Ohio Law Firm Ransomware Attack and California Department of State Hospitals Insider Breach

Bricker & Eckler said the attackers confirmed that the stolen information had been deleted and gave assurances that no further disclosures of the stolen data would occur and that no copies of the information had been retained.

As a full-service law firm serving clients in the healthcare sector, Bricker & Eckler required clients to give it access to certain protected health information (PHI) during their engagements. That data was used to provide the legal services. It is possible that some of that data was viewed or obtained during the attack.

Bricker & Eckler said the following PHI may have been exposed: names and addresses and, for some individuals, medical information and/or education-related information, Social Security numbers, and/or driver’s license numbers.

The law firm began mailing notification letters to all affected individuals on April 6, 2021. The firm has implemented measures to improve the security of its network, internal systems, and software to prevent similar attacks in the future.

Bricker & Eckler has reported the breach to the HHS’ Office for Civil Rights as affecting about 420,532 people.

California Department of State Hospitals Finds Out Insider Breach More Serious Than Earlier Thought

In March 2021, the California Department of State Hospitals reported that an employee in an IT role had accessed the information of 1,415 current and former patients and 617 employees without authorization over a 10-month period. The hospital discovered the breach on February 25, 2021 during routine monitoring of employee access to data folders.

At the time of the announcement, the investigation into the insider breach was still ongoing. It has now been confirmed that the breach was more extensive than initially thought. The information of 1,735 current and former Atascadero State Hospital employees and 1,217 DSH job applicants who were not hired was also viewed. The information included telephone numbers, email addresses, dates of birth, Social Security numbers, and health data. Although sensitive information was accessed, no reports of misuse have been received.

Ransomware Attacks on the University of Miami Health and Mott Community College

A ransomware attack on Accellion, a file transfer service provider, resulted in unauthorized individuals gaining access to the protected health information (PHI) of patients of the University of Miami Health.

The University of Miami Health used Accellion’s file transfer technology to share files that were too large to send by email. The University of Miami stated that only a small number of individuals at the university used the Accellion solution. Immediate action was taken to limit the impact of the incident, and the university has since stopped using Accellion’s file transfer services.

The investigation into the attack and the review of the files that were obtained or potentially exposed are still ongoing, so the number of people affected is not yet known.

The University of Miami believes that none of its own systems were breached in the attack and that the university only sent or received a limited number of files through Accellion’s file transfer services.

The gang behind the attack demanded a $10 million ransom payment for the keys to decrypt the files and to prevent the data from being posted on the internet or sold on dark web marketplaces. Some of the data stolen in the attack has already been published on the gang’s leak site, including data relating to patients of the University of Miami Health.

The University of Miami was one of several Accellion customers affected by the breach. Others include the University of Colorado, Kroger, Arizona Complete Health, Centene, and Shell Oil.

Mott Community College Ransomware Attack Affected 1,612 Dental Plan Members

Mott Community College has notified 1,612 people that unauthorized individuals obtained files containing their PHI before deploying ransomware on its systems.

Upon discovery of the attack, a third-party cybersecurity firm was engaged to investigate the incident and determine the scope of the breach. The investigation revealed that the attackers had access to the network from November 27, 2020 until January 9, 2021.

On January 23, 2021, Mott Community College learned that the attackers had exfiltrated sensitive information before deploying the ransomware, and that some of the files related to individuals covered under its self-insured dental plan. A review of those files showed that they contained names, dates of birth, and dental plan enrollment and claims details for individuals enrolled in the dental plan in 2014-2015 and 2019.

On March 24, 2021, Mott Community College began sending notification letters to all affected individuals. Although data exfiltration was confirmed, that does not necessarily mean the attackers viewed, misused, or disclosed the contents of the files. Mott Community College has since put additional safeguards and technical security measures in place to prevent further attacks, including multifactor authentication for all systems and email access and additional password requirements.

SalusCare Files Lawsuit Against Amazon to Get Access to AWS Audit Logs to Investigate Data Breach

SalusCare, a behavioral healthcare services provider based in Southwest Florida, suffered a cyberattack in March that resulted in the exfiltration of patient and employee data from its systems. SalusCare has not confirmed exactly how access to its computers was gained, but the attack is believed to have started with a phishing email carrying a malware download. The attacker exfiltrated the entire contents of its database to an Amazon AWS storage account.

The cyberattack occurred on March 16, 2021 and, according to the breach investigation, the attacker appeared to be located in Ukraine. The attacker gained access to SalusCare’s Microsoft 365 environment, stole sensitive information, and uploaded it to two Amazon S3 storage buckets.

Amazon was informed of the criminal activity and revoked access to the S3 buckets so that the attacker could no longer reach the stolen information. SalusCare requested copies of the audit logs, which it needs to continue investigating the breach and determine exactly what information was taken. SalusCare also wants assurance that the suspension is permanent and will not be lifted by Amazon.

Although the S3 buckets were used to store SalusCare’s data, Amazon will not voluntarily provide copies of the audit logs or of the data held in the buckets because SalusCare does not own them. The two S3 buckets are known to contain about 86,000 files stolen during the attack.

To obtain copies of the audit logs and data, SalusCare filed a lawsuit in federal court seeking injunctive relief under the Computer Abuse and Recovery Act of Florida. SalusCare is seeking an order compelling Amazon to provide access to the audit logs and a copy of the contents of the two S3 buckets. SalusCare also wants the court to order Amazon to suspend access permanently, to keep the attacker from accessing the data or copying it to a different cloud storage service. SalusCare has also sued the individual behind the attack, identified as John Doe.

The lawsuit asserts that the stolen data hosted by Amazon is highly sensitive and could be used for identity theft, sold on darknet marketplaces, or exposed to the general public.

In its petition to the U.S. District Court in Fort Myers, SalusCare explained that the files contain highly personal and sensitive records of patients’ psychiatric and addiction counseling and treatment. The files also include sensitive financial data such as credit card numbers and the Social Security numbers of SalusCare employees and patients.

The lawsuit also asks that, once Amazon has provided SalusCare with a copy of the data and audit logs, the S3 buckets be emptied to prevent any further unauthorized access.

Amazon did not oppose the injunctive relief sought by SalusCare. On March 25, 2021, The News-Press reported that a federal District Court judge had granted the request.

Reinvestigation of 2019 Metro Presort Ransomware Attack Shows Potential Compromise of PHI

Metro Presort, a technology and communications solutions provider based in Portland, OR, suffered a ransomware attack on May 6, 2019 in which files were encrypted, preventing staff from accessing its systems. The company detected the attack promptly and had secured its systems by May 15, 2019, recovering relatively easily. Investigators found no evidence that files had been removed from its systems, and because the company already encrypted customer information, it was considered unlikely that the attackers could have accessed any sensitive data.

Metro Presort reinvestigated the attack in October 2020. This time it could not confirm that the files containing customer data had been encrypted before the attack. The attacker could therefore have had access to statements, invoices, and spreadsheets that Metro Presort prepared for its clients, including healthcare providers. A substitute breach notice posted on the Metro Presort website on November 24, 2020 stated that an audit of those files confirmed they contained patient names, addresses, dates of birth, patient and health plan account numbers or IDs, appointment dates, diagnosis codes, treatment codes, and treatment dates.

The HHS’ Office for Civil Rights breach portal recently listed the incident as potentially compromising the PHI of up to 38,387 people. Metro Presort said in its breach notice that the Department of Health and Human Services’ Office for Civil Rights investigated its response to the breach and its guidelines and procedures. The case was closed on December 31, 2020 after OCR determined that there had been no violation of HIPAA rules.

Metro Presort also said in its breach notice that, both before and after the incident, MPI has devoted substantial resources to maintaining and improving its data security, including deploying the latest technical security measures to prevent similar incidents, additional protection (encryption) of customer documents, and security reviews.

Universal Health Services Lost $67 Million in 2020 Due to Ransomware Attack

2020 was a particularly bad year for the healthcare industry in terms of ransomware attacks. One of the hardest hit was the Fortune 500 health system Universal Health Services (UHS), based in King of Prussia, PA.

UHS, which operates 400 hospitals and behavioral health facilities across the U.K. and the U.S., suffered a cyberattack in September 2020 that took down all of its IT systems, affecting every hospital and medical center it operates across the nation.

The telephone system, computers, and electronic health records were inaccessible, so staff recorded patient information with pen and paper. In the hours immediately after the attack, the health system diverted ambulances to other facilities and postponed or redirected some elective procedures to other hospitals. Patients reported that test results were also delayed while UHS worked to recover from the attack.

After the ransomware attack, UHS worked around the clock to restore its IT systems and return to normal business operations; even so, recovery took 3 weeks. The disruption naturally had a significant financial impact. UHS’ revenue report for the fourth quarter of 2020 showed a loss of $42.1 million, or 49 cents per diluted share. UHS ended the quarter with $308.7 million in revenue, up 6.6% from the fourth quarter of 2019.

Restoring its IT infrastructure added considerably to both internal and external labor costs. Cash flow was also affected, as administrative tasks such as coding and billing fell behind and were not caught up until December 2020.

UHS reported approximately $67 million in pre-tax losses in 2020 as a result of the ransomware attack, primarily due to lost operating income, lower patient volumes, and higher revenue reserves stemming from delayed billing. UHS believes it will be able to recover most of the $67 million through its insurance coverage.

Microsoft Releases Patches for 4 Actively Exploited Flaws in Microsoft Exchange Server

Microsoft has released out-of-band security updates to address four zero-day Microsoft Exchange Server vulnerabilities that are being actively exploited by a Chinese Advanced Persistent Threat (APT) group known as Hafnium.

The attacks have been occurring since early January, with the APT group targeting defense contractors, law firms, colleges and universities, NGOs, think tanks, and infectious disease research organizations in the United States. Exploiting the vulnerabilities allows the attackers to exfiltrate mailboxes and other data from vulnerable Exchange servers, run essentially any code on those servers, and install malware for persistent access.

Hafnium was previously an unidentified, sophisticated APT group believed to be backed by the Chinese government. The group chains the four zero-day vulnerabilities together to steal sensitive files held in email. While developing the exploits required skill, using them is easy and lets the attackers exfiltrate large quantities of sensitive data with little effort. Although the group is based in China, it leases virtual private servers in the United States for its attacks, which helps it stay under the radar.

The flaws affect Exchange Server 2010 and all supported versions of Exchange Server (2013, 2016, and 2019). Patches have been released for Exchange Server 2010, 2013, 2016, and 2019. The flaws do not affect Exchange Online or personal email accounts, only on-premises Exchange servers.

Microsoft has credited the cybersecurity firms Volexity and Dubex with helping to uncover the attacks, which were first identified on January 6, 2021. Now that the patches have been released, attacks are likely to increase as the group rushes to gain access to as many vulnerable Exchange servers as possible before they are patched.

The vulnerabilities are:

  • CVE-2021-26855: A server-side request forgery (SSRF) vulnerability that allows an attacker to send arbitrary HTTP requests to an on-premises Exchange Server and authenticate as the Exchange server itself.
  • CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service that can be exploited to run arbitrary code as SYSTEM on the Exchange server.
  • CVE-2021-26858 and CVE-2021-26865: Two arbitrary file write vulnerabilities that allow an authenticated user to write files to any path on the server. They are chained with CVE-2021-26855 for authentication, though they can also be exploited using stolen credentials.

Once they have initial access to the Exchange server, the attackers deploy a web shell that lets them harvest cached credentials, upload files such as malware for persistent access, run essentially any command on the compromised system, and exfiltrate mailboxes and other data.

Exploits for the vulnerabilities are not believed to be publicly available, and the attacks are currently only being carried out by Hafnium, although that may not remain the case for long.

Microsoft is urging all customers running vulnerable Exchange versions to apply the patches immediately. After patching, an investigation should be conducted to determine whether the vulnerabilities have already been exploited, since patching will not stop ongoing malicious activity or data exfiltration if the attackers have already compromised the server.

Microsoft has published Indicators of Compromise (IoCs) to help customers determine whether the vulnerabilities have already been exploited on their servers.
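A defender-side check for the SSRF flaw above: Microsoft’s hunting guidance for CVE-2021-26855 is to look in the Exchange HttpProxy logs for requests with an empty AuthenticatedUser and an AnchorMailbox of the form ServerInfo~*/*. The Python below is an added example, not code from the article or from Microsoft; it applies that rule to a constructed, simplified log sample (the column layout is an assumption, and real HttpProxy logs carry many more columns).

```python
"""Hunt for the CVE-2021-26855 SSRF indicator in Exchange HttpProxy logs.

The rule applied here is the one Microsoft published for this flaw: flag any
HttpProxy request whose AnchorMailbox starts with "ServerInfo~" and contains
a "/" while AuthenticatedUser is empty. The SSRF lets a request act as the
Exchange server itself, so the proxy records that anchor shape with no user.
This is an added example, not the article's or Microsoft's code; the CSV
layout below is a simplified assumption about the real log format.
"""
import csv
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample log. Rows 3 and 5 match the indicator. Row 4 is a normal
# unauthenticated request (a logon page) and row 6 has a ServerInfo~ anchor
# but an authenticated user, so neither of those should be flagged.
SAMPLE_LOG = """DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-01T08:00:01.000Z,1,10.0.0.5,/owa/,CONTOSO\\alice,alice@example.test,200
2021-03-01T08:00:02.000Z,2,10.0.0.6,/ecp/,CONTOSO\\bob,bob@example.test,200
2021-03-01T08:00:03.000Z,3,198.51.100.7,/owa/auth/,,ServerInfo~mail.example.test/autodiscover/autodiscover.xml,200
2021-03-01T08:00:04.000Z,4,10.0.0.9,/owa/auth/logon.aspx,,,200
2021-03-01T08:00:05.000Z,5,198.51.100.7,/ecp/,,ServerInfo~mail.example.test/ews/exchange.asmx,200
2021-03-01T08:00:06.000Z,6,10.0.0.5,/ews/,CONTOSO\\svc-monitor,ServerInfo~mail.example.test/ews/exchange.asmx,200
"""


@dataclass(frozen=True)
class Finding:
    request_id: str
    datetime: str
    client_ip: str
    url_stem: str
    anchor_mailbox: str


def is_ssrf_indicator(row: Dict[str, str]) -> bool:
    """Apply the ServerInfo~*/* plus empty-AuthenticatedUser rule to one row."""
    anchor = (row.get("AnchorMailbox") or "").strip()
    user = (row.get("AuthenticatedUser") or "").strip()
    return user == "" and anchor.startswith("ServerInfo~") and "/" in anchor


def find_ssrf_indicators(lines: Iterable[str]) -> List[Finding]:
    """Parse CSV log lines (header row first) and return matching rows in order."""
    reader = csv.DictReader(line for line in lines if line.strip())
    return [
        Finding(
            request_id=row["RequestId"],
            datetime=row["DateTime"],
            client_ip=row["ClientIpAddress"],
            url_stem=row["UrlStem"],
            anchor_mailbox=row["AnchorMailbox"],
        )
        for row in reader
        if is_ssrf_indicator(row)
    ]


def summarize_by_client(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per client IP, the first pivot when triaging hits."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding.client_ip] = counts.get(finding.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_ssrf_indicators(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(f"{hit.datetime} {hit.client_ip} {hit.url_stem} anchor={hit.anchor_mailbox}")
    print("per-client counts:", summarize_by_client(hits))
```

On a real server the same functions can be pointed at the .log files under the Exchange HttpProxy logging directory; a hit is a reason to start incident response, not proof on its own.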

PHI Potentially Exposed Due to Cyberattacks on Nebraska Medicine and Hackley Community Care

Nebraska Medicine has begun notifying around 219,000 patients that an unauthorized person potentially accessed their data as a result of a malware attack.

On September 20, 2020, Nebraska Medicine discovered unusual activity on parts of its systems. It isolated the infected devices to limit the impact of the breach and shut down the affected systems to prevent continued unauthorized access. Third-party computer forensics experts assisted with the investigation to determine the nature and scope of the breach.

The investigation determined that an unauthorized individual first gained access to its systems on August 27, 2020 and infected them with malware. Between August 27 and September 20, the individual copied a number of files, some of which contained patient data.

The compromised files related to patients who received medical services from the Nebraska Medical Center or the University of Nebraska Medical Center. Some patients had received medical services from Faith Regional Health Services, Great Plains Health, or Mary Lanning Healthcare.

The protected health information (PHI) accessed by the attackers may have included one or more of the following: name, address, date of birth, medical record number, health insurance information, physician notes, laboratory test results, imaging, diagnosis information, treatment information, and/or prescription information. Some patients’ driver’s license numbers and Social Security numbers were also potentially compromised.

Nebraska Medicine mailed notification letters to the affected individuals on February 5, 2021. Individuals whose Social Security or driver’s license numbers were exposed have been offered free credit monitoring and identity theft protection services. The provider continues to monitor its IT environment for potential breaches and has enhanced its network monitoring solutions.

Phishing Attack Impacts 2,500 Hackley Community Care Patients

Hackley Community Care, located in Muskegon, MI, is notifying about 2,500 patients that unauthorized persons potentially gained access to some of their PHI.

In September 2020, several employees received a phishing email. One employee clicked a link to a malicious website and entered their login credentials, which the attacker captured and used to remotely access the employee’s email account between September 7 and September 24, 2020.

The breach investigation confirmed that only one email account was compromised. No evidence was found indicating that the unauthorized persons opened any emails in the breached account. After the review of the compromised account was completed on December 18, 2020, Hackley Community Care notified all individuals affected by the incident.

Most of the affected individuals only had their names and addresses exposed. Individuals whose more sensitive data was affected have been offered free TransUnion credit monitoring services. Hackley Community Care is strengthening its security procedures to prevent similar incidents in the future.

Breach of Data at Capital Medical Center, Rehoboth McKinley Christian Health Care Services and Sutter Buttes Imaging Medical Group

Two healthcare organizations have suffered ransomware attacks in which sensitive information was exfiltrated and then published online after the victims did not pay the ransom.

The Conti ransomware gang has posted data on its leak site that was purportedly stolen in an attack on Rehoboth McKinley Christian Health Care Services in New Mexico. The leaked data includes sensitive patient information such as patient ID cards, diagnoses, treatment details, diagnostic data, driver’s license numbers, and passports.

It is not yet known how many individuals have had their PHI exposed. The Conti ransomware group claims it has so far released only about 2% of the stolen data.

The latest data leak by the Conti ransomware gang follows similar leaks of data stolen in the ransomware attacks on Leon Medical Centers in Florida and Nocona General Hospital in Texas.

The Avaddon ransomware group has also posted data on its leak site that was exfiltrated in a ransomware attack on Capital Medical Center in Olympia, Washington. The gang has threatened to leak more data in the coming days if the ransom is not paid. The published data includes driver’s license numbers, patient files, diagnosis and treatment information, insurance details, lab test results, prescribed medications, provider names, and patient contact information.

According to Emsisoft, at least 17 ransomware gangs now exfiltrate data before encrypting files, and all of them say they will publish or sell the stolen data if the ransom is not paid. The most recent Coveware ransomware report indicates that data exfiltration occurs in approximately 70% of ransomware attacks. These double extortion attacks often succeed in extracting a ransom payment to prevent the release of stolen data; however, there are signs that the tactic is becoming less effective because of a lack of trust that the threat groups will actually delete the stolen data once the ransom is paid.

There have been several cases where, despite payment, the threat actors made further extortion demands or published the stolen files on leak sites anyway.

Hacker Possibly Obtained Patient Information from Sutter Buttes Imaging Medical Group

Sutter Buttes Imaging Medical Group (SBIMG), based in Yuba City, CA, has discovered that an unauthorized individual gained access to third-party IT equipment used at its Yuba City imaging center and may have viewed and obtained limited patient records.

In December 2020, SBIMG discovered that a hacker had exploited an unpatched vulnerability in IT equipment used to store and transfer information related to medical services provided to patients. Action was quickly taken to remove the threat actor from its systems and secure patient information. The breach investigation revealed that the hacker first gained access to the IT systems in July 2019 and retained that access until December 2020.

The investigation determined that the attacker had access to limited patient information such as names, dates of birth, imaging procedures performed, study name, study date, and internal patient/study numbers. No financial information, insurance details, or Social Security numbers were compromised.

SBIMG has fixed the vulnerability and taken steps to enhance security to prevent similar breaches in the future, including closing specific firewall ports. Third-party security professionals helped evaluate system security and implement additional security controls.

SBIMG has notified all affected patients by mail and reported the breach to the HHS’ Office for Civil Rights. The incident has not yet been posted on the HHS breach portal, so the number of individuals affected is not yet known.

Kevin Fu Appointed as FDA’s First Director of Medical Device Security

The U.S. Food and Drug Administration (FDA) has announced the appointment of University of Michigan associate professor Kevin Fu as its first director of medical device security.

Kevin Fu will serve a one-year term as acting director of medical device security at the FDA’s Center for Devices and Radiological Health (CDRH) and at the recently established Digital Health Center of Excellence, beginning January 1, 2021. Fu will help bridge the gap between medicine and computer science and help companies keep their medical devices secure against digital threats.

Fu will help develop the CDRH’s cybersecurity strategy, public-private partnerships, and premarket vulnerability assessments to ensure the security of medical devices such as insulin pumps, imaging machines, pacemakers, and healthcare IoT devices and keep them secure against digital threats.

Fu has extensive expertise in medical device cybersecurity. He is currently chief scientist of the University of Michigan’s Archimedes Center for Medical Device Security. He co-founded the healthcare cybersecurity startup Virta Labs with his doctoral students and previously served on the National Institute of Standards and Technology’s (NIST) Information Security and Privacy Advisory Board. Fu has also conducted research on software radio attacks against implantable medical devices such as cardiac defibrillators and pacemakers, demonstrating how readily available software radio tools can be used to access the devices and intercept their communications. Fu is currently an associate professor of electrical engineering and computer science and is the Dwight E. Harken Memorial Lecturer. He will retain his roles at the University of Michigan.

Securing medical devices is a difficult task. Hospitals use large numbers of medical devices in complex interconnected systems. Many hospitals do not have complete inventories of their devices, and because many devices run legacy software, vulnerabilities can easily go unaddressed. Threat actors could exploit those vulnerabilities to harm patients or to gain a foothold in healthcare networks.

As Fu discussed in an interview recently published by Michigan News, the threat landscape has changed considerably over the last 10 years, with far more adversaries launching attacks. Ten years ago the risk was largely hypothetical; today numerous hospitals have practically shut down because of ransomware attacks. New security vulnerabilities are found in medical device software almost daily. We must be vigilant in ensuring that all medical devices have a baseline level of security, and medical devices must remain safe and effective despite cybersecurity risks.

Medical devices should have privacy and security built in by design rather than added afterward, when security problems are much harder to address.

Unfortunately, medical device manufacturers commonly fail to seek input from security professionals when designing their devices, so the devices are not built according to well-established computer security engineering principles. That should change.

Fu is currently focused on medical device safety and looks forward to his work at the FDA helping to build public confidence in the security and effectiveness of medical devices despite the inherent cybersecurity threats.

7-Year Breach of Florida Medicaid Applicants’ PHI Due to Failure in Patching

Florida Healthy Kids Corporation, a Medicaid health plan based in Tallahassee, FL, has discovered that its web hosting company failed to patch vulnerabilities, which cybercriminals exploited to gain access to its website and the protected health information (PHI) of individuals who had applied for benefits over the past 7 years.

Florida Healthy Kids used Jelly Bean Communications Design, LLC for website hosting. The website hosted an online application that recorded the information of individuals applying for Florida KidCare benefits or renewing their health or dental coverage online.

On December 9, 2020, Jelly Bean Communications informed Florida Healthy Kids that unauthorized persons had gained access to the website and altered the addresses of several thousand applicants. Florida Healthy Kids engaged cybersecurity specialists to investigate the extent and severity of the breach.

Florida Healthy Kids took the website offline during the investigation to prevent any further unauthorized access. Analysis of the website platform and the databases holding the Florida KidCare application revealed that vulnerabilities had existed between November 2013 and December 2020 and that cybercriminals had exploited them to gain access to the website.

Although the evidence showed that applicant addresses had been tampered with, it is also possible that the hackers exfiltrated applicant information, even though no evidence of data theft was found.

The hackers may have accessed the following types of information: full names, dates of birth, telephone numbers, Social Security numbers, email addresses, physical and mailing addresses, financial information, family relationships of persons listed in the application, and secondary insurance details.

The Florida KidCare online application remains offline while the company finds a new web hosting vendor. Florida Healthy Kids began notifying affected individuals on January 27, 2020 and advised them to take appropriate steps to protect their identities, including placing security freezes and fraud alerts. The number of people affected is not yet known.

Rady Children’s Hospital Faces Class Action Lawsuit Due to the Blackbaud Ransomware Attack

In May 2020, the cloud software firm Blackbaud suffered a ransomware attack. As is common in human-operated ransomware attacks, the attackers exfiltrated data before encrypting files. Some of the stolen files contained the fundraising data of Blackbaud’s healthcare clients.

Rady Children’s Hospital in San Diego is one of the healthcare providers affected. It is California’s largest children’s hospital by admissions. A proposed class-action lawsuit alleges that Rady failed to protect the sensitive information of 19,788 people, which the hackers obtained through Blackbaud’s donor management software.

The lawsuit claims Rady did not implement sufficient security measures and did not ensure that Blackbaud had adequate security measures in place to safeguard ePHI and keep it private. The lawsuit states that persons affected by the breach face an imminent, immediate, substantial and continuing increased risk of identity theft and fraud as a result of the breach and Rady’s negligence.

Blackbaud discovered the ransomware attack in May 2020. The investigation confirmed that the hackers had access to the fundraising files of its healthcare customers from February 7 to June 4, 2020. Blackbaud said the hackers were removed from its network as soon as the breach was discovered, but it learned that the attackers had obtained a subset of client files.

Blackbaud decided to pay the ransom to ensure the stolen data was deleted, and the attackers gave assurances that the records had been permanently destroyed. Rady’s breach notification letters explained that the data likely obtained by the attackers included patients’ names, dates of birth, addresses, physicians’ names, and the department that provided the medical services.

The lawsuit claims Rady cannot reasonably maintain that the hackers deleted the plaintiffs’ personal information. According to the complaint, Blackbaud did not provide confirmation or further details about the disposition of the files to verify that the stolen records were deleted. The lawsuit also states that neither Rady nor Blackbaud knew how the attackers exfiltrated the data, whether it was transmitted securely, or whether it was intercepted by other parties.

According to the lawsuit, Rady had the means to secure patient data but failed to implement appropriate security. The plaintiffs are seeking damages, ongoing protection against identity theft and fraud, and a court order requiring changes to Rady’s security practices to ensure that breaches such as this one, and several others cited in the complaint, do not happen again.

Blackbaud is also facing multiple class-action lawsuits over the breach. At least 23 putative class action lawsuits had been filed against Blackbaud as of its 2020 Q3 quarterly filing with the U.S. Securities and Exchange Commission. The lawsuits were filed in 17 federal courts, 4 state courts, and 2 Canadian courts, and each claims that breach victims suffered harm as a result of the theft of their personal information.

Blackbaud also reported receiving more than 160 claims from its customers and their lawyers in Canada, the U.S., and the U.K. Blackbaud is additionally under investigation by government agencies and regulators, including 43 state Attorneys General and the District of Columbia, the Federal Trade Commission, the Department of Health and Human Services, the Office of the Privacy Commissioner of Canada, and the U.K. GDPR data protection authority, the Information Commissioner’s Office.

Hackers Expose Data Stolen During the Cyberattack on the European Medicines Agency

A cyberattack on the European Medicines Agency (EMA) last December allowed hackers to access third-party files. Some of the data stolen in the cyberattack has since been leaked online.

The EMA is the agency responsible for regulating the testing and approval of COVID-19 vaccines, treatments, and research in the European Union. The EMA had earlier released an update on its investigation of the cyberattack stating that only one IT application was breached. The EMA said it had notified all affected third parties, although it did not name those organizations. In its investigation updates, the EMA stated that the attackers’ main objective was to access COVID-19 treatment and vaccine data. Although it was apparent that the attackers had accessed documents, the EMA had not at that stage confirmed that data had been exfiltrated.

Before the cyberattack, BioNTech and Pfizer had submitted their vaccine data to the EMA as part of the approval process, and the hackers accessed the server holding the documents submitted by Pfizer and BioNTech. Pfizer and BioNTech issued a joint statement in December confirming unauthorized access to documents related to their BNT162b2 vaccine. Moderna likewise reported receiving notification from the EMA that hackers had accessed data relating to its mRNA-1273 COVID-19 vaccine candidate.

In a January 12, 2021 update, the EMA confirmed that the attackers had exfiltrated data and that some of the unlawfully accessed documents, relating to COVID-19 medicines, had been leaked online.

Neither the EMA, BioNTech, nor Pfizer has disclosed which documents or what data were exposed; however, Bleeping Computer reported that the data stolen in the attack was posted on several hacking forums. Several sources in the cybersecurity intelligence community confirmed that the leaked data included peer review information, screenshots of emails, and a number of PDF files, Word documents, and PowerPoint slides.

The EMA continues to fully support the criminal investigation of the data breach and is ready to notify other entities and individuals whose documents and personal information were accessed unlawfully. Law enforcement agencies are helping to take down and secure the exposed data and to identify the people behind the attack. It is currently unclear who was responsible for the cyberattack and whether a nation-state was involved.

The investigation into the attack is still ongoing; however, the EMA stated that the timeline for reviewing and approving the vaccines will not be affected.

Federal Task Force Announces the Probable Russian Origin of the SolarWinds Supply Chain Attack

The Federal Bureau of Investigation (FBI), the Office of the Director of National Intelligence (ODNI), the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) issued a joint statement, with the approval of the Trump Administration, saying that Russian threat actors are responsible for the supply chain attack on the SolarWinds Orion software.

Following the attack, the National Security Council formed a task force, the Cyber Unified Coordination Group (UCG), to investigate the breach. The task force is composed of CISA, the FBI, and ODNI, with the NSA in a supporting role. The task force is still determining the scope of the incident but has reported that an Advanced Persistent Threat (APT) actor, likely of Russian origin, conducted the attack.

There is considerable evidence indicating that the compromise of the SolarWinds software was part of an intelligence-gathering operation conducted by Russia. Although various media outlets had previously reported the breach as Russian-led, the first official public attribution from the Trump administration came from Secretary of State Mike Pompeo and former Attorney General Bill Barr. President Trump had recently suggested that China could be involved and has yet to comment on the attribution to Russia. Russia has once again denied any involvement in the attack.

The attackers compromised the software update function of SolarWinds Orion and inserted a backdoor known as Sunburst/Solarigate to gain remote access to the systems of organizations that installed the compromised update. The investigation confirmed that the activity had been ongoing for 9 months and that the systems of many entities were affected. The attackers then selected targets of interest for follow-on activity. In the second phase of the attack, additional malware was deployed and the attackers attempted to gain access to victims’ cloud environments. Microsoft stated that gaining access to victims’ cloud environments was the main objective of the attack.

The UCG believes that about 18,000 public and private sector organizations received the compromised SolarWinds Orion update; however, a much smaller number saw follow-on activity on their systems. Amazon and Microsoft have begun investigating the breach and are analyzing their cloud environments for indicators of compromise. Based on their research, it appears that the cloud environments of close to 250 of the 18,000 victims were affected. That number may rise as the investigation proceeds.

A further malware variant, a web shell known as Supernova, was also discovered on the systems of some victims. It was installed by exploiting a zero-day vulnerability in the SolarWinds Orion software and does not appear to have been deployed by the same attackers.

Fewer than 10 U.S. government departments had their systems compromised. Most recently, the Department of Justice announced that it was breached. Although the attackers gained access to its systems, the DOJ stated that the breach only affected its Microsoft Office 365 email environment and only around 3% of its mailboxes. The DOJ stated that none of its classified systems appear to have been affected.

Healthcare Companies Warned About DoppelPaymer Ransomware Attacks

The Federal Bureau of Investigation (FBI) has warned the private sector about an increase in DoppelPaymer ransomware attacks. The threat actors behind them are now pressuring victims into paying the ransom.

DoppelPaymer ransomware first appeared in the summer of 2019 and has since become a common variant used in attacks on organizations in education, healthcare, and the emergency services. The Evil Corp (TA505) threat group uses DoppelPaymer in its campaigns alongside the Dridex banking Trojan and Locky ransomware.

Before using the ransomware to encrypt files, the threat group exfiltrates data so that it can use the stolen information to pressure victims into paying. Even when victims could recover the encrypted files from backups, they opt to pay the ransom to avert the risk of the stolen data being exposed.

The threat group is known for demanding large ransoms of up to seven figures. There is reason to believe the group has also resorted to contacting victims directly to pressure them into paying; other ransomware groups, including Sekhmet, Conti and Ryuk, have done the same.

Since February 2020, the DoppelPaymer group has been calling victims to say that failure to pay the ransom would result in the public exposure or sale of the stolen data. In some cases the group has threatened violence. In one instance, an attacker used a spoofed U.S. number to call a victim and made the call appear to come from North Korea, telling the victim that if the ransom was not paid, someone would go to his house. The attacker also called some of the victim’s relatives.

The FBI stated in the alert that some attacks in recent months disrupted essential services at healthcare organizations. A hospital in Germany had to divert patients to other facilities after an attack, and sadly one patient died, possibly because of the delayed treatment. A report by law enforcement authorities later stated that the patient would likely have died regardless of the attack because of poor health. According to the FBI, the attacker abandoned the extortion attempt on learning of the risk to patients’ lives and provided the decryption keys without demanding anything.

Another ransomware attack, in July, hit a large U.S. healthcare company and affected 13 of its servers. No ransom was paid; backups were used to restore the systems, but recovery took several weeks. The ransomware group also attacked a 911 dispatch center in September 2020, leaving it unable to access its computer-aided dispatch (CAD) system. Another attack encrypted a county’s servers, cutting off access to the systems that manage its payroll, patrol, emergency dispatch, and jail functions. In the summer of 2020, an attack also disrupted the emergency services, government functions, and police department of a U.S. city.

Kroll reported a 75% increase in attacks on healthcare providers in October 2020, and ransom payments have also grown. Beazley stated that in the first half of 2020, ransom demands in attacks on its clients doubled. Coveware noted that the average ransom demand in Q3 2020 was $234,000, a 31% increase from Q2.

The FBI continues to advise organizations not to pay ransom demands, since payment guarantees neither file recovery nor the prevention of data exposure, and paying only motivates attackers to carry out further attacks.

Over 114,000 Patients’ Data Exposed Due to the Wilmington Surgical Associates Ransomware Attack

In October 2020, the NetWalker ransomware gang claimed it had attacked Wilmington Surgical Associates, a surgical center in North Carolina. The gang also claimed that before deploying the NetWalker ransomware to encrypt files, it had stolen approximately 13GB of documents containing sensitive information.

The ransomware attack has now been posted on the HHS’ Office for Civil Rights breach portal, which indicates that it resulted in the compromise of the protected health information (PHI) of 114,834 patients.

The NetWalker ransomware gang stepped up its attacks on healthcare providers in 2020. It was responsible for the University of California San Francisco ransomware attack, which also involved the theft of sensitive and valuable research data; the University paid a ransom of $1.14 million to recover the encrypted data.

In 2020 the NetWalker ransomware gang also attacked healthcare providers including the Champaign-Urbana Public Health District in Illinois, the Crozer-Keystone Health System in Philadelphia, and Brno University Hospital in the Czech Republic. Besides healthcare providers, the group also targeted universities such as Columbia College Chicago and Michigan State University.

Cybersecurity firm McAfee released a report in August 2020 stating that the NetWalker gang had received ransom payments of at least $29 million since March 2020, making it one of the most successful ransomware-as-a-service operations.

The group also attacked large companies and high-value targets in 2020. It recruited affiliates specializing in targeted attacks on large companies, involving attacks on firewalls, web application interfaces, Virtual Private Networks, and Remote Desktop Protocol connections. As in the operations of other human-operated ransomware groups, the attacks involved data theft before file encryption; if a victim does not pay the ransom, the stolen data is released on dark net sites.

Because of the growing activity of the NetWalker ransomware gang, the FBI issued a flash alert in July 2020 warning healthcare providers, educational institutions, private sector firms, and government agencies of the heightened risk of attack.

Ransomware Attack on GenRx Pharmacy and Additional Blackbaud Ransomware Attack Victims

GenRx Pharmacy, based in Scottsdale, AZ, is notifying a number of patients about the potential exposure of some of their protected health information (PHI) in a ransomware attack. The pharmacy discovered the attack on September 28, 2020, and its IT staff immediately blocked the attacker’s access to its systems that same day. The investigation found that the ransomware was deployed on September 27, but that before deploying it the attacker had exfiltrated some files containing PHI.

An analysis of the breached files confirmed that they contained PHI including names, addresses, dates of birth, gender, patient IDs, allergy data, prescription transaction IDs, drug lists, health plan details, and prescription data. The pharmacy does not collect Social Security numbers and does not store financial details, so those data were not breached. GenRx Pharmacy had backups, which it used to restore the encrypted data, and did not pay the ransom.

Although the number of people affected is not yet clear, GenRx Pharmacy said fewer than 5% of past patients were affected. Since the attack, GenRx has improved its firewall and anti-virus software, added a web filter, upgraded network monitoring, implemented multi-factor authentication, and deployed a real-time attack detection system. It has also provided employees with additional training and revised internal policies and procedures as needed. Further controls are being evaluated to improve security.

Blackbaud Ransomware Attack Impacted Nebraska Methodist Health System and Texas Tech University Health Sciences Center

Two additional victims of the Blackbaud ransomware attack have reported being impacted by the data breach.

Nebraska Methodist Health System has confirmed that certain personal information and PHI of 39,912 individuals were exposed in the attack. Texas Tech University Health Sciences Center has reported that the incident affected 37,000 people.

Both entities use Blackbaud’s customer relationship management and financial services solutions for fundraising. Between February 7, 2020 and May 20, 2020, the attackers had access to Blackbaud’s systems and may have obtained backup copies of client databases before deploying ransomware. Blackbaud paid the ransom and the attackers gave assurances that the stolen data had been deleted.

Nebraska Methodist Health System stated that the following data were compromised: names, demographic and contact data, medical record numbers, reasons for appointments, treating physicians, treating providers, and encounter types (i.e. emergency outpatient, outpatient surgery, or observation).

The Texas Tech University Health Sciences Center database included names, email and mailing addresses, phone numbers, dates of birth, TTUHSC medical record numbers, and physicians’ names and specialties.

PHI of 295K Patients Potentially Exposed Due to AspenPointe Cyberattack

AspenPointe, a Colorado Springs provider of mental health and behavioral health services, suffered a cyberattack in September 2020 that potentially exposed patient data. The provider shut down its systems while mitigating the attack, which disrupted its operations for several days.

Third-party cybersecurity specialists investigated the breach to determine the extent of the patient data compromise and assisted with system restoration. On November 10, 2020, the investigators confirmed that the attackers had potentially accessed or acquired patient records.

The documents on the breached systems included patient names together with one or more of the following: date of birth, Social Security number, bank account information, driver’s license number, Medicaid ID number, diagnosis code, date of last consultation, and dates of admission/discharge.

Upon discovering the breach, AspenPointe performed a full password reset. It also deployed additional endpoint protection technology, reconfigured its firewall, and upgraded other processes and network monitoring.

The healthcare provider is mailing breach notification letters to all patients potentially affected by the attack and is offering them 12 months of complimentary IDX credit monitoring. Breach victims are also covered by an identity theft insurance policy of up to $1 million and, where warranted, will receive identity theft recovery services.

AspenPointe’s substitute breach notice makes no mention of any reported fraud, identity theft, or misuse of patient information, and no evidence was found that the attackers actually stole patient data.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates that the protected health information (PHI) of 295,617 patients was potentially affected by the attack.

UVM Health Electronic Health Record System is Now Online One Month After Ransomware Attack

A month after being hit by a ransomware attack, the University of Vermont Health Network reported that its electronic health record (EHR) system has been restored. The attack occurred on October 25, 2020 and caused a major outage at six of its hospitals. For the past month, staff had to record patient information, orders, and prescriptions with pen and paper because the computer systems were offline.

UVM continued to provide patient care throughout the attack and recovery process; however, restoring its EHR will significantly improve operations. The attack caused major disruption, particularly at the University of Vermont Medical Center in Burlington, but it affected the entire network. Because essential patient data was inaccessible, various elective procedures had to be rescheduled, and the radiology department on the main campus experienced delays and was only partially open.

In a November 24, 2020 statement, UVM Health said it had reached a significant milestone in its recovery, with its Epic EHR system back online for its inpatient and outpatient environments, including the UVM Medical Center and Central Vermont Medical Center ambulatory clinics, Champlain Valley Physicians Hospital, and Porter Medical Center.

Although electronic patient data can now be accessed and staff can record patient data electronically, the recovery process is not yet over and much work remains. UVM Health teams continue to work around the clock to restore everything fully, quickly, and safely.

The phone system has been restored; however, patients still cannot use the MyChart patient portal, so they cannot yet access their health data online. Hundreds of other patient care applications used by the health network remain inaccessible. UVM Health is working to restore those systems, which will be brought back systematically, with the primary focus on patient-facing systems.

Several other healthcare systems suffered ransomware attacks around the same time as the UVM Health attack. St. Lawrence Health System in New York restored its electronic health record systems two weeks after its ransomware attack, but Sky Lakes Medical Center had to replace most of its network equipment and workstations because of the attack.

Ashtabula County Medical Center (ACMC) in Ohio was especially badly affected by a ransomware attack on September 24, 2020. Besides the medical center, the attack affected 5 health centers. Two months after the attack, the EHR has still not been restored; full restoration may not be achieved until the end of the year.

Cyberattackers Demand Ransoms from Four Winds Hospital, NY and Advanced Urgent Care of Florida Keys

Katonah, NY-based Four Winds Hospital discovered that ransomware had encrypted its files on or around September 1, 2020. The attack blocked the hospital’s access to its computer systems and caused about two weeks of downtime while the attack was mitigated.

When Four Winds Hospital learned of the attack, it immediately took steps to prevent further unauthorized access to its systems. Third-party cybersecurity professionals helped determine the extent of the ransomware attack and whether patient information had been compromised.

According to Four Winds Hospital’s substitute breach notice, the cybersecurity professionals found evidence that the cybercriminals had deleted any files they had taken; however, this could not be independently verified. That suggests the cybercriminals received a ransom payment, although Four Winds Hospital did not confirm this.

The attack did not affect the electronic health record system, email system, cloud environment, or encrypted data fields. According to the investigation, the cybercriminals accessed password-protected files and may have viewed patient listings dating from 1983 to the present. Those listings contained names and medical record numbers, and 100 of the records also included Social Security numbers. The cybercriminals may also have accessed various files containing patient information from 2013 to the present; those files contained the names, Social Security numbers, and treatment details of Medicare patients admitted to the hospital before 2019.

The incident has not yet been posted on the HHS’ Office for Civil Rights breach portal, so the number of patients affected by the breach is still unknown.

Advanced Urgent Care of Florida Keys

Advanced Urgent Care of Florida Keys began notifying patients on November 6, 2020 about a ransomware attack that occurred on March 1, 2020. Although the breach notice does not mention it, Databreaches.net reported on March 14, 2020 that patient data had been stolen during the ransomware attack and that the attackers dumped the stolen data online when no ransom was paid.

According to the Advanced Urgent Care breach notice, the investigation to determine whether patient data had been compromised continued until September 11, 2020. The ransomware attack encrypted files stored on a backup drive that contained protected health information (PHI) such as names, birth dates, medical treatment data, lab test results, medical diagnostic details, health insurance details, medical record numbers, Medicare or Medicaid beneficiary numbers, medical billing data, bank account details, debit or credit card data, driver’s license numbers, CHAMPUS ID numbers, Military and/or Veterans Administration numbers, Social Security numbers, and signatures.

Advanced Urgent Care has offered complimentary credit monitoring services to patients whose Social Security numbers were compromised and has taken steps to improve security in order to prevent further attacks and to detect and remediate future threats.

829,454 Individuals Affected by Luxottica Data Breach

Luxottica, the world’s largest eyewear company, suffered a cyberattack that affected a number of the company’s websites.

Luxottica owns eyewear brands including Ray-Ban, Persol, and Oakley, and manufactures designer eyewear for many well-known fashion brands. It also operates the EyeMed vision benefits company in partnership with Pearle Vision, LensCrafters, EyeMed, Target Optical, and other eye care companies.

Luxottica partners have access to an online appointment scheduling application that allows patients to schedule appointments with eye care providers online and by telephone. According to the latest breach notification, unknown individuals hacked the appointment scheduling application on August 5, 2020 and potentially gained access to the personal data and protected health information (PHI) of patients of Luxottica’s eye care partners.

Luxottica learned of the cyberattack on August 9, 2020 and immediately took action to contain the breach. The subsequent investigation confirmed that the hackers potentially accessed and obtained patients’ personal data and PHI. The types of information compromised included names, contact details, appointment dates and times, health insurance policy numbers, appointment notes, doctors’ notes, and data related to eye care treatment, such as medical conditions, procedures, and prescription medications. Some patients’ credit card numbers and/or Social Security numbers may also have been exposed.

Luxottica has received no reports of misuse of personal data or PHI; however, as a precaution, the company is offering two years of free identity theft protection services through Kroll to individuals whose financial data or Social Security numbers were potentially exposed. Luxottica began sending breach notifications to 829,454 people on October 27, 2020.

Luxottica has suffered other security breaches this year. A Nefilim ransomware attack on September 18, 2020 caused substantial outages and disrupted the eyewear company’s services in China and Italy; the attackers also stole sensitive data before deploying the ransomware.