WHO Confirms a Higher Number of Cyberattacks on its Staff

The World Health Organization (WHO) is a prominent agency in the fight against COVID-19. Hackers and hacktivists have stepped up attacks on WHO as it deals with the COVID-19 pandemic. WHO is now seeing five times as many cyberattacks as it did at the same time last year.

Last month, WHO confirmed that hackers had attempted to access its network and those of its partners by spoofing an internal WHO email system, and the attacks have continued since then. Last week, SITE Intelligence Group found that the credentials of a large number of people engaged in the fight against COVID-19 had been dumped online on Pastebin, 4chan, Twitter and Telegram. Roughly 25,000 email addresses and passwords were exposed, including about 2,700 credentials belonging to WHO personnel. WHO said the data came from an old extranet system and that most of the credentials were no longer valid, but 457 were recent and still active.

As a response to the situation, WHO performed a password reset to make sure that the credentials aren’t usable, strengthened internal security, implemented a more secure authentication system, and improved the employees’ security awareness training.

The other dumped credentials belonged to staff at institutions such as the Centers for Disease Control and Prevention, the Gates Foundation and the National Institutes of Health. It is not clear where the data came from or who exposed it on the internet, but the credentials were used by right-wing groups to attack agencies developing vaccines and performing other activities related to COVID-19.

WHO CIO Bernardo Mariano stated that ensuring the security of member states' health data and the privacy of users who interact with WHO is the organization's top priority at all times, and particularly throughout the COVID-19 pandemic.

Mariano also confirmed that ongoing phishing campaigns spoof WHO to trick individuals into donating to a fictitious fund imitating the COVID-19 Solidarity Response Fund, which is overseen by WHO and the United Nations. Nation-state hacking groups also run campaigns that spoof WHO to trick individuals into downloading malware used for espionage.

COVID-19 and coronavirus themed malicious attacks have skyrocketed over the past few weeks. Data revealed by cybersecurity company Zscaler indicates that COVID-themed attacks increased by 30,000% in March with about 380,000 COVID-19 themed attacks attempted in contrast to January’s 1,200 or February’s 10,000.

COVID-19-themed phishing attacks on remote enterprise users increased by 85%, and threats directed at enterprise clients increased by 17%. In March, the company blocked 25% more malicious sites and malware samples. The company also identified 130,000 suspicious or malicious newly created domains that used words such as mask, Wuhan, test, and kit.

Many of these attacks are successful. Statistics from the FTC suggest that about $19 million has gone to COVID-19 related scams since January 2020, with $7 million lost within the past 10 days alone. Google reported earlier this month that in a single week it blocked 18 million COVID-19 phishing emails. Although the number of COVID-19 themed attacks has risen dramatically, the overall number of attacks has stayed fairly steady. Microsoft data indicates that cyberattacks have not significantly increased during the COVID-19 crisis; threat actors are simply repurposing their infrastructure and switching from their usual campaigns to COVID-19 related lures.

PHI of Patients Potentially Compromised Due to Data Breaches at Andrews Braces and EVERSANA

The orthodontics practice Andrews Braces based in Sparks, NV has encountered a ransomware attack that resulted in patient data encryption. Andrews Braces discovered the attack on February 14, 2020 and the following investigation revealed that the ransomware was downloaded the preceding day.

Andrews Braces engaged a third-party forensic investigator to evaluate the extent of the attack and determine whether patient data had been accessed or exfiltrated before encryption. Although ransomware attacks now often involve data theft, the investigators found no evidence that the attackers accessed data. The attack appears to have been automated, with the sole purpose of encrypting data to extort a ransom from the provider.

Because the practice regularly backed up all patient data and stored the backups securely, it did not pay the ransom and restored the encrypted files itself. No data theft is suspected, but the possibility cannot be ruled out, so Andrews Braces sent notification letters to all affected patients. The attacker could potentially have accessed the following types of data: names, addresses, birth dates, email addresses, Social Security numbers, and health data.

Andrews Braces has already implemented more security measures to improve security and prevent other attacks later on.

Data Breach at EVERSANA

EVERSANA is an independent global services provider in the life sciences sector. It discovered that an unauthorized person obtained access to some of its employees’ email accounts in 2019.

EVERSANA was alerted to suspicious activity in its employees' accounts and confirmed that an unauthorized person had accessed the accounts through a legacy technology environment. According to the investigation, the accounts were compromised from April 1 to July 3, 2019.

The information in the accounts included those from a few patient services programs. The investigators found no evidence of unauthorized data access. However, the attacker(s) could have accessed the sensitive data of some patients. A comprehensive analysis of the compromised accounts ended in February and it confirmed the potential compromise of the following data elements: names, addresses, driver’s license numbers, Social Security numbers, state identification numbers, tax identification numbers, passport numbers, debit/credit card details, financial account data, usernames and passwords, health data, treatment details, diagnoses, provider names, Medicare/Medicaid numbers, MRN/patient ID numbers, medical insurance data, treatment cost data, and/or prescription details.

