PHI of 57,000 TriValley Primary Care Patients Possibly Exposed in Cyberattack

TriValley Primary Care based in Perkasie, PA has begun informing 57,596 patients concerning a cyberattack that resulted in the potential breach of their personal data and protected health information (PHI).

Suspicious activity was observed in its IT network on October 11, 2021. The healthcare company took action right away to protect its systems and block further unauthorized access. Third-party forensic professionals assisted in the conduct of an investigation to find out the nature and extent of the attack.

The investigation into the incident came to the conclusion on November 4 and though no proof of actual or attempted patient data misuse, unauthorized access and possible theft of protected health information cannot be overlooked. As a result, affected patients were told to stay alert for activities involving identity theft and fraud. The impacted persons were given free credit monitoring services.

An analysis of the files stored on the compromised systems affirmed that these types of patient information were probably exposed: Last and first name, sex, residence address, email address, telephone number, birth date, Social Security number, medical insurance policy/group plan number, group plan agency, claim details, medical background, diagnosis, treatment data, dates of service, laboratory test data, prescription details, medical account number, name of provider, and other facts included in the health records.

TriValley Primary Care stated it is aided by cybersecurity specialists to strengthen its cybersecurity guidelines, processes, and standards to lessen the risk of even more data breaches and the staff members will be given extra cybersecurity instruction.

Patients Do Not Know the Scope of Healthcare Cyberattacks and Information Breach

Armis, the unified asset visibility and security platform provider, had a new survey to investigate the status of cybersecurity in the healthcare sector and the security challenges that healthcare companies are now facing.

The study was done by Censuswide involving 400 IT experts at healthcare institutions all over the United States, and 2,000 American patients to acquire their ideas on cybersecurity and information breaches in the healthcare industry.

The survey established the growing cyber threat, with 85% of respondents stating cyber risk has expanded during the past 12 months. Ransomware groups have attacked the healthcare field in the past 12 months, and a lot of those attacks were successful. 58% of the participating IT specialists mentioned their corporation had encountered a ransomware attack in the last year.

13% of IT security professionals consider ransomware attacks as a source of concern, stating the majority are convinced that they could bring back data when an attack occurs. Nevertheless, data breaches that cause the loss of patient data were a big concern, with 52% of IT experts ranking data loss as a number one problem, with attacks on hospital operations considered as a key issue by 23% of healthcare IT professionals.

Guarding against cyberattacks is getting even more challenging because of the growing attack surface. Armis states there are already 430 million linked healthcare devices around the world, and that number will keep on rising. When questioned concerning the riskiest devices and systems, building systems like HVAC were the major issue s 54% of IT experts rated them as the main cybersecurity risk. Imaging machines were ranked as among the riskiest by 43% of survey participants, and then medicine dispensing devices (40%), check-in kiosks (39%), and vital sign tracking machines (33%). Though there is concern regarding the safety of these systems and medical gadgets, 95% of IT experts mentioned they assumed their interconnected systems and devices were patched and using the most up-to-date software program.

The growth in cyberattacks in the healthcare field is affecting healthcare decisions. 75% of IT specialists stated the latest attacks had a powerful effect on decision making and 86% of survey respondents mentioned their company had assigned a CISO; nonetheless, only 52% of survey participants mentioned their firm was putting more than enough finances to take care of IT safety.

The survey of patients showed 33 % had become the victim of a healthcare cyberattack, and though more or less one-half of patients (49%) stated they would change healthcare company if it suffered a ransomware attack, lots of patients are not aware of the scope of the latest cyberattacks and how often they are currently being documented. In 2018, healthcare data breach reports were sent at a rate of 1 each day. In the last 12 months, 7 months showed data breach reports of over 2 every day.

Even with comprehensive media reports regarding healthcare data breaches and vulnerabilities in healthcare devices, 61% of potential patients mentioned they didn’t learn about any healthcare cyberattacks during the past two years, evidently showing a lot of patients are uninformed of the threat of ransomware as well as other cyberattacks. Nonetheless, patients know the consequences those attacks might have, with 73% of prospective patients knowing a cyberattack can affect the quality of health care they are given.

When potential patients were asked concerning their privacy issues, 52% stated they were troubled that a cyberattack would stop hospital operations and will likely impact patient care, and 37% mentioned they were bothered about the confidentiality of information accessible via websites.

There undoubtedly seem to be trust concerns, as merely 23% of prospective patients claimed they relied on their healthcare service provider with their sensitive personal information. In comparison, 30% stated they depended on their best friend with that data.

$10 Million Reward Offered by the State Department for Information on REvil and DarkSide Ransomware Operations Leaders

People who have information associated with the REvil and DarkSide ransomware group leaders, or affiliates who carried out attacks, are being urged to come out. The U.S. State Department is offering a reward of as much as $10 million in exchange for details that points to the identification or whereabout of REvil/DarkSide ransomware groups leaders, with as much as $5 million paid for data that brings about the capture and sentencing of any person who conspired to take part or tried to get involved in a REvil/DarkSide ransomware attacks. The amount of the rewards offered in exchange for information undoubtedly shows how serious the United States is with its efforts to take the ransomware attackers to justice.

The effort to pressure the ransomware gangs seems to be somewhat effective. According to U.S. National Cyber Director Chris Inglis, there was a noticeable reduction in cyberattacks based in Russia. The DoJ states it is looking at a few more apprehensions associated with the REvil and DarkSide ransomware attacks in the upcoming weeks.

Worldwide Law Enforcement Efforts See Several Arrests

The United States isn’t just the nation that is focused on taking ransomware attackers to justice. An international law enforcement operation called GoldDust joined by 17 countries has lately led to the apprehension of 7 hackers thought to be engaged in the REvil and GandCrab ransomware attacks. The Europol, Eurojust, and INTERPOL-synchronized operation resulted in the arrest of two individuals in Romania, three people in South Korea, one person in Kuwait, and one in an unidentified European country, with the most current takedown happening on November 4 in Kuwait and Romania.

The three people in South Korea were formerly detained in February, April, and October because of their part in the GandCrab ransomware attacks, which is thought to be the forerunner of REvil/Sodinokibi. In 2018, the GoldDust operation began to be active and was started because of the GandCrab ransomware attacks.

