Reports on Increasing Healthcare Data Breaches in Q1 of 2024 and Decreasing Ransomware Attacks in 2024

Healthcare Data Breaches Increased by 53% From Q1 of 2024

Data compromises are 90% higher than in Q1 of 2023, as per the Data Breach Report in Q1 2024 published by the Identity Theft Resource Center (ITRC). In Q1 of 2024, 841 data breaches were publicly reported, which is higher than the 442 data breaches in Q1 of 2023. Although data breaches nearly doubled, the number of victims dropped by 72% compared to Q1 of 2023, and by 81% compared to the last quarter. The 841 data breaches affected 24,474,351 individuals.

In Q1 of 2023, the most attacked industry is healthcare; however, in Q1 of 2024, the healthcare industry is only number two with 124 breach notices and over 6 million breached records, following financial services with 224 breach notices and over 18 million breached records. The number of reported healthcare data breaches is 53% higher compared to Q1 of 2023 and 69.9% higher compared to Q1 of 2022. Nevertheless, the 6,071,259 victims in Q1 of 2024 is lower by 57.2% compared to Q1 of 2023 with 14,199,413 victims. The healthcare industry is number two on the top 10 list of breaches in Q1 of 2024 as Medical Management Resource Group (American Vision Partners) had 2.35 million breached records, following LoanDepot with over 16 million breached records. Still, healthcare leads the list with 6 of the 10 biggest data breaches in Q1 of 2024.

There were three times more companies affected by supply chain attacks in Q1 of 2024 than in Q1 of 2024, as 50 new attacks impacted 243 companies and affected the information of 7.5 million people. In Q1 of 2023, supply chain attacks impacted 73 entities and 11.4 million individuals. Cyberattacks were the number one reason for data breaches with 642 cases. Next are phishing/BEC/smishing attacks with 108 cases, and system and human error with 85 cases. It is currently more common for information regarding the cause of a data breach to be not included in notifications. In Q1 of 2024, 52.2% or 439 data breaches did not report the cause of the incident compared to 37.6% or 166 data breaches in Q1 of 2023. Over 66% of cyberattack-connected data breaches did not give details regarding the cause of the incident.

The increase in data breaches, especially when PHI is involved, is a real concern, but the number of victims affected, though still high, dropped, which is good. This may be because identity criminals have more targeted attacks, a tactic that is different from five or ten years ago. Businesses and individuals must use strong passwords and use Passkeys whenever possible.

More Cyberattacks But Less Ransomware Attacks

IT experts and security professionals think cyberattacks have increased as of 2023 based on the latest Keeper Security survey. The cybersecurity company surveyed 800 IT experts worldwide, and 92% stated they believe cyberattacks have gone up in the last year with 95% stating that cyberattacks are so advanced that they lack readiness to handle emerging threat vectors like fileless attacks (23%), unauthorized cloud control (25%), leveraged 5G networks (29%), deepfakes (30%), and AI-based attacks (35%). 40% of respondents stated that they experienced attacks from both external threat actors and insiders. The types of attacks that have become more frequent include phishing attacks (51%), malware attacks (49%), ransomware attacks (44%), and password attacks (31%). Most IT experts mentioned phishing and smishing attacks are becoming more difficult to identify because cybercriminals use generative AI.

2023 saw a spike in ransomware attacks, but attacks have dropped in 2024 as per the Israeli cybersecurity organization Cyberint. In 2023, victims of ransomware attacks increased by 55.5% as reported from 5,070 attacks. In Q1 of 2024, there were 1,048 reported attacks, which is 22% less than the 1,309 reported attacks in Q4 of 2023.

Cyberint gives some probable reasons for the drop. Law enforcement activity increased, which included two operations directed at two active ransomware groups, ALPHV and LockBit, that upset their campaigns. The disruption to LockBit operations was notably short, as the group claimed to have recreated its infrastructure within one week of the breakdown. In Q1 of 2024, 210 attacks were credited to LockBit demonstrating that the interruption was short-lived. The law enforcement operation in December 2023 took over parts of the infrastructure of the ALPHV group. Although the group stayed active, there were only 51 confirmed attacks in Q1 of 2024, which is less than the 109 attacks in Q4 of 2024. The ALPHV group likewise came back immediately and responded by removing limitations for affiliates, and urged attacks on the healthcare industry. The ALPHV group is deactivated now after the attack on Change Healthcare, but it is likely to rebrand and come back.

Cyberint additionally says that the lowering number of victims giving ransom payments made ransomware attacks less lucrative, so certain affiliates engage in other income sources. Information from the ransomware remediation company Coveware indicates that ransom payments dropped in Q4 of 2023, with just 29% of victims opting to give ransom payments. Ransom payments likewise fell to an average payment of $568,705 in Q4 of 2023, which is 33% less than the last quarter.

Although certain groups seem to have stopped their operations, a few new groups have surfaced. In Q1 of 2024, Cyberint monitored the appearance of 10 new ransomware groups. One is the RansomHub group that is seeking to extort Change Healthcare, and claims to have stolen data.

Although the decrease in ransomware attacks is good, it is still early to say if the decrease will go on or if it is only temporary. What is more sure is that, for a while at least, rans omware will likely still be one of the major cyber threats in healthcare.

OCR Clarifies Issues Associated With the Change Healthcare Cyberattack

The American Hospital Association (AHA) sent a letter to the Department of Health and Human Services asking for clarification regarding data breach notices in case it ends up that protected health information (PHI) was compromised. OCR reported that because of the effect of the Change Healthcare ransomware attack, Change Healthcare was promptly investigated to determine if it was HIPAA compliant. OCR Director Melanie Fontes Rainer mentioned in a “Dear Colleague” letter that while OCR is not prioritizing inspections of healthcare providers, business associates, and health plans that were linked to or affected by this attack, it is reminding organizations that have Change Healthcare and UHG as partners about their regulatory responsibilities, which include making sure that business associate agreements signed and that prompt breach notifications are sent to HHS and impacted persons as mandated by the HIPAA Regulations.

The AHA showed concern regarding Fontes Rainer’s report and wants clarity about the entities that should send notifications. The AHA stated in the letter that a covered entity like Change Healthcare is responsible for alerting OCR and the impacted people concerning a data breach, including in instances where Change Healthcare serves as a business associate. AHA’s question is about OCR’s requirement of the hospitals to send breach notices to HHS and impacted individuals, in case it is eventually confirmed that a breach happened. The AHA wants to clarify if hospitals and other organizations still need to send additional notifications when UnitedHealth Group and Change Healthcare already sent a notification. If that is so, it will confuse patients and entail unwanted expenses on hospitals on top of the suffering brought about by this attack.

After reading OCR’s letter, members of the Washington State Hospital Association (WSHA) have also expressed concern regarding the breach notification requirements. With regards to the business associate agreement and notification alerts mentioned in the letter, WSHA stated that OCR’s letter reminds hospitals they may get on top of this concern by going over how the different sets of responsibilities on their part and the part of Change Healthcare included in the BAAs they signed. For instance, these responsibilities include prompt breach notification and who gives the notification, indemnification, and insurance prerequisites.

Patients Report Fraudulent Calls After the Cyberattack on Change Healthcare

The Minnesota Hospital Association and Minnesota Attorney General have given alerts because scammers seem to be attacking patients impacted by the Change Healthcare ransomware attack. Individuals have said receiving phone calls from people professing to be staff from hospitals, pharmacies, and clinics who are providing refunds or requiring payment. Although these phone calls may suggest that information stolen during the attack is already being abused, it may only be opportunists exploiting the situation. Lou Ann Olson of the MHA advised all people to be cautious and be suspicious of scams. She told patients to speak to their healthcare company directly when they get a phone call, text, or email message associated with the Change Healthcare cyberattack.

Change Healthcare’s Recovery is Quite Slow

Cybersecurity specialists have criticized Change Healthcare because of its reaction to the cyberattack, which has prompted breakdowns lasting over 4 weeks. Though about 20 company services have already started again, over 100 remain offline. Although it’s not uncommon for a ransomware attack recovery to last a few weeks, the effect on healthcare companies is far-reaching because they use Change Healthcare’s systems a lot. Therefore, Change Healthcare must know about this and be ready to minimize the disruption.

It is a big concern that an organization that delivers such a crucial service took such a long time to recover its IT systems. In addition, it seems that the company had no backup plan that could be immediately put in place, as stated by Emsisoft threat analyst, Brett Callow. Other cybersecurity specialists have asked if proper backups were set up and if the incident response plan available was appropriately tested.

UnitedHealth Gives $2.5B Financial Support and Begins Working on $14M Claims Backlog

UnitedHealth Group has affirmed that it has set aside over $2.5 billion for healthcare companies impacted by the breakdowns at Change Healthcare. There will be software available for managing claims. The incident has affected providers at various levels; for that reason, temporary funding support is provided for free. Many companies, in particular smaller clinics, are having difficulties. Those who require additional help can gain access to these resources.