EVERSANA upgraded its legacy technology environment and strengthened its security measures. Affected individuals have received notification letters and 12 months of free credit monitoring and identity restoration services.

The HHS’ Office for Civil Rights website has not published the information of the data breach yet, so the number of affected individuals is still uncertain at this time.

INTERPOL Issues Warning Over Increase in Ransomware Attacks on Healthcare Organizations

INTERPOL issued an advisory to hospitals concerning the ongoing ransomware attacks during the 2019 Novel Coronavirus pandemic. Although several ransomware gangs have publicly stated that they will halt attacks on healthcare organizations directly responding to COVID-19, some are still conducting attacks, and the number of attacks has increased.

Growing Attempts of Ransomware Attacks on Healthcare Organizations over the Weekend

Over the past weekend, INTERPOL's Cybercrime Threat Response (CTR) team found that the number of attempted ransomware attacks on healthcare providers and other organizations and infrastructure involved in the pandemic response had risen sharply. INTERPOL released a 'Purple Notice' alerting police authorities in all 194 member countries to the heightened risk of attacks. Ransomware attacks can delay vital care for COVID-19 patients and could directly lead to deaths.

Hammersmith Medicines Research, a medical research firm in the U.K., is one of the healthcare companies recently attacked. The firm was preparing to support the development of a SARS-CoV-2 vaccine when the Maze ransomware gang attacked it. When the firm did not pay the ransom, the gang published the stolen sensitive data. The Maze gang later issued a press release saying that all attacks on healthcare firms would be halted during the COVID-19 outbreak, and the stolen information was removed from the Maze site. Nonetheless, other threat groups remain highly active and continue to target healthcare providers.

Biotechnology firm 10x Genomics, based in Pleasanton, CA, reported a new attack. The Sodinokibi (REvil) ransomware gang claims it exfiltrated 1TB of data from 10x Genomics before deploying its ransomware payload. Part of that data was posted online in an attempt to pressure the company into paying the ransom.

In its latest SEC filing, the company said it is working with the authorities and has hired a third-party firm to assist with the investigation. 10x Genomics states that it was able to restore normal business operations quickly, with no impact on daily operations. The company said it was particularly disappointing that the attack happened at a time when researchers around the world are using its products extensively to understand and combat COVID-19.

Support Being Provided to Healthcare Organizations

INTERPOL’s CTR team is working with hospitals and other healthcare organizations that were hit with ransomware to help them to defend against attacks and recover.

INTERPOL stated that ransomware is principally being propagated via malicious code in email attachments which activates a ransomware download upon opening. Hyperlinks are likewise often used to direct users to malicious web pages for a ransomware download.

INTERPOL advises healthcare providers to take the following actions to secure their systems from attack and ensure a quick recovery should an attack succeed:

  • Only open emails and download applications from trusted sources
  • Do not click links or open attachments in emails from unknown senders
  • Set up email security solutions to block spam
  • Back up important files regularly and store the backups separately from your systems
  • Install the latest anti-virus software on all systems and mobile devices
  • Use strong passwords on all system accounts and change them regularly

Attacks are also being carried out by exploiting vulnerabilities in RDP and VPN systems, so it is important to keep all software up to date and to apply patches promptly. The Sodinokibi threat group has exploited VPN vulnerabilities in its attacks on healthcare providers.

Stockdale Radiology and Affordacare Urgent Care Clinics Impacted by Ransomware Attacks

Stockdale Radiology based in California announced the compromise of patient data due to a ransomware attack that occurred on January 17, 2020.

According to its internal investigation, the attackers accessed patients' first and last names, addresses, refund records, and personal health information (PHI), including physicians' notes. Stockdale Radiology stated that the attackers publicly exposed a small number of patient records. On January 29, 2020, Stockdale Radiology also learned that additional patient data had potentially been accessed, though not exposed publicly.

Stockdale Radiology quickly shut down its systems to prevent further unauthorized data access. A third-party computer forensics company investigated the breach to determine how the attacker gained access to its systems and which patients were affected. The FBI arrived at Stockdale Radiology within 30 minutes of being notified of the attack and is still investigating the breach.

As a response to the attack, Stockdale Radiology reviewed its internal data management as well as its security practices. To prevent future attacks, it has also made improvements to its cybersecurity.

The breach report submitted to the HHS’ Office for Civil Rights website indicated that the breach affected 10,700 patients.

Ransomware Attack at Affordacare Urgent Care Clinics

Affordacare Urgent Care Clinics, based in Abilene, TX, has begun notifying patients about the potential compromise of some of their PHI in a ransomware attack. The healthcare provider discovered the attack on February 4, 2020, but it is believed that the attack started on or around February 1, 2020.

The breach analysis showed that the attackers accessed the clinics' servers and deployed Maze ransomware. Before deploying the ransomware, the attackers exfiltrated patient records, part of which they later disclosed publicly.

