U.S. Vision Subsidiary Announces Hacking Incident Impacting 180,000 Persons

USV Optical Inc., a subsidiary of U.S. Vision Inc., has reported that unauthorized individuals gained access to some of its servers and systems containing patients’ protected health information (PHI). The breach was discovered on May 12, 2021. The subsequent forensic investigation confirmed that the attackers had access to its systems for nearly a month, from April 20, 2021 until May 17, 2021, when the systems were secured.

Third-party computer forensics experts are still investigating to determine the full scope and extent of the attack, but have concluded that unauthorized persons may have accessed and exfiltrated patient information.

The following types of personnel and patient information were confirmed to have been compromised: patient names, eyecare insurance data, and eyecare insurance application and/or claims details. For a subset of individuals, address, date of birth, and/or other personal identifiers may also have been exposed. No reports of attempted or actual misuse of personal data or PHI as a result of the incident have been received so far.

The breach has been reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 180,000 individuals. Breach notification letters are being sent to those individuals, together with instructions on steps they can take to protect their identities should they consider them appropriate.

USV Optical stated that it worked diligently to investigate and respond to the incident and is currently working to identify and notify potentially affected individuals. Its data protection policies are being reviewed and will be enhanced to better protect patient information.

This is the second large data breach reported by an eye care provider in the last couple of days. Simon Eye Management recently announced an email security breach in which the PHI of 144,000 individuals was compromised.

LifeLong Medical Care & Beaumont Health Patients Impacted by Data Breaches at Business Associates

LifeLong Medical Care, a California healthcare provider serving patients in Contra Costa, Marin, and Alameda Counties, has notified certain patients that their protected health information (PHI) was affected by a ransomware attack on its third-party vendor, Netgain Technologies.

Netgain Technologies discovered a ransomware attack on November 24, 2020. Its internal investigation confirmed on February 25, 2021 that the attackers had accessed data belonging to its customers. The attackers first compromised its systems on November 15, 2020.

LifeLong Medical Care said it launched a thorough investigation into the breach and determined on August 9, 2021 that patients’ personal information and PHI had been accessed and/or exfiltrated from Netgain’s network. Affected patients had their full name compromised along with one or more of the following data elements: Social Security number, date of birth, patient cardholder number, and/or treatment and diagnosis information.

Affected individuals started to be notified about the breach on August 24, 2021, 9 months after the breach occurred. LifeLong Medical Care said it is not aware of any instances of identity theft or misuse of patient information as a result of the incident, but has advised patients whose Social Security number was exposed to enroll in the no-cost credit monitoring services offered.

In its August 24, 2021 breach notification letter, LifeLong Medical Care stated that it is fully committed to the security of information and is working with its third-party vendors to strengthen security and oversight.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is not yet clear how many individuals have been affected.

Beaumont Health Patients’ PHI Compromised Due to the January 2021 Accellion Data Breach

Beaumont Health, the largest healthcare provider in Michigan, announced on August 27, 2021 that the PHI of some of its patients was compromised in the January 2021 attack on Accellion. Beaumont Health said it was informed by Goodwin Procter LLP on February 5, 2021 that patient records had been exposed in the attack. Goodwin Procter had used the Accellion File Transfer Appliance to exchange large files with clients, one of which was Beaumont Health.

Goodwin Procter had received files containing the personal data and PHI of Beaumont Health patients in connection with the legal services it provided. The breach investigation established that the threat actor copied data from the Accellion appliance on January 20, 2021 after exploiting a vulnerability. The threat actor, who had ties to the Clop ransomware gang, then attempted to extort payment to prevent the release or sale of the stolen files.

Beaumont Health stated: “Goodwin advised Beaumont of the Accellion security incident after finding out that the data stolen by the threat actor may have included Beaumont patient details. Beaumont eventually carried out its own independent examination of the data affected by the Accellion incident and uncovered on June 28, 2021 that the affected details comprised some patient health data of several Beaumont patients.”

The PHI of roughly 1,500 patients was affected. The exposed data included patient names, procedure names, physician names, dates of service, and internal medical record numbers.

Beaumont Health said it has received no reports of misuse of the data, and neither has Goodwin Procter. Goodwin Procter began sending notification letters to affected individuals on behalf of Beaumont Health on August 27, 2021. Goodwin Procter said it has discontinued its use of the Accellion File Transfer Appliance and is further reviewing its data security policies and procedures.

This is the latest in a series of data breaches to affect Beaumont Health. In late 2019, Beaumont Health discovered a 20-month insider data breach affecting 1,182 patients; it reported a phishing attack in April 2020 that affected 112,000 patients; and a further phishing-related breach affecting 6,000 individuals was reported in July 2020.

FBI & CISA Warning of Greater Risk of Ransomware Attacks over Labor Day Weekend

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an alert to all public and private sector organizations about the elevated risk of ransomware attacks during periods when offices are usually closed, such as long holiday weekends.

While many employees will be enjoying a long weekend for Labor Day, this is a period when threat actors are typically very active. Reduced staffing over holidays and weekends makes it less likely that attacks will be detected and stopped. CISA and the FBI state in the alert that they have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends, and cite several cases of threat actors conducting attacks during holiday breaks in the United States in 2021.

Most recently, the Sodinokibi/REvil ransomware actors attacked the Kaseya remote monitoring and management tool over the Fourth of July 2021 weekend. The attack affected many companies, including numerous managed service providers and their downstream clients.

Over the Memorial Day weekend in May 2021, the same group conducted a ransomware attack on JBS Foods that affected the firm’s food production facilities in the United States and halted all production. JBS Foods paid the $11 million ransom demand to obtain the keys to decrypt its files and prevent the release of data stolen in the attack.

Ahead of the Mother’s Day weekend in May, the DarkSide ransomware gang attacked Colonial Pipeline, forcing the shutdown of the fuel pipeline serving the Eastern Seaboard for a week. Colonial Pipeline paid a $4.4 million ransom to speed up recovery from the attack.

The ransomware threat actors behind the Colonial Pipeline, JBS Foods, and Kaseya attacks have ceased operations, but threat actors rarely remain inactive for long. It is common for them to resurface with a new ransomware campaign after a period of apparent inactivity. There are also many other ransomware groups currently active that may attempt to take advantage of the absence of key staff over the holiday weekend.

The ransomware actors behind the Conti, LockBit, PYSA, RansomEXX/Defray777, Zeppelin, and Crysis/Phobos/Dharma ransomware variants were all active over the past month, and attacks involving those variants have been commonly reported to the FBI over the past 4 weeks.

Although neither CISA nor the FBI has identified any specific threat intelligence indicating that a ransomware or other cyberattack will occur over the Labor Day weekend, based on the attack trends seen so far in 2021 there is a heightened risk of a major cyberattack.

The FBI and CISA are therefore urging security teams to be especially vigilant, to be thorough in their network defense practices, to engage in preemptive threat hunting on their networks, to follow recommended cybersecurity and ransomware best practices, and to implement the suggested mitigations to reduce the risk of ransomware and other cyberattacks.

Those mitigations include:

  • Make offline backups of data and test the backups to ensure that data can be restored
  • Do not click suspicious links in email messages
  • Secure and monitor RDP connections
  • Update operating systems and software and scan for vulnerabilities
  • Use strong passwords
  • Use multi-factor authentication
  • Secure networks through segmentation, traffic filtering, and port scanning
  • Secure user accounts
  • Have an incident response plan

Recommended best practices, mitigations, and further information are detailed in the advisory, which is available on this page.

Study Shows Magnitude of Cybersecurity Vulnerabilities at Big Pharmaceutical Companies

Reposify, a provider of an external attack surface management platform, has published the results of a study of security vulnerabilities at pharmaceutical companies. The study found that the great majority of pharma companies have unresolved vulnerabilities that put sensitive data and internal systems at risk of exposure.

The study assessed the prevalence of exposed services, unpatched CVEs, exposed sensitive platforms, and other security problems. The data for the Pharmaceutical Industry: 2021: The State of the External Attack Surface Report was collected over a two-week period in March 2021 and covered 18 of the world’s leading pharmaceutical firms and over 900 of their subsidiaries.

Pharmaceutical firms hold large volumes of sensitive personal information and highly valuable drug and vaccine research data, which makes them an attractive target for cybercriminals. Throughout the COVID-19 pandemic, nation-state hackers targeted pharma and biotech companies to gain access to sensitive COVID-19 research and vaccine development information.

According to the IBM Security/Ponemon Institute 2020 Cost of a Data Breach Report, pharma and biotech companies saw an increased rate of security incidents in 2020, with 53% of incidents due to malicious activity. The average cost of a pharmaceutical data breach in 2020 was $5.06 million, and the average time to identify and contain a breach was 257 days.

The pandemic drove a rush to scale up and digitize, and the digital footprints of pharmaceutical firms expanded further as a result, creating many new blind spots that attackers could, and did, exploit to gain access to confidential, highly sensitive information.

In 2020 there were many mergers and acquisitions, with larger pharmaceutical companies buying smaller firms in the industry. Those smaller companies were typically focused on rapid development and agility, which often meant insufficient resources were devoted to cybersecurity. M&A transactions therefore had a greater potential to introduce serious security risks.

Reposify researchers examined 2020 M&A transactions and found that in 70% of cases the newly acquired subsidiary had a negative effect on the parent company’s security posture. The vulnerabilities introduced were often significant, and in some cases involved large amounts of exposed sensitive data and unpatched systems.

The researchers assessed the prevalence of key issues that are visible externally and could potentially be exploited by cybercriminals, such as misconfigured databases and cloud services and unpatched software vulnerabilities. The median number of high-severity security issues per organization was 269, and the median number of critical-severity issues per organization was 125.

Key findings from the report include:

  • 92% of pharmaceutical firms had a minimum of one exposed database that was possibly leaking information.
  • 76% had a compromised RDP service.
  • 69% of exposed services found were categorized as being a component of the unofficial network perimeter.
  • 50% of pharma companies had a compromised FTP with unknown authentication.
  • 46% of pharma companies had a compromised SMB service.

Pharmaceutical firms need to harden their security and make it more difficult for attackers to gain a foothold in their systems, says Reposify. That effort should start with gaining a clear view of the external attack surface, followed by continuous monitoring and remediation of risky attack vectors. The report also highlighted the importance of conducting pre-acquisition cybersecurity due diligence, including mapping and analyzing the acquisition target’s external attack surface.

Gastroenterology Consultants Informs Patients Regarding January 2021 Ransomware Attack

Gastroenterology Consultants, PA suffered a ransomware attack on January 10, 2021 in which sensitive data was encrypted. The practice has sent notifications to patients potentially affected by the attack to inform them that their protected health information (PHI) may have been accessed or exposed.

Gastroenterology Consultants, the largest partnership GI practice in Houston, TX, launched an investigation into the attack and took steps to block the threat actors from accessing its network and to restore affected data. The practice posted a substitute breach notice on its website on March 19, 2021 informing patients about the attack. No evidence was found to suggest that the attacker accessed or exfiltrated any patient information.

Attacks such as this usually require breach notification letters to be sent because, even where there is no evidence of data theft, unauthorized access to PHI typically cannot be ruled out with 100% certainty. In this case, rather than identifying the specific patients affected by the attack, the provider chose to notify all patients whose PHI may have been compromised. Gastroenterology Consultants reported the breach to the Maine Attorney General, stating that 162,163 breach notifications had been sent.

After starting a comprehensive data mining process to determine specifically whether any patient or employee had sensitive personal data or PHI compromised, the provider found that reviewing thousands of records one by one was not cost-effective. Consequently, even though there is no evidence of any unauthorized use of patient or employee information, Gastroenterology Consultants decided to mail notices to all employees and patients describing the specific types of data potentially compromised.

The files potentially affected had been prepared by employees for patient processing. The records included certain PHI, and fewer than 50 contained Social Security numbers. Those individuals have been offered complimentary credit monitoring services, as have employees whose sensitive information was potentially accessed.

The Average Payment for Ransom Demands Dropped by 38% in Q2 of 2021

According to the latest report from ransomware incident response firm Coveware, the average ransom paid by attack victims fell 38% from Q1 to Q2 2021. The average ransom payment in Q2 was $136,576, and the median payment fell 40% to $47,008.

One of the main factors behind the lower ransom payments is reduced activity by two major ransomware groups, Ryuk and Clop, both known for their very large ransom demands. Rather than most attacks being conducted by one or two groups, there is now a growing number of different ransomware-as-a-service (RaaS) brands that typically demand lower ransoms. In Q2, Sodinokibi (REvil) was the most active RaaS operation, accounting for 16.5% of attacks, followed by Conti V2 (14.4%), Avaddon (5.4%), Mespinoza (4.9%), and Hello Kitty (4.5%). Ryuk accounted for just 3.7% of attacks and Clop for 3.3%.

The Sodinokibi gang has gone quiet following the Kaseya attack and appears to have shut down; however, the group has suspended operations before only to return with a new ransomware variant. Even if the operators have retired, the affiliates that previously conducted the attacks are likely to simply switch to another RaaS operation, so attack volume may not be affected.

The most common attack vectors have shifted over the past few months. In Q1 2021, brute force attacks on Remote Desktop Protocol (RDP) increased while exploitation of software vulnerabilities and phishing declined. In Q2, RDP compromises and exploitation of application vulnerabilities both declined and email phishing increased, so that phishing and RDP compromises are now equally prevalent. Exploitation of software vulnerabilities is the preferred vector for targeted attacks on large enterprises, and those attacks are generally conducted only by the most sophisticated RaaS operations, whose operating funds allow them to acquire one-day exploits or buy access to large networks.

In Q2, over 75% of ransomware attacks were on companies with fewer than 1,000 employees. Such smaller firms are less likely to invest in security awareness training for staff and in email security to block phishing attacks, and are more likely to expose RDP to the internet. Small firms are also more likely to outsource security to MSPs. MSPs remain a major target, since an attack on an MSP can allow the attacker to then target all of the MSP’s customers.

The report shows a decline in the effectiveness of double extortion tactics, in which sensitive data is copied before files are encrypted, a ransom is demanded for the decryption key, and an additional payment is demanded to prevent the publication or sale of the stolen data. In Q2, 81% of attacks involved data exfiltration before file encryption, up from 76% in Q1.

Nonetheless, victims are now less likely to pay to secure the deletion of stolen data. In 2020, 65% of victims that were able to recover their data from backups paid the attackers to prevent the publication of stolen data; in Q2 2021 that figure was just 50%.

The most attacked industries in Q2 were professional services (13.3%), healthcare (10.8%), and the public sector (16.2%). Coveware suggests these sectors may not be specifically targeted but are simply the easiest to attack. For example, attacks on law firms increased, but that was largely the result of the Clop ransomware group’s attack on Accellion File Transfer Appliances, which were disproportionately used by law firms.

Coveware reports that the average recovery time from a ransomware attack fell 15% in Q2, with victims typically experiencing 23 days of downtime after an attack; however, this was attributed to an increase in data-only attacks in which there is no material business disruption.

Senate Introduces Cyber Incident Notification Act of 2021

The Cyber Incident Notification Act of 2021 is a federal breach notification bill first circulated in draft form by a bipartisan group of senators in June. The bill requires all federal agencies, contractors, and companies considered critical to U.S. national security to report data breaches and security incidents to the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery. An amended version of the bill was formally introduced in the Senate on July 21.

The bill was introduced by Senators Mark Warner (D-VA), Susan Collins (R-ME), and Marco Rubio (R-FL). A further 12 senators from both parties have since added their names to the bill.

The bill would address several of the key concerns that have emerged in the wake of recent cyberattacks affecting U.S. critical infrastructure, such as the SolarWinds Orion supply chain attack and the ransomware attacks on Colonial Pipeline and JBS.

The SolarWinds breach showed how far-reaching the domino effects of such attacks can be, affecting hundreds or even thousands of organizations connected to the initial target, according to Sen. Warner. Relying on voluntary reporting is not enough to protect critical infrastructure. There should be a routine federal standard so that whenever critical sectors of the economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and contain its impact.

The aim of the new law is to ensure that the federal government is promptly made aware of cyberattacks that pose a risk to national security, as the bill provides for the creation of a common operating picture of cyber threats at the national level.

Security incidents that would require notification to CISA include those that:

  • Involve or are suspected to involve a nation-state, an Advanced Persistent Threat (APT) actor, or a transnational organized crime group.
  • Could harm U.S. national security interests, foreign relations, or the American economy.
  • Have significant national consequences, such as affecting civil liberties, public confidence, or the public health and safety of U.S. citizens.
  • Could affect CISA systems.
  • Involve ransomware.

When reporting a security incident or cyber threat, organizations must provide: a description of the incident, the systems and networks affected, the estimated date the incident occurred, information about any vulnerabilities exploited, and any tactics, techniques, and procedures (TTPs) identified. Actionable cyber threat information would be shared with government and private sector organizations and the public to enable immediate action to counter threats. The bill gives CISA 48 hours to act on a report of an attack and to request further information about the incident.

To encourage organizations to report breaches, the bill includes liability protections for breached entities against lawsuits that could arise from disclosing security breaches, and permits personal information to be anonymized when submitting breach reports.

The bill directs the Department of Homeland Security to work with other federal agencies to develop a set of reporting requirements and to harmonize them with the regulatory requirements in place on the date of enactment.

Failure to report a security incident to CISA could be penalized, at the discretion of the Administrator of the General Services Administration. The maximum financial penalty would be 0.5% of gross revenue for the prior fiscal year. Another possible sanction is removal from federal contracting schedules.

According to Sen. Rubio, it is critical that American companies act quickly as soon as an attack occurs. The longer a cyberattack goes unreported, the more damage it can cause. Ensuring prompt reporting will help protect the health and safety of many Americans and will enable the government to identify those responsible.

U.S. Government Introduces New One-Stop Ransomware Site

The Department of Justice and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have announced the launch of a new online resource that will serve as a one-stop shop providing information to help public and private sector organizations deal with the growing ransomware threat.

The new resource – StopRansomware.gov – is an interagency resource that provides guidance on ransomware protection, detection, and response in a single place.

The site provides general information about ransomware, including what ransomware is and how cybercriminals use it to extort money from public and private sector organizations. Detailed information is provided on how organizations can improve their security posture and protect against attacks, including ransomware best practices, bad practices to avoid, cyber hygiene tips, FAQs, and training resources.

The site also has a newsroom with the latest ransomware-related guidance, along with alerts from CISA, the Department of the Treasury, the FBI, and other government agencies about the evolving tactics, techniques, and procedures cybercriminals use in their attacks.

Victims of ransomware attacks can report attacks via the website to CISA, the FBI, or the United States Secret Service, with the report automatically shared with all relevant agencies to ensure the breach is investigated, threat information is shared, and steps are taken to identify the perpetrators and bring them to justice.

Organizations are encouraged to use the new resource to understand the threat of ransomware, reduce their risk and, in the event of an attack, know what steps to take to limit the damage and ensure the fastest possible recovery.

Cybercriminals have launched attacks on critical infrastructure, small businesses, hospitals, police departments, schools, and more. These attacks directly affect Americans’ daily lives and the security of our nation. Department of Homeland Security Secretary Alejandro Mayorkas urged every organization across the country to use this new resource to learn how to protect themselves from ransomware and reduce their cybersecurity risk.

Lake County Health Department Informs 25,000 Patients Regarding Two Data Breaches

The Lake County Health Department in Illinois has announced that it suffered two data breaches that potentially affected the personal data and protected health information (PHI) of approximately 25,000 patients.

The first breach occurred in 2019, when a Lake County Health employee forwarded an unencrypted email from their work email account to an internal employee’s personal email account. Attached to the email was a spreadsheet containing medical record requests from December 2016 to June 2019. The requests had been made through a third-party firm that handled release-of-information requests on behalf of the Lake County Health Department. The spreadsheet contained the names of 24,241 patients along with dates relevant to the vendor.

Lake County Health learned of the breach on July 22, 2019; however, notification letters were not sent to affected patients until July 2021. The nearly two-year delay was because Lake County Health officials did not believe notification letters were required, as they judged that no PHI had been compromised; the Department of Health and Human Services disagreed with that analysis and required notification letters to be issued because PHI may have been exposed.

The second breach was identified on May 14, 2021 and involved a Google spreadsheet containing names, dates of birth, email addresses, telephone numbers, and the COVID-19 vaccination status of 705 individuals. The spreadsheet was stored in an employee’s personal Google Drive account. While Google Drive can be used in a HIPAA-compliant manner in healthcare in conjunction with other G Suite services, personal Google accounts are not HIPAA-compliant: Google can view the data in personal Google accounts and uses that data to provide personalized services and advertisements. All affected individuals were senior citizens who had sought information about COVID-19 vaccinations. Those individuals have already been notified.

Although both privacy incidents resulted in the exposure of patient data, Lake County Health said internal risk assessments were performed and no evidence was found to suggest that unauthorized individuals obtained or misused any of the exposed information.

Since the breaches, the Lake County Health Department has implemented measures to prevent similar incidents in the future, including encrypting all email and improving monitoring.

OIG Survey Reports Insufficient Oversight of Cybersecurity of Networked Medical Devices in Hospitals

The HHS’ Office of Inspector General (OIG) has done an audit to find out the level to which the Medicare Accreditation Organizations (AOs) and Centers for Medicare and Medicaid Services (CMS) demand healthcare providers implement a cybersecurity strategy for networked devices and the strategies utilized to evaluate the cybersecurity of networked medical devices.

Cybersecurity controls are necessary to safeguard medical devices that are linked to the web, internal hospital systems, or other medical devices. With no such controls, unauthorized individuals could access the devices and cause harm to patients. Networked medical devices can include MRIs, ultrasound, computed tomography, endoscopy, and nuclear medicine systems, in addition to systems that connect with clinical lab analyzers like laboratory data systems. OIG reported that a big hospital may have approximately 85,000 medical devices linked to its system.

These devices are typically isolated from other systems, they could link to a similar system as the electronic health record (EHR) system. When there are inadequate cybersecurity controls, they may be possibly vulnerable to an attack that may affect critical healthcare systems. Although there were no identified instances of cyberattacks carried out particularly to cause problems to patients, patients may unintentionally be hurt as a consequence of an attack done for other motives. In Germany in 2020, a patient passed away due to a ransomware attack. With no access to hospitals, the patient was brought to another facility and died prior to getting treatment.

The CMS has some cybersecurity prerequisites for hospitals but depends on state survey organizations and Medicare accreditation organizations (AOs) to examine Medicare-partner hospitals. Those surveys are done once in 3 years. The Social Security Act calls for AOs’ survey protocols to be comparable to or stricter than those by CMS.

For the study, OIG provided written interview questions to the CMS and performed phone interviews with 4 AOs. The study showed the CMS survey protocol doesn’t include cybersecurity specifications for networked medical devices and AOs don’t ask hospitals to use cybersecurity programs addressing networked medical devices.

OIG found that AOs at times assess selected facets of device cybersecurity. The study showed two AOs had equipment servicing specifications, which may give minimal information about medical device cybersecurity. In case hospitals determined networked device cybersecurity in their emergency-preparedness risk checks, AOs would evaluate their mitigation programs; but the majority of hospitals didn’t determine device cybersecurity in the risk assessments regularly. AOs might additionally look at networked devices when evaluating hospital safety measures for medical record privacy. Neither the CMS nor the AOs had any programs to revise their survey prerequisites, later on, to include networked devices or cybersecurity in general.

OIG recommended that CMS, in consultation with HHS and other partners, identify and implement an appropriate way to address the cybersecurity of networked medical devices in its quality oversight of hospitals. CMS agreed with the recommendation and is considering additional ways to appropriately highlight the importance of healthcare providers implementing cybersecurity for networked medical devices.

OIG suggested several ways CMS could improve its oversight and evaluation of medical device cybersecurity. For instance, CMS could adopt language that treats cybersecurity as part of maintaining device safety in operating conditions, emphasize the risk that unsecured medical devices connected to the EHR pose to protected health information (PHI), and direct hospitals to comply with HIPAA requirements, such as the HIPAA Security Rule. CMS could also instruct surveyors to ask hospitals whether they considered the cybersecurity of networked devices when conducting their hazard vulnerability analyses.

NIST Creates Critical Software Definition for U.S. Government Agencies

President Biden’s Cybersecurity Executive Order requires all federal agencies to reassess their approach to cybersecurity, establish new methods of evaluating software, and adopt advanced security strategies to reduce risk, such as multi-factor authentication, encryption for data in transit and at rest, and a zero-trust approach to security.

One of the first requirements of the Executive Order was for the National Institute of Standards and Technology (NIST) to issue a definition of critical software. The Cybersecurity and Infrastructure Security Agency (CISA) will use that definition to compile a list of all software covered by the Executive Order and to develop security requirements that federal agencies must meet when acquiring and deploying that software. These measures are intended to help protect against cyberattacks such as the SolarWinds Orion supply chain attack, which gave state-sponsored Russian attackers access to the networks of several government agencies.

The Executive Order gave NIST 45 days to release its critical software definition. NIST sought input from the private and public sectors and many government agencies when defining what critical software is.

One of the objectives of the EO is to help create a security standard for critical software used throughout the Federal Government. Designating software as EO-critical will then drive additional activities, such as changes to how the Federal Government purchases and manages deployed critical software.

NIST defined critical software as any software, or software dependency, that has at least one of the following attributes:

  1. It is designed to run with elevated privileges or to manage privileges.
  2. It has direct or privileged access to networking or computing resources.
  3. It is designed to control access to data or operational technology.
  4. It performs a function critical to trust.
  5. It operates outside of normal trust boundaries with privileged access.

The definition applies to all software, whether it is firmware or software integral to devices or hardware components, standalone software, or cloud-based software, that is purchased for or deployed in production systems or used for operational purposes. It covers a broad range of software, including security tools, operating systems, access management applications, hypervisors, network monitoring software, web browsers, and other software produced by private vendors and sold to federal agencies, as well as software developed in-house by government agencies for use on federal networks, including government off-the-shelf software.

NIST recommended that federal agencies initially focus on implementing the Executive Order’s requirements for standalone, on-premises software that has critical security functions or significant potential to cause harm if compromised. Agencies should then move on to other categories of software, such as web-based software, software that controls data access, and software components in boot-level and operational technology software.

NIST has published an initial list of EO-critical software; CISA will release a more detailed, finalized list soon.

Ransomware Attack on Reproductive Biology Associates, UF Health Central Florida and Georgia Hospital System

Reproductive Biology Associates, a fertility clinic in Georgia, has reported an April ransomware attack in which attackers exfiltrated files containing the personal data and protected health information (PHI) of approximately 38,000 patients.

The attackers gained access to a file server containing embryology data on April 7, 2021, and used ransomware to encrypt files on April 16, 2021. The files included sensitive data of patients of Reproductive Biology Associates and its affiliate My Egg Bank North America. The compromised PHI included full names, addresses, Social Security numbers, laboratory test results, and data related to the handling of human tissue.

The breach investigation concluded on June 7, 2021. Although a ransom payment has not been formally confirmed, Reproductive Biology Associates stated that the attackers deleted all stolen data and that all encrypted files have been restored.

Reproductive Biology Associates is monitoring the web and dark web for evidence of misuse of the stolen information. Affected individuals have been offered free credit monitoring and identity theft protection services. A third-party cybersecurity firm has also helped strengthen the security of its systems to prevent further attacks.

UF Health Ransomware Attack Affects Patient Care

UF Health Central Florida experienced a ransomware attack on May 31, 2021 that affected Leesburg Hospital and The Villages Regional Hospital. Following the attack, the healthcare provider activated emergency downtime procedures and continued to provide care to patients, with staff recording patient information on paper.

More than 2 weeks after the attack, the hospitals are still operating under EHR downtime procedures while UF Health works to restore its systems and affected data, and the attack is now negatively affecting patient care.

According to a recent WESH 2 News report, staff at the affected hospitals said they still cannot access the EHR, cannot retrieve medication details, and cannot confirm whether patients have certain allergies. Staff are also experiencing delays in obtaining laboratory results. Hospital employees who spoke to reporters said that some patients received one medication when a different one had been ordered, and that medications due to be administered were not available. One employee voiced concern about what could happen if a medication were administered that was believed to have been ordered but was not.

It is currently unclear whether UF Health intends to pay the ransom and whether patient data was stolen. A UF Health spokesperson could not confirm when systems will be restored.

Georgia Hospital System Encounters Ransomware Attack

The St. Joseph’s/Candler (SJ/C) hospital system in Savannah, GA reported a ransomware attack on June 17, 2021. The attack blocked access to computer systems, so the hospital implemented emergency protocols; staff are currently recording patient information on paper.

The attack was detected quickly and action was taken to isolate systems and limit the damage; however, it is still too early to say which patient information, if any, was affected and whether the attackers obtained patient data before the ransomware encrypted files.

SJ/C stated that it is continuing patient care operations using established backup procedures and other downtime measures. The hospital’s doctors, nurses and staff are prepared to deliver care in these circumstances and are dedicated to doing everything possible to minimize disruption and provide uninterrupted patient care.

Avaddon Ransomware Operation Shuts Down and Gives Decryption Keys

The Avaddon ransomware-as-a-service operation shut down on June 11 and the threat group released the decryption keys for all its victims. Bleeping Computer was sent an email containing a password and a link to a password-protected ZIP file. The file contained the private keys for 2,934 Avaddon ransomware victims. Emsisoft and Coveware verified the keys as genuine, and Emsisoft has since released a free decryptor that all Avaddon victims can use to decrypt their files.

Avaddon is a relatively new ransomware-as-a-service operation that began in March 2020. The threat group recruited affiliates to carry out attacks and gave them a site through which they could build copies of the ransomware for their own campaigns. Ransom payments were then split between the affiliate and the RaaS operator.

It is not uncommon for RaaS operations to shut down abruptly and release keys for victims who have not yet paid; however, the timing of this shutdown suggests the RaaS operator may have become nervous about the increased attention that government authorities and law enforcement agencies are paying to ransomware gangs.

Following the JBS and Colonial Pipeline ransomware attacks, the White House directed the Department of Justice to centralize its ransomware investigations and to treat attacks with a priority similar to terrorist attacks. White House Deputy Press Secretary Karine Jean-Pierre said the administration would also be delivering the message that responsible states must not harbor ransomware criminals, and that it would engage with the Russian government to press it to take action against ransomware groups operating in the country.

The G7 nations also committed to taking action on ransomware and issued a statement calling on Russia and other countries that may be harboring ransomware gangs to identify, disrupt, and hold accountable those who conduct ransomware attacks, abuse virtual currency to launder ransoms, and commit other cybercrimes. President Biden is also expected to raise the issue of ransomware groups operating from Russia with Vladimir Putin at the Geneva summit on June 16.

Shortly after the DarkSide ransomware attack on Colonial Pipeline disrupted fuel supplies to the eastern seaboard, the DarkSide gang announced it was shutting down. The REvil and Avaddon gangs issued a joint statement saying they were changing their rules and would no longer allow affiliates to attack critical infrastructure companies, governments, healthcare organizations, or educational institutions. It appears that this was not enough for the Avaddon group. It remains to be seen whether the operation has shut down for good or whether the operator is simply lying low for a while; it is not unusual for ransomware operations to shut down and then rebrand and resume attacks weeks or months later.

Emsisoft threat analyst Brett Callow explained to Bleeping Computer that the present actions by law enforcement have made some attackers worried; this is the outcome. Let’s wish others will go down too.

IT Security Company COO is Facing Lawsuit Due to Cyberattack on Georgia Medical Center

The Chief Operating Officer of an IT security company has been indicted over a financially motivated cyberattack on Gwinnett Medical Center in Lawrenceville, GA in September 2018.

Vikas Singla, 45, of Marietta, GA is the COO of Securolytics, a network security firm in the metro-Atlanta area. On June 8, 2021, a federal grand jury indicted Singla for allegedly accessing the healthcare organization’s systems, disrupting its phone and network printer services, and stealing information from a Hologic R2 digitizing device.

The Department of Justice said the attack was carried out, in part, for financial and commercial gain. According to court documents, at least 10 protected computers were damaged in the incident. It is unclear whether Singla or his firm had any prior business relationship with Gwinnett Medical Center, or why the healthcare provider was targeted.

Singla was indicted in the U.S. District Court for the Northern District of Georgia on June 10, 2021 on 17 counts of intentional damage to a protected computer and one count of obtaining information from a protected computer. He faces a maximum sentence of 10 years in prison for each intentional damage count and up to 5 years in prison for the information theft count.

Singla is not believed to have acted alone; according to the indictment, he was aided and abetted by others who have not been named. Singla pleaded not guilty to the charges and has been released on bond. No trial date has been set.

Criminal disruptions of hospital computer networks could have terrible outcomes, mentioned Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division. It is the department’s commitment to hold responsible anyone who endangers the lives of individuals by destroying computers that are needed in the work of our health care system.

This attack on a hospital not only could have had devastating effects, but patients’ personal PHI was also compromised, stated Special Agent in Charge Chris Hacker of the FBI’s Atlanta Field Office. The FBI and our law enforcement partners are driven to hold liable those who purportedly put patients’ health and safety in danger while compelled by greed.

Third-Party Phishing Attack Affects Approximately 34,862 Lafourche Medical Group Patients

Louisiana-based urgent care operator Lafourche Medical Group has notified 34,862 patients about a security breach that may have exposed some of their protected health information (PHI).

Lafourche Medical Group learned on March 30, 2021 that an external accountant had responded to a phishing email impersonating one of the group’s owners and disclosed login credentials to the attacker. The compromised credentials were then used to access the group’s Microsoft 365 account.

A third-party IT firm assisted with the investigation and found no evidence that on-premises systems or the cloud-based electronic medical record system were compromised; however, the credentials could have been used to view or obtain data from the Microsoft 365 environment, which contained some patient information. Because of the size of the email system, it was not possible to identify all patient data that might have been stored there, Lafourche Medical Group said in its substitute breach notice.

No clinical information was breached; however, email was used to communicate certain patient information for billing and other clinic purposes. The types of information commonly sent by email include names, addresses, email addresses, dates of birth, dates of service, telephone numbers, medical record numbers, insurance and health plan beneficiary numbers, guarantor names, diagnoses, treating provider names, and laboratory test results.

A more rigorous vetting process has been put in place for business associates, and a third-party IT firm was engaged to re-evaluate the group’s systems and security controls and recommend best practices for improving data security. Several measures have already been implemented, including strengthening the firewall and spam and malware filters, adopting stricter password policies, adding multi-factor authentication for mobile access, and retraining employees on cybersecurity, social engineering, and phishing.

Breach of Records at LogicGate and Hoboken Radiology

Risk and compliance company LogicGate has discovered a security breach that may have compromised the protected health information (PHI) of 47,035 individuals.

In its breach notification letters, LogicGate explained that an unauthorized individual obtained credentials for its Amazon Web Services (AWS) cloud storage, which is used to store backup files for customers of its Risk Cloud platform.

Organizations use the Risk Cloud platform to identify and manage compliance risks and to handle information protection and security requirements. All backup files stored in AWS S3 buckets are encrypted; however, the attacker used the stolen credentials to decrypt data. The backups contained customer data uploaded to their Risk Cloud environments before February 23, 2021. LogicGate said it did not identify any decryption events involving customers’ stored attachments.

It is currently unknown whether the attacker exfiltrated any customer data, and no information has been released about how the credentials were obtained.

Hoboken Radiology Notifies Patients About Potential Breach of Medical Photos and PHI

New Jersey-based Hoboken Radiology has begun notifying patients about a security breach that occurred between June 2, 2019 and December 1, 2020. In a recent press release, Hoboken Radiology said it received an alert on November 3, 2020 about suspicious activity on its medical imaging server.

Third-party cybersecurity professionals were engaged to investigate the incident and determine whether any patient data had been obtained by unauthorized individuals. The investigation is ongoing, but it has confirmed suspicious connections from an external source during the above dates. The affected server contained patient information that could have been viewed or obtained by unauthorized persons.

A review of the files on the server confirmed that they contained a variety of patient data, including names, genders, dates of birth, treatment dates, referring physician names, patient ID numbers, accession numbers, medical images, and descriptions of those images. No Social Security numbers, payment card information, financial details, or health insurance data were compromised.

Although unauthorized access to the server was confirmed, no evidence was found of actual or attempted misuse of patient information. Policies, procedures, and processes for storing and accessing personal records are being reviewed and will be updated to better protect patient records going forward.

Hoboken Radiology has reported the breach to the appropriate authorities, but it has not yet appeared on the HHS’ Office for Civil Rights breach portal, so the exact number of affected individuals is not known.

FBI Warns About Ongoing Conti Ransomware Attacks on Healthcare Organizations and First Responders

The Federal Bureau of Investigation (FBI) has issued a TLP:WHITE Flash alert about ongoing Conti ransomware attacks targeting healthcare providers and first responder networks. According to the FBI, the Conti ransomware gang has already attacked 16 healthcare and first responder networks in the United States.

In addition to healthcare organizations, the gang has attempted ransomware attacks on emergency medical services, 911 dispatch centers, municipalities, and law enforcement agencies. The group is known to have attacked 400 organizations worldwide, including recent attacks on Ireland’s Department of Health (DoH) and Health Service Executive (HSE). To date, 290 of its victims have been in the United States.

Conti ransomware is believed to be operated by Wizard Spider, a Russia-based cybercrime group, and runs as a ransomware-as-a-service (RaaS) operation. The group is known to target large companies with ransom demands of up to $25 million. The ransom demanded from each victim depends on the extent of the encryption and the victim’s perceived ability to pay.

As with most ransomware attacks today, the Conti gang exfiltrates sensitive data before encrypting files and threatens to sell or publish the stolen information if the ransom is not paid. Victims are given 8 days to pay. If victims do not make contact, the gang contacts them within 2-8 days via encrypted email services such as ProtonMail or Voice over Internet Protocol (VoIP) services to pressure them into paying.

Attacks typically begin with phishing emails containing weaponized links or attachments, or with compromised Remote Desktop Protocol (RDP) credentials. Before deploying Emotet, the attackers used malicious Word documents with embedded PowerShell scripts, first to stage Cobalt Strike and then to drop the Emotet Trojan onto the network, which allowed them to deliver the ransomware payload. The group is also known to use the TrickBot Trojan in its attacks. The time from initial compromise to ransomware deployment typically ranges from 4 days to 3 weeks, and the ransomware payload is frequently delivered as dynamic link libraries (DLLs).

The group relies on living-off-the-land techniques and tools such as Mimikatz and Sysinternals utilities to escalate privileges and move laterally within internal networks. After encrypting files, the gang typically remains in the network and beacons out using Anchor DNS. It uses remote access tools to beacon to domestic and international VPS infrastructure over ports 80, 443, and 8443, and commonly uses port 53 for persistence. Ongoing indicators of an attack include the creation of new accounts and the use of tools such as Sysinternals, along with disabled security sensors and continuous HTTP and DNS beacons.
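The post-encryption indicators the Flash describes (near-constant-interval DNS beacons, new account creation, Sysinternals-style tooling, and outbound connections on ports 80/443/8443) can be triaged from forwarded logs. The script below is an added example, not part of the FBI Flash or any vendor product; its pipe-delimited log format, host names, domain names, IP addresses and the list of watched tool names are constructed assumptions.

```python
"""Triage helpers for the Conti post-encryption indicators described above."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed sample telemetry (hypothetical hosts, names and IPs), one event per
# line in the form: timestamp|host|event|key=value key=value ...
SAMPLE_LOGS = """\
2021-05-20T01:00:00|ws-17|dns_query|name=update.example-cdn.test
2021-05-20T01:01:00|ws-17|dns_query|name=update.example-cdn.test
2021-05-20T01:02:01|ws-17|dns_query|name=update.example-cdn.test
2021-05-20T01:03:00|ws-17|dns_query|name=update.example-cdn.test
2021-05-20T01:03:59|ws-17|dns_query|name=update.example-cdn.test
2021-05-20T01:00:12|ws-22|dns_query|name=www.example.test
2021-05-20T01:07:40|ws-22|dns_query|name=www.example.test
2021-05-20T01:31:05|ws-22|dns_query|name=www.example.test
2021-05-20T01:02:30|ws-17|process_start|image=PsExec64.exe user=svc_backup
2021-05-20T01:02:45|ws-22|process_start|image=notepad.exe user=jdoe
2021-05-20T01:04:10|dc-01|account_created|event_id=4720 target=helpdesk2 by=svc_backup
2021-05-20T01:05:00|ws-17|net_connect|dst=203.0.113.7 port=8443
2021-05-20T01:05:30|ws-22|net_connect|dst=10.0.0.5 port=443
"""

# Assumed watch list: Sysinternals utilities and Mimikatz named in the Flash.
WATCHED_TOOLS = {"psexec.exe", "psexec64.exe", "procdump.exe", "mimikatz.exe"}
BEACON_PORTS = {80, 443, 8443}          # ports the Flash associates with beaconing
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_logs(text):
    """Parse 'ts|host|event|k=v ...' lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, details = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in details.split())
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": kind, **fields})
    return events


def find_dns_beacons(events, min_queries=4, max_cv=0.1):
    """Return {(host, name): mean_gap_seconds} for DNS query series whose
    inter-query gaps are near-constant (coefficient of variation < max_cv)."""
    series = defaultdict(list)
    for e in events:
        if e["event"] == "dns_query":
            series[(e["host"], e["name"])].append(e["ts"])
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_queries:       # too few samples to call it periodic
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            beacons[key] = avg
    return beacons


def find_watched_tools(events):
    """Process starts whose image name is on the watch list (case-insensitive)."""
    return [(e["host"], e["image"], e.get("user", "?")) for e in events
            if e["event"] == "process_start" and e["image"].lower() in WATCHED_TOOLS]


def find_account_creation(events):
    """Windows event 4720 (user account created) forwarded from domain controllers."""
    return [(e["host"], e["target"], e["by"]) for e in events
            if e["event"] == "account_created" and e.get("event_id") == "4720"]


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def find_external_beacon_ports(events):
    """Outbound connections to non-RFC1918 addresses on the beacon ports."""
    return [(e["host"], e["dst"], int(e["port"])) for e in events
            if e["event"] == "net_connect"
            and int(e["port"]) in BEACON_PORTS and not is_internal(e["dst"])]


def triage(text):
    """Run every indicator check over a log text and return the findings."""
    events = parse_logs(text)
    return {
        "dns_beacons": find_dns_beacons(events),
        "watched_tools": find_watched_tools(events),
        "new_accounts": find_account_creation(events),
        "external_beacons": find_external_beacon_ports(events),
    }


if __name__ == "__main__":
    for category, hits in triage(SAMPLE_LOGS).items():
        print(f"{category}: {hits}")
```

The jitter threshold and watch list are starting points to tune against a real environment; a hit in more than one category for the same host is what should drive escalation.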

The FBI does not encourage paying ransoms, since payment does not guarantee that data will be recovered or that stolen information will not be sold or published. The FBI has asked all Conti victims to share information about their attacks, such as boundary logs showing communication with foreign IP addresses, Bitcoin wallet information, benign samples of encrypted files, and/or decryptor files.

The FBI has published the following mitigations for protecting against Conti and other ransomware attacks:

  1. Regularly back up data, verify backups, and keep backups on air-gapped systems.
  2. Keep multiple copies of sensitive and proprietary data on physically separate servers that are not accessible from the systems where the data resides.
  3. Implement network segmentation.
  4. Use multi-factor authentication.
  5. Apply patches and update systems, software, and firmware as soon as possible.
  6. Use strong passwords and regularly change passwords for network systems and accounts.
  7. Disable hyperlinks in incoming emails.
  8. Add email banners to all incoming emails from external sources.
  9. Regularly audit user accounts that have administrator privileges.
  10. Only use secure networks and never connect over public Wi-Fi.
  11. Use a VPN for remote access.
  12. Ensure that all personnel receive regular security awareness training.

Michigan Man Charged With Theft and Sale of PII of UPMC Workers

A Michigan man has pleaded guilty to hacking into the human resources databases of the University of Pittsburgh Medical Center (UPMC) in 2013 and 2014 and stealing the personally identifiable information (PII) and W-2 information of 65,000 UPMC employees.

Justin Sean Johnson, 30, of Detroit, MI, was a Federal Emergency Management Agency (FEMA) IT professional known on darknet forums as The DearthStar and Dearthy Star. After 6 years of hacking the databases and selling stolen records, Johnson was indicted by a federal grand jury in Pittsburgh and arrested on charges of aggravated identity theft, conspiracy and wire fraud.

Johnson first hacked into UPMC’s Oracle PeopleSoft HR database in December 2013 and accessed the PII of 23,500 UPMC employees. Between January 2014 and February 2014, Johnson accessed the database several times a day and downloaded PII. He then sold the stolen information on darknet marketplaces such as AlphaBay to criminals who used the records in 2014 to file large numbers of fraudulent 1040 tax returns.

According to a Department of Justice press release, the scheme resulted in approximately $1.7 million in fraudulent tax refunds being paid by the IRS. The refunds were converted into Amazon.com gift cards that were used to buy high-value goods, which were shipped to Venezuela. Johnson was paid roughly $8,000 in Bitcoin for the stolen UPMC employee data.

In addition to the theft and sale of UPMC employee PII, between 2014 and 2017 Johnson stole and sold about 90,000 sets of PII on darknet forums. That data was later used for identity theft and bank fraud.

Johnson recently pleaded guilty to 2 counts of a 43-count indictment and is awaiting sentencing. He faces a maximum of 5 years in prison and a fine of up to $250,000, plus a mandatory 24 months in prison and a fine of up to $250,000 for aggravated identity theft.

The U.S. Secret Service Special Agent in Charge Timothy Burke stated that the healthcare industry has come to be an appealing target of hackers seeking to update personal information and use it for fraud, and so the Secret Service is determined to detect and arrest those that do crimes against our Nation’s critical systems for their personal benefit.

Three other people have pleaded guilty to crimes connected with the scheme. Maritza Maxima Soler Nodarse of Venezuela pleaded guilty in 2017 to conspiracy to defraud the United States in connection with the processing of fraudulent tax refunds. Yoandy Perez Llanes of Cuba pleaded guilty in 2017 to buying Amazon.com gift cards to launder the funds. Justin A. Tollefson of Spanaway, WA pleaded guilty in 2017 to using stolen identities to file fraudulent income tax returns.

CISA Publishes Guidance on Expelling Attackers from Systems After the SolarWinds Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has released guidance on evicting threat actors from systems compromised in the SolarWinds Orion supply chain attacks, including the subsequent compromises of Active Directory and Microsoft 365 (M365) environments.

The attacks were attributed to threat actors associated with the Russian Foreign Intelligence Service (SVR). After gaining network access through the SolarWinds Orion update process, the threat actor selected targets of interest for further compromise, bypassed multi-factor authentication, and moved laterally into Microsoft 365 environments by abusing federated identity solutions. Many of the targets selected for further compromise were government agencies and critical infrastructure organizations, although private sector companies may also have suffered more extensive compromises.

The guidance applies to evicting threat actors from both on-premises and cloud environments and sets out a 3-phase remediation strategy. CISA notes that each compromise is unique to the victim, so each step should be considered carefully and the guidance adapted to the specific environment of the breached organization to ensure success.

All three phases are necessary to fully evict the adversary from on-premises or cloud environments, so no corners should be cut. Failing to complete all steps can result in extensive, long-term undetected Advanced Persistent Threat (APT) activity, continued data theft, and erosion of public trust in the victim organization.

The guidance sets out a strategy for evicting the adversary from a network but does not prescribe the exact steps to be taken.

Any attempt to evict the adversary requires a pre-eviction phase, an eviction phase, and a post-eviction phase. The pre-eviction phase involves confirming the tactics, techniques, and procedures (TTPs) associated with the attacks and thoroughly establishing the true extent of the compromise. During remediation, action is taken to strengthen security and build more resilient systems; however, eviction is difficult and labor-intensive and requires enterprise networks to be disconnected from the internet for 3-5 days.

A full risk assessment should be conducted before any eviction attempt to understand the likely effects on critical business functions. Business operations will probably be disrupted, so remediation must be properly planned, the impact on the business fully understood, and adequate resources made available to minimize disruption.

After completing all eviction steps, organizations enter the post-eviction phase, which consists of validating that the adversary has been evicted. This phase involves integrating detection components, configuring endpoint detection and forensics tools for intensive collection, and remaining vigilant, with these activities continuing for the 60 days following completion of the eviction phase.

Extended vigilance is essential because this threat actor has demonstrated extraordinary persistence with follow-on activity.

CISA’s Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise is available on the CISA website.

CaptureRx Ransomware Attack Impacts Multiple Healthcare Provider Clients

CaptureRx, a San Antonio, TX-based provider of 340B administrative services to healthcare organizations, has reported a ransomware attack in which files containing its clients’ patients’ protected health information (PHI) were stolen.

CaptureRx discovered the security incident on February 19, 2021. The breach investigation confirmed that unauthorized individuals accessed patient files containing sensitive data on February 6, 2021. CaptureRx completed its review of the stolen files on March 19, 2021 and notified the affected healthcare clients between March 30 and April 7, 2021.

Since the attack, CaptureRx has worked with the affected healthcare providers to notify all individuals whose data was compromised. The attackers potentially accessed names, dates of birth, and prescription information; for some patients, medical record numbers were also affected.

CaptureRx had security measures in place to protect the privacy of healthcare data, but the attackers nonetheless circumvented them. Following the attack, CaptureRx reviewed and enhanced its policies and procedures, and employees received additional training to reduce the likelihood of further security breaches.

It is not yet known how many of CaptureRx’s healthcare clients, or how many individuals in total, were affected by the breach. The affected providers reported so far include:

  • Thrifty Drug Stores (Thrifty White): an undetermined number of patients at this time.
  • Faxton St. Luke’s Healthcare in New York, a Mohawk Valley Health System affiliate: 17,655 patients.
  • Gifford Health Care in Randolph, VT: 6,777 patients.

CaptureRx said the breach investigation found no evidence of actual or attempted misuse of the stolen information; even so, affected individuals are advised to monitor their accounts and explanation of benefits statements for fraudulent charges.