UHG additionally stated on March 22, 2024 that its largest clearinghouses will be back on the web on the following weekend. The backlog of over $14 billion in claims will begin to be processed afterward.

HSCC’s 5-Year Strategic Plan for Healthcare Cybersecurity and Greater NIST CSF and HCIP Coverage Plan

HSCC’s 5-Year Strategic Program for Enhancing Healthcare Cybersecurity

The number and severity of healthcare cyberattacks are growing each year. In 2023, about 740 healthcare data breach reports were submitted to the HHS’ Office for Civil Rights, and those breaches affected about 136 million persons, exceeding past records for the number of data breaches and the people impacted. It is obvious that cybersecurity in healthcare is in a critical state and when nothing changes, more unwanted data will be exposed in 2024.

The Health Sector Coordinating Council (HSCC), a public-private association representing 425 medical care sector entities and government organizations, recently revealed a 5-year strategic plan for the healthcare and public health sector at the ViVE 2024 conference. HSCC mentioned that cyberattacks and data breaches are happening because of the increased connection and remote use of digital health systems, the greatly distributed portability of health data, and the deficiency of competent healthcare cybersecurity experts. The sprawling and elevated difficulty of the connected healthcare ecosystem produces problems like unanticipated and poorly understood interdependencies; overreliance on vendor solutions; unidentified inherited security weaknesses; systems that fail to account for human factors that affect cybersecurity controls; and disparity between software programs and equipment lifecycles, and attackers are finding it way too easy to take advantage of the vulnerabilities.

The Health Industry Cybersecurity Strategic Plan (HIC-SP) seeks to enhance healthcare cybersecurity from the present critical condition to steady by 2029. HSCC mentioned that the cybersecurity standing of the healthcare industry was ranked critical in 2017 when the Health Care Industry Cybersecurity Task Force released a report on enhancing cybersecurity in the healthcare market. The HIC-SP builds on the suggestions given in the report and strives to enhance healthcare cybersecurity by enforcing foundational cybersecurity programs that deal with the operational, technological, and governance problems posed by substantial healthcare sector trends in the following five years.

HSCC has worked to set up existing industry trends that are probable to keep on over the subsequent 5 years, determined their probable impact on healthcare cybersecurity, and given tips for proactively handling those trends. The industry will likely go on to integrate rising technologies, is unlikely to handle current employees and management issues, and there is possibly to be continued instability in the healthcare supply chain. The HIC-SP analyzes how these and other developments may provide steady or surfacing cybersecurity issues, and recommendations are given about how the healthcare market and government ought to get ready for those improvements with cybersecurity principles and particular steps.

The purpose is to present C-Suite executives with actionable and measurable risk reduction actions in line with the present cybersecurity landscape and expected industry trends. Decision-makers in healthcare security can utilize the HIC-SP to advise decisions concerning cybersecurity investments and the implementation of particular cybersecurity steps, and given that the HIC-SP is modular, companies can use it to determine high-level goals and carry out objectives to deal with the areas that need the most attention.

The HSCC states the HIC-SP complements other endeavors to boost healthcare cybersecurity, for example, the HHS’ Healthcare Sector Cybersecurity Strategy that was announced in December 2023 and the voluntary healthcare cybersecurity performance targets published by the HHS in January, and together with its government contacts, the HSCC Cybersecurity Working Group is going to be working to attain the objectives of the plan using education and policy incentives and plans to introduce a set of measurable outcomes and metrics for accomplishment by the end of the year. By 2029, healthcare cybersecurity is expected to become ingrained as a public health and patient safety requirement, just like HIPAA compliance.

Increased NIST CSF and HCIP Protection Plan Associated with Reduced Cyber Insurance Premium Growth

Usage of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) enhances resilience to cyberattacks and the diminished risk is reflected in cyber insurance rates. According to a Healthcare Cybersecurity Benchmarking Study, healthcare providers that used the NIST CSF had lesser annual increases in their cyber insurance premium prices than healthcare companies that have not implemented the NIST CSF.

The study was a collaboration between KLAS Research, Censinet, the American Hospital Association, Health-ISAC, and the Healthcare and Public Health Sector Coordinating Council. It involved 54 payer and provider organizations and 4 healthcare vendors in Q4 of 2023. Implementation of the NIST CSF signifies a higher level of preparedness and resiliency and consequently reduced risk for insurance companies. Healthcare providers that employ the NIST CSF as their main cybersecurity framework report that premium rate increases of one-third (6%) of the percentage reported by companies that have not adopted the NIST CSF (18%).

The report evaluates cybersecurity coverage, particularly coverage of the NIST CSF and Health Industry Cybersecurity Practices (HICP), and shows little has changed in the past 12 months with average NIST CSF insurance rising from 69% in 2023 to 72% in 2024, and average HICP coverage growing from 71% (2023) to 73% (2024). The range of average insurance coverage across the 5 NIST CSF core functions – identify, protect, detect, respond, recover – is from 65% to 75%. The minimum insurance is in the identify function and the maximum is in the respond function. This shows most healthcare providers that participated in the study were typically more reactive than proactive in their strategy for cybersecurity. Among all categories within the NIST CSF, supply chain risk management (identity) got the least coverage. This is a concern given the rate of third-party data breaches in healthcare. The study revealed that this is a major concern for insurance providers in setting higher premiums. Increased supply chain risk management coverage was related to lower increases in cyber insurance premium rates.

Average HCIP coverage was better, with many companies with email protection systems (84%) set up and cybersecurity oversight and governance (83%), however, there was just 50% coverage of medical device security and 60% coverage of data protection/loss prevention. 25 healthcare delivery providers also took part in 2023’s benchmarking study and their average NIST CSF and HCIP insurance coverage was bigger than other provider and payer companies. Those repeat organizations likewise had lesser increases in their cyber insurance premium prices compared to other healthcare companies, on average.

Benchmarking studies have confirmed that high program ownership by information security leaders leads to greater cybersecurity coverage. In all companies, average NIST CSF and HICP insurance was between 71% and 72%, although companies that designate data security leaders higher percentages of program ownership attained above-average cybersecurity insurance coverage, particularly in the HCIP areas of endpoint protection systems and data loss and loss protection.

HHS Addresses Healthcare Cyberattack with New Flexibilities for Victim Healthcare Providers

The Department of Health and Human Services (HHS) has referred to the Blackcat ransomware attack on UnitedHealth Group that operated Change Healthcare in February 2024. The attack impacted more than 100 of Change Healthcare’s systems, which affected the providers that use those systems for monitoring insurance coverage, applying for claims, and getting paid.

Some industry groups requested HHS to support their members, who are encountering serious cash flow problems because they cannot get payments without Change Healthcare’s programs. UnitedHealth Group has created a temporary financial assistance program to aid companies who were unable to collect payments, but industry groups have criticized this action due to the limited eligibility and laborious terms.

The HHS stated it identified the effect the cyberattack has on healthcare operations countrywide and that its priority is to support in organizing efforts to stop interruptions to care. The HHS is regularly contacting UnitedHealth Group leadership and it has clearly expressed that it expects UnitedHealth Group to ensure the continuity of procedures for all healthcare providers.

The HHS mentioned it has obtained multiple communications concerning the cash flow issues that resulted from the cyberattack as companies cannot file claims and collect payments, and stated that it is taking action to assist the requirements of the medical community. The HHS is coming up with new flexibilities and the Centers for Medicare and Medicaid Services (CMS) is leading the response and will be interacting with the healthcare community and giving help, as appropriate.

The HHS reported all impacted providers must know about the following flexibilities:

Medicare companies that have to switch the clearinghouses they use for claims processing because of the outages must get in touch with their Medicare Administrative Contractor (MAC) to enroll in new electronic data interchange (EDI). The MAC will release instructions to hasten the new EDI enrollment. The CMS has directed MACs to speed up the new EDI enrollment procedure and transfer all provider and facility requests into production to make sure they can invoice claims immediately.

The CMS will be giving guidance to Medicare Advantage (MA) companies and Part D sponsors requesting them to remove or relax previous authorization, other utilization management, and prompt submission of requirements in these system blackouts, and is encouraging MA plans to provide advance money to the providers most affected by the cyberattack on Change Healthcare. CHIP and Medicaid-managed care plans are likewise being urged to use a strategy that is allowed by the State.

Medicare providers need to call their MAC to know the exceptions, waivers, or extensions, or speak to CMS concerning quality reporting programs if they are having problems filing claims or other required notices or other submissions. The CMS has called all MACs and advised them that they need to accept paper submissions in case a supplier has to file claims in that technique due to the outages.

Providers got in touch with the CMS concerning the availability of sped-up payments like those released during the COVID-19 pandemic. A lot of payers have paid money when billing systems are not available, and the CMS calls on companies to make use of those possibilities; nonetheless, the HHS stated hospitals may submit faster payment requests to their respected servicing MACs for consideration.