The past week, Europol made an announcement of the arrest of 12 persons in raids in Switzerland and Ukraine because of their supposed participation in ransomware attacks that involve the LockerGoga and other ransomware attacks. Those people are considered to have had expert functions in different phases of the attacks, starting from infiltration up to taking the cash and laundering the ransom payments amounting to millions.

In September, the Ukrainian National Police, a French National Gendarmerie, INTERPOL and Europol operation led to the arrest of 2 people thought to be affiliates of two prolific ransomware attacks. That ransomware operation likewise resulted in the seizure of $375,000 cash and luxury cars, and the freezing of $1.3 million of cryptocurrency.

Furthermore, a 30-month campaign, called Operation Cyclone, which engaged law enforcement services in several countries led to the capture of 6 people thought to be engaged in the Clop ransomware campaign, with those apprehensions happening in June 2021. The operation had conducted searches at 20 places and seized $185,00 cash and computer devices believed to have been employed in the attacks. The Clop ransomware group had performed a lot of attacks in the U.S., such as those on Stanford Medicine, the University of Colorado, the University of Maryland Baltimore, and the University of California.

Although these apprehensions will result in certain interruptions to the operations of ransomware gangs, they stand for just a portion of the people engaged in ransomware attacks, who may be quickly substituted. The key untouchable members of the ransomware campaigns are thought to be residing in Russia.

PHI Likely Compromised in Hacking Incidents at Three Healthcare Organizations

Hacker Gains Access to Server of New York Psychotherapy and Counseling Center

New York Psychotherapy and Counseling Center (NYPCC), which is a non-profit provider of mental health services, has reported a cyberattack that was detected in September 11, 2021.

The provider immediately took steps to protect its systems and stop more unauthorized access. It engaged a third-party cybersecurity company to carry out a forensic investigation to find out the nature and extent of the incident. NYPCC stated there was no breach of its electronic medical record system; nonetheless, it is believed that the attacker had accessed certain files on its server that included the protected health information (PHI) of patients.

An analysis of the files found on the server showed the potential compromise of these data: names, addresses, birth dates, dates of service, and Medicaid IDs. NYPCC mentioned it is determined to constantly review and update its security practices associated with the PHI of patients.

Impacted persons received notifications by mail and offers of free credit monitoring, identity monitoring, and other similar services to secure their data against any misuse.

NYPCC has reported the incident to the HHS’ Office for Civil Rights, however, there is no information yet on the OCR breach website, consequently, it is presently uncertain how many people were impacted.

Prairie Lakes Healthcare System Hacked

Prairie Lakes Healthcare System based in Watertown, S.D. has uncovered that an unauthorized person has acquired access to some of its IT systems.

The healthcare system discovered the incident on October 6, 2021, when parts of its network had encountered disruption. Quick action was undertaken to isolate the affected systems and stop more unauthorized access. A third-party cybersecurity company investigated the occurrence and helped with remediation efforts.

Prairie Lakes Healthcare explained all the impacted systems were already in operation; nonetheless, the security breach investigation is still in progress. At this point of the investigation, there is no proof of unauthorized access or patient data exfiltration. In case patient information is considered to have been breached, the company will send notification letters to the affected persons.

Unauthorized Network Access of the Urology Center of Colorado

The Urology Center of Colorado (TUCC) has found out that an unauthorized individual gained access to parts of its computer system. The security breach was discovered and blocked on September 8, 2021. An inquiry into the breach confirmed that the attack started the preceding day.

The compromised sections of its network were examined to know whether any patient information might have been accessed. TUCC said the assessment identified the exposure of the following types of protected health information: name, Social Security number, date of birth, address, email address, phone number, medical record number, diagnosis, treating physician, insurance company, treatment fee, and/or guarantor name.

TUCC stated it altered account passwords to stop further unauthorized access and it considered supplemental security steps to avoid further data breaches. As a safety precaution, TUCC is providing complimentary credit monitoring and identity protection services to impacted people.

TUCC already reported the incident to the HHS’ Office for Civil Rights, however, it has not appeared yet on the breach portal of OCR, consequently, it is currently uncertain how many individuals have been impacted.

PHI of 45,262 Desert Pain Institute Patients Possibly Exposed in Cyberattack

Baywood Medical Associates, dba Desert Pain Institute (DPI) located in Mesa, AZ, has found out that unauthorized persons acquired access to sections of its computer network containing patients’ protected health information (PHI).

The security breach was discovered and blocked by DPI on September 13, 2021, and a third-party cybersecurity firm was hired to help investigate and find out the nature and extent of the cyberattack. On October 15, 2021, the forensic investigators affirmed the proof found showing the attackers had gained access to areas of its network that stored patients’ PHI.

An analysis of the data on systems the hackers had accessed revealed that these data might have been accessed or exfiltrated: Complete names, addresses, birth dates, Social Security numbers, driver’s license/state-issued ID card numbers, tax identification numbers, military identification numbers, medical data, medical insurance policy number, and financial account numbers. The types of information possibly exposed differed from one patient to another.

Since the breach was discovered on September 13 up to the date of sending notifications, there is no proof found to suggest any attempted or actual patient data misuse; nevertheless, affected persons were cautioned to watch out for signs of identity theft and fraud and to register for the free credit monitoring services, which are being given.

DPI reported that it has improved security options for its computer systems and servers, which consists of new end-point tracking tools to determine unauthorized activity.

The Department of Health and Human Services’ Office for Civil Rights breach portal has no report of the breach yet. However, the breach report given to the Maine attorney general indicated that 45,262 persons had their protected health information potentially exposed.

Securing Legacy Systems and Devices for HIPAA Compliance

The Department of Health and Human Services’ Office for Civil Rights has informed HIPAA-covered entities to evaluate the security of their legacy IT programs and devices.

A legacy system refers to any system that includes one or more parts that were replaced by more recent technology and hit end-of-life. Whenever software programs and devices hit end-of-life, support also ends, and there will be no more patches issued to resolve identified vulnerabilities. That’s why legacy systems and devices are prone to cyberattacks.

Healthcare companies must be mindful of the date when support won’t be available. They must develop a plan to change obsolete software programs and devices; nonetheless, there are usually legitimate reasons for still using legacy systems and products.