The compromised servers contained the following types of data: names, addresses, phone numbers, birth dates, ages, dates of visit, visit locations, reasons for consultation, medical insurance provider names, medical insurance policy numbers, treatment codes and descriptions, insurance group numbers, and healthcare provider remarks. There was no financial data, Social Security numbers or electronic health records compromised.

Affected persons were provided with free identity theft protection, credit monitoring, and identity recovery services.

Cyberattacks at Arkansas Children’s Hospital, the University of Kentucky and UK HealthCare

Systems Reboot to Manage 'Cybersecurity Threat' at Arkansas Children's Hospital

Arkansas Children's Hospital in Little Rock experienced a cyberattack affecting Arkansas Children's Hospital and Arkansas Children's Northwest. The hospital had to reboot its IT systems to contain the cybersecurity threat and engaged an independent digital forensics firm to investigate the incident.

No details have been released about the precise nature of the cyberattack, and it is not yet known when the incident will be resolved. All Arkansas Children's Hospital facilities continue to provide patient care, though non-urgent appointments have been rescheduled.

The attack is still under investigation but no evidence of patient data breach has been found yet.

Cryptominer Attack at the University of Kentucky

In February 2020, the University of Kentucky (UK) was struggling to remove malware from its network. Cybercriminals had gained access to the UK network and installed cryptocurrency mining malware that used the processing power of UK computers to mine Bitcoin and a variety of other cryptocurrencies.

The malware caused a massive network slowdown and temporary computer system outages, resulting in repeated daily interruptions to day-to-day functions, particularly at UK HealthCare.

UK is confident that the attack has been resolved after working on it for a month. On Sunday morning, UK performed a major reboot of its IT systems that lasted 3 hours. UK believes the cybercriminals have been ejected from its systems, but network monitoring will continue to ensure that external access remains blocked. The attacker is believed not to be based in the U.S.A.

UK HealthCare has more than 2 million patients and operates the Good Samaritan Hospital in Lexington, KY as well as the UK Albert B. Chandler Hospital. Although computer systems were significantly affected at times, patient care and safety were not compromised.

A breach investigation has begun with the help of third-party computer forensics specialists. University spokesman Jay Blanton stated that it is difficult to determine whether any sensitive data was accessed or copied. The malware attack is believed to have been conducted specifically to hijack the "vast processing capabilities" of the UK network for mining cryptocurrency.

UK has taken steps to reinforce its cybersecurity, including deploying CrowdStrike security software. More than $1.5 million has been spent to rid the network of the attackers and strengthen security.

Healthcare Providers Experienced 350% Increase in Ransomware Attacks in Q3 of 2019

A recent report from Corvus reveals a 350% increase in ransomware attacks on healthcare organizations in Q4 of 2019, and there is no indication that the attacks will diminish in 2020. Several attacks have already been reported in 2020, by NRC Health, Pediatric Physician's Organization at Children's, Jordan Health, and the accounting firm BST & Co., the latter affecting the Community Care Physicians medical group.

To determine ransomware developments in healthcare, Corvus’s Data Science group analyzed ransomware attacks on healthcare providers from Q1 of 2017. From Q1 of 2017 to Q2 of 2019, the average of ransomware attacks reported by healthcare organizations was 2.1 per quarter. Healthcare organizations reported 7 attacks in Q3 of 2019 and 9 attacks in Q4 of 2019. Corvus found that U.S. healthcare organizations reported over two dozen ransomware attacks in 2019 and forecasts a report of at least 12 ransomware attacks in Q1 of 2020.

Other cybersecurity companies reported similar information showing an increase in healthcare-related ransomware attacks in the latter half of the year. Emsisoft’s report indicated that 764 U.S. healthcare providers were affected by ransomware attacks in 2019.

The Corvus report notes that healthcare organizations' attack surface is smaller than the web average, so it should be easier to defend; nevertheless, attacks continue to succeed, indicating that healthcare organizations are struggling to block the main attack vectors cybercriminals use to deliver their ransomware payloads.

The two primary ways threat actors gain access to healthcare networks and install ransomware are email and Remote Desktop Protocol (RDP). Threat actors look for healthcare organizations with exposed RDP ports and use brute force techniques to guess the passwords. Corvus determined that an open RDP port potentially increases the likelihood of a ransomware attack by 37%. Healthcare providers had 9 open ports on average, with the fewest in hospitals and the most in medical groups.

The primary attack vector was email, which was employed in most ransomware attacks on healthcare providers. 91% of ransomware attacks were due to phishing attacks.

Email security solutions can scan emails, attachments and hyperlinks to detect and block email-based threats, but 75% of hospitals do not use such tools. Only 14% of healthcare providers have implemented email scanning and filtering tools.

Corvus's study indicates that if healthcare organizations used email scanning and filtering tools, ransomware attacks could fall by 33%. The risk could be reduced further by giving employees regular security awareness training so they can recognize phishing emails and malware attacks. Email authentication protocols should also be enforced. If email credentials are compromised, 2-factor authentication could prevent the stolen credentials from being used to access internal resources.