The HHS emphasized that the attack on Change Healthcare is a reminder of the value of boosting cybersecurity strength in the entire healthcare ecosystem. In December 2023, the HHS released a concept paper explaining some of the steps the HHS plans to take to improve cybersecurity resilience. Those steps include voluntary cybersecurity performance objectives, working with Congress to create support and rewards for domestic hospitals to enhance cybersecurity, escalating accountability, HIPAA compliance, and improving communication using a one-stop shop. The HHS is urging all members of the healthcare ecosystem to look at cybersecurity with desperation, as Americans cannot deal with more interruptions to care.

Although providers and industry organizations have accepted the HHS response, the response is that the new flexibilities do not go far enough. The president of the American Medical Association, Jesse Ehrenfeld, M.D., said the new flexibilities released by the HHS are a welcome first step, but mentioned the CMS needs to identify that the financial issues many companies are experiencing are threatening the existence of their practices, including those that take care of the underserved. The AMA urges federal authorities to beat what has been set up and include monetary support like advanced doctor payments.

Servers Restored by LockBit Ransomware Group After Law Enforcement Takedown

In mid-February, the LockBit ransomware group affiliate portal, its data leak site, and 32 servers were seized after a worldwide law enforcement operation; nonetheless, the takedown seems short-lived, seeing that the LockBit data leak website is now re-established. The LockBit group has likewise put up a lengthy write-up regarding what occurred along with the group’s plans for future operations. The post clarifies that the seizure will not stop operations and that LockBit will continue with more ransomware attacks executed on the government sector.

Operation Cronos was a venture between law enforcement organizations in the United Kingdom, the United States, and Europe. A series of notices announced the accomplishment of the operation. LockBit source code, decryption keys, and cryptocurrency wallets were seized, and a decryptor was provided that would enable LockBit attack victims to retrieve their encrypted files. The National Crime Agency of UK likewise threatened to expose the identity of LockButSupp, believed to be the boss of the operation, although that data was not given. Instead, the leak site had a notice concerning the identity of LockBitSupp.

In the notice, the LockBit group mentioned that the campaign of the FBI and the other law enforcement bureaus that joined Operation Cronos were meant to intimidate and frighten the group into shutting down operations, however, the group was defiant and said the attacks would keep going, despite the takedown. The group boasted about the money it had made and stated that the wealth accumulated and the luxuries that could be bought did not bring nearly as much fulfillment as running the LockBit operation.

The LockBit group mentioned the FBI most likely used a PHP vulnerability, CVE-2023-3824, to acquire access to the servers of LockBit. It may not be this CVE, though something else such as 0-day for PHP. This is likely how the victims’ blog server, chat panel server, and administrator account were accessed. LockBitSupp stated the failure to patch was because of irresponsibility and personal negligence.

The LockBit group at the same time stated that backup servers that didn’t have PHP installed were not breached or taken and that the takedown was timed to stop the exposure of files stolen from Fulton County in Georgia during a ransomware attack last January, which can affect the result of the forthcoming U.S. Presidential election. The attack resulted in the theft of information from the county court and tax systems. Fulton County is the place that hears a lawsuit against Donald Trump and 18 codefendants over the supposed efforts to overturn the 2020 election.

In the write-up, LockBit mentioned the takedown was not as comprehensive as it seemed. Only about 1,000 ransomware decryptors were taken, yet its servers have close to 20,000, that the listing of LockBit affiliates that was obtained and posted does not consist of any real nicknames or monikers utilized in forums, and in reply to the attack, modifications would be done, for example decentralizing the hosting of its administrative panel, to make any attempted takedowns later even more difficult. The group additionally stated that the recovery took four days to finish due to an incompatibility with the most recent PHP version, which required an edited source code.

The LockBit group core members are believed to live in Russia, where privacy violations are tolerated so long as their activities align with the objectives of Russia and they do not carry out attacks inside Russia or in any of the Commonwealth of Independent States (CIS). Russia acts against threat actors that break those |operating rules. Recently, Russia said that three members of the SugarLocker ransomware gang were caught for attacks inside of Russia and CIS nations; nevertheless, no action will probably be taken against any LockBit group member.

The LockBit seizure has interrupted LockBit operations and harmed the group’s track record within the cybercriminal community. The long post detailing the attack and the steps that will be taken later on appears to be disaster control and an attempt to recover the reputational damage caused, but affiliates could now decide to move to a different ransomware-as-a-service operation. Only time will tell how quickly, and to what degree, LockBit can recover however it currently looks improbable that the group will be able to quickly return to its formerly held position as the most dangerous and high-profile ransomware gang.

Data Breaches Reported by Cooper Aerobics, Colorado Ophthalmology Associates, and Des Moines Orthopaedic Surgeons

Cooper Aerobics Announces 124K-Record Data Breach

Cooper Aerobics, representing Cooper Clinic, Cooper Aerobics Enterprises, and Cooper Medical Imaging, in Texas, has informed 124,341 persons about the exposure of some of their protected health information (PHI) in a cyberattack at the beginning of 2023. It is not mentioned in the notification letters when the attack happened. Following the investigation and file evaluation, Cooper Aerobics discovered on December 8, 2023, that files comprising the personal data and PHI of patients were possibly extracted from its system on February 3, 2023.

Patients were informed about the potential compromise of the following data elements: name, address, telephone number, email address, birth date, debit or credit card number (including financial account and routing number, expiration date), Social Security number, tax ID number, passport number, driver’s license or government ID, username and password, and health data (such as medical record/patient account number, prescription details, healthcare provider, and medical treatments), and medical insurance data.

Cooper Aerobics began informing the impacted persons on January 5, 2024 and stated it regularly examines and alters its procedures and internal controls to safeguard against unauthorized access and will still do so.

6,000 People Affected by Colorado Ophthalmology Associates Ransomware Attack

Colorado Ophthalmology Associates (COA) has lately reported a ransomware attack that was identified on November 14, 2023. Data extraction frequently occurs in ransomware attacks, yet the forensic investigation did not find any proof of data theft. COA stated that automated encryption was used in the attack. The electronic health record files for patient consultations or tests done from April 10, 2023, to November 14, 2023 were lost.

The forensic investigation revealed that the attack started on October 4, 2023, and stopped on November 14, 2023. The types of data compromised in the attack were restricted to names, addresses, birth dates, telephone numbers, email addresses, insurance details, dates of service, types of services, diagnoses, illnesses, prescription medications, examination results, medicines, other treatment details, and Social Security numbers. The incident report submitted to the HHS Office for Civil Rights indicated that up to 6,020 patients were impacted.

Data Breach at Des Moines Orthopaedic Surgeons in February 2023

Des Moines Orthopaedic Surgeons (DMOS) based in Iowa recently informed 307,864 present and past patients about the exposure of some of their PHI in a cyberattack more or less one year ago. DMOS mentioned that the incident happened on or about February 17, 2023, and permitted an unauthorized third party to view and/or steal files that contain the sensitive data of DMOS patients. DMOS stated the breach was because of the failure of one vendor.

DMOS noted it quickly controlled the threat and had third-party cybersecurity specialists check out the incident to find out the scope of the compromise. Based on the breach notification letters, DMOS spent a lot of time and effort evaluating the scope of the incident and finding out what data could have been accessed by unauthorized users. It was confirmed on December 6, 2023, after 10 months, that the patient data included PHI.

The types of information affected included names together with at least one of these: Social Security number, birth date, passports, driver’s license numbers, state ID numbers, direct deposit bank details, medical data, and medical insurance details. Notification letters were sent by mail on January 22, 2024, and those who had their Social Security numbers exposed were provided with credit monitoring and identity theft protection services for free.

67,000 Michigan Orthopaedic Surgeons Patients Affected by Email Account Breach

Michigan Orthopaedic Surgeons informed 67,477 patients that unauthorized individuals got access to some of their PHI held in an email account. The healthcare provider detected suspicious activity in the email account on or about June 29, 2023. A third-party forensic security firm investigating the incident had confirmed that an unauthorized individual accessed the email account from May 5, 2023 to June 21, 2023.

A complete analysis of the account was started, and protected health information was confirmed to be present in the account on October 20, 2023. The types of data differed from one person to another and might have included names along with at least one of these data: birth date of birth, Social Security number, username and password, financial account number, medical insurance details, and medical data, like diagnosis, laboratory results, and prescription details. Individual notices were sent by mail on December 19, 2023, and free credit monitoring services were provided to those whose Social Security numbers were compromised.

Bay Area Heart Center Affected by Business Associate Phishing Attack

Bay Area Heart Center located in St. Petersburg, FL has reported the exposure of patient information in a cyberattack that occurred at the law agency Bowden Barlow Law, P.A., its collections service provider. A worker at the law agency responded to a phishing email, giving the attacker access to a server of the law firm from November 17, 2023 to December 1, 2023. Bay Area Heart Center was informed concerning the data breach on December 27, 2023.

