sandworm. The Sandworm unit is believed to be responsible for many offensive cyber campaigns conducted over a number of years.

Sandworm is believed to have played a key role in efforts to influence foreign elections, including the 2017 French presidential election and the 2016 U.S. presidential election. One of its most damaging operations was the use of NotPetya malware in 2017. The NotPetya wiper was used in destructive attacks around the world that exploited a vulnerability in Microsoft Windows Server Message Block version 1 (SMBv1).

NotPetya affected a number of medical centers and hospitals, destroying data and shutting down computer systems. It also hit the pharmaceutical company Merck, FedEx subsidiary TNT Express, and the Danish shipping company Maersk. The cost of the NotPetya attack to Merck alone was estimated at $1.3 billion. The total damage caused by the malware is estimated at over $10 billion, and more than 300 firms around the world were affected.

Sandworm was also behind attempts to disrupt the 2018 Winter Olympics using the Olympic Destroyer malware. The attackers also tried to interfere with the investigation into the Novichok poisoning of former Russian spy Sergei Skripal and his daughter, which was being conducted by the Organization for the Prohibition of Chemical Weapons and the U.K.’s Defence Science and Technology Laboratory.

Sandworm was likewise responsible for the destructive attacks on Ukraine’s energy grid between December 2015 and December 2016 and on other government targets using the BlackEnergy, KillDisk, and Industroyer malware, as well as attacks on government entities and companies in Georgia in 2018.

The indicted Russian operatives are Sergey Vladimirovich Detistov, Yuriy Sergeyevich Andrienko, Pavel Valeryevich Frolov, Artem Valeryevich Ochichenko, Anatoliy Sergeyevich Kovalev, and Petr Nikolayevich Pliskin. Each has been charged with 7 counts:

  • one count of conspiracy to commit computer fraud and abuse
  • one count of conspiracy to commit wire fraud
  • one count of intentional damage to a protected computer
  • two counts of wire fraud
  • two counts of aggravated identity theft, including false registration of domain names

The maximum sentence if convicted on all 7 counts is 71 years in prison. The indictment also details the specific role each defendant played in the attacks and reflects the intelligence gathered on each individual by intelligence agencies, foreign governments, law enforcement, and private firms.

Russia has responded by denying any involvement in the cyberattacks attributed to the hackers. A spokesperson for the Russian embassy in Washington said that Russia does not and did not have any motive to engage in any kind of destabilizing activity anywhere in the world.

It is unlikely that the charged individuals will ever stand trial, since there is no extradition treaty between Russia and the United States.

Data Breaches at Piedmont Cancer Institute, McLaren Oakland Hospital and The Health and Wellness Clinic

Piedmont Cancer Institute (PCI) in Atlanta, GA is notifying 5,226 patients that some of their protected health information (PHI) may have been compromised after an unauthorized person gained access to an employee’s email account.

An independent cybersecurity firm helped PCI confirm that the email account had been accessible to the intruder for over a month: the unauthorized individual first gained access on April 5, 2020, and PCI secured the account on May 8, 2020.

The review of the compromised account was completed on August 8, 2020 and showed that it contained protected health information. In addition to names, the patients affected by the breach had one or more of the following data elements exposed: date of birth, credit/debit card number, financial account information, and/or medical information such as diagnosis and treatment details.

To prevent further breaches, PCI has implemented multi-factor authentication on its email accounts and provided additional email security training to its employees.

McLaren Oakland Hospital Identified Potential Data Breach

McLaren Oakland Hospital in Pontiac, MI has discovered that the PHI of 2,219 patients was exposed and may have been accessed by unauthorized individuals.

On July 10, 2020, McLaren Oakland learned that a file on a desktop computer contained an unauthorized, unsecured URL pointing to a file containing the protected health information of current and former patients.

No evidence was found of unauthorized access to any of the sensitive information in the file, and no reports have been received suggesting that patient information was misused. As a precaution, McLaren Oakland Hospital advised the affected individuals to monitor their account statements and credit reports for any sign of misuse of their PHI. The hospital also offered affected patients complimentary identity theft protection and monitoring services.

When the PHI exposure was discovered, the hyperlink was disabled. Investigators found that an employee had accidentally made the hyperlink insecure. McLaren Oakland has reviewed its policies and procedures and given staff further training on patient privacy and data security.

Patient Records Stolen from Health and Wellness Clinic in Edmonds, WA

The Health and Wellness Clinic is a provider of natural medicine and physical care services based in Edmonds, WA. Thieves broke into its facility and stole patient records.

Over the weekend of August 29 to 30, a burglar forced open a locked storage room off the clinic’s massage suite. The room appeared to have been rummaged through, documents had been removed from several files, and a box of paper files was missing. The stolen documents contained data such as names, Social Security numbers, dates of birth, medical histories, and treatment information.

The Health and Wellness Clinic reported the theft to the police. The police investigated, identified a suspect, and recovered the stolen box of paper records. It is not yet clear how many paper records were taken from the clinic.

Business Associate Pays Penalty of $2.3 Million for ePHI Exposure of 6M People and Multiple HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 10th HIPAA violation penalty of 2020. It is the seventh financial penalty to settle HIPAA violations to be announced within a matter of days.

The latest financial penalty is the largest imposed in 2020. The $2.3 million settlement resolves a case involving 5 potential violations of the HIPAA Rules, including the exposure of the electronic protected health information (ePHI) of 6,121,158 people.

Tennessee-based CHSPSC LLC is a management company that provides services to numerous subsidiary hospital operator companies and other affiliates of Community Health Systems. Those services include legal, accounting, compliance, operations, IT, health information, and human resources management. Providing them requires access to ePHI, so CHSPSC is classed as a business associate and must comply with the HIPAA Security Rule.

On April 10, 2014, CHSPSC suffered a cyberattack by an advanced persistent threat group known as APT18. The attackers used compromised administrator credentials to remotely access CHSPSC’s information systems through its virtual private network (VPN) solution. CHSPSC did not detect the attack until the Federal Bureau of Investigation (FBI) notified it on April 18, 2014 that its systems had been breached.

While the hackers had access to CHSPSC’s systems, the ePHI of 6,121,158 people was downloaded. The records had been provided to CHSPSC by 237 HIPAA-covered entities that used CHSPSC’s services. The stolen data included the following data elements: name, date of birth, gender, telephone number, email address, Social Security number, ethnicity, and emergency contact information.

OCR investigated the breach and found systemic noncompliance with the HIPAA Security Rule. Although it may not always be possible to prevent cyberattacks by sophisticated hackers, once an attack is detected, action should be taken immediately to limit the harm caused. Despite being alerted by the FBI in April 2014 that its systems had been compromised, the hackers remained active in CHSPSC’s information systems for 4 months and were only removed in August 2014. During that time CHSPSC failed to prevent unauthorized access to ePHI, in violation of 45 C.F.R. §164.502(a), and the attackers continued to steal ePHI.

The failure to respond to a known security incident from April 18, 2014 to June 18, 2014, to mitigate the harmful effects of the breach, and to document the incident and its outcome violated 45 C.F.R. § 164.308(a)(6)(ii).

OCR investigators found that CHSPSC had failed to conduct an accurate and thorough risk analysis to identify the risks to the availability, integrity, and confidentiality of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Technical policies and procedures to restrict access to the information systems containing ePHI maintained by CHSPSC to authorized persons and software programs had not been implemented, in violation of 45 C.F.R. § 164.312(a).

Procedures had not been implemented to ensure that information system activity records, such as logs and system security event monitoring reports, were regularly reviewed, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).
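
The last violation above concerns routine review of activity records, and the attack itself involved administrator credentials used over a VPN. The Python script below is an added illustration of that kind of review; it is not CHSPSC’s or OCR’s tooling, and the log format, the privileged-account list, the internal address range, the business-hours window and the sample log lines are all constructed for the example. It flags successful administrator logins from outside the internal address range, administrator logins outside business hours, failed administrator logins, and any administrator account seen from two or more source addresses within a 24-hour window.

```python
"""Routine review of VPN authentication records for misuse of administrator
credentials.  Added illustration, not CHSPSC's or OCR's own tooling: the log
format, the privileged-account list, the internal address range and the
sample lines are all constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN log in an assumed "timestamp user source_ip result" format.
SAMPLE_VPN_LOG = """\
2014-04-05T08:02:11Z jdoe      10.20.30.40  SUCCESS
2014-04-05T08:05:42Z admin_ops 10.20.30.41  SUCCESS
2014-04-05T23:14:03Z admin_ops 203.0.113.17 SUCCESS
2014-04-06T02:48:59Z admin_ops 203.0.113.17 SUCCESS
2014-04-06T02:49:30Z admin_ops 203.0.113.18 FAILURE
2014-04-06T09:00:00Z jdoe      10.20.30.40  SUCCESS
"""

ADMIN_ACCOUNTS = {"admin_ops"}    # assumed list of privileged VPN accounts
INTERNAL_PREFIXES = ("10.",)      # assumed corporate address range
BUSINESS_HOURS = range(7, 19)     # assumed 07:00-18:59 UTC

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAILURE)\s*$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, ip, result = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "result": result,
    }


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def review_vpn_log(text, admin_accounts=ADMIN_ACCOUNTS, window=timedelta(hours=24)):
    """Return {finding_type: [log line or description, ...]} for privileged accounts.

    Only administrator accounts are examined; the checks are the ones a reviewer
    would apply by hand when reading through the day's VPN records.
    """
    findings = defaultdict(list)
    successes = defaultdict(list)   # user -> [(timestamp, source_ip), ...]

    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] not in admin_accounts:
            continue
        if rec["result"] != "SUCCESS":
            findings["admin_auth_failure"].append(line)
            continue
        successes[rec["user"]].append((rec["ts"], rec["ip"]))
        if not is_internal(rec["ip"]):
            findings["external_admin_login"].append(line)
        if rec["ts"].hour not in BUSINESS_HOURS:
            findings["off_hours_admin_login"].append(line)

    # An administrator account seen from two or more source addresses inside one
    # window deserves a look: the same credentials are in use from more than one place.
    for user, events in successes.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ips = {ip for ts, ip in events[i:] if ts - start <= window}
            if len(ips) >= 2:
                findings["multiple_source_ips"].append(
                    f"{user} logged in from {sorted(ips)} within {window}")
                break

    return dict(findings)


if __name__ == "__main__":
    for kind, items in review_vpn_log(SAMPLE_VPN_LOG).items():
        print(f"{kind}:")
        for item in items:
            print("   ", item)
```

Run against the constructed sample, the script reports two external administrator logins, two off-hours logins, one failed administrator login and one account seen from two addresses within a day. The thresholds are deliberately simple; in practice the internal range, the privileged-account list and the business-hours window would come from the organization’s own inventory, and the review would be scheduled rather than run by hand.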

Threat actors and cybercriminals frequently target the healthcare sector. The failure to implement the security requirements of the HIPAA Rules, particularly after being notified by the FBI of a probable breach, cannot be excused, so a substantial financial penalty was appropriate.

CHSPSC chose not to contest the case and agreed to pay the financial penalty to settle the HIPAA violations. The settlement also requires CHSPSC to adopt a robust corrective action plan addressing all areas of noncompliance, and CHSPSC will be closely monitored by OCR for two years.

Patient Died Because of a Hospital Ransomware Attack

Patient safety is put at risk by ransomware attacks on hospitals. File encryption causes essential systems to crash and communication systems to fail, preventing clinicians from accessing patients’ health records.

Highly disruptive attacks can force hospitals to redirect patients to other facilities, which recently happened at the University Clinic in Düsseldorf, Germany following a ransomware attack. One patient who needed emergency treatment for a life-threatening condition was redirected to a facility in Wuppertal, roughly 21 miles away. The redirection delayed treatment by an hour, and the patient later died. The death may have been avoided had the patient been treated sooner.

The ransomware attack, which occurred on September 10, 2020, completely disabled the clinic’s systems. Investigators confirmed that the attackers gained access to the network by exploiting a vulnerability in a widely used commercial add-on software product. As the encryption progressed, hospital systems began to crash, making medical records unavailable.

The clinic had to suspend registration for emergency care, postpone doctor visits, and halt outpatient care. Patients were told that visits to the clinic would be on hold until the attack was resolved. A week later the hospital had still not resumed normal operations, although it had begun to bring crucial systems back online.

According to the latest Associated Press report, the attack affected 30 of the hospital’s servers. The attackers’ ransom demand was found on an encrypted server. The hospital notified the police, who used the information in the ransom note to contact the attackers.

It appears the attackers did not intend to attack the clinic, since the ransom note was addressed to Heinrich Heine University in Düsseldorf. Law enforcement informed the attackers that the attack had hit the hospital and was endangering patient safety.

The attackers then provided the decryption keys for the files and did not pursue the extortion. It was not possible to contact the attackers after that. Law enforcement is still investigating the attack, and charges of negligent homicide may be brought against the attackers.

So far there have been no confirmed cases of a ransomware attack on a healthcare provider directly causing the death of a patient. However, when ransomware attacks disable hospital systems, patients may be unable to receive treatment for life-threatening conditions, which can lead to tragic outcomes.

Several ransomware groups have publicly stated that they will not attack healthcare facilities where hospital systems would be affected, and that they will provide the decryption keys free of charge if such an attack does occur. Nonetheless, recovering from an attack is difficult whether or not decryption keys are provided, and other ransomware groups have made no such statements and continue to attack medical facilities.

Breaches at Imperium Health, Atrium Health and Saint Luke’s Foundation

Imperium Health Management of Louisville, KY, a development services provider to Accountable Care Organizations (ACOs), is notifying 139,114 people that some of their protected health information (PHI) may have been compromised as a result of a recent phishing attack.

Imperium Health discovered the attack on April 23, 2020. According to the investigation, two email accounts were compromised, one on April 21, 2020 and the other on April 24, 2020, after employees responded to phishing emails. The emails contained hyperlinks that appeared legitimate but took the employees to a web page where their email credentials were harvested.

An analysis of the compromised email accounts showed that they contained the following PHI: patient names, dates of birth, addresses, medical record numbers, health insurance information, account numbers, Medicare numbers, Medicare Health Insurance Claim Numbers (which probably included Social Security numbers), and some clinical and treatment information. Imperium Health only learned on June 18, 2020 that the email accounts contained PHI.

An independent computer forensics firm assisted with the investigation and confirmed that only two email accounts were compromised. The attackers did not access any other part of Imperium Health’s systems. Although it is possible that the attacker viewed or obtained patient information, no evidence has been found to suggest that the attacker viewed, acquired, or misused patient data in any way.

Imperium Health has implemented additional security measures to protect its systems against further cyberattacks, including two-factor authentication for remote access to email accounts and new procedures for securing transfers of sensitive data. Employees have also received further training on email security and identifying phishing emails.

Blackbaud Ransomware Attack Impacts Atrium Health and Saint Luke’s Foundation

Saint Luke’s Health Foundation has reported that the personal and demographic data of 360,212 people was compromised in the recent Blackbaud ransomware attack.

The attackers obtained a backup copy of a database and used it to extort money from Blackbaud. The data is believed to have been acquired at some point between February 7, 2020 and May 20, 2020. Blackbaud chose to pay the ransom to obtain the keys to decrypt the encrypted files and to prevent any further exposure of the data stolen in the attack. Blackbaud believes the attacker did not expose any data to any party or to the public, and that all stolen data has been permanently deleted.

The compromised data included names, mailing and email addresses, phone numbers, and/or dates of birth. Some patients may also have had the names of their guarantors exposed, along with some patient medical data such as dates of service and patient care departments.

Atrium Health, a leading healthcare system in the country with more than 900 care locations, has also reported that the Blackbaud ransomware attack affected its patients’ data. The compromised patient data included first and last names, contact details, demographic data (such as date of birth, guarantor details, decedent status where applicable, and patient ID numbers), dates of treatment, locations of service, and the names of treating doctors. For minors affected by the breach, the guarantor’s name and relationship were also exposed. The dates and amounts of donations made by patients who gave to Atrium Health were also stolen.

Over 60,000 People Affected by Ransomware Attacks on Northwestern Memorial HealthCare and the City of Lafayette

Northwestern Memorial HealthCare has learned that the personal data of people who previously donated to it may have been compromised in the recent Blackbaud ransomware attack. An unauthorized person first accessed Blackbaud’s systems on February 7, 2020 and may have continued to access them until the ransomware was deployed on May 20, 2020.

Before deploying the ransomware, the attacker may have accessed a backup of a database that stored names, dates of birth, ages, genders, medical record numbers, departments of service, dates of service, treating doctors, and/or limited clinical data. The Social Security numbers and/or financial/payment card details of 5 people were also found in the database. In total, the details of 55,983 Northwestern Memorial HealthCare donors were probably compromised in the attack.

Northwestern Memorial HealthCare is reviewing its third-party database storage vendors and its relationship with Blackbaud to prevent similar data breaches in the future.

Names and Medical Insurance Data of 15,000 Lafayette Fire Department Ambulance Users Exposed

On July 27, 2020, a ransomware attack on the City of Lafayette, CO disrupted its telephone, email, online billing, and reservation systems, and essential data became inaccessible. After weighing the costs and benefits of all possible options, the city decided to pay the attackers $45,000 to avoid major disruption to its online operations.

Before deploying the ransomware, the attackers may have accessed personal data stored on Lafayette’s computer systems, including city employees’ Social Security numbers and the usernames and passwords of people who used its online services. The attackers may also have obtained the names and medical insurance identification numbers of 15,000 people transported by Lafayette Fire Department ambulances before January 1, 2018.

The city has removed the ransomware, restored its network servers and computers, deployed crypto-safe backup systems, and implemented additional cybersecurity measures to prevent further ransomware attacks.

Cyber Attacks on R1 RCM Medical Collection Agency and Beaumont Health

One of the largest medical debt collection companies in the US has suffered a ransomware attack. Chicago-based R1 RCM, formerly known as Accretive Health Inc., reported $1.18 billion in revenue in 2019 and works with more than 750 healthcare clients. The number of clients affected by the attack is not yet known.

Brian Krebs of Krebs on Security recently reported the breach. R1 RCM confirmed the ransomware attack, which forced it to shut down its systems. Restoration efforts are still in progress.

No information has been released about the type of ransomware used in the attack, and it is not known whether the attackers stole patient information before encrypting files. Krebs, however, reported that Defray ransomware was used. Defray is typically distributed through malicious Word documents in small, targeted email campaigns, and the threat actors using it have attacked the education and healthcare sectors in the past.

In 2019, American Medical Collection Agency (AMCA), another medical debt collection agency, suffered a ransomware attack in which the attackers stole about 27 million records before encrypting data. The AMCA incident was the largest data breach of 2019, and the cost of the attack forced AMCA into bankruptcy. Since R1 RCM has far more clients than AMCA, this ransomware attack could be much larger, although it is not yet known whether the Defray attackers stole data before encrypting files.

6,000 Patients Affected by Beaumont Health Phishing Attack

Beaumont Health, the largest healthcare system in Michigan, has begun notifying 6,000 patients that some of their protected health information (PHI) may have been accessed by unauthorized people as a result of a phishing attack.

Unauthorized individuals had access to several employee email accounts from January 3, 2020 to January 29, 2020. Beaumont Health discovered on June 5, 2020 that one or more of the compromised email accounts contained patient information. The following data may have been included: names, dates of birth, diagnosis codes, diagnoses, procedures performed, treatment location, treatment type, medication details, Beaumont medical record numbers and patient account numbers. Beaumont Health notified the affected patients of the incident on July 28, 2020.

This is Beaumont Health’s second reported data breach related to a phishing attack in 2020. In April, the health system notified 112,000 people about a phishing attack that occurred in 2019. Following the attacks, Beaumont Health took significant steps to improve email security, including enhancing its multi-factor authentication solution, completing a risk analysis, and giving Beaumont staff additional training and education on identifying and handling malicious emails. Internal policies and procedures were also revised to identify and remediate potential threats and reduce the likelihood of a similar incident in the future.

Ransomware Attacks on Four Healthcare Companies and a Ventilator Manufacturer

Boyce Technologies Inc., a transport communication systems provider based in Long Island City, NY, recently retooled its manufacturing facilities to produce ventilators for hospitals to use during the pandemic. Boyce Technologies was hit with DoppelPaymer ransomware, and data was stolen prior to file encryption. The threat actor published some of the stolen information on its blog, including assignment forms, purchase orders, and other sensitive information.

The FDA approved Boyce Technologies Inc. to produce ventilators, and the company was manufacturing approximately 300 machines per day. Hospitals in New York use the ventilators, and the company is now producing ventilators for other locations. The ransomware attack threatens the production of those ventilators and may put lives at risk.

Piedmont Orthopedics/OrthoAtlanta, an orthopedic and sports medicine network in the greater Atlanta area, suffered a Pysa (Mespinoza) ransomware attack. As with the Boyce Technologies attack, the threat actors stole sensitive information before encrypting files. Databreaches.net reported that the threat actors published approximately 3.5 GB of data online, including files containing patients’ protected health information (PHI).

The Center for Fertility and Gynecology in Los Angeles, CA and Olympia House Rehab in Petaluma, CA, meanwhile, suffered Netwalker ransomware attacks. The threat actors stole data, including patients’ PHI, and published it online.

Muskingum Valley Health Centers in Zanesville, OH recently notified 7,447 of its patients that threat actors may have obtained some of their PHI as a result of a ransomware attack on the electronic health record (EHR) system of OB GYN Specialists of Southeastern Ohio Inc., which contained the information of patients treated from 2012 to 2017. The attack occurred on May 31, 2020, but Muskingum Valley did not identify the incident until June 2.

Investigators found no evidence that patient information was stolen before the ransomware was deployed, although data theft cannot be ruled out. The attackers most likely had access to names, dates of birth, addresses, diagnoses, health conditions, laboratory test data, treatment data, insurance claim details, Social Security numbers, and financial data.

Muskingum Valley has offered affected individuals free credit monitoring and identity theft recovery services for 2 years, and has updated its security policies, procedures and passwords to prevent further attacks.

According to Emsisoft, 41 healthcare providers reported ransomware attacks in the first six months of 2020. Double-extortion attacks, which involve threats to expose or sell data if the victim does not pay the ransom, are on the rise as more threat groups adopt this tactic. Emsisoft reports that about 1 in 10 ransomware attacks now involve data theft.