Recovery of NRC Health From Ransomware Attack

A ransomware attack on NRC Health on February 11, 2020 affected some of the provider's computer systems. NRC Health provides patient survey services and software to over 9,000 healthcare organizations, including 75% of the largest hospital systems in the U.S.A. and Canada.

NRC Health promptly took steps to limit the damage and shut down its entire environment, including its client-facing websites. A leading computer forensics firm was hired to determine the nature and scope of the ransomware attack, and the incident was reported to the Federal Bureau of Investigation.

The NRC Health website states that it collects information on over 25 million healthcare consumers in the U.S.A. and Canada every year. NRC conducts patient surveys on behalf of its clients to measure how satisfied patients are with the services they received. That data is essential for improving patient care and for determining the Medicare reimbursement healthcare providers receive under the Affordable Care Act. Patient satisfaction scores are also used to set the pay of executives and doctors.

NRC Health said it has made substantial progress in restoring customer access to its systems and services, and that systems will be fully recovered in the next couple of days. NRC Health has already notified its healthcare clients about the attack and is providing daily updates until the incident is fully resolved.

The notifications of NRC Health stated that the preliminary investigation findings indicate no compromise of any patient information or sensitive client information.

There has been a rise in ransomware attacks on healthcare companies over the last year after attacks declined in 2018. A number of threat groups are stealing patient information before deploying ransomware to compel victims to give in to their ransom demands. Based on the latest analysis by Comparitech, 172 healthcare ransomware attacks were launched since 2016. The cost of those attacks to the healthcare sector is around $157 million.

Enloe Medical Center’s EMR Downtime Because of Ransomware Attack

A ransomware attack on Enloe Medical Center in Chico, CA two weeks ago is still causing this California healthcare provider’s medical record system to be out of action.

Enloe Medical Center identified the attack on January 2, 2020. It resulted in the encryption of its entire network, including the electronic medical record (EMR) system, leaving staff unable to access patient information. The provider quickly implemented emergency protocols to continue providing patient care, and only a few elective medical procedures were rescheduled.

The attack also took the telephone system out of action on the day it occurred. Enloe Medical Center restored the telephone system the next day, but its EMR system remained down, and employees have been using pen and paper to record patient data.

Although some appointments were canceled in the week after the attack, Enloe Medical Center is making sure that patients receive care promptly while the technical team works on restoring systems. No information has been publicly disclosed about the type of ransomware used. However, the initial findings of the investigation indicate that no patient data was compromised.

Enloe's chief financial officer, Kevin Woodward, said that the company took immediate steps to restore critical operating systems and secure the network upon learning of the incident. At this time, there is no evidence that patient medical data was compromised. Enloe has reported the ransomware attack to local and federal law enforcement agencies, and the investigation is ongoing.

There has been a continuous increase of ransomware attacks throughout 2019 and most likely it won’t slow down. Besides file encryption, a number of ransomware gangs are using a new strategy to enhance the likelihood of getting ransom payments. Before deploying the ransomware, they are stealing sensitive data.

Recent attacks have used various ransomware variants, including MegaCortex, Maze, LockerGoga, and Sodinokibi, with the attackers stealing data before deploying the ransomware. Those using Maze and Sodinokibi threatened to expose the victims' stolen information if they did not pay the ransom, and actually published the sensitive data when victims refused to pay.

Data Breaches at North Ottawa Community Health System and Center for Health Care Services

North Ottawa Community Health System (NOCH) discovered that an employee at North Ottawa Community Hospital in Grand Haven, MI, had accessed patients' medical records without authorization over a period of around 3 years.

Another employee reported the matter to the health system on October 15. Two days later, an investigation into the alleged inappropriate access was launched and the employee was suspended pending its findings.

On November 25, 2019, NOCH confirmed that the employee had accessed the patient records of 4,013 individuals without authorization between May 2016 and October 2019. There was no apparent pattern to the access; patient records appear to have been viewed at random.

There was no evidence of theft of any patient information. NOCH believes the employee accessed patient data purely out of curiosity.

The employee potentially accessed the following types of information: names, birth dates, Social Security numbers, Medicaid and Medicare numbers, medical insurance details, and certain health data. NOCH offered any patient who had their Social Security number viewed free one-year credit monitoring and identity theft protection services.

All staff members received additional training on NOCH policies covering medical record access, and employees' access to patient records has been restricted further.

NOCH has reported the breach to the Department of Health and Human Services' Office for Civil Rights. OCR will decide whether further action should be taken against the employee for the HIPAA violation.

Center for Health Care Services’ Computer Systems Shutdown Due to Cyberattack

A cyberattack on the Center for Health Care Services (CHCS) in San Antonio, TX over the holiday period forced it to take its computer systems offline.

CHCS provides healthcare services for people with mental health conditions, developmental disabilities, and substance use disorders. It operates a number of walk-in clinics and outreach centers within the San Antonio area.