The investigation did not find any evidence that indicate the downloading of data, but the possibility of data theft cannot be excluded. The compromised data included names, full and partial Social Security Numbers, addresses, dates of service, limited claims information, and insurance policy numbers. Bay Area Heart Center’s breach notice mentioned that it takes patient privacy seriously and is equally disappointed about the compromise of its patient files through a third-party vendor. The medical practice is presently re-assessing its work relationship with Bowden Barlow Law. Bay Area Heart Center stated it has provided the impacted patients with membership to a credit monitoring service for one year.

Cyberattacks on CompleteCare Health Network, Keenan & Associates and Concentra

314,000 Patients Impacted by CompleteCare Health Network Cyberattack

CompleteCare Health Network, a health system providing patient care in southern New Jersey, reported the potential compromise of the protected health information (PHI) of 313,973 patients due to a ransomware attack in October 2023.

An unauthorized third party acquired access to CompleteCare Health Network’s computer system and tried to deploy ransomware for file encryption. CompleteCare Health Network mentioned it detected this sophisticated ransomware attack and blocked it on or about October 12, 2023. Third-party cybersecurity professionals investigated the ransomware attack to find out the details of the unauthorized activity, and if patient data was compromised. As per CompleteCare Health Network’s substitute breach notice, the health system has taken steps to stop the publishing or distribution of patients’ data. This statement seems to suggest the confirmed data exfiltration, and the ransom payment given to the threat group to stop their plan to expose the data.

CompleteCare Health Network performed an analysis of all files on the impacted systems and confirmed they contained PHI. The types of data affected differed from one patient to another and might have involved names, telephone numbers, addresses, and certain sensitive personal data and/or personal health data. Notification letters were mailed to the impacted people beginning on December 15, 2023. Every individual notification letter mentioned the exact types of information affected. CompleteCare Health Network stated there was no report received that suggest actual or attempted patient data misuse. However, as a safety measure, the affected persons were provided free credit monitoring and identity theft protection services.

Upon learning about the attack, CompleteCare Health Network immediately disabled the affected systems and started securing and improving its systems. Steps taken because of the breach include changing guidelines and procedures and system security software programs and going over how patient information is saved and managed. Since the ransomware attack, the system was monitored 24 hours a day by third-party cybersecurity professionals. CompleteCare Health Network has involved top cybersecurity providers to help with keeping track of its system for the long term.

Keenan & Associates Data Breach Impacts Over 1.5 Million People

The insurance broker Keenan & Associates based in Torrance, CA submitted a cybersecurity incident report to the Maine Attorney General that has impacted 1,509,616 people. Keenan & Associates is associated with AssuredPartners NL, one of the biggest brokerage companies in the U.S. The firm has clients in various fields, including education, healthcare, and the public sector.

The firm detected the cybersecurity incident on Sunday, August 27, 2023 upon noticing the disruption in some of its network servers. Action was quickly undertaken to control the attack and separate the impacted network servers. Third-party cybersecurity professionals investigated the incident to find out the nature and extent of the breach. Based on the forensic investigation, its internal systems were accessed at various times from August 21, 2023 to August 27, 2023. At that time, selected files were extracted from its systems. A number of those compromised files included personal information furnished by its clients together with several employee information. The analysis of those files revealed that they included names along with at least one of these data: birth date, passport number, Social Security number, driver’s license number, medical insurance data, and general health data.

Keenan & Associates stated supplemental security measures were implemented to improve network, system, and data security, and its security procedures will still be assessed to know whether action still must be taken to toughen cybersecurity protection. The attack was reported already to the Federal Bureau of Investigation (FBI), which has begun its investigation.

Although data theft was established, Keenan & Associates did not receive any report of attempted or actual misuse of the stolen information. As a safety measure, impacted persons were provided free credit monitoring, and identity theft protection services. There was no public mention of the names of the impacted clients, thus it is uncertain at this point if the breach is reportable as per HIPAA.

About 4 Million Concentra Patients Impacted by PJ&A Data Breach

Physical and occupational health provider, Concentra based in Texas, reported that it was impacted by the cyberattack on PJ&A, its transcription service provider. PJ&A already sent a breach report to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) indicating that more or less 9 million patients were affected; but a few PJ&A clients, including Concentra, have decided to submit a breach report to OCR themselves.

On January 9, 2024, Concentra reported the compromise of the PHI of 3,998,162 patients because of the PJ&A cyberattack. Including this the total number of impacted persons is now up to around 14 million. This healthcare data breach is currently the biggest in 2023. That figure will probably increase further, though it is not known by how much because PJ&A has not publicly mentioned the clients that were affected nor the total number of healthcare records exposed because of the attack.

The medical transcription firm based in Nevada and the impacted clients are facing lawsuits because of the data breach. There are a minimum of 40 lawsuits already filed against PJ&A for negligence and not implementing reasonable and proper cybersecurity steps to secure sensitive health information from its clients. Several of the lawsuits made the impacted healthcare providers co-defendants.

According to Concentra, the data exposed includes complete names and at least one of these data: address, birth date, medical record number, admission diagnosis, hospital account number, and date(s) and time(s) of service. Many individuals also had their Social Security number exposed, the insurance data and clinical data from medical transcription records like lab and diagnostic test results, prescription drugs, the name of the treatment center, and the name of healthcare companies. It was not mentioned if credit monitoring and identity theft protection services were offered. Concentra has instructed the impacted people to keep track of their accounts carefully for indications of misuse of their data and to set a fraud alert on their credit records.

Hackers are targeting business associates of HIPAA-regulated entities because they usually keep huge amounts of sensitive information. A breach of this level normally raises concerns about the implementation of security measures questioning how the hackers could have gained access to a lot of data. Considering the high risk of cyberattacks, Concentra should have implemented network segmentation to make sure that in case of security breaches, hackers can only access limited information.

Data Breach Reported by HealthEC, Eye Physicians of Central Florida and Fallon Ambulance Service

PHI of 4.5 Million Individuals Exposed at HealthEC Data Breach

Analytics software vendor HealthEC based in Edison, New Jersey, has recently reported the exposure and potential theft of the protected health information (PHI) of 4,452,782 individuals in a cyberattack. HealthEC develops a platform for use by healthcare companies to identify high-risk patients, close care gaps, and recognize obstacles to optimal patient care. Over 1 million healthcare experts in 18 U.S. states utilize the platform.

HealthEC began sending data breach notification letters to the impacted persons on December 22, 2023; but the data breach happened a couple of months earlier. Based on the breach notification letters, unauthorized people accessed HealthEC’s systems from July 14, 2023 to July 23, 2023. The forensic investigation showed that files were extracted at that time.

HealthEC performed an analysis of the impacted files and confirmed that they included the PHI of its clients’ patients. HealthEC began sending notification letters to the impacted clients on October 26, 2023, including Corewell Health and Beaumont ACO in Michigan (1 million+ records) and MD Valuecare in Virginia (112,005 records). On December 21, 2023, the breach report was submitted to the Department of Health and Human Services’ Office for Civil Rights indicating that 4.52 million individuals were affected.

The compromised data varied from one patient to another and might have included names together with at least one of these data: address, Social Security number, birth date, medical record number, diagnosis and diagnosis codes, prescription data, mental/physical condition, name of provider, subscriber number, beneficiary number, Medicare/Medicaid ID number, patient account number, patient ID number, and treatment cost details. HealthEC is giving the impacted persons free credit monitoring services. Security had been improved to avoid other data breaches later on.

HealthEC is the second company to encounter a data breach that has impacted over 1 million Corewell Health patients in 2023. Michigan Attorney General, Dana Nassel, is seeking the introduction of new legislation in the state requiring prompt notifications in case of a data breach, as in both cases that occurred, Michiganians waited a couple of months to find out that their sensitive health information was stolen.

Fallon Ambulance Service Data Breach Impacts Over 911,000 People

Legal counsel for Transformative Healthcare, a medical, transportation & logistics firm based in Newton, MA, has informed the HHS’ Office for Civil Rights that a data breach it encountered has impacted 911,757 people. The data breach impacted individuals who previously received services from Fallon Ambulance Services, Transformative Healthcare’s medical transportation arm in Massachusetts. In case of patient emergencies, Fallon is a responder in the greater Boston area. Fallon also provided administrative support for affiliated medical transportation firms.

Coastal Medical Transportation Systems acquired Fallon Ambulance Service in December 2022 and stopped business operations. To adhere to the legal requirements of data retention, Transformative Healthcare kept an archived copy of the data that was saved on the computer systems of Fallon. On or about April 21, 2023, Transformative Healthcare discovered unauthorized access to its archive. It took immediate action to secure the archive and began an investigation to find out the scope of the breach. As per the forensic investigation, an unauthorized third party accessed the archive on February 17, 2023 until April 22, 2023. At that time, the hacker copied files from the archive.

The process of reviewing the impacted files was completed on December 27, 2023. It was established that the files included names, addresses, Social Security numbers, medical data such as COVID-19 testing/ vaccination data, and data given to Fallon in association with a job application or application for work.

The information had already been removed from the archive. Fallon and Transformative Healthcare did not find any proof that suggests the misuse of data. Impacted patients received breach notification by mail on December 27, 2023, as well as credit monitoring and identity theft protection services.