Legacy systems could still function well and be customized to a company’s business design, therefore there may be an unwillingness to switch to current systems that have support. Changing to a current system might necessitate time, money, and human assets that aren’t readily available, or it might mean that replacing a legacy system would disrupt critical services, affect information integrity, or make ePHI inaccessible.

HIPAA-covered entities must make sure that all software programs, systems, and gadgets are always patched and updated, however in healthcare, there are usually competing goals and commitments. When the choice is made to keep on utilizing legacy systems and devices, it is crucial to consider security and implement safeguards to make sure that those systems and gadgets won’t be hacked. That is particularly crucial when it’s possible to use legacy systems and devices to access, hold, create, retain, receive, or transfer electronic protected health information (ePHI).

Continuing to use legacy software and devices does not violate HIPAA Rules, as long as compensating controls are put in place to make sure ePHI is secured. If security considerations are overlooked when using legacy systems, that is a violation of the HIPAA Rules.

There are many legacy systems used in the healthcare field that need protection. Healthcare companies should have complete knowledge of the legacy systems that are used in their company. If the IT team is not aware of the use of legacy systems, there won’t be compensating controls implemented to make sure they are properly secured.

It is important to create a detailed inventory that lists all legacy systems and devices and to do a security risk analysis on every system and device. It is required by the HIPAA Security Rule that covered entities and their business associates should perform a correct and complete evaluation of the likely risks and vulnerabilities to the integrity, confidentiality, and availability of ePHI, which include ePHI found in legacy systems.

Risks should be determined, prioritized, and addressed to minimize them to a low and tolerable level. Mitigations consist of updating to a supported system or version, getting a vendor that offers extended support, moving the system to a secured cloud-based option, or separating the system from the network.

When HIPAA-covered entities decide to keep a legacy system, current security controls must be toughened, or compensating controls must be applied. OCR states consideration must be given to the problems of upkeep, as they may offset the advantages of continually using the legacy system and there must be plans to eventually remove and replace the legacy system.

For the time being, OCR recommends these controls to enhance security:

  • Improve system activity checks and audit recording to identify unauthorized activity, with particular attention given to security settings, authentication events, and ePHI access.
  • Limit legacy system access to a small number of users.
  • Reinforce authentication prerequisites and access controls.
  • Limit the legacy system from executing functions or actions that aren’t really essential
  • Make certain to perform backups of the legacy system, particularly when improved or compensating controls affect previous backup solutions.
  • Create contingency plans that take into account a higher probability of failure.
  • Carry out aggressive firewall regulations.
  • Use secure anti-malware programs.

Put Cybersecurity First This Cybersecurity Awareness Month

The theme of the fourth week of Cybersecurity Awareness Month is “Cybersecurity First.” The focus is on getting businesses to know about the requirement for cybersecurity procedures to deal with vulnerabilities in products, procedures, and people.

Cybersecurity Tips for Organizations

One study states 64% of firms around the world have suffered some sort of cyberattack and the rate at which attacks are happening is growing. It is important for businesses to make sure that cybersecurity steps are integrated when making apps, goods, or new services and for cybersecurity to be thought of at the design phase. Safeguards must be integrated into products from the beginning. Cybersecurity should never be an afterthought.

Businesses must have a complete understanding of their IT environment and what assets should be secured. An inventory ought to be made for all resources and the location of all sensitive information must be known. A plan then has to be created to safeguard those assets, which ought to include overlapping layers of protection utilizing technologies like firewalls, antivirus software, spam filters, web filters, endpoint detection systems, encryption tools, and backup solutions. Patch management is likewise crucial. Software and firmware program updates must be employed quickly, with priority given to patching the major vulnerabilities.

Businesses need to embrace a mentality of a cyber breach being unavoidable, which means they must know how they will react to an attack if it happens. A business continuity plan needs to be created and tried. The plan must include emergency procedures while systems and data are not accessible, the restoration of systems and information, communication with stakeholders, compliance, and reporting breaches to proper authorities. Having an incident response plan ready makes certain the organization can still work in the event of a cyber breach and it will considerably accelerate the recovery time period and help to lower breach costs.

FBI Boosts Awareness of the Ransomware Threat

The Federal Bureau of Investigation (FBI) is raising awareness of the risk from ransomware. A ransomware attack can result in the encryption of files making them inaccessible. The attacker issues a ransom demand in exchange for the keys to decrypt data files, though there are no assurances that files will be recovered after the ransom payment. It is likewise typical for sensitive information to be stolen prior to file encryption, and the attacker threatens to publish or sell the information when the victim doesn’t pay the ransom.

Computer and systems access is acquired by taking advantage of vulnerabilities, performing brute force attacks to determine weak passwords, and in most cases, by means of phishing emails. Hyperlinks are contained in emails, which lead users to sites that asked for the users’ login credentials or install files that contain malware. Quite often, emails have attachments with macros and other scripts for downloading malware so that the attackers get persistent access to equipment and systems.

The FBI suggested steps suggested to steer clear of ransomware attacks such as updating software, using patches immediately, using anti-malware solutions on all devices, backing up files on a regular basis and keeping backups off the internet, and teaching employees about identifying phishing emails as well as other risks.

It is vital for employees to have security awareness training. Cybercriminals often target employees, so employees ought to get security awareness training in the process of onboarding. They should be given the tools needed to keep their organizations secure including regular training.

Healthcare CISOs Need Government Support to Manage Increased Cyber Threats

The College of Healthcare Information Management Executives (CHIME) and Association for Executives in Healthcare Information Security (AEHIS) has conducted a new survey involving Chief Information Security Officer (CISO) members. The results presented the effect of cybersecurity occurrences on the healthcare sector and the requirement for government assistance to take care of the threats.

Cybercriminals have been targeting the healthcare sector, however, attacks surged throughout the pandemic. 67% of survey respondents stated their company had encountered a security event in the last 12 months with nearly half stating they were had suffered a phishing attack. The most often used security exploits in cyberattacks are malware ransomware, phishing and business email compromise (BEC) attacks, hacking, and insider threats.

Cyberattacks can cause patient safety concerns. One new study reveals mortality rates, medical issues and the length of hospital stays
increase after a ransomware attack. The survey established the effect on patient safety, as 15% of survey respondents reports a patient safety problem following a cyberattack, and 10% stated they were compelled to redirect patients to other hospitals after an attack.