The CHCS IT team reported that only one server was affected after federal officials notified them of the cyberattack. As a precaution, CHCS decided to shut down its computer systems. The IT department has begun restoring its computer systems, which will be brought back online one at a time, starting with the systems of its largest clinics. The restoration work may take several days.

This cyberattack is a part of a bigger attack that began before the holidays. It is not known at this time how many organizations were impacted.

Malware Infection on New Mexico Hospital Imaging Server

The radiology department of Roosevelt General Hospital in Portales, New Mexico identified malware on a digital imaging server, which may have allowed cybercriminals to access the radiological images of about 500 patients.

The malware infection was identified on November 14, 2019, and prompt action was taken to isolate the server, prevent further unauthorized access, and block communications with the attackers' command and control server. The IT team removed the malware, rebuilt the server and recovered all patient data. A vulnerability scan was then performed, and the hospital is now confident that the server is secure.

The breach investigators found no evidence that the hackers viewed or stole protected health information (PHI) or medical images; nevertheless, the possibility of unauthorized data access and PHI theft cannot be ruled out.

The security breach investigation is still in progress, but the hospital’s IT team has verified that only the imaging server was affected by the breach. The breach did not affect its medical record system or billing systems. The types of information likely compromised included names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, medical information and the genders of patients.

All patients whose information was accessible through the server received notification letters regarding the security breach by mail and were instructed to keep track of their credit reports for signs of fraudulent activity. To date, the hospital has not received any report of patient information misuse.

The Department of Health and Human Services’ Office for Civil Rights has not published the incident yet on its breach portal, thus there is no report yet about the exact number of patients affected by the breach. As per RGH Marketing and Public Relations Director, Jeanette Orrantia, the hospital submitted the breach report to OCR within 60 days after discovering the incident.

Data Breaches at Cancer Center of Hawaii and Zuckerberg San Francisco General Hospital

A ransomware attack on the Cancer Center of Hawaii in Oahu on November 5, 2019 forced the shutdown of its network servers. It also left the center temporarily unable to provide radiation treatment to patients at Pali Momi Medical Center and St. Francis' hospital in Liliha.

Although patient services were disrupted, the center is confident that the attackers did not access any patient data. The breach investigation is ongoing, but all data stored on the radiology machines has been recovered and the network is operational again.

It is not known how long the network was offline, and information about the types of patient information potentially compromised is not yet available.

The Cancer Center had notified the FBI concerning the breach. If the forensic investigators declare that hackers had gained access to patient data, the proper authorities will also be notified about the incident.

The breach affected only the Cancer Center's systems. St. Francis' hospital and Pali Momi Medical Center were not affected, as their patient record systems are separate from those of the Cancer Center.

Zuckerberg San Francisco General Hospital’s Improper Disposal Incident

Zuckerberg San Francisco General Hospital informed 1,174 patients about the improper disposal of meal tickets containing their protected health information (PHI).

The PHI printed on the meal tickets included the patients' full names, their bed/unit in the hospital, birth month, dietary requirements, and food selections. The correct disposal method for the meal tickets is to place them in confidential waste bins. However, the tickets were accidentally disposed of with the general garbage.

The breach occurred because one staff member was unaware that the meal tickets had to be shredded. The San Francisco Department of Health learned of the improper disposal on November 15, 2019; the staff member had been discarding meal tickets incorrectly from June 18 to November 4. After the breach was discovered, the staff member was instructed to follow the correct procedures for disposing of sensitive information.

Ransomware Attack on Large Canadian Medical Testing Company Potentially Impacts 15 Million Customers

LifeLabs in Toronto, one of Canada's largest medical testing and diagnostics firms, has reported a serious data breach. Hackers potentially accessed the personal and health data of about 15 million people, most of whom live in British Columbia and Ontario. Given the number of individuals potentially affected, this is one of the largest healthcare ransomware attacks to date. The privacy commissioners of the two provinces described the incident as extremely troubling because of its scale.

After gaining access to its systems, the attackers deployed ransomware and encrypted a substantial amount of client information. Investigators are still examining the cyberattack, so it is not yet certain what data was stolen. It has been confirmed, however, that the attackers accessed the parts of the system containing test data from 2016 and earlier for about 85,000 Ontarians. There is no evidence of access to current test data, or to medical test data of clients in other regions.

Some of the test data are highly sensitive health data that attackers could potentially use for blackmail. The sensitive information includes names, dates of birth, email addresses, usernames, passwords, and health card numbers. So far, there is no indication that the compromised data has been misused or posted online, and the preliminary findings of the investigation suggest the incident poses a low risk to clients.

It is not clear whether LifeLabs had data backups from which to retrieve the information; however, the company decided to pay the ransom demand. LifeLabs did not publicly disclose the amount of the ransom. LifeLabs chief executive officer Charles Brown said that they wanted the data back and thought that paying the ransom was the smart thing to do in the best interests of their customers.