31,000 People Impacted by Eye Physicians of Central Florida Cyberattack

Eye Physicians of Central Florida, PLLC, recently reported the exposure and potential theft of the PHI of 31,189 patients in a cyberattack. Eye Physicians of Central Florida, which is a division of Florida Pediatric Associates, found suspicious system activity on November 5, 2023. It took steps immediately to stop the unauthorized access to its network and started a forensic investigation to find out the nature and extent of the breach.

The investigation revealed unauthorized access to areas of its system that stored patient data. During the issuance of notification letters to the impacted persons on December 6, 2023, there was no proof found that indicated the actual or attempted patient data misuse; nevertheless, as a safety precaution, impacted persons were provided free credit monitoring and identity theft protection services.

The exposed data included names, addresses, birth dates, medical diagnosis and treatment data, names of providers, dates of service, patient ID numbers, procedure codes, treatment cost data, financial account data, state ID, medical insurance data, and/or prescription details.

Eye Physicians of Central Florida stated it is checking its present guidelines and procedures associated with data security and will suggest enhancements, as needed to strengthen security.

Data Breaches at Cardiovascular Consultants and ESO Solutions Impacts Over 3M Individuals

Cardiovascular Consultants Data Breach Impacts 484,000 People

Cardiovascular Consultants Ltd. based in Arizona has centers in Phoenix, Glendale, and Scottsdale. It submitted a data breach report to the HHS’ Office for Civil Rights that impacted the protected health information (PHI) of 484,000 persons.

Cardiovascular Consultants discovered suspicious activity within its computer network on September 29, 2023 and began implementing incident response and recovery processes. A third-party cybersecurity firm investigated the incident, which showed that unauthorized people got access to its network on approximately September 27, 2023.

Cardiovascular Consultants already confirmed that the hackers stole files that contain sensitive information and utilized ransomware to encrypt files on its network. The review of the compromised files showed that they contain patient information including names, dates of birth, mailing addresses, emergency contact data, driver’s license numbers, Social Security numbers, state ID numbers, insurance policy and guarantor facts, diagnosis and treatment details, and other data from healthcare or billing records.

The information of account guarantors was likewise saved on the breached sections of the system, which include names, birth dates, mailing addresses, email addresses, and phone numbers, as well as details regarding insurance policy holders/subscribers like names, phone numbers, mailing addresses, birth dates, insurance policy details, and, in certain instances, Social Security numbers.

Impacted persons were informed concerning the breach on December 2, 2023, and provided with free credit monitoring, identity theft protection, and fraud resolution services for two years. Cardiovascular Consultants has stated that supplemental security procedures were put in place to enhance its protection against cyberattacks.

2.7 Million Individuals Impacted by ESO Solutions Data Breach

ESO Solutions, a company providing software programs for hospitals, health systems, fire departments, and EMS agencies, has reported encountering a ransomware attack and file encryption in September 2023. ESO Solutions discovered suspicious activity inside its system on September 28, 2023, and immediately isolated its systems to stop further unauthorized network access.

Third-party digital forensics specialists investigated the ransomware attack to find out the scope of the unauthorized activity. The forensics staff reported on October 23, 2023 that the attackers got access to sections of its system that contain the personal data and PHI of 2.7 million people. The exposed data included names, birth dates, injury type and date, treatment type and date, and, in certain instances, Social Security numbers. After receiving a report on the attack, the Federal Bureau of Investigation and ESO Systems have worked together to investigate. The attackers issued a ransom demand but ESO Systems failed to restore the encrypted files using its backups.

ESO Systems informed its impacted clients and frequently contacted them to help them respond appropriately to the incident and offered to notify the patients of its clients. ESO Systems began sending notification letters by mail on December 12, 2023. Impacted persons have been provided with free credit monitoring and identity theft protection services via Kroll.

The healthcare providers listed below are confirmed to have been impacted:

  • Ascension – Ascension Providence Hospital in Waco
  • Baptist Memorial Health Care System – Mississippi Baptist Medical Center
  • Community Health Systems – Merit Health River Oaks and Merit Health Biloxi
  • CaroMont Health
  • ESO EMS Agency
  • Forrest Health – Forrest General Hospital
  • HCA Healthcare – Alaska Regional Hospital
  • Memorial Hospital at Gulfport Health System – Memorial Hospital at Gulfport
  • Providence St Joseph Health (also known as Providence) – Providence Alaska Medical Center and Providence Kodiak Island Medical Center
  • Tallahassee Memorial HealthCare – Tallahassee Memorial
  • Universal Health Services (UHS) – Desert View Hospital and Manatee Memorial Hospital

Considering that patient security and personal data are in danger, companies must not delay fortifying their cybersecurity measures. On a typical day, over 55,000 physical and digital resources are linked to organizational systems; 40% of these resources are not tracked – leaving gaps that can be exploited. Attackers are attacking these gaps. This incident shows that incorrect access to one device can result in problems for a company. This attack likewise shows the value of educating companies that resources include not only hardware or medical gadgets. Other assets that could be attacked consist of data artifacts, virtual assets, personal health data, and user access. It’s important for healthcare companies to not just check out cyber threats from a vulnerability viewpoint, but likewise consider assets aiding medical workflows or saving patient data. By having a detailed inventory of assets, companies can prioritize necessary controls and risk reduction strategies to help address and mitigate cyberattacks. Monitoring all resources for suspicious activities, and connection attempts, and assessing other facets of attempted access gives the level of visibility required to help set up precautionary policies.

To enhance their protection against ransomware attacks, healthcare companies of all types need to prioritize cyber exposure management to minimize all cyber asset risks, control vulnerabilities, prohibit threats, and safeguard the whole attack surface. Security and IT professionals should also look at integrating critical techniques into their cybersecurity programs, such as network segmentation, to boost healthcare cybersecurity. Separating a network is a big project that can last several years, nevertheless, it is the project that will achieve the most risk reduction in a healthcare system.

What’s important for these plans is the correct planning and knowing that a segmentation project is going to have the following phases:

  • discovery and inventory
  • behavioral and communication mapping
  • policy creation, prioritization, testing, implementation, and automation

A risk-based prioritization strategy where the traditional approach to segment lists according to manufacturer or type is set aside. Instead, companies can accomplish a significantly faster ROI by determining and separating critical vulnerable gadgets first to accomplish the greatest risk reduction upfront. Cybersecurity experts at healthcare companies must integrate these types of products and strategies immediately to help in stopping these types of attacks from affecting their companies directly, and for safeguarding them and their patients after an attack against a third-party supplier.

Welltok Data Breach Impacts 8,493,379 Individuals

The patient engagement company, Welltok, based in Denver, has reported that it was attacked by the Clop hacking group in May 2023. The group exploited a zero-day vulnerability (CVE-2023-34362) found in the MOVEit Transfer file transfer tool of Progress Software. Initially, the number of people who were affected by the Welltok data breach is unclear. However, the HHS’ Office for Civil Rights has updated the breach total and lists 8,493,379 individuals who were affected by the breach. The Welltok data breach is 2023’s fourth-biggest healthcare data breach. Topping the list is HCA Healthcare’s 11,270,000 record breach, followed by PJ&A’s 8,952,212 record breach, and MCNA Dental’s 8,923,662 record breach.

Welltok works with health plan companies and provides communication services for their subscribers using its platform. It also runs a voluntary online wellness program encouraging health plan subscribers to adopt a healthy lifestyle. Welltok transferred large datasets across the web using the MOVEit Transfer tool as part of the services it provides to health plans. As per Welltok, it received a notification from Progress Software on May 31, 2023, regarding a vulnerability affecting its platform and implemented the patch and mitigations that Progress Software recommended. The preliminary investigation revealed that its MOVEit Transfer server was not compromised. On July 26, 2023, Welltok was notified regarding a breach of its MOVEit Transfer server. On August 11, 2023, it was confirmed that the vulnerability had been exploited by the Clop group on May 30, 2023. The patch was released after this day. On August 26, 2023, data theft was likewise confirmed.

An analysis of the breached files showed that they included the information of health plan members like names, birth dates, addresses, and medical data. The Social Security numbers, Medicaid/Medicare IDs, and medical insurance data of certain individuals were also stolen. The substitute breach notification posted on Welltok’s website in October was likely seen only by persons who visited the website.

Welltok sent a notification to the Maine Attorney General regarding the data breach on behalf of the health plans of Stanford Health Care listed below indicating that the breach affected 1,648,848 individuals.

  • Lucile Packard Children’s Hospital Stanford
  • Packard Children’s Health Alliance
  • Stanford Health Care
  • Stanford Medicine Partners
  • Stanford Health Care Tri-Valley

Welltok sent another notification to the Maine Attorney General on behalf of Graphic Packaging International, LLC, and Premier Health in southwestern Ohio. With these two clients, the data of 426,812 people was compromised. As per the Welltok website notification, it is giving notifications on behalf of Trane Technologies Company LLC, Sutter Health, and group health plans sponsored by Trane U.S. Inc. or Trane Technologies Company LLC. Those entities were not part of the Maine Attorney General notification. Sutter Health based in Sacramento, CA previously stated that it was impacted by the Welltok security breach with 845,451 people affected.

