Enloe Medical Center’s EMR Downtime Because of Ransomware Attack

A ransomware attack on Enloe Medical Center in Chico, CA two weeks ago is still keeping the California healthcare provider’s medical record system out of action.

Enloe Medical Center identified the attack on January 2, 2020. The attack encrypted its entire network, including the electronic medical record (EMR) system, leaving staff unable to access patient information. The provider quickly implemented emergency protocols to continue providing care to patients, and only a few elective medical procedures were rescheduled.

The attack also took the telephone system down on the day it occurred. Enloe Medical Center had the telephone system restored the next day; however, its EMR system remained out of action, and employees are recording patient data with pen and paper.

Although some appointments were canceled one week after the attack, Enloe Medical Center says care is being delivered to patients promptly while the technical team works on restoring systems. No information has been publicly disclosed about the type of ransomware used by the attacker. According to the initial findings of the investigation, however, no patient data has been compromised.

Enloe’s chief financial officer, Kevin Woodward, said that the company took immediate steps to restore critical operating systems and secure the network upon learning of the incident. At this time, there is no evidence that patient medical data has been compromised. Local and federal law enforcement agencies have received Enloe’s report about the ransomware attack, and the investigation is ongoing.

Ransomware attacks increased continuously throughout 2019, and the trend is unlikely to slow down. Besides encrypting files, a number of ransomware gangs are using a new strategy to increase the likelihood of ransom payment: before deploying the ransomware, they steal sensitive data.

Recent attacks have used various ransomware variants, including MegaCortex, Maze, LockerGoga, and Sodinokibi, with the attackers stealing data prior to deploying the ransomware. Those using Maze and Sodinokibi threatened to expose the stolen information if the victims did not pay, and actually published the sensitive data when the victims decided not to pay the ransom.

Data Breaches at North Ottawa Community Health System and Center for Health Care Services

North Ottawa Community Health System (NOCH) found that an employee at North Ottawa Community Hospital in Grand Haven, MI, had accessed patients’ medical records without authorization over a period of around 3 years.

Another employee reported the matter to the health system on October 15. The alleged inappropriate access was investigated two days later, and the employee was suspended pending the investigation findings.

On November 25, 2019, NOCH confirmed that the employee had accessed the patient records of 4,013 individuals without authorization between May 2016 and October 2019. The access followed no apparent pattern; patient records appear to have been accessed at random.

There was no evidence suggesting that any patient information was stolen. NOCH believes the employee accessed patient data simply out of curiosity.

The employee potentially accessed the following types of information: names, birth dates, Social Security numbers, Medicaid and Medicare numbers, medical insurance details, and certain health data. NOCH offered free one-year credit monitoring and identity theft protection services to any patient whose Social Security number was viewed.

All staff members received additional training on NOCH policies governing medical record access, and controls on employee access to patient records were tightened.

NOCH has reported the breach to the Department of Health and Human Services’ Office for Civil Rights. OCR will decide whether further action is to be taken against the employee for the HIPAA violation.

Center for Health Care Services’ Computer Systems Shutdown Due to Cyberattack

A cyberattack on the Center for Health Care Services (CHCS) in San Antonio, TX during the holiday period forced it to shut down its computer systems.

CHCS provides healthcare services to people with mental health issues, developmental disabilities, and substance abuse disorders. It operates a number of walk-in clinics and outreach centers in the San Antonio area.

After federal officials notified CHCS about the cyberattack, its IT team determined that only one server was affected. As a precaution, CHCS shut down its computer systems. The IT department has begun restoring them and will bring them back online one by one, beginning with the systems of its largest clinics. The repair work may take several days.

The cyberattack is part of a larger campaign that began before the holidays. It is not known at this time how many organizations were affected.

Malware Infection on New Mexico Hospital Imaging Server

The radiology department of Roosevelt General Hospital in Portales, New Mexico identified malware on a digital imaging server, which may have allowed cybercriminals to access the radiological images of about 500 patients.

The malware infection was identified on November 14, 2019, and quick action was taken to isolate the server, prevent further unauthorized access, and block communications with the attackers’ command and control server. The IT team removed the malware, rebuilt the server, and recovered all patient data. A scan was performed to check for any remaining vulnerabilities, and the hospital is now satisfied that the server is secure.

The breach investigators found no evidence that the hackers viewed or stole protected health information (PHI) or medical images; nevertheless, the possibility of unauthorized data access and PHI theft cannot be ruled out.

The security breach investigation is still in progress, but the hospital’s IT team has verified that only the imaging server was affected. The medical record and billing systems were not affected. The types of information potentially compromised include names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, medical information, and patients’ genders.

All patients whose information was accessible through the server were sent breach notification letters by mail and were advised to monitor their credit reports for signs of fraudulent activity. To date, the hospital has received no reports of patient information misuse.

The Department of Health and Human Services’ Office for Civil Rights has not yet published the incident on its breach portal, so the exact number of patients affected has not yet been reported. According to RGH Marketing and Public Relations Director Jeanette Orrantia, the hospital submitted the breach report to OCR within 60 days of discovering the incident.

Data Breaches at Cancer Center of Hawaii and Zuckerberg San Francisco General Hospital

A ransomware attack on the Cancer Center of Hawaii in Oahu on November 5, 2019 forced the shutdown of its network servers. It also left the center temporarily unable to provide radiation treatment to patients at Pali Momi Medical Center and St. Francis’ hospital in Liliha.

Though patient services were disrupted, the center believes the attackers did not access any patient data. The breach investigation is continuing, but all data stored on the radiology machines has been recovered and the network is operational again.

It is unknown how long the network was offline, and information about the types of patient information potentially compromised is still unavailable.

The Cancer Center has notified the FBI about the breach. If the forensic investigators determine that hackers gained access to patient data, the appropriate authorities will also be notified of the incident.

The breach affected only the Cancer Center’s systems. The attack did not affect St. Francis’ hospital or Pali Momi Medical Center, since their patient record systems are separate from the Cancer Center’s.

Zuckerberg San Francisco General Hospital’s Improper Disposal Incident

Zuckerberg San Francisco General Hospital has informed 1,174 patients that meal tickets containing their protected health information (PHI) were improperly disposed of.

The PHI printed on the meal tickets included the patients’ full names, their bed/unit in the hospital, birth month, dietary requirements, and food selections. Meal tickets should be disposed of in confidential waste bins; instead, the tickets were discarded with the regular trash.

The breach occurred because a staff member was unaware that the meal tickets had to be shredded. The San Francisco Department of Health learned of the improper disposal on November 15, 2019. The meal tickets had been discarded incorrectly from June 18 to November 4. After the breach was discovered, staff were directed to follow the correct procedures for disposing of sensitive information.

Ransomware Attack on Large Canadian Medical Testing Company Potentially Impacts 15 Million Customers

LifeLabs in Toronto, one of Canada’s largest medical testing and diagnostics firms, has reported a serious data breach. Hackers potentially accessed the personal and health data of about 15 million people, most of whom reside in British Columbia and Ontario. Given the number of individuals potentially affected, the incident ranks as one of the largest healthcare ransomware attacks to date. The privacy commissioners of the two provinces called the incident extremely troubling because of its scale.

After gaining access to its systems, the attackers deployed ransomware and encrypted a substantial amount of client information. Investigators are still examining the attack, so it remains uncertain what data was stolen. It has been confirmed that the attackers accessed parts of the system containing 2016 and earlier test data of about 85,000 Ontarians. There is no evidence of access to current test data, or to medical test data of clients in other locations.

Some of that test data includes highly sensitive health information that attackers could potentially use for blackmail. The sensitive information includes names, dates of birth, email addresses, usernames, passwords, and health card numbers. So far, the compromised data does not appear to have been misused or disclosed on the internet. According to the preliminary results of the investigation, the incident poses a low risk to clients.

It is unclear whether LifeLabs had backups from which to recover the data; in any case, the company decided to pay the ransom. LifeLabs did not publicly disclose the amount. LifeLabs chief executive officer Charles Brown said that they wanted the data back and believed paying the ransom was the smart thing to do in the best interests of their customers.

Cybersecurity and computer forensics specialists are securing LifeLabs’ systems and determining the full extent of the ransomware attack. It may take more time to establish whether the attackers stole any customer data.

The attack is believed to have begun on or before November 1, 2019, but it only became public on December 17, 2019. LifeLabs has notified the affected individuals and offered them 12 months of free credit monitoring and identity theft protection services.

Ransomware Attack on Hackensack Meridian Health

A recent cyberattack on Hackensack Meridian Health, New Jersey’s largest health network, resulted in ransomware being deployed on its network. The ransomware encrypted files and took the network offline for two days.

With no access to computer systems or health records, Hackensack Meridian Health had to cancel non-emergency medical procedures. Physicians and nurses had to use pen and paper to continue caring for patients.

Hackensack Meridian Health detected the attack immediately and notified law enforcement and government authorities. Cybersecurity specialists were consulted on the best course of action. The health network initially said it was experiencing external technical problems so as not to interfere with the investigation; it later confirmed that a ransomware attack had occurred.

Recovering the encrypted files from backups and restoring the computer systems could have taken many weeks. To avoid continued disruption to patient services, the provider decided to pay the ransom. A Hackensack Meridian Health spokesperson said it is their obligation to safeguard their communities’ access to medical care.

Hackensack Meridian Health did not publicly disclose the amount of the ransom paid, but it confirmed that its cybersecurity insurance policy will cover a portion of the cost of the ransom payment and remediation work.

Hackensack Meridian Health has announced that its principal clinical system is now fully operational; other parts of the system may take a few more days to come back online.

A number of healthcare providers and business associates have also reported ransomware attacks in recent weeks. Last week alone, the Cancer Center of Hawaii reported an attack and had to postpone patients’ radiology treatments, and a Colorado business associate reported a ransomware attack that affected over 100 dental practices.

In its most recent cybersecurity newsletter, the HHS’ Office for Civil Rights points out how HIPAA compliance can help prevent ransomware attacks and ensure that healthcare organizations can recover quickly when hackers breach their defenses.

Insider Data Breach at Nebraska Medicine and Phishing Attack at Presbyterian Healthcare Services

Nebraska Medicine found that an employee accessed patients’ medical records without a legitimate work reason over a period of roughly three months.

Nebraska Medicine discovered the privacy violation during a routine audit of its medical record system. The audit revealed that the employee first accessed the patient records on July 11, 2019 and continued to do so until October 1, 2019, when the violations were discovered.

Upon discovering the breach, steps were taken to prevent further unauthorized access while the matter was investigated. The employee in question was dismissed a day after the privacy violations were discovered.

According to a statement from Nebraska Medicine, the affected individuals were notified by mail, and anyone whose Social Security number was potentially compromised received 12 months of complimentary credit monitoring services as a precaution.

Nebraska Medicine believes that no sensitive information was or will be misused, suggesting that the employee accessed the records out of curiosity. The number of individuals affected is not yet known.

The breach notification letter sent to affected patients stated that the types of information potentially accessed include names, addresses, birth dates, Social Security numbers, medical record numbers, driver’s license numbers, clinical data, physicians’ notes, lab test results, and medical images.
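Both the NOCH and the Nebraska Medicine incidents above were insiders browsing records they had no work reason to open, and Nebraska Medicine found its case through a routine audit of the medical record system. The following is an added example, not code from the original digest or from either organization, of the kind of audit logic that surfaces such behaviour: it reads an EMR access log, compares each access against the units the user is assigned to, and flags users who repeatedly open charts of patients outside their own units, reporting the date range of the activity. The log format, the roster and the threshold are constructed assumptions; real EMR audit logs differ by vendor.

```python
"""
Added example, not part of the original news digest: a simple EMR access
log audit of the kind that surfaced the NOCH and Nebraska Medicine insiders.
It flags users who repeatedly open records of patients on units they are
not assigned to and reports the date range of that activity.

The log format, the staffing roster and the threshold are constructed
assumptions; real EMR audit logs differ by vendor.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: date,user,patient_id,patient_unit
ACCESS_LOG = """\
2019-07-11,nurse_a,P1001,ICU
2019-07-11,nurse_a,P1002,ICU
2019-07-11,clerk_b,P2001,ONC
2019-07-12,clerk_b,P3050,ICU
2019-07-12,clerk_b,P4099,ED
2019-07-13,clerk_b,P5123,MAT
2019-07-13,nurse_a,P1003,ICU
2019-07-14,clerk_b,P6001,ICU
2019-10-01,clerk_b,P6002,ICU
"""

# Constructed roster: units each user legitimately works on (assumption)
ROSTER = {"nurse_a": {"ICU"}, "clerk_b": {"ONC"}}


@dataclass
class UserStats:
    patients: set = field(default_factory=set)   # distinct patients opened
    off_unit: set = field(default_factory=set)   # patients outside own units
    first: str = ""                              # earliest access date
    last: str = ""                               # latest access date


def parse_log(text):
    """Yield (date, user, patient, unit) tuples from the CSV-style log."""
    for line in text.strip().splitlines():
        date, user, patient, unit = line.split(",")
        yield date, user, patient, unit


def audit(log_text, roster, off_unit_threshold=3):
    """Return {user: summary} for users whose off-unit access count meets
    the threshold. A nurse opening ICU charts is expected; a clerk assigned
    to oncology opening ICU, ED and maternity charts is worth a review."""
    stats = defaultdict(UserStats)
    for date, user, patient, unit in parse_log(log_text):
        s = stats[user]
        s.patients.add(patient)
        if unit not in roster.get(user, set()):
            s.off_unit.add(patient)
        # ISO dates compare correctly as strings
        s.first = min(s.first or date, date)
        s.last = max(s.last, date)
    flagged = {}
    for user, s in stats.items():
        if len(s.off_unit) >= off_unit_threshold:
            flagged[user] = {
                "distinct_patients": len(s.patients),
                "off_unit_patients": len(s.off_unit),
                "off_unit_ratio": round(len(s.off_unit) / len(s.patients), 2),
                "period": (s.first, s.last),
            }
    return flagged


if __name__ == "__main__":
    for user, summary in audit(ACCESS_LOG, ROSTER).items():
        print(user, summary)
```

On the constructed log, nurse_a is not flagged, while clerk_b is reported with six distinct patients, five of them off-unit, over a period from July 11 to October 1. In practice the unit comparison would be replaced by a treatment-relationship lookup (care team, encounter, or break-the-glass record), and the threshold tuned against a baseline of each role's normal access volume.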

Phishing Attack at Presbyterian Healthcare Services

In August 2019, Presbyterian Healthcare Services announced that several employees’ email accounts had been compromised in a phishing attack.

Presbyterian Healthcare Services discovered the breach on June 9. Investigators determined that the affected accounts contained the protected health information (PHI) of 183,370 patients. Although the provider had already sent notifications, the breach investigation continued, and Presbyterian Healthcare Services has now found that the breach was larger than first thought: the compromised email accounts contained the PHI of 276,000 patients.

Additional notification letters were sent to patients on November 25. The notices stressed that there was no evidence that any PHI had been accessed, downloaded, or misused. It was also confirmed that only the email system was affected; the attackers had no access to medical records or the billing platform.

Ransomware Attack Impacts 107,000 Ferguson Medical Group Patients

Saint Francis Healthcare System has announced a ransomware attack on Ferguson Medical Group’s computer network.

The attack occurred on September 21, 2019, prior to the acquisition of the Sikeston, MO-based medical group by Saint Francis Medical Center. Saint Francis Healthcare learned of the ransomware attack on the day it occurred.

According to the notice posted on Saint Francis Healthcare’s website, the attackers encrypted the medical records of Ferguson Medical Group patients who received healthcare services before January 1, 2019. Saint Francis Healthcare reported the incident to the Federal Bureau of Investigation and took immediate steps to isolate the affected systems.

The attackers demanded a ransom payment in exchange for the file decryption keys. Saint Francis Healthcare decided not to pay and to recover files from backups instead, because there was no assurance that the attackers would supply working decryption keys, among other concerns.

Although many files were recovered, some data was permanently lost. The unrecoverable records include any scanned documentation that was stored on the systems and the healthcare records of patients who received Ferguson Medical Group services from September 20, 2018 to December 31, 2018.

Analysis of the attack uncovered no evidence that the attackers obtained files containing patients’ protected health information (PHI) before encryption, and no reports of patient information misuse have been received. Nevertheless, unauthorized access and data theft cannot be ruled out, so Saint Francis Healthcare is offering affected patients free credit monitoring and identity theft protection services.

The incident is now listed on the breach portal of the Department of Health and Human Services’ Office for Civil Rights. According to the breach summary, 107,054 Ferguson Medical Group patients were affected. There was no mention of the number of patients who lost some or all of their health data as a result of the attack.

Coveware Report Reveals Increased Average Ransomware Payment of $41,198 for Q3 of 2019

Ransomware remains one of the biggest cybersecurity threats facing healthcare organizations. Attacks have increased, and so have the ransom demands.

The latest analysis by Coveware, a ransomware remediation and incident response company, shows that the average ransom payment increased by 13% to $41,198 in the third quarter of 2019, six times the December 2018 average. Many organizations have paid considerably more. Threat actors using the Ryuk ransomware demand ransoms in the hundreds of thousands of dollars; between the second and third quarters of 2019, Ryuk ransom payments ranged from $267,742 to $377,026. Large enterprises are typically asked to pay more than $1 million in ransom.

Though no sector is immune to ransomware attacks, certain industries are more likely to pay ransom demands. The most attacked sectors were:

1. professional services – 18.3%
2. public sector – 13.3%
3. medical care – 12.8%
4. software solutions – 11.7%
5. merchants – 8.3%

Attacks on managed service providers (MSPs) are also increasing. These attacks often demand far more effort from the threat actors, but the potential rewards are great: a successful campaign against an MSP gives attackers access to the systems and data of its clients. Attackers target MSPs and large companies using the Sodinokibi and GlobeImposter ransomware variants; some also use the Netwalker, Snatch, and Hidden Tear variants.

Although Coveware did not disclose the exact number of clients that have paid a ransom, Coveware CEO Bill Siegel acknowledged that the number runs into the hundreds.

Cybercriminals use various strategies to distribute malware and launch ransomware attacks. According to Coveware’s report, there has been a clear change in how attacks are executed, and they are now much more sophisticated. When cybercriminals began using ransomware, most attacks were automated and indiscriminate. Today, attacks are more focused on businesses and use techniques associated with nation-state threat actors.

Attacks on Coveware’s clients primarily used stolen RDP credentials (50.6%), phishing (39%), and software vulnerability exploitation (8.1%).

Ransomware developers naturally prefer that victims are able to recover their files, or else they would not get paid. Nevertheless, paying the ransom does not guarantee file recovery. Coveware’s figures indicate that 98% of clients who paid obtained valid decryption keys, but data recovery was typically only around 94%.

Attackers using the Rapid and Dharma ransomware variants often do not provide valid decryption keys after the ransom is paid. Mr. Dec ransomware’s encryption code is so badly written that its decryptor permits only 30% data recovery.

Paying the ransom is not always necessary, since free decryptors are available through the No More Ransom project. However, the available decryptors do not work for the ransomware variants Ryuk (22.2%), Sodinokibi (21.1%), and Phobos (19.9%).

File recovery is also possible from backups. However, in many cases backups are out of date or corrupted, making recovery impossible, and backups can themselves be encrypted by the ransomware.

Phishing Attack Impacted Thousands of TennCare and Florida Blue Members

More healthcare organizations have confirmed that they were affected by the Magellan Health National Imaging Associates data breach. Magellan Health NIA provides managed pharmacy and radiology benefits services to a number of HIPAA-covered entities as a business associate.

Last month, Geisinger Health Plan, based in Danville, PA, said that the breach affected 5,848 of its members. Florida Blue (a health insurance firm) and TennCare (Tennessee’s Medicaid program) have now issued similar announcements, and 56,226 members of Presbyterian Health Plan in Albuquerque, NM were also affected.

Magellan Health NIA suffered the phishing attack on May 28, 2019, but only became aware of it on July 5, 2019, when the attacker used the compromised email account to send large volumes of spam. The affected email account was secured upon discovery.

An internal investigation confirmed that an individual outside the United States accessed the mailbox several times. The attacker’s intent was likely just to send spam from the account. Investigators found no evidence that protected health information (PHI) was accessed or stolen, but the possibility cannot be ruled out.

Magellan Health NIA informed TennCare about the breach on September 11, one day after Magellan Health determined the breach’s impact. Breach notifications were sent to Geisinger Health Plan on September 24 and to Florida Blue on September 25.

Florida Blue has not yet announced the exact number of its members affected, but said that the PHI of less than 1% of its 5 million members was exposed. The compromised information was limited to name, birth date, health plan name, healthcare provider’s name, member ID number, medication name, imaging procedure codes, benefit authorization details, and authorization number. Florida Blue is offering affected members free credit monitoring services.

TennCare announced that the breach affected 43,847 people. The potentially compromised data included members’ names, ID numbers, health plan data, healthcare providers’ names, drug names, and Social Security numbers. TennCare has also offered credit monitoring services as a precaution against data misuse.

The Cost Due to Healthcare Data Breaches in the Industry May Reach $4 Billion in 2019

A recent survey set out to determine the cost of healthcare industry data breaches, the extent to which the healthcare sector is under attack, and what percentage of attacks succeed.

Black Book Market Research surveyed 2,876 security professionals at 733 organizations between Q4 2018 and Q3 2019. Respondents shared their views on cybersecurity to identify vulnerabilities and security issues and to find out why so many cyberattacks succeed.

96% of surveyed IT professionals said that cybercriminals are outpacing medical organizations, which is unsurprising given that 93% of healthcare organizations reported having experienced a data breach since Q3 2016. According to the report, 57% of organizations experienced more than five data breaches in that period. More than 50% of the data breaches reported by healthcare organizations were caused by hacks and external threat actors.

The healthcare sector is targeted because hospitals and insurers hold massive amounts of sensitive and valuable information, and there are often security vulnerabilities that can be quickly exploited. Because the risk of attack is so high, the industry remains remarkably prone to data breaches.

These attacks carry a considerable cost. According to the report, data breaches at hospitals in 2019 cost $423 per record. The report forecasts that, at the current rate of data breaches, the cost to the healthcare industry will reach $4 billion by the end of the year. Given current trends and the annual growth in healthcare data breaches, that figure is likely to be significantly higher in 2020.

The survey found that budget constraints are a major reason the healthcare sector is vulnerable. Legacy systems and equipment remain in widespread use, but the cost of updating them is hard to justify when budgets do not grow with revenue.

Overall, cybersecurity spending for 2020 is expected to rise to about 6% of total IT budgets at hospital systems, but smaller practices have cut cybersecurity investment, particularly medical organizations where only 1% of 2020 IT budgets will be spent on cybersecurity. 90% of surveyed hospital representatives said their cybersecurity budgets had not changed since 2016.

Cybersecurity solutions are mostly purchased blindly. One-third of surveyed hospital professionals said they selected cybersecurity solutions without much insight or discernment. 92% of security product or service decisions since 2016 were made by C-level executives without involving department managers or end users in the purchasing decision. Only 4% of organizations said they had a steering committee to help assess the impact of cybersecurity spending.

Many healthcare organizations also operate without an accountable security leader. Only 21% said they had a dedicated security officer, and only 6% reported that this individual was a Chief Information Security Officer. At physician groups with more than 10 clinicians, only 1.5% said they had a dedicated CISO. This is partly due to a lack of qualified staff: 21% of healthcare organizations said they had to outsource the work and are using cybersecurity-as-a-service as a stopgap.

Apple iOS Vulnerability Allows Hackers to Spy on FaceTime Calls

A serious Apple iOS vulnerability has been identified that lets people gain access to both the microphone and the front-facing camera of Apple devices by exploiting a flaw in FaceTime. The flaw allows microphone/camera access even if the call is not answered. It has prompted several security experts to advise Apple device owners to stop using FaceTime until the flaw is fixed.

To exploit the flaw, a user would need to use FaceTime to call another person with an iOS device. Before the call is answered, the caller would need to add themselves as an additional contact to Group FaceTime. Once that has occurred, the person being called would have their microphone turned on, and the caller could listen to what is happening in the room, even though the call has not been answered.

If the person being called were to silence the call (by pressing the power button), the front-facing camera would also be activated, giving the caller both video and audio.

Security specialists have warned that it does not matter whether the call is answered: just by calling a person, it is possible to listen to what is happening in the room and see everything in the camera’s field of view. Although this may be merely distressing for some FaceTime users, it could also cause serious harm; compromising footage could be recorded and used for extortion.

Several instances have been posted on social media, and it is clear that the vulnerability is being actively exploited. Apple is aware of the problem and has announced that a fix will be released later this week. Until then, Apple device owners are advised to disable FaceTime in the device settings; if FaceTime is disabled, the vulnerability cannot be exploited.

773 Million Email Addresses and 21 Million Unique Passwords Listed for Sale

A huge collection of login credentials containing roughly 773 million email addresses has been uncovered by security researcher Troy Hunt. Hunt is an Australian Microsoft Regional Director and maintains the Have I Been Pwned (HIBP) website, where people can check whether their login credentials have been stolen in a data breach.


California Wildfire-Themed BEC Attack Identified

It’s usual for phishers to use natural catastrophes as a lure to get ‘donations’ to line their pouches instead of helping the sufferers and the California wildfires are no exception. A lot of people have lost their lives in the fires and the death toll is likely to increase further as hundreds of people are still unaccounted for.

Entire towns such as Paradise have been completely devastated by the wildfires and hundreds of people have lost their homes. Numerous are suffering, have nowhere to reside, and have lost everything. As expected many people desire to donate money to assist the sufferers rebuild their lives. The attackers are using the sympathy of others to deceive companies.

A California wildfire phishing cheat was recently noticed by Agari that tries to capitalize on the tragedy. Nevertheless, contrary to several similar phishing campaigns that depend on huge volumes of electronic mails, this campaign is much more targeted.

The scammer is carrying out a business electronic mail compromise attack using the electronic mail account – or a deceived account – of the CEO of a firm. The first phase of the scam involves a rapid electronic mail to a worker questioning if they are available to assist. When a response is received, a second electronic mail is sent asking the worker to make a purchase of 4 Google Play gift cards, each of $500.

The ‘CEO’ asks whether there is a local store where the cards can be bought, tells the employee to make the purchase as soon as possible, scratch off the back of each card to reveal the codes, and email the codes back. The email claims the CEO needs the cards to send to customers caught up in the wildfires as a form of relief.

While the chosen method of sending relief is dubious, to say the least, and the emails contain grammatical and spelling errors, the use of the CEO’s email account may persuade employees to do as instructed. These scams work because employees are reluctant to question their CEO and want to respond quickly. Even if a request is unusual, the stated reason for it appears perfectly plausible.

Although this may look like an obvious fraud, worth at least a call or text to the CEO to confirm it is genuine, some employees will no doubt not question the request. Each one who does as instructed will cost the company $2,000.

This type of scam is common, and such attacks are often associated with wire transfer requests. In the rush to respond to the CEO’s request, a transfer is made, potentially for tens of thousands of dollars. The employee replies by email to say the transfer has been made, the scammer deletes that email, and the fraudulent transfer is often not detected until after the scammer has used money mules to withdraw the funds from the account.

Access to the CEO’s email account can be gained in several ways, though a spear phishing attack is the most common. Spam filtering solutions can help reduce the chance of that initial attack succeeding, and two-factor authentication can prevent account access if credentials are stolen.

Staff training is essential to raise awareness of the threat of BEC attacks. Policies must also be implemented requiring all transfer requests sent by email, and any unusual requests, to be confirmed by phone or text message before a transfer is made, using a number already on file rather than any contact details supplied in the email itself.

Q3 2018 Healthcare Data Breaches Report Released

A Q3 2018 healthcare data breach report from Protenus shows a substantial decrease in the number of healthcare data breaches compared with the preceding quarter: 142 healthcare organizations reported data breaches in Q2, compared with 117 in Q3.

However, because of several large breaches in Q3, the total number of exposed records was considerably higher. Between July and September, the health records of 4,390,512 patients were exposed, impermissibly disclosed, or stolen, compared with 3,143,642 healthcare records in Q2. The number of exposed records has risen considerably in each quarter of 2018.

The large increase in exposed records in Q3 is largely due to a major data breach at UnityPoint Health that was disclosed in July. That single breach exposed more records than all 110 healthcare data breaches reported in Q1 2018 combined. The breach was a phishing attack in which a number of UnityPoint Health email accounts were compromised; those accounts contained the PHI of 1.4 million patients. The largest healthcare data breach in August was a hacking incident at a healthcare provider that resulted in the exposure of 502,416 records, and the largest breach in September was reported by a health plan and affected 26,942 plan members.

Hacking and other IT incidents accounted for 51.28% of all data breaches in Q3. The second most common cause was insider incidents (23.08%), followed by loss/theft incidents (10.26%). The cause of 15.38% of Q3 breaches is unknown.

Hacks and IT incidents also accounted for the largest number of exposed/stolen healthcare records in Q3: 3,649,149 of the quarter’s 4,390,512 breached records were compromised in the 60 incidents attributed to hacks and IT incidents. There were 8 reported ransomware/malware attacks and 10 incidents involving phishing. The exact cause of 18 ‘hacking’ incidents could not be determined.

Q3 saw a rise in insider breaches. Insider breaches were divided into two categories: insider error and insider wrongdoing. Insider wrongdoing includes impermissible disclosures of PHI, employees snooping on medical records, and theft of healthcare records by employees. Insider breaches resulted in the theft, exposure, or impermissible disclosure of 680,117 patient records.

19 incidents were classified as insider error and affected 389,428 patients. There were 8 confirmed cases of insider wrongdoing affecting 290,689 patients, a major increase from the 70,562 patients affected by insider wrongdoing incidents in Q2 and the 4,597 patients affected by similar incidents in Q1.

In Q3, 19% of breaches involved paper records and 81% involved electronic medical records.

Healthcare providers suffered the most breaches in Q3 (74% of breaches), followed by health plans (11%) and business associates (11%). 23% of the quarter’s breaches involved a business associate in some way.

The report reveals that healthcare organizations and their vendors are slow to detect breaches. In one case, it took a healthcare provider 15 years to discover that an employee had been snooping on medical records; over those 15 years, the employee improperly accessed the records of thousands of patients.

The average time to detect a breach was 402 days and the median was 51 days. The average time to report a breach was 71 days and the median was 57.5 days; the median sits just inside the 60-day deadline set by the HIPAA Breach Notification Rule, while the average exceeds it.

Florida was the state worst affected by healthcare data breaches in Q3 with 11 incidents, followed by California with 10 and Texas with 9.

U.S. Treasury Probing $700,000 Loss to Phishing Scam

In July 2018, the Washington, D.C. government fell for an email scam that resulted in wire transfers totaling approximately $700,000 being sent to a scammer’s account.

The scammer impersonated a vendor used by the city and requested payment of outstanding invoices for construction work. The vendor had been contracted for the design and construction of a permanent supportive housing facility.

The emails requested that the payment method be changed from check to bank transfer and supplied the details of a Bank of America account to which the payments should be directed. Three separate payments were made, totaling $690,912.75.

The account details provided were for an account controlled by the scammer. By the time the scam was discovered, the money had already been withdrawn from the account and could not be recovered. According to a Washington Post investigation, the scammer had impersonated the company Winmar Construction.

The emails were sent from a domain registered by the scammer that mimicked the construction company’s own domain; it was identical except for two letters that had been transposed. The scammer then created an email address on that domain and used it to request payment of the invoices.

According to the Washington Post, the D.C. government had been targeted with several phishing emails before this scam, although Mike Rupert, a spokesman for the city’s chief technology officer, said those phishing attacks were unsuccessful and were not connected to the wire transfer scam.

These scams are common. They frequently involve an email account compromise that lets the scammers identify vendors and obtain details of outstanding payments. David Umansky, a spokesman for the city’s chief financial officer, told the Washington Post that the attacker had obtained the information needed to pull off the scam from the vendor’s systems, and that D.C. officials had failed to spot the fake domain and email address.

After discovering the fraudulent wire transfers, the D.C. government contacted law enforcement, and steps have been taken to trace the scammers. Additional security controls have since been implemented to prevent similar scams from succeeding, including a requirement for additional verification of the authenticity of any request to change bank details or payment methods.

The U.S. Treasury Department has now opened an investigation into the incident, as bank fraud is a federal offense. That investigation is ongoing.
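Both BEC patterns on this page, the CEO gift-card request described under the California wildfire attack and the transposed-letter vendor domain used against the D.C. government, can be caught with a few header and body heuristics before a human ever reads the message. The following is an added example written for this page, not code from Agari, the Washington Post or the D.C. government. The organization domain `example-corp.com`, the executive `Jane Doe`, the vendor domain `acme-build.com` (a stand-in, not Winmar’s real domain) and the three sample messages are all constructed.

```python
# Added example, not code from Agari, the Washington Post or the D.C. government:
# header and body heuristics for the two BEC patterns described on this page, the
# executive gift-card request and the vendor lookalike-domain invoice.
# Organization, executive, vendor domain and messages are all constructed.
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"                          # assumed target company
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # display name -> real address
TRUSTED_DOMAINS = {ORG_DOMAIN, "acme-build.com"}          # own domain plus a constructed vendor
PAYMENT_TERMS = ("gift card", "wire transfer", "bank account", "payment method")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so the two-letter swap used in the D.C. scam scores 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> list:
    """Return the sorted list of BEC indicators found in an RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    flags = set()

    # 1. Executive display name on an address that is not the executive's real one.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        flags.add("executive_impersonation")

    # 2. Reply-To steers replies to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.add("reply_to_mismatch")

    # 3. Sender domain is a near-miss of a domain we trust (typo-squat or transposition).
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        if any(osa_distance(from_domain, t) <= 2 for t in TRUSTED_DOMAINS):
            flags.add("lookalike_domain")

    # 4. The message asks for money or for a change to how we pay.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if any(term in (body or "").lower() for term in PAYMENT_TERMS):
        flags.add("payment_request")
    return sorted(flags)


# Constructed sample messages modelled on the two scams described above.
MSG_CEO_GIFT_CARDS = """From: "Jane Doe" <jane.doe.ceo@gmail.com>
To: staff@example-corp.com
Subject: Are you available?

I need 4 Google Play gift cards of $500 each for customers hit by the wildfires.
Buy them ASAP, scratch off the back and email me the codes.
"""

MSG_VENDOR_LOOKALIKE = """From: "Accounts" <billing@acme-biuld.com>
Reply-To: billing@acme-biuld.com
To: payments@example-corp.com
Subject: Outstanding invoices

Please change our payment method from check to wire transfer.
New bank account details are below.
"""

MSG_LEGITIMATE = """From: "Jane Doe" <jane.doe@example-corp.com>
To: staff@example-corp.com
Subject: Team meeting

Can we move Thursday's meeting to 3pm?
"""

if __name__ == "__main__":
    for label, raw in (("ceo", MSG_CEO_GIFT_CARDS), ("vendor", MSG_VENDOR_LOOKALIKE), ("ok", MSG_LEGITIMATE)):
        print(label, triage(raw) or ["clean"])
```

Note that none of these checks replaces the out-of-band verification the articles call for: a message from the executive’s genuinely compromised mailbox passes rules 1 to 3 and only trips the payment-request rule, which is exactly why a payment or bank-detail change should always be confirmed by phone on a known number.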

Cofense Expands 24/7 Global Phishing Defense

Cofense has announced that it has expanded its 24/7 Phishing Defense Service to provide even greater support to customers outside business hours and ensure that phishing threats are identified in the shortest possible time.

The Cofense Phishing Defense Center (PDC) was launched to ease the burden on IT security teams by letting them offload some of the work of sifting through emails reported by their end users and analyzing those emails to identify the genuine threats.

When employees report suspicious emails, through Cofense Reporter for example, the emails are sent to Cofense Triage for analysis. The malware and threat analysts on the Cofense PDC team conduct an in-depth study of the reported threats and send full details back to customers’ incident responders, who can then act to mitigate the threat. The faster a threat is identified, the lower the chance of an employee falling for it.

The Phishing Defense Service saves companies a substantial amount of time and effort and allows threats to be identified and mitigated much more quickly. With the volume of phishing threats growing, incident responders can easily get bogged down identifying threats among the hundreds of emails reported as ‘suspicious’ by their employees. Cofense data indicate that typically only 10%-15% of reported emails are malicious, yet every message must be checked and assessed.

The Cofense PDC team already works around the clock to assess active phishing threats, but the expansion of the service ensures that, regardless of the time of day or night, new threats are identified in the shortest possible time frame. This is particularly important for companies with offices in several countries and time zones; those businesses should not have to wait until business hours for threats to be identified.

“Since threat actors do not sleep, neither should your defense capabilities,” explained Josh Nicholson, Senior VP of Professional Services at Cofense. “Our enhanced, round-the-clock phishing defense service puts customers at ease by providing expert analysis and response for any reported suspicious email, any day, any time, in a matter of minutes.”

The expansion ensures that malware analysts are always on hand to assess reported phishing attempts and help customers mitigate new phishing attacks much more quickly.

United States Leads the World as Primary Host of Malware C2 Infrastructure

The United States hosts the largest share of malware command and control (C2) infrastructure, 35% of the global total, according to new research published by phishing defense and threat intelligence company Cofense. 27% of network Indicators of Compromise (IoCs) from phishing-borne malware are also either located in or proxied through the United States. Cofense data place Russia in second position with 11%, followed by the Netherlands and Germany with 5% each and Canada with 3%.

C2 infrastructure is used by attackers to communicate with malware-infected hosts, issue commands, download additional malware modules, and exfiltrate data. Cofense explained that the fact that C2 infrastructure is hosted in the United States does not necessarily mean that more attacks are being carried out against U.S. residents than against other countries. It is common for attackers to host their C2 infrastructure outside their own country to make it harder for law enforcement to attribute their activity, and C2 infrastructure is also often located in countries that have no extradition treaty with the countries being targeted.

Threat actors are more concerned with placing their C2 infrastructure wherever minimizes their risk than with locating it in any particular country. Cofense notes that “C2 infrastructure is heavily biased toward compromised hosts, indicating a high incidence of host compromise within the United States.” That makes sense, since there are more potential hosts to compromise in the United States than in other countries.

“Some organizations will block any connections coming from countries known for originating malicious activity that they don’t do business with,” explained Darrel Rendell, principal intelligence analyst at Cofense. That makes hosting C2 infrastructure in the United States advantageous, as connections between malware and those servers would be less likely to raise red flags.

In a recent blog post, Cofense gives examples of the distribution of C2 infrastructure for two common banking Trojans: TrickBot and Geodo (also known as Emotet). Both are widely used in attacks on Western countries, and attacks have increased in frequency in 2018. The two Trojans are notably different: they belong to different malware families and are used by different threat actors.

In both cases the infrastructure is growing and the C2 locations are highly diverse, but the data show very different distributions of C2 infrastructure for each malware family. TrickBot’s C2 infrastructure is primarily located in Russia, followed by the U.S.; Geodo, by contrast, mainly uses the U.S., followed by Germany, France and the United Kingdom, with almost none located in Russia.

Cofense notes that although the differences between the two may seem odd at first glance, their distribution makes sense. Geodo uses compromised legitimate web servers as reverse proxies, which forward traffic through those real servers to the hidden C2 infrastructure behind them. TrickBot, in contrast, uses purpose-built Virtual Private Servers (VPSs) to host its infrastructure. Its C2 may be mainly in the east, but it is mainly used to attack the west, and much of its C2 infrastructure is in countries that have no extradition treaty with the United States. That said, some infrastructure is in the U.S. and European countries, which may be an attempt to make its infrastructure harder to profile.

Cofense explains that the extensive and widely distributed C2 infrastructure will not only help ensure these two threats remain active for longer, but also means that using geolocation to distinguish legitimate from malicious traffic is unlikely to be particularly effective.

Anthem Data Breach Settlement of $16 Million Agreed with OCR

The largest ever healthcare data breach in the United States has attracted the largest ever penalty for noncompliance with HIPAA Rules. The $16 million Anthem data breach settlement dwarfs the previous record HIPAA penalty of $5.55 million and reflects not only the severity of the Anthem Inc. data breach, in which the protected health information of 78.8 million plan members was stolen, but also the extent of noncompliance with HIPAA Rules.

The Department of Health and Human Services’ Office for Civil Rights (OCR), the main enforcer of HIPAA Rules, opened a HIPAA compliance review of Anthem in February 2015 when news of the massive cyberattack was reported in the media. The review was opened a full month before Anthem notified OCR of the breach.

Anthem discovered the cyberattack in late January 2015. Anthem investigated the breach with assistance from the cybersecurity firm Mandiant and found that the attackers first gained access to its systems in December 2014. Access remained possible until January 2015, during which time the data of 78.8 million plan members was stolen.

The attack began with spear phishing emails sent to one of its subsidiaries; a response to one of those emails allowed the attackers to gain a foothold in the network. From there they explored its systems, located its data warehouse, and stole highly sensitive information on its plan members, including names, employment details, email addresses, postal addresses, and Social Security numbers.

OCR’s compliance review revealed a number of areas in which Anthem Inc. had failed to fully comply with HIPAA Rules. OCR determined that Anthem had failed to conduct a comprehensive risk analysis to identify threats to ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

OCR also determined that insufficient policies and procedures had been implemented to regularly review records of information system activity, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D), and that Anthem had failed to restrict access to its systems and data to authorized persons, a violation of 45 C.F.R. § 164.312(a).

HIPAA requires all covered entities to prevent unauthorized access to ePHI (45 C.F.R. § 164.502(a)), which Anthem had failed to do.

Anthem chose to settle the case and pay a substantial penalty with no admission of liability. A robust corrective action plan has also been agreed to address the HIPAA failures and ensure security is improved.

“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information,” said OCR Director Roger Severino. “We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.” The size of the HIPAA penalty reflects the scale of the breach. “The largest health data breach in U.S. history fully merits the largest HIPAA settlement in history,” said Severino.