More attacks mean greater costs. Over 80% of surveyed CISOs claimed increased costs connected with cyberattacks last year. 20% of survey respondents mentioned a 50% increase in costs in the past year. One of six reported doubled costs. Aside from remediation costs, the cost of cyber insurance policies also increased because of the greater threat of cyberattacks.

Without a doubt, the situation will probably worsen as there are a number of rising threats of big concern, like the surge in IoT and other linked devices, growing remote staffing, supply chain risks, API security problems, and risks connected with 3rd party consumer health applications.

Cybersecurity funding has always been a problem in medical care, however, the higher costs have worsened the situation and a lot of CISOs are having difficulties.

The survey revealed that healthcare companies need additional help addressing the growing threat of attacks. Congress is looking at various ways to enhance protection against cyberattacks for critical infrastructures, such as healthcare. However CHIME and AEHIS state that medical care is usually left out, although the healthcare sector is one of the most attacked and most vulnerable critical infrastructures.

40% of respondents stated that they need assistance like grants or government assistance to boost cybersecurity. One-third stated that the guidance and expertise of cyber professionals of regional extension centers, and 16.7% stated they would profit from closer associations with government authorities like CISA and the FBI.

52% of survey respondents stated they had registered at an Information Sharing and Analysis Organization (ISAO) or Information Sharing & Analysis Center (ISAC), however, additional guidance is required, as 10% of respondents stated they were uncertain when it was appropriate to reveal threat details. When assistance is given, it must be conveyed more appropriately. For example, 45% of respondents stated they were uninformed of 405(d) recommendations that the HHS published.

Based on this survey, it is obvious that healthcare companies will need a number of tools to deal with the risks to the provision of patient care. More resources, training, and ongoing assistance for the healthcare sector are necessary.

Centers to Secure Critical Infrastructure and Public Health Launched by MITRE

MITRE announced two new companies that were assigned to deal with crucial healthcare challenges and enhance cybersecurity to better safeguard critical infrastructure.

MITRE is a nonprofit company that deals with federally financed research and development centers to assist government institutions in defense, healthcare, homeland security, cybersecurity, and other industries. MITRE Labs was founded in 2020 in association with the reorganization of MITRE, with the new unit tasked with driving innovations in applied science and advanced technology to improve the potential of American scientific and economic leadership.

Two new companies were established now within MITRE Labs – The Cyber Infrastructure Protection Innovation Center and the Clinical Insights Innovation Cell.

The Cyber Infrastructure Protection Innovation Center was created to link the gap in technology between the public and private sector and make sure the industrial control systems, operational technology, and cyber-physical systems of critical infrastructure institutions are secured.

Cybercriminal gangs and nation-state actors are performing attacks on critical infrastructure, as shown by the recent cyberattacks on the meat processor JBS, Colonial Pipeline, and a Florida water treatment plant. These cyberattacks can have a debilitating effect on economic security, national security, and the health and safety of all people in America.

Critical infrastructure is generally managed and maintained by private firms. The new Cyber Infrastructure Protection Innovation Center is supposed to work across industry and government to have more knowledge about the cyber threats confronted by the critical infrastructure industry and to know practical measures that can be done by operators of critical infrastructure to enhance security against cyber threats.

The Clinical Insights Innovation Cell was started to gather frontrunners from the private and public sector to help deal with critical healthcare problems and aims to provide clinical and data science leadership, information, and innovative artificial intelligence approaches.

The Clinical Insights Innovation Cell team is composed of data scientists, doctors, informaticists, and specialists in the fields of artificial intelligence, digital health, and clinical research trials, and has the objective of creating a new system of performing clinical trials so that health systems are more dependable and resilient.

MITRE Labs has made a substantial improvement to broaden MITRE’s effect, inspire revolutionary disruption, speed up risk-taking and discovery, and provide technical functionality, mentioned MITRE Labs’ Charles Clancy. These new groups will allow us to move faster, be bolder, and take action as better associates for protecting our nation’s critical infrastructure and using clinical and genomic data to deal with the challenges of infectious disease and the promise of precision medicine.

Ransomware Attack on Johnson Memorial Health’s Network

Johnson Memorial Health has reported a ransomware attack last October 1, 2021 resulting in the encryption of files that sabotaged its IT systems. Emergency procedures were quickly enforced and staff members manually recorded patient data and wrote prescriptions up to the time systems were restored.

Ransomware groups usually obtain systems access some time, perhaps weeks or months, before ransomware deployment. At that time, they go laterally inside networks to obtain access to many systems they possibly can prior to deploying the ransomware; however, not at all times.

The ransomware attack on Johnson Memorial Healthcare happened really fast. As per Dr. David Dunkle, Johnson Memorial Health’s President and CEO, the attackers acquired access to its IT systems at 10:31 p.m. on October 1 and deployed ransomware at 10:33 p.m., which is 2 minutes later. The hospital’s IT team discovered abnormal activity at about 10:40 p.m. and de-activated its network at 10:45 p.m. to limit the resulting problems.

The attackers issued a ransom demand, however, Dunkie did not give any ransom payment. An investigation is currently ongoing to find out the scope of the encryption and the particular systems and data files affected.

Dr. Dunkie stated that Johnson Memorial Health continued to provide medical care to patients. Surgeries and consultations continued as usual but with no computer access, patient registration may be delayed. Ambulances were diverted to other hospitals to lessen the load on the hospital staff. The investigation is just in its beginning stages and the extent of affected patient information is still presently unknown.

This is the third report of a ransomware attack in Indiana by a healthcare provider. Last week, Schneck Medical Center in Seymour reported a ransomware attack. Eskenazi Health based in Indianapolis also reported a ransomware attack last August. There seems to be no relationship between the attacks.

Do Your Part, #BeCyberSmart This National Cybersecurity Awareness Month

October is Cybersecurity Awareness Month, which highlights the importance of cybersecurity for the whole month. Resources will be available to help institutions enhance their security posture by means of adopting best practices in cybersecurity and building up employees’ security awareness.