St. Bernards Healthcare, Inc. based in Arkansas separately submitted a breach report to the Maine Attorney General stating that 89,556 individuals were affected. Corewell Health in southeast Michigan was likewise impacted by the Welltok data breach and stated roughly 1 million patients were impacted together with about 2,500 Priority Health members. Horizon Health, also known as Hospital & Medical Foundation of Paris, Inc., stated that 16,598 were impacted. The data of 78,692 health and wellness plan members of the International Paper Company Group were compromised. Other breach victims include the Faith Regional Health Services, Mass General Brigham Health Plan, The Guthrie Clinic, Blue Cross and Blue Shield of Minnesota, Blue Cross, Blue Plus, and Blue Shield of Alabama, Blue Cross and Blue Shield of Kansas.

This data breach is one more stark case of cybercriminals exploiting supply chain vulnerabilities. For a long time companies who create software tools have looked at cybersecurity as an expenditure as opposed to a functionality of conducting business. Greater research is required by Virgin Pulse per runtime security and vulnerability management.

The most recent tracking information from the cybersecurity company Emsisoft indicates the Clop hacking group conducted mass exploitation of the vulnerability to attack about 2,618 companies worldwide and steal the personal information of about 77 million people. Emsisoft stated the industries most impacted were education, healthcare, professional and financial services. Although the vulnerability exploitation occurred at the end of May, numerous companies have just recently affirmed they were impacted and those numbers will continue to increase. A lot of lawsuits were filed against the companies impacted and also Progress Software because of these data breaches. 58 lawsuits against Progress Software were combined into just one class action lawsuit in Federal court in Massachusetts in November since each one had the same claims. The U.S. Securities and Exchange Commission (SEC) likewise started investigating Progress Software because of the data breach.

As soon as a vulnerability is announced to the public, IT teams have less time to take action before cybercriminals exploit the vulnerability if they have not done so yet. To reduce the risk, taking away the affected software, or patching when offered, should be quickly done. Criminals take advantage of every opportunity when an organization is open to exposure.

BlackSuit Ransomware Threatens HPH Sector and Using Encryption Successfully in 75% of Ransomware Attacks

The Health Sector Cybersecurity Coordination Center (HC3) has released an analyst note regarding BlackSuit ransomware, which is a new ransomware group thought to present a valid threat to the healthcare and public health (HPH) sector.

Security researchers have seen some commonalities between Royal ransomware and BlackSuit ransomware. Royal ransomeware has been active in targeting the HPH industry just like the Conti ransomware group. BlackSuit has previously been employed in an attack on the HPH sector this October 2023, thus it is fair to believe that BlackSuit is going to be employed in more attacks. A medical scans and radiology services provider to over 1,000 hospitals located in 48 states was attacked.

Similar to a lot of other ransomware attacks, BlackSuit ransomware is employed in double extortion attacks, exfiltrating sensitive information before encrypting files. Ransoms should be paid to stop the exposure of the stolen information and to decrypt the coded files. To date, BlackSuit ransomware has just been employed in a few attacks; nonetheless, activity may be increased at any time.

BlackSuit ransomware is thought to be a private group instead of a ransomware-as-a-service operation. Its operation is believed to be managed by people with expertise in carrying out ransomware attacks because of relations with Royal and Conti. A number of cybersecurity researchers have thought that BlackSuit could be a rebrand of Royal ransomware, which carried out a big attack on a Texas city last May 2023 which drew the attention of media and police authorities. BlackSuit first showed up soon after that attack however Royal is still in operation, though BlackSuit was not broadly used thus far, that conclusion is not discounted.

There were Windows and Linux variants of BlackSuit discovered, and just like Royal ransomware, utilize OpenSSL’s AES for encryption. The ransomware utilizes intermittent encryption methods, which are more effective and encrypt files faster. Considering the low number of recognized attacks, it is hard to say which attack strategies are liked by the group. The distribution techniques that are probably utilized are email attachments that contain macros, downloading the ransomware in torrent files, malicious advertisements (malvertising), and distribution through other malware types like droppers, Trojans, and downloaders, which are frequently spread through compromised sites, phishing emails, and phony software updates.

The HC3 Analyst Note  explains the MITRE ATT&CK strategies employed by the Blacksuit group, Indicators of Compromise (IoCs), and suggested mitigations for strengthening defenses. HC3 has additionally suggested reporting any supposed ransomware attacks to the FBI Internet Crime Compliant Center (IC3)and area Federal Bureau of Investigation (FBI) field office.

Data Effectively Encrypted in 75% of Healthcare Ransomware Attacks

Sophos’ new report about healthcare cybersecurity shows that 75% of ransomware attacks on healthcare companies had implemented successful data encryption. Just 24% of surveyed healthcare companies had identified an ongoing attack and stopped it prior to encrypting files. Sophos states this is the best encryption rate and the cheapest rate of disruption observed by the company in the last 3 years. In 2022, healthcare companies stopped 34% of attacks prior to encrypting files.

The percentage of companies that were able to stop an attack prior to encryption is a good indication of security maturity. The healthcare industry only had a low disruption rate of 24%. In addition, this number is decreasing, which implies the industry is losing to cyber attackers and is progressively unable to discover and prevent an ongoing attack.

A lot of ransomware groups make use of double-extortion strategies, encrypting files after data extraction and demanding a ransom payment to decrypt files and stop the exposure of the stolen information. Healthcare ransomware attacks engaged in double extortion tactics increased to 37% compared to previous years. Ransomware attacks are still growing in complexity, threat actors are continually changing and enhancing their strategies, and attack time tables are accelerating, allowing system defenders less time to identify and stop cyberattacks. Sophos states the median time from the beginning of an attack to discovery has already dropped to merely 5 days. Most attacks are likewise planned to take place beyond office hours when workforce levels are smaller. Just 10% of attacks were carried out during normal work hours.

The complex nature of cyberattacks has taken longer recovery time. Just 47% of healthcare companies could recover from a ransomware attack in one week, in comparison to 54% in 2022. According to the Department of Health and Human Services’ Office for Civil Rights, there has been a 278% rise in ransomware attacks on healthcare companies in the last four years; nevertheless, Sophos’s information shows a small decrease in attacks, from 66% (2022) to 60% (2023). There’s likewise a big decrease in the number of healthcare companies giving ransom payments. In 2022, 61% of healthcare companies gave a ransom payment. In 2023, only 42% decided to pay the ransom.

The ransomware threat has become too complicated for many companies to handle on their own. All companies, particularly those in healthcare, must modernize their defensive method of cybercrime, going from being exclusively precautionary to actively tracking and examining warnings 24/7 and getting outside assistance such as managed detection and response (MDR.

Sophos advises building up defenses by utilizing security tools like end-point protection options with powerful anti-ransomware and anti-exploit capabilities, applying zero trust network access to avoid the misuse of breached credentials, utilizing adaptive systems that could respond immediately to attacks in progress to give system defenders additional time and to apply 24/7 threat discovery, investigation, and reaction, whether that is done in-house or through a specific MDR company.

It is additionally necessary to adopt good security practices, like updating software programs and patching immediately, routinely checking security tool settings, routinely backing up, restoring data using backups, and keeping an updated incident response plan.

Cyberattack on Prospect Medical Holdings, Mount Graham Regional Medical Center, and McLaren Health Care

On August 1, 2023, Prospect Medical Holdings based in Los Angeles, CA discovered suspicious activity in parts of its IT network. The company conducted a forensic investigation to figure out the nature and extent of the data breach, and it was established that on September 13, 2023, an unauthorized third party accessed part of its IT network from July 31 to August 3, 2023. In that period of time, the attacker accessed and/or obtained files that contained the data of a number of patients and workers.

The breached information belongs to patients from these facilities:

  • Foothill Regional Medical Center
  • Los Angeles Community Hospital
  • Los Angeles Community Hospital at Bellflower
  • Los Angeles Community Hospital at Norwalk
  • Southern California Hospital at Culver City
  • Southern California Hospital at Van Nuys
  • Southern California Hospital at Hollywood

Prospect Medical Holdings has additionally affirmed that 24,130 present and past workers and dependents from the Waterbury Health and Prospect Medical’s Eastern Connecticut Health Network (ECHN) facilities likewise had their data compromised. The breached data differed from one person to another and might have contained names along with at least one of these data: address, birth date, diagnosis, laboratory results, medicines, other treatment details, medical insurance data, name of provider/facility, treatment date(s), and financial data. A number of patients likewise had their driver’s license number and Social Security number compromised.

Patients began receiving notification regarding the data breach on September 29, 2023, and free credit monitoring and ID protection services were provided to people whose driver’s license number or Social Security number were compromised. Prospect Medical Holdings stated supplemental safety measures and technical security procedures were put in place to better secure and keep track of its systems.