Cybersecurity and computer forensics specialists are securing LifeLabs’ systems and finding out the full extent of the ransomware attack. More time may be necessary to know if the attackers stole any customer data.

It is believed that the attack began on or before November 1, 2019. However, the cyberattack became known to the public only on December 17, 2019. LifeLabs already notified the affected people and offered them 12 months of free credit monitoring and identity theft protection services.

Ransomware Attack on Hackensack Meridian Health

A recent cyberattack on Hackensack Meridian Health, which is New Jersey’s biggest health network, resulted in the deployment of ransomware on its network. The ransomware attack caused file encryption so that the network went offline for two days.

Because there was no access to computer systems and health records, Hackensack Meridian Health had to call off non-emergency medical operations. Physicians and nurses needed to use pen and paper to continue caring for patients.

Hackensack Meridian Health detected the attack immediately and notified law enforcement and government authorities. Cybersecurity specialists were consulted to determine the best course of action. The health network at first said it was experiencing external technical problems so as not to interfere with the investigation. Later, it confirmed that a ransomware attack had occurred.

Because of the ransomware attack, encrypted files had to be recovered from backups and computer systems had to be restored, which could have taken many weeks. To stop the continuing disruption to patient services, the provider decided to pay the ransom. Hackensack Meridian Health’s spokesperson said that it is their obligation to safeguard their communities’ access to medical care.

Hackensack Meridian Health did not disclose to the public the amount of ransom paid. However, it confirmed that its cybersecurity insurance plan will pay for a portion of the expense of the ransom payment and remediation work.

Hackensack Meridian Health has announced that the principal clinical system is now completely operational. However, other parts of the system might take a few more days to be back online.

A number of healthcare providers and business associates have likewise reported ransomware attacks in the last few weeks. Last week alone, the Cancer Center of Hawaii reported an attack and had to put off patients’ radiology treatments. A Colorado business associate also reported a ransomware attack that affected over 100 dental practices.

The HHS’ Office for Civil Rights, in its most recent cybersecurity newsletter, points out how HIPAA compliance can help prevent ransomware attacks and ensure that healthcare companies can recover from them quickly when hackers do breach their defenses.

Insider Data Breach at Nebraska Medicine and Phishing Attack at Presbyterian Healthcare Services

Nebraska Medicine found out that an employee had accessed patients’ medical files without any legitimate work reason over a period of roughly three months.

Nebraska Medicine discovered the privacy violation when it conducted a routine audit of its medical record system. The audit revealed that the employee first accessed patient records on July 11, 2019 and continued to do so until October 1, 2019, when the company discovered the privacy violations.

Upon discovering the breach, steps were taken to prevent further unauthorized access while the investigation was ongoing. The employee in question was dismissed the day after the privacy violations were discovered.

Based on a statement presented by Nebraska Medicine, the affected people received notifications by mail and any person who had his/her Social Security number potentially compromised received complimentary credit monitoring services for 12 months as a precautionary measure.

Nebraska Medicine believes that no sensitive information was or will be misused, suggesting that the employee was merely curious about the records. The number of individuals affected is uncertain at this stage.

The breach notification letter sent to affected patients indicated that the types of information potentially accessed included names, addresses, birth dates, Social Security numbers, medical record numbers, driver’s license numbers, clinical data, physicians’ notes, lab test results and medical images.

Phishing Attack at Presbyterian Healthcare Services

Presbyterian Healthcare Services announced in August 2019 the compromise of several employees’ email accounts as a result of a phishing attack.

Presbyterian Healthcare Services found out about the breach on June 9. The investigators determined that the affected accounts contained the protected health information (PHI) of 183,370 patients. Although the provider had already sent notifications, the breach investigation continued, and Presbyterian Healthcare Services has now found that the breach was bigger than first thought: the compromised email accounts contained the PHI of 276,000 patients.

More notification letters were sent to patients on November 25. The notices stressed that there was no evidence that any PHI had been accessed, downloaded or misused. It was additionally confirmed that only the email system was affected; the attackers had no access to medical records or the billing platform.

Ransomware Attack Impacts 107,000 Ferguson Medical Group Patients

Saint Francis Healthcare System made an announcement that there was a ransomware attack on Ferguson Medical Group’s computer network.

The attack transpired on September 21, 2019, prior to the acquisition of the medical group based in Sikeston, MO by Saint Francis Medical Center. Saint Francis Healthcare knew about the ransomware attack on the same day as the attack.

Based on the notice posted on Saint Francis Healthcare’s website, the attackers were able to encrypt the medical records of Ferguson Medical Group patients who received healthcare services before January 1, 2019. Saint Francis Healthcare reported the incident to the Federal Bureau of Investigation and took steps immediately to isolate the impacted systems.

The attackers asked for a ransom payment in exchange for the file decryption keys. Saint Francis Healthcare decided not to pay the ransom and instead used backups to recover files, because there was no assurance that the attackers would provide decryption keys capable of restoring the files, and because of other concerns.