The United States Department of Homeland Security Cybersecurity and the National Cyber Security Alliance launched Cybersecurity Awareness Month in 2004 to increase understanding of the value of cybersecurity. Every year, there is a different theme, though the general purpose is similar – To enable men and women and the companies they work for to enhance cybersecurity so that it is more difficult for hackers and con artists to be successful.

The October, the focus is bettering education regarding cybersecurity guidelines, increasing awareness of the digital dangers to privacy, inspiring companies, and people to put in place tougher safety measures to secure sensitive information, and showcasing the value of security awareness training.

The general theme of this 2021 is – “Do Your Part, #BeCyberSmart.” It is centered on talking about the significance of every person doing his part in cybersecurity and safeguarding systems and sensitive information from attackers and cybercriminals. All through October, the National Cyber Security Alliance along with its partners are going to have programs to increase awareness of particular areas of cybersecurity. Each week has the following theme:

  • Week 1 of October: Be Cyber Smart.
  • Week 2 of October: Fight the Phish!
  • Week 3 of October: Explore. Experience. Share.
  • Week 4 of October: Cybersecurity First

Cybersecurity Awareness month begins week one with the subject of “Be Cyber Smart.” Recommended cybersecurity practices will be featured to safeguard the great amounts of personal and business information that are kept on Internet-linked systems.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), this timeless theme urges people and institutions to do their part in safeguarding their area of cyberspace, emphasizing personal liability and the value of taking active steps to boost cybersecurity.

Highlighted in week one are the best practices that organizations and consumers must be putting into action such as

  • Setting up strong passwords at all times
  • Employing multi-factor authentication on accounts
  • Updating and patching software promptly
  • Creating backup copies to make sure data are recoverable in case of a ransomware attack or any detrimental cyberattack.

Since Cybersecurity Awareness Month started, the key role of cybersecurity in the country’s security and economy had been elevated. This October, President Biden announced the beginning of Cybersecurity Awareness Month in a White House statement, emphasizing the commitment to carry out the best practices to protect internet-connected devices, systems, and technology from cyber threats whether at home, work, school, or any place that the internet is accessed. . All Americans must conscientiously secure their sensitive information and enhance their cybersecurity awareness by taking on this 2021’s theme: “Do Your Part. Be Cyber Smart.”

U.S. Vision Subsidiary Announces Hacking Incident Impacting 180,000 Persons

USV Optical Inc., a U.S. Vision Inc. subsidiary, has reported that unauthorized people have acquired access to some servers and systems that contained patients’ protected health information (PHI). The data breach was discovered on May 12, 2021, with the following forensic investigation affirming that the attackers got access to its systems for nearly a month between April 20, 2021 and May 17, 2021, during which its systems were made secure.

Third-party computer forensics experts are still investigating the breach to find out the full scope and extent of the attack, however, have come to the conclusion that unauthorized persons possibly accessed and exfiltrated patient information during the attack.

It was confirmed that these types of personnel and patient information were compromised: Names of patients, eyecare insurance data, and eyecare insurance application and/or claims details. A part of the people may likewise have had this information exposed: Address, birth date, and/or other personal identifiers. There is no report received thus far of any instances of attempted or actual improper use of personal data and PHI due to the security incident.

The data breach was already reported to the Department of Health and Human Services’ Office for Civil Rights as impacting 180,000 people. The healthcare provider is sending breach notifications to those persons together with instructions on steps to do by breach victims to secure their identities, in case they consider those steps to be suitable.

USV Optical stated it worked hard to check and respond to the incident and is presently working to determine and inform possibly affected individuals. An analysis is being done of guidelines associated with data protection and these are going to be improved to better secure patient information.

This is the second big data breach that an eye care provider reported in the last couple of days. Simon Eye Management lately announced that it encountered an email security breach wherein the PHI of 144,000 people was compromised.

LifeLong Medical Care & Beaumont Health Patients Impacted by Data Breaches at Business Associates

LifeLong Medical Care, a Californian healthcare company serving patients in Contra Costa, Marin, and Alameda Counties, has informed selected patients who had their protected health information (PHI) affected in a ransomware attack on Netgain Technologies, its third-party vendor.

Netgain Technologies uncovered a data breach on November 24, 2020 involving ransomware. An internal investigation into the breach confirmed on February 25, 2021 that the attackers acquired access to data containing the data of its customers. The attackers first of all compromised its systems on November 15, 2020.

LifeLong Medical Care mentioned it began a thorough investigation into the security breach and found out on August 9, 2021 that the personal information and protected health information of patients were accessed and/or exfiltrated from Netgain’s network. Impacted patients had their entire name compromised in addition to one or more of the following data elements: Social Security number, date of birth, patient cardholder number, and/or treatment and diagnosis details.

Affected people started to be advised concerning the breach on August 24, 2021, 9 months right after the breach took place. LifeLong Medical Care stated it doesn’t know of any instances of identity theft or incorrect use of patient information because of the incident nevertheless has advised patients whose Social Security number was breached to get no-cost credit monitoring services.

LifeLong Medical Care expressed in its August 24, 2021 breach notification letter that it is fully committed to the safety of information, and is cooperating with third-party vendors to strengthen security and oversight.

The HHS’ office for Civil Rights breach site has yet to report the incident, thus it is not clear yet how many individuals were affected at this period.

Beaumont Health Patients’ PHI Compromised Due to the January 2021 Accellion Data Breach

Beaumont Health, the premier healthcare service provider in Michigan, publicized on August 27, 2021 that the PHI of a number of of its patients was compromised in the attack on Accellion in January 2021. Beaumont Health mentioned it was informed by Goodwin Proctor LLP on February 5, 2021 that patient records were exposed in the attack. Goodwin Proctor had employed the Accellion File Transfer Appliance for transmitting sizeable files among clients, one of which was Beaumont Health.

Goodwin Proctor had acquired files that contain the personal data and PHI of patients of Beaumont Health in association with the legal services furnished by the law company. The breach investigation established that information on the Accellion appliance was saved by the threat actor on January 20, 2021 after taking advantage of a vulnerability. The threat actor, who had a connection with the Clop ransomware gang, then tried to extort cash to avoid the release/vending of the stolen files.

Beaumont Health stated “Goodwin advised Beaumont involving the Accellion security incident following finding out that the data stolen by the threat actor may have included Beaumont patient details. Beaumont eventually carried out its own independent examination of the data affected by the Accellion incident and uncovered on June 28, 2021 that the affected details comprised some patient health data of several Beaumont patients.