The security incident has not yet been published on the HHS’ Office for Civil Rights breach website; nevertheless, the breach report was submitted to the Maine Attorney General indicating that 190,492 persons were impacted. Prospect Medical Holdings hasn’t revealed which group was responsible for the attack, however, the Rhysida ransomware group has stated that it was behind the attack.

Acquisition Deal in Jeopardy After the Cyberattack

The three Connecticut hospitals that were impacted by the attack are now with Yale New Haven Health under an acquisition agreement. Although the offer to get the facilities was decided in October 2022, that deal is now in doubt after the cyberattack. Yale New Haven Health has increasing issues concerning the purchase of the Waterbury Health and ECHN facilities because of the cyberattack and the declining condition of the facilities.

A representative of Yale New Haven Health stated a multi-party restoration plan was suggested to preserve the deal and that it is involved in conversations with Prospect Medical Holdings and is attempting to come to an agreement on a path onward. In case the deal pushes through, the medical facilities will be in danger of closure because they aren’t financially feasible, which would be devastating for the communities where the hospitals are located.

Up to 2.5 Million McLaren Health Care Patients Affected by Ransomware Attack

15-hospital health system, McLaren Health Care, based in Grand Blanc, Michigan, has reported that it suffered a ransomware attack and warned that the data contained in the stolen patient files could be exposed on the dark web.

The health system detected suspicious activity in its IT systems at the end of August, and it was later established that this was a ransomware attack. During the investigation, the computer network was disconnected from the web, which resulted in disruption throughout its medical facilities, though medical services were made available at all facilities and patient care was not affected

The ALPHV/BlackCat ransomware group professed that it was behind the attack and included McLaren Health Care on its dark web data leak website. ALPHV was created from the now-non-existent Conti ransomware group and is known for attacking medical care institutions. The group states it has exfiltrated over 6 terabytes of information during the attack and states the stolen information consists of the sensitive data of 2.5 million individuals. Though McLaren Health Care states all its networks are restored online, ALPHV states it still has access to the systems of McLaren Health Care via an active backdoor.

A representative for McLaren Health Care stated it is looking into reports of sensitive information being exposed on the dark web and claims cybersecurity experts have not seen any proof that indicates the group continues to access its IT systems. The potentially exposed data is still being reviewed by McLaren Health Care and will send notification letters to the impacted persons when that procedure is finished. At this point, there is no confirmation yet from McLaren Health Care regarding the number of affected patients.

Other healthcare companies that were recently posted in the group’s data leak website included Pain Care Specialists of Oregon, Prestige Senior Living, and MNGI Digestive Health. Data from MNGI Digestive Health was published on the ALPHV leak website after no ransom payment was made. Currently, there is no exposed McLaren Health Care information on the group’s leak website.

Cyberattack on Mount Graham Regional Medical Center

Mount Graham Regional Medical Center based in Safford, AZ, encountered a cyberattack that affected its network, including its data and communications programs. The medical center confirmed in a press release that it is looking into the matter to find out the scope of the event and if patient information was exposed.

A representative of the medical facility affirmed that it has notified law enforcement and third-party specialists were involved to help with the investigation. If the exposure or compromise of patient data is confirmed, the provider will mail notification letters without delay.

DHS Recommends Harmonizing Cyber Incidents Reports When Submitted to the Federal Government

The U.S. Department of Homeland Security (DHS) has submitted a report to Congress including recommendations about cyber
incidents reporting to the Federal government. Reports can be harmonized to better safeguard the critical infrastructure of the nation.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) mandates the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to create the requirements for the new cyber incident reporting. Presently, there’s a patchwork of cyber incident reporting requirements throughout the Federal government and the bigger ecosystem. A number of the reporting requirements are about national security, public safety, or economic security, and a few include investor, consumer, or privacy considerations.

To avert duplication and synchronize the reporting of cyber incidents, CIRCIA created a Cyber Incident Reporting Council (CIRC) to coordinate, de-conflict, and harmonize Federal incident reporting requirements and mandates the Secretary of the DHS to submit a report to Congress that determines duplicative reporting specifications, problems to synchronize, the actions the CISA Director wants to do to enable synchronization and suggested legislative revisions to deal with duplicative reporting.

The report contains a number of suggestions for lowering the present difficulty of submitting cyber incident reports, which includes using

  • a model definition for reportable cyber incidents
  • model timelines for reporting
  • ways to better align the content of cyber incident reports
    to move toward using a model reporting form that all federal agencies can adopt

At this time, there are 52 various cyber incident reporting specifications throughout the federal government that are in effect or are proposed. Various agencies got their own reporting specifications, mechanisms, timelines, and ways for understanding reports, and they usually employ various languages to define security events and have varying reporting thresholds.

Certain reporting entities are under more than one federal institution and need to submit a few reports concerning security events, which could be at a moment when they are dealing with and managing cyber events. For example, certain entities need to submit security incident report to the Federal Trade Commission (FTC) Breach Notification Rule as well as the final rule of the SEC on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, whereas there are 8 federal bureaus that demand the reporting of incidents with a cyber nexus for the financial services industry. In the healthcare industry, incidents may need to be reported to the HHS’ Office for Civil Rights, the Food and Drug Administration, and the FTC. The cyber events that require a number of reports may have resulted in breaches of various types of information in distinct systems, and although they may be categorized as individual data breaches they may all have happened during a similar cyber event. This double security incident reporting puts unneeded complexity.

The DHS has proposed that all federal agencies use a model definition of a reportable cyber event, a proposal for which is contained in the report that was created according to a number of suggested practices that are mandated by federal bureaus for describing a reportable cyber incident. The DHS proposes the use of the model by all federal bureaus, as long as is practicable.

The use of model timelines and triggers was likewise suggested, and the DHS proposed that model language be created for late public notifications concerning cyber incidents, for example, when delays are needed to avert alarming a threat actor about the detection of a breach. The DHS has additionally suggested that federal bureaus examine the probability of leveraging a model form for cyber incident reporting and integrating into the report form common data elements, web portals, and other submission systems to make the reporting process simple for reporting entities.

The DHS likewise proposes improving communication among federal agencies and improving present reporting systems, ideally including one portal for reporting security events. The DHS has likewise asked Congress to give the required funds and authority to federal bureaus to enable them to gather and share common information elements, as existing laws, may not allow the disclosure of all data, and for Congress to take away any legal or statutory hindrances that could stop the use of the proposed model provisions and forms.

Data Exposed in Prospect Medical Holdings and PurFood LLC Cyberattack

Medical Records from Prospect Ransomware Attack Appear on Dark Web

Health records exfiltrated during the latest ransomware attack on Prospect Medical Holdings are purportedly being sold on the dark web-based on social media information. The notice of the sale is viewed as a hint for Prospect Medical Holdings to immediately react to the ransom demands of hackers.

A ransomware attack on Prospect Medical Holdings health system last August 3 crippled the operations in 17 hospitals and 166 outpatient centers. Back then, the attackers were unidentified. Nonetheless, a notice appeared on the Rhysida dark leak website last week stating that it is responsible for the attack.

At the same time, the notice announced a public sale of the data stolen during the attack, which included over 500,000 driver’s licenses, Social Security Numbers, passports of employees and clients, patient files (profiles and medical backgrounds), legal and financial documents. It is said that the sale includes a 1.3TB SQL database and 1TB of unique files.

The notice came with a number of snapshots of the stolen information a few of which are confirmed as authentic by comparing the pictures to publicly accessible information, and a price tag of 50 Bitcoin ($1,298,340). The price tag included in the notice is meant to speed up a ransom payment.

It is unknown at the moment if the sale will continue or if Prospect Medical Holdings will agree to pay the ransom. A few services are still not available and employees in specific medical departments are using paper and pen for recording. A representative for Prospect Medical Holdings likewise gave the message that Prospect Medical is aware that unauthorized actors stole its data and is investigating the nature of the breach. When the investigation confirms the involvement of any protected health or personal data, the health system will send the proper notifications as outlined by applicable legislation. Since the investigation is in progress, additional data is still not available at this time, but Prospect Medical Holdings is taking all necessary steps to handle this incident.

PHI Exposed in Mom’s Meals Data Breach

PurFood LLC, the parent company of the Mom’s Meals home delivery meal service, has posted on its website a Notice of Data Event and submitted a Data Breach Notification to the Maine Attorney General after a cyberattack at the beginning of this year wherein personal data associated with 1,237,681 clients, workers, and contractors is thought to have been compromised.

PurFood LLC, doing business as Mom’s Meals, offers refrigerated ready-to-eat foods across the country to clients with particular nutritional needs. In addition to providing to private clients, the company works together with over 500 health plans, managed care companies, and other organizations to give access to meals for individuals covered by Medicare and Medicaid.

Based on a Notice of Data Event posted on its website, Mom’s Meals encountered a cyberattack from January 16, 2023 to February 22, 2023, that led to encryption of client, worker, and contractor information. An investigation into the cyberattack showed the use of data exfiltration software programs to transmit information from the servers of PurFood.