Although many files were recovered, some data was permanently lost and cannot be recovered. The unrecoverable records included any scanned documentation stored on its systems, and the healthcare records of patients who received Ferguson Medical Group services from September 20, 2018 to December 31, 2018.

Analysis of the attack uncovered no evidence that the attackers acquired files containing patients’ protected health information (PHI) before encryption, and no reports were received suggesting the misuse of any patient information. Nevertheless, unauthorized access and data theft cannot be ruled out, so Saint Francis Healthcare offered the affected patients free credit monitoring and identity theft protection services.

The breach incident is already listed on the breach portal of the Department of Health and Human Services’ Office for Civil Rights. According to the breach summary, 107,054 Ferguson Medical Group patients were impacted. There was no mention regarding the number of patients who had lost some or all their health data because of the attack.

Coveware Report Reveals Increased Average Ransomware Payment of $41,198 for Q3 of 2019

Ransomware is still one of the biggest cybersecurity threats faced by healthcare organizations. Attacks have increased, and so have the ransom demands.

The latest analysis by Coveware, a company providing ransomware remediation and incident response, showed that the average ransom payment increased by 13% to $41,198 in the third quarter of 2019. This value is six times the December 2018 average. Plenty of organizations have paid considerably more. The threat actors that use the Ryuk ransomware demand ransoms in the hundreds of thousands of dollars: between the second and third quarters of 2019, Ryuk ransom payments rose from $267,742 to $377,026. Attackers typically ask large enterprises for ransom payments of more than $1 million.

Though no sector is free of ransomware attacks, certain industries are more likely to pay ransom demands. The most attacked sectors were:

1. professional services – 18.3%
2. public sector – 13.3%
3. medical care – 12.8%
4. software solutions – 11.7%
5. merchants – 8.3%

There is also an increase in attacks on managed service providers (MSPs). These attacks frequently demand far more effort from the threat actors, but the potential rewards are great: a successful campaign against an MSP gives attackers access to the systems and data of its clients. The attackers target MSPs and large companies using the ransomware variants Sodinokibi and GlobeImposter. Some also use the ransomware variants Netwalker, Snatch and Hidden Tear.

Although Coveware did not disclose the exact number of clients that have paid a ransom, Coveware CEO Bill Siegel said that the number is in the hundreds.

Cybercriminals employ various strategies to propagate malware and launch ransomware attacks. According to Coveware’s report, there has been a clear change in how attacks are executed, which are now much more sophisticated. When cybercriminals first started using ransomware, most attacks were automated and indiscriminate. Today, attacks are more targeted at businesses and use techniques associated with nation-state threat actors.

Coveware’s clients experienced attacks that primarily used stolen RDP credentials (50.6%), phishing (39%) and software vulnerability exploitation (8.1%).

Naturally, ransomware operators would prefer that victims are able to recover their files, or else they would not get paid. Nevertheless, paying the ransom does not guarantee file recovery. Coveware’s figures indicate that 98% of clients who paid the ransom obtained working decryption keys, but data recovery was typically only around 94%.

The attackers using the Rapid and Dharma ransomware variants often do not provide working decryption keys after the ransom is paid. The encryption code of Mr. Dec ransomware is so badly written that its decryptors permit only 30% data recovery.

Paying the ransom is not always necessary, since free decryptors are available through the No More Ransom project. However, the available decryptors do not work for the most commonly encountered variants: Ryuk (22.2%), Sodinokibi (21.1%) and Phobos (19.9%).

File recovery is likewise possible when there are backups. Nonetheless, in many cases backups are out of date or corrupted, so file recovery is not possible. Backups may also have been encrypted along with the rest of the system.

Phishing Attack Impacted Thousands of TennCare and Florida Blue Members

More healthcare companies have confirmed that they were affected by the Magellan Health National Imaging Associates data breach. Magellan Health NIA provides managed pharmacy and radiology benefits services to a number of HIPAA-covered entities as a business associate.

Last month, Geisinger Health Plan based in Danville, PA said that the breach impacted 5,848 of its members. Recently, Florida Blue (a health insurance firm) and TennCare (the Medicaid program in Tennessee), made the same press releases. 56,226 members of Presbyterian Health Plan in Albuquerque, NM were also affected by the breach.

Magellan Health NIA encountered the phishing attack on May 28, 2019, but only became aware of the incident on July 5, 2019 when the attacker used the compromised email account to send a lot of spam email messages. The affected email account was secured upon discovery.

An internal investigation of the breach confirmed that a person from outside the United States accessed the mailbox several times. The attacker’s intent was likely only to send spam email from the account. The investigators found no evidence of access to or theft of protected health information (PHI); however, the possibility cannot be ruled out.

Magellan Health NIA informed TennCare about the breach on September 11, one day after Magellan Health discovered the extent of the breach. Magellan Health NIA sent breach notifications to Geisinger Health Plan on September 24 and to Florida Blue on September 25.