The PHI of roughly 1,500 patients was impacted in the breach, which contained patient names, procedure names, physician names, dates of service and internal medical record numbers.

Beaumont Health mentioned it has not acquired any reports of misuse of that details, the same is true with Goodwin Proctor. Goodwin Proctor issued notification letters to impacted persons on behalf of Beaumont Health beginning on August 27, 2021. Goodwin Proctor stated it has stopped its use of the Accellion File Transfer Appliance and is today further assessing its data security policies and operations.

This is the most current in a sequence of data breaches to have an effect on Beaumont Health. In late 2019, Beaumont Health found out a 20-month insider data breach that affected 1,182 patients, documented a phishing attack in April 2020 that impacted 112,000 patients, and an additional phishing-related breach was noted in July 2020 as impacting 6,000 people.

FBI & CISA Warning of Greater Risk of Ransomware Attacks over Labor Day Weekend

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have given an alert to all public and private sector institutions regarding the elevated risk of ransomware attacks during times when offices are usually closed, like long holiday weekends.

Although a lot of employees are going to be having a long weekend break because of Labor Day, this is a period when threat actors are generally very active. The small staff numbers at the time of holidays and weekends make it more unlikely that their attacks will be discovered and hindered. The CISA and the FBI revealed in the alert that they have seen a rise in extremely impactful ransomware attacks happening on holiday seasons and weekends, and gave several cases of threat actors performing attacks during holiday breaks in the United States in 2021.

Lately, the Sodinokibi/REvil ransomware actors carried out an attack on the Kaseya remote monitoring and management tool during the Fourth of July 2021 weekend break. The attack impacted lots of companies which include countless managed service providers and their downstream clients.

At the time of the Memorial Day weekend in May 2021, the same attackers performed a ransomware attack on JBS Foods, which affected the firm’s food production amenities in the United States, which stopped all production. JBS Foods paid for the $11 million ransom demand to obtain the keys for decrypting files and avoid the exposure of information stolen during the attack.

Before the Mother’s Day weekend break in May, the DarkSide ransomware gang performed its attack on the Colonial Pipeline that caused the closing of the fuel pipeline serving the Eastern Seaboard for one week. Colonial Pipeline had paid a $4.4 million ransom payment to speed up attack recovery.

The ransomware threat actors associated with the cyberattacks on Colonial Pipeline, JBS Foods, and Kaseya have stopped their operations, however, threat actors seldom stay inactive for very long. It is typical for them to appear with a new ransomware campaign after a time of apparent inactivity. There are additionally numerous other ransomware attackers that are presently very active that may attempt to make the most of the absence of crucial employees over the holiday break.

The ransomware attackers responsible for the Conti, LockBit, PYSA, RansomEXX/Defray777, Zeppelin, and Crysis/Phobos/Dharma ransomware variants were all active throughout the last month and attacks concerning those ransomware variants have usually been reported to the FBI in the last 4 weeks.

Though neither CISA nor the FBI has found any particular threat intelligence to suggest ransomware or another cyberattack will happen through the Labor Day weekend, according to the attack trends to date this 2021, there is a greater risk of a big cyberattack taking place.

As a result, the FBI and CISA are informing security teams to be particularly heedful and to make sure that they are thorough in their network defense routines, take part in preemptive threat hunt on their sites, adhere to recommended cybersecurity and ransomware guidelines, and carry out the proposed mitigations to minimize the risk of ransomware attacks and other cyberattacks.

Those mitigations consist of:

  • Create an offline backup copy of files and testing backups to make certain it’s possible to restore information
  • Not visiting suspicious links in email messages
  • Protect and keep track of RDP connections
  • Upgrade operating systems and software applications and check vulnerabilities
  • Use tough passwords
  • Utilize multi-factor authentication
  • Protect networks by employing segmentation, blocking traffic, and scanning ports
  • Safeguard user accounts
  • Create an incident response program
    Suggested guidelines, mitigations, and information are detailed in the advisory, which is accessible on this page.

Study Shows Magnitude of Cybersecurity Vulnerabilities at Big Pharmaceutical Companies

Reposify, an external attack surface management platform provider, has posted the results of research about security vulnerabilities at pharmaceutical companies which reveals the great majority of pharma companies have unsolved vulnerabilities that are placing sensitive information and internal systems at risk of exposure.

The study was performed to evaluate the frequency of breaches of services, unpatched CVEs, sensitive platforms, and other security problems. Data assessed for the Pharmaceutical Industry: 2021: The State of the External Attack Surface Report was compiled over a two-week time period in March 2021 and included 18 of the top pharmaceutical firms around the world and over 900 of their subsidiaries.

Pharmaceutical firms keep substantial amounts of sensitive personal information and extremely important drugs and vaccine research information. Because of that, they are an appealing target for cybercriminals. Throughout the COVID-19 pandemic, nation-state hackers focused on pharma and biotech companies to obtain access to sensitive COVID-19 studies and vaccine development information.

Based on IBM Security/Ponemon Institute’s 2020 Cost of a Data Breach Report, pharma and biotech companies had an increased rate of security cases in 2020. 53% of the incidents were due to malicious activity. On average, the cost of a pharmaceutical data breach in 2020 was $5.06 million while the average time it takes to detect and control a breach was 257 days.

Because the pandemic brought about a rush to level up and digitize, the digital footprints of pharmaceutical firms have expanded even more creating a lot of new blind spots that attackers can and did quickly exploit to gain access to confidential, highly sensitive information.

In 2020, numerous mergers and acquisitions have happened as bigger pharmaceutical companies bought smaller firms in the industry. These smaller companies were usually focused on quick development and flexibility, which frequently meant inadequate resources were spent on cybersecurity. M&A transactions consequently had bigger possibilities to bring in serious security risks.

Reposify researchers examined 2020 M&A transactions and discovered in 70% of instances, the newly obtained subsidiary had a bad effect on the parent company’s security posture. The vulnerabilities presented were frequently significant, or in certain cases, lots of sensitive data compromised and unpatched solutions.

The researchers examined the incidence of key problems which are obvious externally and could possibly be exploited by cybercriminals, such as misconfigured databases and cloud solutions and unpatched vulnerabilities in software programs. The high severity security problems per organization had a median number of 269, while critical severity issues per organization had a median of 125.

