829,454 Individuals Affected by Luxottica Data Breach

The world’s biggest eyewear company Luxottica encountered a cyberattack that impacted a number of the company’s websites.

Luxottica owns eyewear brands that include Ray-Ban, Persol, and Oakley. It manufactures designer eyewear for many widely recognized fashion brands. It also manages the EyeMed vision benefits firm in partnership with Pearle Vision, LensCrafters, EyeMed, Target Optical, and other eye care companies.

Luxottica partners get access to an online appointment scheduling application that allows patients to book consultation visits with eye care providers online and by telephone. According to the latest breach notification, unknown individuals hacked the appointment scheduling application on August 5, 2020. The hackers potentially gained access to the personal data and protected health information (PHI) of patients of Luxottica’s eye care partners.

Luxottica learned of the cyberattack on August 9, 2020 and immediately took action to contain the breach. The subsequent investigation confirmed that the hackers potentially accessed and obtained patients’ personal data and PHI. The types of information compromised included names, contact details, appointment dates and times, medical insurance policy numbers, appointment notes, doctors’ notes, and data associated with eye care treatment, such as medical conditions, operations, and prescription medications. The credit card numbers and/or Social Security numbers of some patients may also have been exposed.

Luxottica has not received reports of any cases regarding personal data or PHI misuse. However, as a safety precaution, the company offered free two-year identity theft protection services via Kroll to persons whose financial data or Social Security numbers were potentially exposed. Luxottica began sending breach notifications to 829,454 people on October 27, 2020.

Luxottica has experienced other security breaches this year. A Nefilim ransomware attack on September 18, 2020 caused substantial outages and disrupted the eyewear company’s services in China and Italy. The attackers also stole sensitive information before deploying the ransomware.

Cyberattacks on Timberline Billing Service and University of California San Francisco

A ransomware attack on Medicaid billing company Timberline Billing Service, LLC based in Des Moines, IA resulted in file encryption with prior data theft.

Investigators confirmed that an unidentified person had access to Timberline’s systems from February 12, 2020 to March 4, 2020 and installed ransomware. Before encrypting files, the attacker exfiltrated selected information from those systems.

Timberline has clients consisting of about 190 schools in Iowa. It has already notified the affected school districts in the state about the breach. Currently, the exact number of schools affected by the breach is still unclear. There is also no confirmation if the breach only affected schools in Iowa as Timberline likewise has offices in Illinois and Kansas.

The attacker potentially obtained the following types of data: names, birth dates, billing details and Medicaid ID numbers. The Social Security numbers of a limited number of clients were likewise potentially compromised. Although data theft was confirmed by the investigators, there is no report received yet that indicates data misuse.

Timberline has reported the breach to the Department of Health and Human Services’ Office for Civil Rights and indicated that 116,131 people were affected.

PHI Breach at University of California San Francisco

A cyberattack on the University of California San Francisco (UCSF) led to the potential compromise of personal and health data held by the UCSF School of Medicine. UCSF discovered the cyberattack on June 1, 2020; it affected a limited portion of the School of Medicine’s IT systems. No further information was provided about the precise nature of the attack.

A top cybersecurity expert assisted with the investigation and confirmed the compromise of the records associated with present and past UCSF students, employees, collaborators, and research contributors. Those data included names, government ID numbers, medical data, medical insurance details, Social Security numbers, and some financial data. UCSF states that it does not know of any cases of personal data misuse.

UCSF has called in third-party cybersecurity experts to strengthen its IT security defenses to avert other breaches later on.

Sky Lakes Medical Center and St. Lawrence Health System Experience Ransomware Attacks

Two hospitals, St. Lawrence Health System in New York and Sky Lakes Medical Center in Klamath Falls, OR, have encountered ransomware attacks which led to the shutdown of their computer systems and have compelled physicians to use pen and paper to document patient data. The two ransomware attacks happened on Tuesday, October 27, 2020 and involved the Ryuk ransomware.

Sky Lakes Medical Center announced on its Facebook page that although its computer systems are offline, it will continue to provide patient care. Its emergency and urgent care departments stayed open and fully operational, and the majority of scheduled elective procedures went ahead as planned. So far no evidence has been found that suggests any patient information was compromised, but the investigation is only in its early stages.

The ransomware attack on St. Lawrence Health System was discovered a few hours after the preliminary compromise. A statement issued by St. Lawrence Health System indicated that its IT department took its systems offline to try to control the attack and avoid the spread of the ransomware to the entire network.

According to the report, the ransomware attack affected three of St. Lawrence Health System’s hospitals – Gouverneur Hospital, Canton-Potsdam Hospital, and Massena Hospital. As a precautionary step, the ambulances were redirected from the affected hospitals to make sure that patients are provided with proper care.

As with the ransomware attack on Sky Lakes Medical Center, no evidence has yet been found that suggests patient data was compromised, even though the Ryuk ransomware gang has previously been known to exfiltrate patient information before encrypting files.

CISA and the FBI, together with the Department of Health and Human Services (HHS), issued a joint advisory this week to warn hospitals and public health sector institutions about the rise in targeted Ryuk ransomware attacks. There is credible evidence that the number of attacks on hospitals and other healthcare organizations will most likely increase.

Healthcare providers are being urged to take action to protect their systems from ransomware attacks. The advisory also publishes indicators of compromise and mitigation measures to help prevent attacks and identify attacks in progress.

Hackers Blackmail Finnish Psychotherapy Provider and Patients

Vastaamo, a leading psychotherapy provider from Finland, has experienced a cyberattack that resulted in the theft of highly sensitive patient information. The cybercriminals threatened to expose the stolen information if no ransom payment is made and selected patient records have already been published online.

Vastaamo serves around 40,000 patients throughout over two dozen clinics in Finland. Last week, Vastaamo started informing patients regarding the data breach after an individual contacted three of its employees and demanded 40 Bitcoin ($500,000) payment to avoid the exposure of stolen patient information.

Vastaamo is not the only party to have received ransom demands. When Vastaamo did not pay, the attacker, who calls himself “the ransom guy”, also sent ransom demands to patients, asking them to pay €200 ($236) in Bitcoin to prevent the publication of their data. Preliminary reports suggested that the information of around 300 patients was posted on a darknet site, though later reports suggest a 10GB file containing the records of approximately 2,000 patients was posted on the dark web.

The BBC contacted one patient who said the attacker gave him 24 hours to pay the initial ransom demand or the notes from the psychotherapy he received as a teenager would be published. The attacker also said the demand would rise to €500 ($515) if the ransom was not paid within 24 hours.

Vastaamo reported on its website that access to its systems appears to have been obtained at some point in November 2018, and that another breach took place in March 2019. The information stolen in the incident appears to relate to patients who received treatment prior to November 2018, although it is possible that records were stolen in the second breach in March 2019.

Vastaamo stated the breach affected the following data: customer names, ID numbers, dates of consultations, and information manually entered by the psychotherapy expert, which may have included care plans, notes from sessions, and statements submitted by the patients to authorities.

It is unclear at this time how many Vastaamo patients were affected by the breach, although the director of Finland’s National Bureau of Investigation, Robin Lardot, believes the data of tens of thousands of patients was stolen. It is also unclear why the threats have only been issued now. Possibly a third party bought the stolen data and has set out on an extortion campaign.

Records of psychotherapy sessions are among the most sensitive data held by healthcare providers. Patients discuss their problems in a confidential setting where they feel safe and protected, and what they disclose in sessions may never have been shared with anyone else. Finland’s interior minister described the incident as “a shocking act which hits all of us deep down.” He added that Finland must be a country where help for mental health issues is available and can be sought without fear.

For a company offering psychotherapy services, the confidentiality of customer data is critically important and the starting point for all operations, and Vastaamo said it deeply regrets the leak resulting from the data breach. Vastaamo also stated that it has dismissed its CEO, Ville Tapio, for not informing its board of directors and parent company about the March 2019 breach.

6 Russian Hackers Charged for Offensive Cyber Campaigns – the 2017 NotPetya Wiper Attacks Included

The U.S. Department of Justice has announced the indictment of 6 Russian hackers for their part in the 2017 NotPetya malware attacks and a long list of offensive cyber operations against targets in the USA and other countries.

The six individuals are alleged to be associates of the GRU, Russia’s Main Intelligence Directorate, specifically GRU Unit 74455, which is known as Sandworm. The Sandworm unit is regarded as responsible for many offensive cyber campaigns conducted over a number of years.

Sandworm is believed to have played a key role in efforts to influence foreign elections, including the 2017 French presidential election and the 2016 U.S. presidential election. One of its most damaging operations was the use of the NotPetya malware in 2017. The NotPetya wiper was used in destructive attacks around the world that exploited a vulnerability in Microsoft Windows Server Message Block version 1 (SMBv1).

NotPetya affected a number of medical centers and hospitals, destroying data and shutting down computer systems. It also hit the pharmaceutical company Merck, FedEx subsidiary TNT Express and the Danish shipping company Maersk. The cost of the NotPetya attack on Merck alone was estimated at $1.3 billion. Total damages from the malware exceed $10 billion, and more than 300 firms around the world were affected.

Sandworm was also behind attempts to disrupt the 2018 Winter Olympics using the Olympic Destroyer malware, and attempts to interfere with the investigation into the Novichok poisoning of former Russian spy Sergei Skripal and his daughter, which was being conducted by the Organization for the Prohibition of Chemical Weapons and the U.K.’s Defense Science and Technology Laboratory.

Sandworm was likewise responsible for the destructive attacks on Ukraine’s energy grid between December 2015 and December 2016, and on other government targets, using the BlackEnergy, KillDisk, and Industroyer malware, as well as attacks on government entities and corporations in Georgia in 2018.

The indicted Russian operatives are Sergey Vladimirovich Detistov, Yuriy Sergeyevich Andrienko, Pavel Valeryevich Frolov, Artem Valeryevich Ochichenko, Anatoliy Sergeyevich Kovalev, and Petr Nikolayevich Pliskin. Each has been charged on 7 counts:

  • one count of conspiracy to commit computer fraud and abuse
  • one count of conspiracy to commit wire fraud
  • one count of intentional damage to a protected computer
  • two counts of wire fraud
  • two counts of aggravated identity theft, including false registration of domain names

The maximum sentence if convicted on all 7 counts is 71 years in prison. The indictment also details the specific role each defendant played in the attacks and the intelligence gathered on each individual by intelligence agencies, foreign governments, law enforcement, and private firms.

Russia has responded by denying any involvement in the cyberattacks attributed to the hackers. A spokesperson for the Russian embassy in Washington said that Russia does not and did not have any motive to engage in any kind of destabilizing activity anywhere in the world.

It is unlikely that the charged attackers will ever face trial, since there is no extradition treaty between Russia and the United States.

Data Breaches at Piedmont Cancer Institute, McLaren Oakland Hospital and The Health and Wellness Clinic

Piedmont Cancer Institute (PCI) located in Atlanta, GA is sending notifications to 5,226 patients about the potential compromise of some of their protected health information (PHI) because of an unauthorized person acquiring access to one employee’s email account.

An independent cybersecurity company assisted PCI and confirmed that the email account had been accessed for over a month. The unauthorized individual first gained access to the account on April 5, 2020, and PCI secured it on May 8, 2020.

The review of the compromised account was completed on August 8, 2020 and showed that it contained protected health information. Besides names, the affected patients had one or more of the following data elements exposed: birth date, credit/debit card number, financial account data, and/or medical details such as diagnosis and treatment information.

To avert the occurrence of other breaches, PCI has put in place multi-factor authentication on its email accounts and provided additional training to its employees regarding email security.

McLaren Oakland Hospital Identified Potential Data Breach

McLaren Oakland Hospital based in Pontiac, MI has uncovered that 2,219 patients’ PHI was compromised and unauthorized individuals may have accessed it.

On July 10, 2020, McLaren Oakland learned that a file on a desktop computer contained an unauthorized and unsecured URL pointing to a file that held the protected health information of current and former patients.

No evidence has been found that any of the sensitive information in the file was accessed without authorization, and no reports have been received suggesting that patient information was misused. As a precaution, McLaren Oakland Hospital advised the affected individuals to monitor their account statements and credit reports for any sign of misuse of their PHI. The hospital also offered the affected patients complimentary membership of identity theft protection and monitoring services.

When the PHI exposure was discovered, the hyperlink was disabled. Investigators found that an employee had accidentally made the hyperlink insecure. McLaren Oakland has reviewed its policies and procedures and given staff further training on patient privacy and data security.

Patient Records Stolen from Health and Wellness Clinic in Edmonds, WA

The Health and Wellness Clinic is a natural medicine and physical care solutions provider based in Edmonds, WA. Thieves broke into its facility and stole patient records.

Over the weekend of August 29 to 30, a burglar forced open a locked storage room off the clinic’s massage suite. The room appeared to have been rummaged through, documents had been removed from a number of files, and a box of paper files was missing. The stolen documents contained data such as names, Social Security numbers, birth dates, health histories, and treatment information.

The Health and Wellness Clinic reported the theft to the police. The police investigated, identified a suspect and recovered the stolen box of paper records. It is currently unclear how many paper records were taken from the clinic.

Business Associate Pays Penalty of $2.3 Million for ePHI Exposure of 6M People and Multiple HIPAA Failures

The Department of Health and Human Services’ Office for Civil Rights has announced its 10th HIPAA violation penalty of 2020. This is the seventh financial penalty to settle HIPAA violations announced in the space of a few days.

The latest financial penalty is the largest imposed in 2020. It amounts to $2.3 million and settles a case concerning 5 potential violations of the HIPAA Rules, including the exposure of the electronic protected health information (ePHI) of 6,121,158 people.

CHSPSC LLC based in Tennessee is a management firm that offers services to numerous subsidiary hospital operator firms and other affiliates of Community Health Systems. Services provided include legal, accounting, compliance, operations, IT, health information, and human resources management services. Offering those services involves ePHI access, therefore CHSPSC is categorized as a business associate and needs to abide by the HIPAA Security Rule.

On April 10, 2014, CHSPSC experienced a cyberattack conducted by an advanced persistent threat group called APT18. The attackers employed compromised admin credentials and had remotely accessed CHSPSC’s data systems through its virtual private network (VPN) solution. CHSPSC did not identify the attack until the Federal Bureau of Investigation (FBI) sent notification on April 18, 2014 about the breach of its systems.

While the hackers had access to CHSPSC’s systems, the ePHI of 6,121,158 individuals was downloaded. The records had been provided to CHSPSC by 237 HIPAA-covered entities that used its services. The stolen data contained the following data elements: name, birth date, gender, telephone number, email address, Social Security number, ethnicity, and emergency contact data.

OCR investigated the breach and found systemic noncompliance with the HIPAA Security Rule. Although it may not always be possible to prevent cyberattacks by advanced threat actors, once an attack is detected, action should be taken immediately to limit the harm caused. Despite being alerted by the FBI in April 2014 that its systems had been compromised, the hackers remained active in CHSPSC’s information systems for 4 months and were only removed in August 2014. During that time CHSPSC did not stop the unauthorized access to ePHI, in violation of 45 C.F.R. § 164.502(a), and the attackers continued to steal ePHI.

The failure to respond to a known security incident between April 18, 2014 and June 18, 2014, to mitigate the harmful effects of the data breach, and to document the incident and its outcome was a violation of 45 C.F.R. § 164.308(a)(6)(ii).

OCR investigators also found that CHSPSC had failed to conduct an accurate and thorough risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).

Technical policies and procedures to restrict access to the information systems holding CHSPSC’s ePHI to authorized persons and software programs had not been implemented, in violation of 45 C.F.R. § 164.312(a).

Procedures to ensure that records of information system activity, such as logs and system security event monitoring reports, were regularly reviewed had not been implemented, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(D).
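The last two findings above (unrestricted access to systems holding ePHI, and no routine review of activity logs) are the controls that would have surfaced the VPN logins with compromised admin credentials described earlier. As an added illustration that is not part of the OCR announcement or CHSPSC’s environment, the Python below implements a minimal version of the log review 45 C.F.R. § 164.308(a)(1)(ii)(D) calls for: it parses VPN authentication log lines and flags successful logins by privileged accounts that come from outside the organization’s known address ranges or outside business hours. The log format, account names, address ranges, and log lines are all constructed for the example.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample VPN authentication log. The line format, user names and
# addresses are assumptions for this example, not real data from any incident.
SAMPLE_VPN_LOG = """\
2014-04-10T02:13:41Z vpn01 auth user=svc_backup src=203.0.113.45 result=success
2014-04-10T09:02:10Z vpn01 auth user=jsmith src=198.51.100.7 result=success
2014-04-10T09:05:33Z vpn01 auth user=adm_dbowner src=198.51.100.12 result=success
2014-04-11T03:41:09Z vpn01 auth user=adm_dbowner src=203.0.113.45 result=success
2014-04-11T03:42:15Z vpn01 auth user=adm_dbowner src=203.0.113.45 result=failure
2014-04-11T10:15:00Z vpn01 auth user=rlee src=198.51.100.9 result=success
"""

# Accounts that can reach systems holding ePHI (constructed).
PRIVILEGED_USERS = {"adm_dbowner", "svc_backup"}
# Address ranges from which administrators are expected to connect (constructed).
TRUSTED_NETWORKS = ["198.51.100.0/24"]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_vpn_log(text):
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def review_privileged_logins(records, privileged_users, trusted_networks,
                             business_hours=(7, 19)):
    """Return the successful privileged logins a reviewer should look at.

    A login is reported when the source address is outside every trusted
    network, or when it falls outside the business-hours window (UTC hours,
    start inclusive, end exclusive). Both reasons are recorded when both apply.
    """
    nets = [ip_network(n) for n in trusted_networks]
    start, end = business_hours
    findings = []
    for rec in records:
        if rec["user"] not in privileged_users or rec["result"] != "success":
            continue
        reasons = []
        if not any(ip_address(rec["src"]) in net for net in nets):
            reasons.append("untrusted source")
        if not start <= rec["ts"].hour < end:
            reasons.append("outside business hours")
        if reasons:
            findings.append({
                "ts": rec["ts"].isoformat(),
                "user": rec["user"],
                "src": rec["src"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in review_privileged_logins(parse_vpn_log(SAMPLE_VPN_LOG),
                                      PRIVILEGED_USERS, TRUSTED_NETWORKS):
        print(f"{f['ts']} {f['user']} from {f['src']}: {', '.join(f['reasons'])}")
```

Run against the sample log, the two off-hours logins from the untrusted address are reported and the in-hours login from the corporate range is not. In a real deployment the review output would feed a ticket or SIEM alert so that the incident response procedure under § 164.308(a)(6)(ii) is actually triggered rather than the log simply being written.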

Threat actors and cyberthieves quite often target the health care sector. The inability to enforce the security requirements demanded by the HIPAA guidelines, particularly after being informed by the FBI of a probable breach, cannot be excused. A massive financial penalty was thus proper.

CHSPSC chose not to contest the case and agreed to pay the financial penalty to settle the HIPAA violations. The settlement also requires CHSPSC to adopt a robust corrective action plan addressing all areas of noncompliance, and CHSPSC will be closely monitored by OCR for two years.

Patient Died Because of a Hospital Ransomware Attack

Patient safety is at risk because of ransomware attacks on hospitals. File encryption leads to the crash of essential systems and breakdowns in communication systems, which prevent clinicians from being able to access the patients’ health records.

Highly disruptive attacks can force hospitals to divert patients to other facilities, which recently happened at the University Clinic in Düsseldorf, Germany because of a ransomware attack. One patient who needed emergency treatment for a life-threatening condition was redirected to another facility in Wuppertal, roughly 21 miles away. The diversion delayed treatment by an hour and the patient subsequently died. The death might have been avoided had the patient been treated sooner.

The ransomware attack that happened on September 10, 2020 completely disabled the clinic’s systems. Investigators confirmed that the attackers got access to the network by exploiting a vulnerability present in a popular commercial add-on software. As the encryption took its course, the hospital systems started to crash making the medical records unavailable.

The clinic had to suspend registration for emergency care and postpone doctor visits and outpatient care. All patients were informed that visits to the clinic would be on hold until the attack was resolved. A week later the hospital had still not resumed normal operations, though it had begun to bring critical systems back online.

As per the latest Associated Press statement, the attack affected 30 servers at the hospital. The attackers’ ransom demand was discovered on an encrypted server. The hospital notified the police authorities which used the information in the ransom note to contact the attackers.

It would seem that the attackers had no intention of attacking the medical clinic since the ransom note was meant for Heinrich Heine University in Düsseldorf. Law enforcement authorities told the attackers that the attack affected the hospital and put patient safety in danger.

The attackers provided the keys to decrypt the files and did not proceed with the extortion. It was not possible to contact them afterwards. Law enforcement is still investigating the attack, and the attackers could face charges of negligent homicide.

So far there are no confirmed incidents of ransomware attacks on healthcare providers that caused the death of a patient. However, when ransomware attacks disable hospital systems, patients cannot receive treatments for fatal conditions, which may lead to tragic events.

A number of ransomware groups have made public statements that they won’t perform any attack on healthcare facilities if it will affect hospital systems. Moreover, the gangs will provide the keys to decrypt files for free. Nonetheless, whether or not decryption keys are provided, it is not easy to recover from an attack. Some ransomware groups made no such statements and still attack medical facilities.

Breaches at Imperium Health, Atrium Health and Saint Luke’s Foundation

Imperium Health Management based in Louisville, KY, a development services provider to Accountable Care Organizations (ACOs), is notifying 139,114 people about the potential compromise of some of their protected health information (PHI) in a recent phishing attack.

Imperium Health discovered the attack on April 23, 2020. The investigation found that two email accounts were compromised, one on April 21, 2020 and another on April 24, 2020, after employees responded to phishing emails. The emails contained hyperlinks that appeared legitimate but led the employees to a web page where their email credentials were harvested.
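The hyperlinks in this attack looked legitimate but resolved to a credential-harvesting page, which is the classic mismatch between what an email link displays and where it actually goes. As an added defensive example that is not part of the Imperium Health report, the Python below scans the HTML body of an email for anchors whose visible text names one host while the href points to another, and for destinations outside an allowlist of the organization’s own domains. The sample email, the domain `example-health.org` and the address `198.51.100.23` are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style email body (not from any real incident).
SAMPLE_PHISHING_HTML = """
<p>Your mailbox is almost full. Review your quota at
<a href="http://198.51.100.23/owa/login">https://mail.example-health.org/owa</a>
or contact <a href="https://helpdesk.example-health.org">the help desk</a>.</p>
"""

# Matches a host name (optionally preceded by a scheme) inside link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host part of a URL; scheme-less hrefs are tolerated."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def find_deceptive_links(html, trusted_domains=()):
    """Return links whose displayed host differs from the real destination,
    or whose destination is outside the trusted domains (when any are given)."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        reasons = []
        shown = URL_IN_TEXT.search(text)
        if shown:
            text_host = shown.group(1).lower()
            if not _under(href_host, text_host):
                reasons.append(f"text shows {text_host} but link goes to {href_host}")
        if trusted_domains and not any(_under(href_host, d) for d in trusted_domains):
            reasons.append(f"destination {href_host} is not a trusted domain")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_PHISHING_HTML, ("example-health.org",)):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

On the sample message the quota link is reported for both reasons (its text shows the organization’s webmail host while the href goes to a bare IP address, which is also outside the trusted domains), and the help desk link, whose text is plain words and whose destination is under the trusted domain, is not. This kind of check is cheap enough to run in a mail gateway or in a user-facing “report phish” tool, and it complements, rather than replaces, the multi-factor authentication that Imperium Health added after the incident, since MFA limits what a harvested password is worth.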

An analysis of the compromised email accounts showed that they held the following PHI: patient names, dates of birth, addresses, medical record numbers, medical insurance information, account numbers, Medicare numbers, Medicare Health Insurance Claim Numbers (which may include Social Security numbers), and some clinical and treatment data. Imperium Health only learned on June 18, 2020 that the email accounts contained PHI.

An independent computer forensics firm assisted with the investigation and confirmed that only the two email accounts were compromised; the attackers did not access any other part of Imperium Health’s systems. Although it is possible that the attacker viewed or obtained patient information, no evidence has so far been found that patient data was viewed, acquired, or misused in any way.

Imperium Health has enforced more security steps to secure its systems from other cyberattacks. Two-factor authentication on remote access to email accounts and new methodologies to secure sensitive data transfer were implemented. Employees also received further training on email security and phishing email identification.

Blackbaud Ransomware Attack Impacts Atrium Health and Saint Luke’s Foundation

Saint Luke’s Health Foundation has reported that the personal and demographic data of 360,212 people was compromised in the recent Blackbaud ransomware attack.

The attackers obtained a backup copy of a database and used it to extort money from Blackbaud. The data is believed to have been taken at some point between February 7, 2020 and May 20, 2020. Blackbaud decided to pay the ransom to obtain the keys to unlock the encrypted files and to prevent further exposure of the data stolen in the attack. Blackbaud believes the attacker did not disclose any data to any party or the public, and that all stolen data was permanently deleted.

The compromised data included names, mailing and email addresses, phone numbers, and/or birth date. Some patients may have had the names of their guarantors compromised, together with a number of patient medical data like dates of service and patient care departments.

Atrium Health is a leading healthcare system in the country with more than 900 care locations. It also reported that the Blackbaud ransomware attack affected the data of its patients. Compromised patient data included first and last names, contact details, demographic data (such as birth date, guarantor details, applicable decedent status, and patient ID numbers), dates of treatment, locations of service, and name of treating doctors. For minors impacted by the breach, the guarantor’s name and their relationship were also exposed. The date and amount of donation of patients who gave to Atrium Health were also stolen.

Over 60,000 People Affected by Ransomware Attacks on Northwestern Memorial HealthCare and the City of Lafayette

Northwestern Memorial HealthCare has learned that the personal data of people who previously donated to it was potentially compromised in the recent Blackbaud ransomware attack. An unauthorized person first accessed Blackbaud’s systems on February 7, 2020 and may have retained access until the ransomware was deployed on May 20, 2020.

Before deploying the ransomware, the attacker may have accessed a database backup containing names, dates of birth, age, gender, medical record numbers, departments of service, dates of service, treating doctors, and/or limited clinical data. The Social Security numbers and/or financial/payment card details of 5 individuals were also present in the database. In total, the details of 55,983 Northwestern Memorial HealthCare donors were probably compromised in the attack.

Northwestern Memorial HealthCare is reviewing its third-party database storage vendors and its connection with Blackbaud so as to avoid identical data breaches later on.

Names and Medical Insurance Data of 15,000 Lafayette Fire Department Ambulance Users Exposed

On July 27, 2020, a ransomware attack on the City of Lafayette, CO disrupted its telephone, email, online billing, and reservation systems and made essential data inaccessible. After weighing the costs and benefits of all possible options, the city decided to pay the attackers $45,000 to avoid major disruption to its online operations.

Before deploying the ransomware, the attackers could have accessed personal data stored on Lafayette’s computer systems, such as city employees’ Social Security numbers and the usernames and passwords of people who used its online services. In addition, the attackers may have obtained the names and medical insurance identification numbers of 15,000 people transported by Lafayette Fire Department ambulances before January 1, 2018.

The city has removed the ransomware, restored its network servers and computers, deployed crypto-safe backup systems, and implemented additional cybersecurity measures to prevent further ransomware attacks.

Cyber Attacks on R1 RCM Medical Collection Agency and Beaumont Health

One of the largest medical debt collection companies in the US has suffered a ransomware attack. R1 RCM of Chicago, formerly known as Accretive Health Inc., reported revenue of $1.18 billion in 2019 and works with over 750 healthcare customers. The number of clients affected by the attack is not yet known.

Brian Krebs of Krebs on Security recently reported the breach. R1 RCM confirmed the ransomware attack, which forced it to shut down its systems. Restoration efforts are still in progress.

R1 RCM has released no information about the type of ransomware used in the attack, and it is not known whether the attackers stole patient information before encrypting files. Krebs reported that Defray was the ransomware used. Defray is typically distributed through malicious Word documents sent by email in small, targeted campaigns, and the threat actors behind it have attacked the education and healthcare sectors in the past.

In 2019, American Medical Collection Agency (AMCA), another medical debt collection agency, suffered a ransomware attack in which the attackers stole about 27 million records before encrypting data. The AMCA incident was the largest data breach of 2019, and the cost of the attack forced AMCA into bankruptcy. Since R1 RCM has far more customers than AMCA, this attack could be much larger, although it is not yet known whether the Defray ransomware operators stole data before encrypting files.

6,000 Patients Affected by Beaumont Health Phishing Attack

Beaumont Health, the biggest healthcare system in Michigan, began informing 6,000 patients concerning the potential access of some of their protected health information (PHI) by unauthorized people due to a phishing attack.

Unauthorized people had access to several employee email accounts from January 3, 2020 to January 29, 2020. Beaumont Health found out on June 5, 2020 that one or more of the compromised email accounts contained patient information. The following data might have been included: names, birth dates, diagnosis codes, diagnoses, procedures performed, treatment holiday area, treatment type, medication details, Beaumont medical record numbers and patient account numbers. Beaumont Health notified the impacted patients regarding the incident on July 28, 2020.

This is Beaumont Health’s second data breach report that is related to a phishing attack in 2020. In April, the health system informed 112,000 people regarding a phishing attack that happened in 2019. After the attacks, Beaumont Health took important steps to enhance email security, such as enhancing its multi-factor authentication software program, completing a risk analysis, and giving more training and education to Beaumont staff about identifying and managing malicious emails. The internal policies and procedures likewise had alterations to determine and remediate potential threats to reduce the possibility of the same event happening later on.

Ransomware Attacks on Four Healthcare Companies and a Ventilator Manufacturer

Boyce Technologies Inc., a transport communication systems provider based in Long Island City, NY, recently converted its manufacturing facilities to produce ventilators that hospitals can use during the pandemic. Boyce Technologies suffered a DoppelPaymer ransomware attack, and data was stolen prior to file encryption. The threat actor published some of the stolen information on its blog, including assignment forms, purchase orders, and other sensitive information.

The FDA approved Boyce Technologies Inc. to produce ventilators, and the company was manufacturing approximately 300 machines per day. Hospitals in New York use the ventilators, and the company is currently producing ventilators for other locations. The ransomware attack threatens the production of those ventilators and may put lives at risk.

Piedmont Orthopedics/OrthoAtlanta, an orthopedic and sports medicine network located in the greater Atlanta area, encountered a Pysa (Mespinoza) ransomware attack. As with the Boyce Technologies attack, the threat actors stole sensitive information before encrypting files. Databreaches.net reported that the threat actors published approximately 3.5 GB of information online, including files containing the protected health information (PHI) of patients.

The Center for Fertility and Gynecology in Los Angeles, CA and the Olympia House Rehab in Petaluma, CA, on the other hand, encountered Netwalker ransomware attacks. The threat actors stole data, including patients’ PHI, and published it on the internet.

Muskingum Valley Health Centers in Zanesville, OH recently informed 7,447 of its patients that threat actors potentially obtained some of their PHI as a result of a ransomware attack on the EHR of OB GYN Specialists of Southeastern Ohio Inc, which contained the information of patients who received treatment from 2012 to 2017. The attack happened on May 31, 2020, but Muskingum Valley identified the incident on June 2.

The investigators did not find any evidence indicating the theft of patient information before the ransomware attack, although there is still the possibility of data theft. The attackers most likely accessed names, birth dates, addresses, diagnoses, health conditions, laboratory test data, treatment data, insurance claim details, Social Security numbers, and financial data.

Muskingum Valley offered the affected persons free credit monitoring and identity theft recovery services for 2 years. Security guidelines, procedures and passwords were also updated to avoid more attacks.

There were 41 healthcare providers that submitted ransomware attack reports in the first six months of 2020 as per Emsisoft. The double-extortion attacks which entail threats to expose or sell information when the victim doesn’t pay the ransom are increasing, considering that a lot of threat groups are now taking on this strategy. Emsisoft states that about 1 in 10 ransomware attacks today come with data theft.

Russian APT Group is Targeting Organizations Involved in COVID-19 Research

The APT29 hacking group, also known as Cozy Bear, is targeting healthcare organizations, pharma companies, and research agencies in the United States, United Kingdom, and Canada in an attempt to steal research information about COVID-19 and the development of a vaccine.

On July 16, 2020, Canada’s Communications Security Establishment (CSE), the National Security Agency (NSA), the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) issued a joint advisory to heighten awareness of the threat.

APT29 is a cyber espionage group that is almost certainly associated with the Russian intelligence services. The group mainly targets government entities, diplomats, think-tanks, and energy organizations in order to steal sensitive information. The group has been very active throughout the COVID-19 pandemic and has carried out several attacks on entities working on COVID-19 research and vaccine development.

The group conducts widespread scanning to identify unpatched vulnerabilities and makes use of publicly available exploits to gain access to vulnerable systems. The group has used exploits for these vulnerabilities: the Citrix vulnerability CVE-2019-19781, the FortiGate vulnerability CVE-2019-13379, the Pulse Secure vulnerability CVE-2019-11510 and the Zimbra vulnerability CVE-2019-9670. The group may also use other exploits.

APT29 uses a number of tools to obtain access credentials and maintain persistent access to systems, and employs anonymizing services whenever using stolen credentials. APT29 is using custom malware variants to attack organizations, including WellMess and WellMail, two malware variants that APT29 had not used previously.

WellMess is a lightweight malware written in Golang or .NET that can execute arbitrary shell commands, upload and download files, and communicate with its command and control (C2) servers over HTTP, TLS and DNS. WellMail is a lightweight application that uses hard-coded client and certificate authority TLS certificates to communicate with its C2 servers. A third malware variant, called SoreFang, is being used too. SoreFang is a first-stage downloader that exfiltrates information over HTTP and downloads a second-stage malware. The attackers use the malware to target SangFor devices.

Attacks on institutions engaged in COVID-19 research are most likely to keep going and any organization involved in COVID-19 research ought to consider itself as a target. Entities were advised to take action to protect their systems and keep track of attacks.

Organizations must make sure to patch and update all software and prioritize the patches for CVE-2019-13379, CVE-2019-9670, CVE-2019-19781 and CVE-2019-11510. Antivirus software must be utilized and kept up to date, and regular scans must be done to determine downloaded malware variants.

Multi-factor authentication should be enforced to prevent stolen credentials from being used to access systems. All staff should be educated about the threat from phishing and should be confident in their ability to identify a phishing attack. All staff should be told to report any suspected phishing attacks to their security teams, and reports should be investigated quickly and carefully.

Organizations have been cautioned to create a security monitoring system to ensure that all required data is gathered to support investigations into network intrusions. Networks ought to be segmented, and there ought to be action to prevent and detect lateral movement within networks.

Malware Attack on Benefit Recovery Specialists Exposed the PHI of 274,837 People

Benefit Recovery Specialists, Inc. (BRSI), a billing and collection company based in Houston, TX, announced the discovery of malware on its systems and the potential access of unauthorized persons to protected health information (PHI).

BRSI is a business associate of health plans and healthcare providers, which provided the personal information and PHI of their present and past members and patients that was stored on the BRSI systems.

BRSI discovered the malware on April 30, 2020 and launched an internal investigation without delay. Third-party computer forensics experts investigated the breach to establish the magnitude and scope of the malware attack. According to the investigation result, an unauthorized person accessed the BRSI systems by using compromised employee account information. After establishing a foothold in the system, the attacker was able to download the malware.

The forensic specialists concluded that the attacker first accessed the BRSI systems on April 20, 2020 and retained access until April 30, 2020. Throughout that time, the attacker had access to PHI, which could have been copied. BRSI posted a substitute breach notice on its website, but it did not mention the kind of malware used.

The compromised types of sensitive information stored on its systems included names, birth dates, dates of service, names of providers, policy ID numbers, diagnosis codes, and/or procedure codes. The Social Security numbers of certain people were likewise most likely breached.

The conducted investigation of the breach finished on May 29, 2020. BRSI began sending notification letters to patients on June 2, 2020. There is no evidence found regarding the misuse of any PHI, nevertheless, BRSI advised the affected persons to stay alert to the possibility of identity theft and scams and to keep checking their account transactions and explanation of benefits statements for any indication of misuse of their data. According to the substitute breach notice, it seems that BRSI did not offer the breach victims any credit monitoring services.

BRSI has reported the incident to the Department of Health and Human Services’ Office for Civil Rights. The breach summary indicates that 274,837 people were affected, making this one of the biggest healthcare data breaches reported in 2020.

$1.14 Million Ransom Paid by University of California San Francisco to Resolve NetWalker Ransomware Attack

University of California San Francisco made a ransom payment of $1.14 million to the NetWalker ransomware gang to resolve an attack on its School of Medicine servers that resulted in the encryption of data. The attack happened on June 1, 2020. UCSF isolated the impacted servers but could not prevent file encryption.

UCSF School of Medicine is involved in research to discover a COVID-19 cure and the university is seriously engaged in antibody tests. The ransomware attack did not hinder COVID-19 related work nor patient care delivery procedures. UCSF is convinced that the attackers did not get access to patient information, though certain files were compromised during the attack.

The encrypted information was important to the university’s research. Since file recovery from backups was not possible, UCSF negotiated with the attackers and paid roughly $1.14 million in ransom in exchange for decryption of the data and the return of the data they stole.

The BBC received an anonymous tip-off regarding the live dark web chat between the negotiators and the NetWalker ransomware operators. Based on the report, the attackers posted a sample of the stolen data online. However, after UCSF contacted the attackers via email, the data was taken down to make way for negotiation. At first, UCSF offered a ransom payment of $780,000, but the NetWalker group demanded $3 million. The two later agreed on a payment of 116.4 Bitcoin, or $1,140,895.

UCSF explained on its website that the ransomware attack investigation seems to indicate that the target of the attack was not UCSF nor the School of Medicine. The investigators think that the malware encryption of the servers happened opportunistically. No specific area was targeted. UCSF reported the attack to the FBI and is helping with the investigation.

The Netwalker ransomware attacked three universities in the U.S.A., including UCSF, within one week in June. The other universities attacked were Columbia College, Chicago and Michigan State University. The stolen Columbia College data posted on the Netwalker website is now gone, which means the college paid the ransom as well.

Ransomware Attacks Reported by Rangely District Hospital and Electronic Waveform Lab

Rangely District Hospital in Colorado started notifying patients regarding the ransomware attack in April 2020 that impacted some of their protected health information (PHI) stored on parts of its network.

The hospital discovered the ransomware attack on April 9, 2020 and took steps to contain the attack. But it wasn’t possible to stop the encryption of some files, a number of which held patient information.

Rangely District Hospital said the first attack on its systems happened on April 2, 2020; however, ransomware was not deployed until April 9, 2020. The hospital reported that the encryption process was automated, and no evidence was found that suggests data access or exfiltration. The investigation shows that an international threat actor carried out the attack, but it was impossible to determine who was behind it.

Though it is believed that the attackers did not access patient data, it wasn’t possible to ascertain there was no unauthorized access. The ransomware encrypted files that could have been viewed. The following types of personal and PHI were included: names, addresses, telephone numbers, dates of birth, social security numbers, driver’s license copies, dates of hospital admissions or service, diagnoses and conditions, treatment or procedure notes and orders, medications, imaging studies, and health insurance and claims and billing details.

Although it was possible to restore many files from backups without paying the ransom, some patient data remains inaccessible. Besides the files containing patient information, files necessary to a legacy software system were also encrypted and couldn’t be recovered. Rangely District Hospital used a ‘Meditech’ database for keeping patient documents between August 2012 and August 2017, and the legacy software is necessary to view patient data in the database. The attack did not affect the database itself, but without the software, patient documents created during that 5-year period can’t be accessed. The information of certain patients who received home health services between June 2019 and April 2020 was also still inaccessible. Rangely District Hospital is presently considering other options to access the database.

Patient Data Potentially Exposed Due to a Ransomware Attack at Electronic Waveform Lab

Electronic Waveform Lab, a manufacturer of medical, ophthalmic, surgical, and veterinary instruments based in Huntington Beach, CA, reported a ransomware attack and the encryption of information stored on some of its servers.

The impacted servers had a minimal amount of private and health data of patients including their names, addresses, medical diagnosis codes, and selected treatment data. The forensic specialists looking into the ransomware attack could not ascertain if the attackers accessed or acquired patient data before data encryption, however, the possibility cannot be eliminated.

Electronic Waveform Lab had security measures in place prior to the attack to protect patient data; however, they were insufficient to stop the attack. Security policies have been assessed and are being upgraded to prevent similar breaches in the future.

Electronic Waveform Lab succeeded in restoring its servers and records. There was no loss of patient data that resulted from the attack.

NetWalker Ransomware Gang Attacks on the Healthcare Industry

Although a number of threat groups have mentioned that they are not going to attack healthcare institutions on the frontline responding to the COVID-19 crisis, that definitely does not apply to the NetWalker ransomware operators.

The latest research performed by Advanced Intelligence LLC showed that the operators of the ransomware are extensively attacking healthcare industry targets and expanding their operations.

The majority of ransomware attacks by Russian-speaking threat actors use massive phishing campaigns instead of targeted attacks. NetWalker ransomware has spread throughout the COVID-19 pandemic by means of spam emails claiming to give details about cases of SARS-CoV-2 and COVID-19. The emails carry an attached Visual Basic script file named CORONAVIRUS_COVID-19.vbs, which retrieves the ransomware from a remote server.

Although still using phishing emails, the group now engages in large-scale network infiltration. The group’s representatives are posting ads on top-tier darknet forums for a new affiliate program under the ransomware-as-a-service model. Though many threat groups are not particularly choosy about who they recruit to spread their ransomware, the NetWalker gang is taking a quality-over-quantity approach and only wants competent affiliates who already have, or can obtain, access to business networks.

The gang gives preference to affiliates who already have access to business networks and hackers with substantial experience in executing attacks. As with other Russian threat groups, affiliates are banned from targeting Russia or the CIS.

The group states that it exfiltrates information before encrypting data, and that information stolen from victims will be posted on its blog if no ransom is paid, just as with other ransomware groups. The group also says that it always decrypts files after receiving the ransom payment.

To entice seasoned hackers, the group is giving a high proportion of the ransom payment to affiliates. Many affiliate programs split ransom payments 30/70, with the affiliate getting 70%. NetWalker is giving affiliates 80% of ransom payments below $300K, and 84% of payments over $300K. The group demands ransom payments ranging from a few hundred thousand dollars to millions.

The group has attacked a number of organizations, including the Champaign-Urbana Public Health District in Illinois, as well as the Australian shipping company Toll Group and the Australian customer experience company Stellar.

According to Trend Micro, the group is using fileless ransomware. Fileless ransomware runs in memory rather than being written to disk, which makes it harder for file-based security solutions to detect the attack. Microsoft has cautioned healthcare organizations that the attackers exploited misconfigured IIS-based applications, then used the Mimikatz credential-stealing tool to harvest credentials and PsExec to install NetWalker.

The shift in tactics, techniques and procedures toward highly targeted attacks, the current affiliate recruitment strategy, and the high percentage given to affiliates will likely see NetWalker ransomware become an even greater risk in the coming months as the group joins the ranks of other manual ransomware threat groups like Maze and REvil.

Considering the growing number of manual ransomware attacks on healthcare organizations, network defenders must take preemptive steps to minimize risks, such as:

  • dealing with known vulnerabilities
  • protecting vulnerable internet-facing systems
  • examining servers and apps for misconfigurations
  • keeping track of the use of penetration testing tools, security log tampering, and credential theft activities that could indicate a prior system breach

Breaches at The Little Clinic and Mat-Su Surgical Associates

The Little Clinic, which manages a network of over 215 medical care clinics established in Kansas, Kentucky, Tennessee, Ohio, Arizona, Georgia, Colorado, Virginia and Indiana, found a bug in its web-based appointment system that likely made possible the unauthorized disclosure of PHI of patients.

The Little Clinic identified the bug and confirmed that it was introduced on October 7, 2018. The network corrected the problem on February 13, 2020 and implemented measures to prevent similar breaches in the future.

Because of the coding error, when a patient booked an appointment and afterward altered it online, the patient’s name, birth date, phone number and address could be seen by other domains. The investigation showed that about 10,974 patients were likely impacted and might have had some of their personal data exposed.

The Little Clinic didn’t find any proof to indicate the access or improper use of patient information however concluded on April 7, 2020 that the occurrence was regarded as a data breach. Hence, the clinic sent notification letters by mail to all persons likely affected.

Ransomware Attack at Mat-Su Surgical Associates

Mat-Su Surgical Associates based in Palmer, AK reported that it experienced a ransomware attack last March. The employees found out about the attack on March 16 when they were unable to access the computer systems due to the encryption of key files.

Third-party computer forensics investigators examined the nature and extent of the attack and checked whether the attackers viewed or took any patient information. It wasn’t possible to determine whether the attacker exfiltrated information or viewed patient data before encryption, so the investigators could not rule out unauthorized information access. The attacker is believed to have obtained access to sections of the computer system that held the protected health information (PHI) of 13,146 patients.

The following data were likely breached in the ransomware attack: names of present and past patients of Mat-Su Surgical Associates and Valley Surgical Associates, along with addresses, diagnoses, treatment details, laboratory test findings, medical insurance details, Social Security numbers, and other information related to the medical care received.

Mat-Su Surgical Associates delivered breach notification letters via mail to all impacted patients and provided them free credit monitoring and identity theft protection services via ID Experts.

Mat-Su Surgical Associates likewise did necessary security enhancements, such as applying more measures to prevent unauthorized remote access to its systems.


Threat Actors Target Cloud Data Doubling Web Application Attacks

The Verizon Data Breach Investigations Report for 2020 indicates that malware attacks are declining as threat actors shift to targeting data stored in the cloud. Verizon has been producing the report for 13 years. This year’s report includes an analysis of 32,002 security incidents and 3,950 confirmed data breaches from 81 contributors located in 81 countries around the world.

The report explains that the primary motivating factor for running attacks is financial gain. Here are some relevant statistics:

  • 86% of all security breaches were financially inspired
  • 70% were because of external actors
  • 55% were performed by cybercriminals
  • 22% were caused by human error
  • 25% were caused by phishing and other social engineering attacks
  • 37% were caused by brute-forcing of weak credentials
  • 67% were caused by credential theft

Only 20% of breaches were because of the exploitation of vulnerabilities. It is worth noting that it is a lot easier to perform attacks by means of stolen credentials instead of exploiting vulnerabilities. This is the reason for the fairly low number of vulnerability-related attacks and it’s not due to the fact that organizations are patching vulnerabilities quickly.

The ease of performing attacks using stolen passwords or brute-forced credentials has made malware attacks less widely used. That said, ransomware is proving to be an appealing option, with malware-related attacks increasing from 24% to 27% of all breaches.

There was a considerable rise in web application attacks in the last 12 months, which doubled to 43% of all breaches. 80% of those breaches involved credential theft. With many more organizations moving their data away from on-premises domain controllers and internal infrastructure to the cloud, it is not surprising that there was a big increase in attacks on web applications.

The information gathered for the report does not cover the period of the COVID-19 public health emergency, when a lot of organizations sped up their cloud migration plans to enable more workers to work from home. It is very likely that the report next year will see a greater percentage of attacks on cloud data.

Tami Erwin, CEO of Verizon Business, states that with the increase of remote working during the global pandemic, end-to-end security covering the web up to employee PC becomes very important. In addition to safeguarding their systems from attack, all organizations should continue employee education as phishing schemes are increasingly sophisticated and malicious.

Cyberattacks and Insider Breaches in the Field of Healthcare

Financially inspired cyber attacks accounted for 88% of all healthcare breaches, the majority of which involved ransomware. 4% of healthcare cyberattacks were performed for pleasure and 3% were done due to convenience.

Verizon reports a substantial number of healthcare data breaches in the last 12 months. The report last year listed 304 healthcare data breaches, however, this year’s report covered 521 breaches. The most common type of attack on healthcare providers is crimeware, which includes ransomware and malware. Just as in other industry sectors, the attacks on cloud applications are growing.

The healthcare industry generally has a higher than average number of cases of privilege misuse, in which insiders who have access to sensitive data abuse their access rights to steal or misuse it. With so many employees having authorized access to patient records, and given the high value of those records on the black market, this is to be expected.

This year’s report has some good news, though. It is the first time that privilege misuse is not among the top three causes of healthcare data breaches. This is part of a pattern seen across all industry sectors, which indicates that employees are more mindful about accessing data without permission and that healthcare organizations are better able to protect data.

Another piece of good news is the lower number of breaches involving multiple actors, which typically means a third party, for instance an identity thief, partnering with an insider who supplies the data. In the 2019 report, multiple actors were involved in 4% of breaches, whereas in 2020 the percentage slipped to 1%. The split between breaches due to internal actors and external actors likewise changed considerably. In the 2019 report, internal actors caused 59% of healthcare breaches and external attackers caused 42%. This year’s report finds that internal actors are to blame for 48% of breaches, with external actors accounting for 51%.

This year, the top causes of healthcare breaches were miscellaneous errors and web application breaches. Miscellaneous errors included misdirection, such as emails sent to the wrong recipients and mass mailings delivered to the wrong patients, as happens when a mail merge error occurs.

Data Breaches at Mille Lacs Health System, North Shore Pain Management and PsyGenics, Inc.

Mille Lacs Health System, located in Onamia, MN, has encountered a phishing attack that likely exposed the protected health information (PHI) of over 10,000 patients.

Some employees of Mille Lacs Health System received phishing emails containing URL links that directed them to a web page requesting their email account credentials. Some employees were fooled by the scam.

Mille Lacs Health System discovered the phishing attack on November 14, 2020 and started an investigation to determine the scope of the breach. The investigators confirmed on February 24, 2020 that the attacker used the stolen credentials to access email accounts from August 26, 2019 to January 7, 2020. An assessment of the compromised email accounts was completed on April 22, 2020 and confirmed that the attacker could have accessed patient information.

The compromised information likely included first and last names, dates of birth, addresses, provider names, clinical details, dates of service, treatment data, procedure types, and for some persons, Social Security numbers. No evidence was found that suggests the attackers obtained or misused patient information.

Mille Lacs Health System secured all accounts by performing a full password reset for all email accounts, and implementing additional measures to strengthen email security. Affected people received notification about the breach through mail on May 11, 2020 and received offers of complimentary credit monitoring services.

The breach report submitted by Mille Lacs Health System to the Department of Health and Human Services’ Office for Civil Rights reveals that the breach affected 10,630 patients.

Ransomware Attack on North Shore Pain Management

North Shore Pain Management based in Massachusetts has encountered a manual AKO ransomware attack and theft of some patient data.

At the time of writing, the HHS’ Office for Civil Rights has not yet listed the incident on its breach portal, and there is no substitute breach notice posted on the company’s site. Databreaches.net reported the breach, noting that around 4GB of data relating to the company were posted on the Tor site used by the attackers. The data exposed online contained more than 4,000 files of patient and employee data.

The files included a variety of sensitive protected health information which includes Social Security numbers, health data, and insurance information.

PsyGenics Employee Emailed Client Information to Personal Email Account

PsyGenics, Inc. based in Detroit, an occupational therapy, family therapy and speech therapy provider, found out that one of its employees emailed a spreadsheet made up of customer information to a personal email account. The breach was noticed on March 25, 2020 while doing a standard security review. The employee sent the email on March 24, 2020.

The spreadsheet included the following data: customers’ names, diagnosis codes, provider names, and appointment times. No other data, such as treatment notes, were included in the spreadsheet. No reason was given for why the employee sent the spreadsheet to their personal email account. PsyGenics states it found no evidence of attempted or actual misuse of client data.