Florida Blue has not yet announced the exact number of its affected members, but it said that the PHI of less than 1% of its 5 million members was exposed. The compromised information was limited to name, birth date, health plan name, healthcare provider’s name, member ID number, medication name, codes of imaging procedures performed, benefit authorization details, and authorization number. Florida Blue is offering free credit monitoring services to its affected members.

TennCare announced that the breach impacted 43,847 people. The potentially compromised data included members’ names, ID numbers, health plan data, healthcare providers’ names, names of drugs, and Social Security numbers. TennCare also offered credit monitoring services as a preventative measure against data misuse.

The Cost Due to Healthcare Data Breaches in the Industry May Reach $4 Billion in 2019

A recent survey was conducted to find out the cost associated with healthcare industry data breaches, the scope of the healthcare sector under attack, and what percentage of the attacks succeed.

Black Book Market Research surveyed 2,876 security experts at 733 companies from Q4 2018 to Q3 2019. Respondents shared their views on cybersecurity to identify vulnerabilities and security issues and to find out why so many of these cyberattacks succeed.

According to 96% of surveyed IT experts, cybercriminals are moving faster than medical companies, which is not surprising considering that 93% of healthcare companies claimed having encountered a data breach since quarter 3 of 2016. The report stated that 57% of companies had encountered over five data breaches during that period of time. Over 50 percent of the data breaches that healthcare organizations reported were caused by hacks and external threat actor attacks.

The healthcare sector is a target for attacks because hospitals and insurance companies hold massive amounts of sensitive and valuable information, and there are usually security vulnerabilities that can be easily exploited. Because the risk of attack is so high, the industry remains remarkably prone to data breaches.

There is a considerable cost associated with these healthcare sector attacks. Based on the report, the expenditure due to data breaches at hospitals in 2019 was $423 for every record. The report forecasts that, according to the present volume of data breaches, the cost to the healthcare industry is going to reach $4 billion by the end of the year. Seeing the present trends and the yearly growth in healthcare data breaches, that number is very likely to be significantly higher in 2020.

The survey highlighted that a major reason the healthcare sector is vulnerable is budget limitations. Legacy systems and equipment remain in extensive use in the healthcare sector, but the cost of updating those systems is hard to justify when budgets do not grow with revenue.

Overall, cybersecurity investment for 2020 is planned to increase to about 6% of total IT budgets at hospital systems; however, smaller practices have cut their cybersecurity investment, particularly physician organizations, where only 1% of the 2020 IT budget will be spent on cybersecurity. 90% of the hospital representatives surveyed stated that their cybersecurity budgets had not changed since 2016.

Cybersecurity solutions are mostly purchased blindly. One-third of the hospital professionals surveyed said they selected cybersecurity solutions without much insight or discernment. 92% of decisions on security products or services since 2016 were made by C-level executives without involving department administrators and end users in the purchasing decision. Only 4% of companies said they had a steering committee to help assess the impact of cybersecurity spending.

Many healthcare companies are also operating without an accountable security leader. Only 21% said they had a dedicated security officer, and only 6% reported that this individual was the Chief Information Security Officer. At physician groups with more than 10 clinicians, only 1.5% said they had a dedicated CISO. This is partly due to a lack of qualified staff: 21% of healthcare companies said they had to outsource the work and are using cybersecurity-as-a-service as a temporary solution.

Apple iOS Vulnerability Allows Hackers to Spy on FaceTime Calls

A severe Apple iOS vulnerability has been discovered that lets a caller gain access to both the microphone and the front-facing camera on Apple devices by exploiting a flaw in FaceTime. The flaw even allows microphone and camera access if the call is not answered. It has prompted several security experts to advise Apple device owners to stop using FaceTime until the flaw is fixed.

To exploit the flaw, a user would need to use FaceTime to call another individual with an iOS device. Before the call is answered, the caller adds themselves as an additional participant in Group FaceTime. As soon as that happens, the person being called has their microphone turned on and the caller can listen to what is happening in the room, even though the call has not been answered.

If the person being called silences the call (by pressing the power button), the front-facing camera is also activated, giving the caller video as well as audio.

Security specialists have cautioned that it does not matter whether the call is answered: simply by calling a person it is possible to listen to what is happening in the room and see everything in the camera’s field of view. While this may be merely distressing for some FaceTime users, it could also result in serious harm, since compromising footage could be recorded and used for extortion.

Several instances have been posted on social media networks, and it is clear that this Apple iOS vulnerability is being actively exploited. Apple is aware of the problem and has announced that a fix will be released later this week. Until then, Apple device owners have been advised to disable FaceTime in the device settings. If FaceTime is disabled, the vulnerability cannot be exploited.

773 Million Email Addresses and 21 Million Unique Passwords Listed for Sale

A huge collection of login credentials containing roughly 773 million email addresses has been uncovered by security researcher Troy Hunt. Hunt is an Australian Microsoft Regional Director and maintains the Have I Been Pwned (HIBP) website, where people can check whether their login credentials have been stolen in a data breach.