Important information from the report consists of:

  • 92% of pharmaceutical firms had a minimum of one exposed database that was possibly leaking information.
  • 76% had a compromised RDP service.
  • 69% of exposed services found were categorized as being a component of the unofficial network perimeter.
  • 50% of pharma companies had a compromised FTP with unknown authentication.
  • 46% of pharma companies had a compromised SMB service.

Pharmaceutical firms need to solidify their security and make it harder for attackers to acquire a footing in their systems, explains Reposify. This initiative should start with getting a clear perspective of their outside attack surface and constant tracking and removal of risky attack vectors. The report additionally pointed out the significance of doing pre-acquisition cybersecurity research, such as mapping and investigation of the acquisition target’s outside attack surface.

Gastroenterology Consultants Informs Patients Regarding January 2021 Ransomware Attack

Gastroenterology Consultants, PA experienced a ransomware attack on January 10, 2021 that involved the encryption of sensitive information. The company sent notifications to patients possibly impacted by the attack to advise them about the potential access or exposure of their protected health information (PHI) in the attack.

Gastroenterology Consultants, the biggest partnership GI practice based in Houston, TX, started an investigation of the ransomware attack and took action to block the threat actors from accessing its network and recover affected information. The company uploaded a substitute breach notice to its website on March 19, 2021 telling patients concerning the attack. There is no evidence found that suggests the attacker accessed or exfiltrated any patient information in the attack.

Attacks like this usually require sending breach notification letters, because although there is no evidence of data theft, it is typically impossible to exclude unauthorized PHI access with 100% certainty. In cases like this, instead of identifying the specific patients impacted by the attack, the provider decided to inform all patients who had their PHI likely compromised. Gastroenterology Consultants submitted a breach report to the Maine Attorney General with information that 162,163 breach notifications were sent.

Right after commencing a comprehensive data mining process to find out particularly whether any patient or worker had any sensitive personal data or PHI compromised, the provider discovered that reviewing thousands of records one by one wasn’t cost-effective. Hence, even though there is no proof of any unauthorized usage of patient or worker information, Gastroenterology Consultants have thought it best to mail notices to all workers and patients explaining the particular type of data potentially compromised.

The files possibly breached were made ready by employees to accomplish patient processing. The records included certain PHI, and less than 50 had compromised Social Security numbers. Those people were given complimentary credit monitoring services, just like employees who had their sensitive information potentially accessed.

The Average Payment for Ransom Demands Dropped by 38% in Q2 of 2021

As per the recent report by ransomware incident response organization Coveware, there is a 38% decline in the average ransom paid by victims of attacks from Q1 to Q2, 2021. Quarter 2’s average ransom payment of $136,576 indicates a 40% lower median payment of $47,008.

One of the major components that reduced ransom payments is a lesser incidence of attacks by two main ransomware groups, Ryuk and Clop. The two are regarded for their huge ransom demands. As opposed to many attacks being executed by one or two groups, there is currently a rising number of differing ransomware-as-a-service brands that usually require reduced ransom payments. In Q2, Sodinokibi (REvil) was the busiest RaaS operation doing 16.5% of attacks. The other ransomware groups activities are as follows: Conti V2 (14.4%), Avaddon (5.4%), Mespinoza (4.9%), and Hello Kitty (4.5%). Ryuk was just accountable for 3.7% of attacks and 3.3% of attacks for Clop.

Currently, the Sodinokibi gang has become silent subsequent to the Kaseya attack and seems to have been closed; nevertheless, the group has de-activated operations before only to reactivate with another ransomware variant. Even though the operators have retired, the affiliates that perform the attacks previously are possibly to just turn to a substitute RaaS operation therefore attack volume might not be impacted.

The most well-known vectors employed in attacks have been varying in the last couple of months. In Q1 of 2021, there was a rise in brute force attacks on Remote Desktop Protocol (RDP) while software vulnerabilities exploitation along with phishing attacks is going down. In Q2, RDP compromises and application vulnerability exploits equally diminished and email phishing went up, as phishing and RDP compromises right now are just as prevalent. The software program vulnerabilities exploitation is the attack vector chosen for specific attacks on big businesses, and those attacks are generally done only by the most innovative RaaS operations with high operating funds that permit them to obtain one-day exploits or purchase access to huge networks.

In Q2, over 75% of ransomware attacks were on companies with less than 1,000 staff. The reason is, these smaller firms are unlikely to invest in security awareness training for staffing and email security to prohibit phishing attacks. They are additionally more probable to reveal RDP online. Small firms are likewise more inclined to outsource security to MSPs. MSPs continue to be a big target, as an attack on an MSP can enable the attacker to then target all MSP’s customers.

The report has shown a drop in the efficiency of double extortion practices. This is where prior to file encryption, sensitive data are copied. Ransom demand is issued in exchange for the decryption key and an extra payment is demanded to stop the publicity or selling of stolen information. In Q2, 81% of attacks involve data exfiltration before encrypting files, higher than Q1’s 76%.

Nonetheless, payment to make sure of data removal is currently more improbable. In 2020, 65% of victims that could recover data from backups files compensated the attackers to avert the posting of stolen information, however, in Q2 of 2021 the percent was merely 50%.

The most hit industries in quarter 2 were the professional services (13.3%), healthcare (10.8%), and the public sector (16.2%). Coveware proposes that these sectors might not be particularly targeted, rather they are merely the least difficult to attack. For example, the number of attacks on law companies went up but that was mainly a result of the attack by the Clop ransomware group on Accellion File Transfer Appliances, which were disproportionately made use of by law agencies.

Coveware reports that the normal recovery time from a ransomware attack decreased by 15% in Q2, with victims normally experiencing 23 days of outages subsequent to an attack; nonetheless, this was ascribed to a rise in data-only attacks in which there’s no material business disruption.

Senate Introduces Cyber Incident Notification Act of 2021

The Cyber Incident Notification Act of 2021 is a draft government breach notification bill circulated by a bipartisan group of senators last June. This bill requires all government agencies, contractors, and companies regarded as essential to U.S. national security to submit to the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) a report of data breaches and security occurrences within 24 hours of discovery. On July 21, there was an amended bill officially presented in the Senate.

Senators Mark Warner (D-VA), Susan Collins (R-ME), and Marco Rubio (R-FL) introduced the bill. Now, there are 12 more senators from both parties that have included their names in the bill.

The bill is going to deal with a few of the important concerns that have emerged in the aftermath of the latest cyberattacks that affected U.S. critical infrastructures, such as the SolarWinds Orion supply chain attack as well as the ransomware attacks on Colonial Pipeline and JBS.

The SolarWinds breach showed how extensive the domino effects of these attacks could be, impacting hundreds or actually thousands of organizations linked to the preliminary target, according to Sen. Warner. Depending on voluntary reporting is not enough to safeguard critical infrastructure. There should be a programmed federal standard so that any time essential sectors of the economy are impacted by a breach, the national government’s full resources may be used to respond to and hold off its effect.

The goal of the new law is to make sure of prompt federal government knowledge of cyber-attacks that present a risk to national security, as the bill allows the creation of a typical operating picture of cyber threats at the national level.

Security incidents that necessitate the issuance of notifications to CISA include those that:

  • Involve or are presumed to involve a nation-state, an Advanced Persistent Threat (APT) actor, or a transnational organized crime group.
  • Can hurt U.S. national security interests, international relations, or the American economy.
  • Have important national consequences, such as affecting civil liberties, public confidence, or public health and safety of U.S. citizens.
  • Has possibilities of affecting CISA systems.
  • Have ransomware involvement

When reporting a security event or cyber threat, companies must include the following details: a description of the incident, the systems and networks impacted, an estimate of the date of occurrence of the incident, provide data regarding any exploited vulnerabilities, any tactics, techniques, and procedures (TTPs) identified. Actionable cyber threat data will be given to the government and private sector organizations and the public to enable taking immediate action to counter risks. The bill provides CISA 48 hours to take action on reports of an attack and request details regarding the security event.

To encourage companies to submit data breach reports, the bill consists of liability protections for breached entities to secure against possible lawsuits that may crop up from sharing security breaches and permits anonymized personal information to be used when submitting breach reports.

The bill calls for the Department of Homeland Security to operate with the help of other federal institutions to create a set of reporting requirements and to balance those criteria with the regulatory specifications in place during the date of enactment.

The inability to report a security event to CISA can be penalized, pending the decision of the Administrator of the General Services Administration. The highest financial penalty is going to be 0.5% of gross income for the prior fiscal year. Another likely sanction is the elimination from federal contracting itineraries.

According to Sen. Rubio, it is crucial that American companies act promptly as soon as an attack happens. The longer a cyberattack is not reported, the more problems it may cause. Making sure of immediate reporting will help safeguard the health and safety of many Americans and will enable the government to locate those accountable.

U.S. Government Introduces New One-Stop Ransomware Site

The Department of Justice and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have reported the introduction of a new online resource that will work as a one-stop-shop giving facts to assist the public and private sector establishments cope with the escalating ransomware threat.

The new learning resource – StopRansomware.gov – is an interagency resource that offers instruction on ransomware security, identification, and response in just one place.

The new resource gives general facts concerning ransomware, such as what ransomware is and how cybercriminals use it to extort cash from public and private sector companies. Detailed data is given on how companies could enhance their security position and protect against attacks, which include ransomware best practices, bad practices to steer clear of, cyber hygiene ideas, FAQs, and training tools.

The site has a newsroom with the most recent ransomware-associated advice, together with notifications from CISA, the Department of Treasury, the FBI, and other government agencies regarding the ever-changing strategies, techniques, and methods that cybercriminals use in their attacks.

Ransomware attack victims can file a report of the attacks via the website to either CISA, the FBI, or the United States Secret Service, with the attack report automatically transmitted to all relevant agencies to make sure that the breach is explored, threat details is shared, and steps are undertaken to determine the perpetrators and have them taken to court.

Companies are being prompted to make use of the new resource to know the danger of ransomware, minimize risk and, in case of an attack, know what actions to undertake to control the harm brought about and make sure the quickest possible recovery.

Cybercriminals have launched attacks on critical infrastructure, small companies, hospitals, police authorities, educational institutions, and more. These attacks specifically affect Americans’ everyday life and the safety of our country. Department of Homeland Security Secretary Alejandro Mayorkas urges every entity all over the country to utilize this new resource to discover how to secure themselves from ransomware and cut down their cybersecurity risk.

Lake County Health Department Informs 25,000 Patients Regarding Two Data Breaches

The Lake County Health Department in Illinois made an announcement that it has experienced two data breaches that possibly affected the personal data and protected health information (PHI) of about 25,000 patients.

The first data breach happened in 2019 when a Lake County Health worker routed an unencrypted email message from their email account at work to an internal employee’s personal email. With the email was an attached spreadsheet containing medical record requests from December 2016 until June 2019. The requests were made via a third-party firm that managed the release of data requests on behalf of the Lake County Health Department. The spreadsheet contained the names of 24,241 patients together with dates pertinent to the vendor.

On July 22, 2019, Lake County Health found out about the breach; nevertheless, notification letters were sent to impacted patients only on July 2021. The almost two-year delay was because Lake County Health officers did not think the notification letters were necessary, since no PHI was compromised; but the Department of Health and Human Services did not agree with that analysis and demanded the issuance of notification letters because PHI might have been exposed.

Another data breach was identified on May 14, 2021 that concerned a Google spreadsheet comprising names, birth dates, email addresses, telephone numbers, and 705 individuals’ COVID-19 vaccination status. The spreadsheet was kept in the employee’s personal Google Drive account. Although Google Drive may be HIPAA compliant if used in healthcare in conjunction with other G Suite services, personal Google accounts are not HIPAA-compliant. Google can view the data in personal Google accounts and utilizes that data to offer customized services and adverts. All impacted people were senior citizens who had looked for data on COVID-19 vaccinations. Those people have already received notifications.

Although both privacy incidents ended in the exposure of patient data, Lake County Health mentioned internal risk checks were done and there is no evidence found that suggests unauthorized individuals acquired any exposed information or misused it.

Since the data breach, Lake County Health Department has enforced measures to avoid identical breaches later on, such as encrypting all email messages and improving monitoring.