The investigation confirmed that the encrypted data contained personal data and PHI associated with a number of people. Nevertheless, there is no certainty that information was extracted, and the Notice of Data Event states that the organization has not seen any proof of the misuse or further disclosure of the personal info because of the Mom’s Meals data breach.

Nevertheless, the organization has submitted a Data Breach Notification to the Maine Attorney General and is informing potentially affected individuals through U.S. Mail. During the time of publication, the company name doesn’t appear on the HIPAA Breach Report. Nevertheless, based on the Data Breach Notification, the breach was recorded on July 10, 2023, which is when it was discovered.

What Data is Thought to be Taken From the Mom’s Meal Data Breach?

The data thought to have been stolen in the Mom’s Meal data breach consists of birth dates, account data, driver’s license numbers, payment card details, medical data, medical record numbers, Medicaid and Medicare identifiers, treatment details, diagnosis codes, meal categories and expenses, medical insurance details, patient ID numbers, and Social Security numbers.

To stop a recurrence of the incident, PurFood mentions in its breach notification letter that it implemented a couple of steps to reinforce its security system and is going over its current guidelines and procedures to recognize any extra measures and safety measures that might be required. It is furthermore offering credit monitoring, identity theft restoration, and fraud consultation services for one year.

People who get a breach notification letter associated with the Mom’s Meals data breach are encouraged to sign up for the credit monitoring services offered by the company, look at any communication from Medicare, Medicaid, or an insurance company to make sure the services were obtained (and report any differences), and keep an eye on their credit report, putting a freeze on the credit when they are worried about being an identity theft victim.

Data Breaches Reported by Seven Healthcare Providers

Johns Hopkins Investigation of Cyberattack and Data Breach

Johns Hopkins Health System and Johns Hopkins University are looking into a cyberattack and data breach that occurred on May 31, 2023
targeting a popular software program. Although there was no mention of the targeted tool in the attack, the date of the breach is the same as the date of the attacks on the MOVEit Transfer managed file transfer solution by Clop/FIN11.

The data breach investigation is still in progress, but the preliminary information suggests that sensitive personal data and financial details were affected, such as names, contact details, and health billing data. Affected individuals will receive notifications in the following weeks as soon as the entire scope of the breach is confirmed. Johns Hopkins has stated that it will provide credit monitoring services to impacted persons. Meanwhile, Johns Hopkins prompts all students, teachers, and their dependents to do something immediately to secure their personal data, such as completing the evaluation of their credit reports, statements, and accounts with strange activity, and getting an alert for fraud and credit freeze by a national credit bureau.

At this point, the number of individuals affected is still not clear.

PHI of 33,000 Maimonides Medical Center Patients Compromised in Cyberattack

Maimonides Medical Center located in Brooklyn, NY reported the unauthorized access to the protected health information (PHI) of around 33,000 patients that was saved on its systems. The medical center discovered the security breach on April 4, 2023 and immediately blocked the unauthorized access. The forensic investigation established the first access happened on March 18, 2023.

The analysis of impacted files showed that most persons just had their names, addresses, and selected clinical data compromised, for example, diagnoses and treatment data; nevertheless, for some people, their Social Security numbers were also compromised. Impacted persons were provided two years of free credit monitoring and identity theft protection services. The medical center hired third-party cybersecurity specialists to look at system security and be sure that enough safety measures were set up, and extra authentication steps were recently enforced.

iSpace Inc. Cyberattack Affects 24,400 Individuals About Data

iSpace, Inc., a company offering insurance eligibility services, has lately begun informing 24,382 people regarding a cyberattack it identified on February 5, 2023. In its notification letter sent to the California Attorney General on May 31, 2023, iSpace mentioned that the forensic team confirmed the occurrence of a system compromise and exfiltration of files from January 30 to February 5, 2023.

The evaluation of the affected files showed that they included names, birth dates, Social Security numbers, diagnosis details, medical insurance group/policy numbers, subscriber numbers, medical insurance data, and prescription details. During the issuance of notifications, there was no report of actual or attempted misuse of the impacted individuals’ data. iSpace stated it employed the assistance of security experts to examine its privacy and security guidelines and practices and will change them as necessary. The late issuance of notifications was because of the long scrutiny and data analysis process, which was finished on March 3, 2023, and the following confirmation of contact details.

Ransomware Attack at Richmond University Medical Center

Richmond University Medical Center (RUMC) located in West Brighton, NY has reported its complete recovery after encountering a ransomware attack in early May. The attack compelled the medical center to deactivate systems and initialize its emergency procedures, and so employees noted patient data by hand as systems were re-established. The investigation of the ransomware attack is in progress to find out the scope of patient information compromised. Affected individuals will receive notification letters after the completion of that process.

PHI of 181,700+ Great Valley Cardiology Patients Exposed

Commonwealth Health Physician Network-Cardiology, also known as Great Valley Cardiology based in Scranton, PA, has informed 181,764 present and past patients concerning a cyberattack and data breach it identified on April 13, 2023. The forensic investigation stated that the data possibly exposed during the attack contained names along with addresses, dates of birth, passport numbers, Social Security numbers, driver’s license numbers, credit/debit card and bank account details, diagnosis, prescription drugs, laboratory test results, and medical insurance/claims details.

Hackers initially acquired access to the systems of Great Valley Cardiology on February 2, 2023. It had access to the systems until April 14, 2023 when the healthcare provider secured its systems. The Department of Homeland Security notified the healthcare provider about the attack. Systems access was acquired due to a successful brute-force attack.

Impacted persons received free credit monitoring and identity theft protection services for two years as a safety measure, even though there was no misuse of patient data reported due to the data breach.

EpiSource Reports Data Breach

EpiSource, the medical coding vendor based in Gardena, CA has reported the potential exposure and compromise of the PHI of patients of its healthcare customers during a cyberattack on its Amazon Web Services (AWS) environment in February 2023.

EpiSource detected the cyberattack on its AWS account on February 20, 2023. The investigation affirmed that an unauthorized person accessed its AWS environment from February 19 to 21, 2023. The forensic investigation affirmed on April 20, 2023, the potential access and theft of health and personal data, such as names, birth dates, addresses, telephone numbers, medical record numbers, health plan ID numbers, provider data, diagnoses, and prescription drugs. EpiSource stated it has enhanced its security controls and tracking practices after the attack. Affected people received one year of free identity theft protection services.

The incident is not yet posted on the HHS’ Office for Civil Rights breach website. Hence, the number of affected individuals is currently uncertain.

25K UPMC Patients Affected by Business Associate Data Breach

University of Pittsburg Medical Center (UPMC) has reported that around 25,000 patients were impacted by a data breach that occurred at a business associate offering billing and collection services. Intellihartx LLC encountered the data breach and sent notifications to the impacted UPMC patients. The breached information included names, Social Security numbers, addresses, and other personal data. Free credit monitoring services were provided to the victims. Intellihartx submitted the breach report to the Maine Attorney General indicating that 489,830 persons were affected.

EyeMed Vision Care and Maxim HealthCare Services Resolve Data Breach Lawsuit

Maxim HealthCare Services Offers to Settle Email Breach Lawsuit

Maxim HealthCare Services offered to settle all claims associated with a cyberattack and data security breach in 2020 wherein unauthorized people accessed several email accounts of employees. The compromise of email accounts happened from October 1, 2020, to December 4, 2020, however, the healthcare organization discovered the unauthorized access only in November 2021.

The analysis of the email accounts affirmed the inclusion of protected health information (PHI) like names, addresses, birth dates, telephone numbers, names of providers, medical histories, health conditions, treatment data, medical record numbers, patient account numbers, diagnosis codes, Medicaid/Medicare numbers, usernames/passwords, and a number of Social Security numbers. Maxim HealthCare Services reported to the HHS’ Office for Civil Rights that the breach affected 65,267 individuals.

In response to the data breach, the Wilson, et al. v. Maxim Healthcare Services Inc. lawsuit was filed in the Superior Court of the State of California County of San Diego that claimed Maxim HealthCare Services did not use proper security procedures to avert unauthorized access to patient information. Maxim HealthCare Services decided to resolve the lawsuit to steer clear of the uncertainty of trial and additional legal expenses. Maxim HealthCare Services does not admit all claims stated in the lawsuit and take the position there was no wrongdoing. The settlement offer is applicable to all persons who were advised that they were impacted by the breach and that their PHI was exposed.

According to the terms of the settlement, each class member can file claims up to as much as $5,000 for repayment of extraordinary expenses sustained due to the data breach, which include around three hours of lost time valued at $20 an hour. California Residents from October 1, 2020 to December 4, 2020, are eligible to get a fixed monetary benefit of around $100 which could be mixed with claims for repayment of extraordinary expenditures. All class members are entitled to get complimentary identity theft protection services for 12 months, irrespective of whether they file a claim.

The last day for filing an objection to or exclusion from the offered settlement is June 23, 2023. The last day for filing claims is July 24, 2023. The schedule of the final approval hearing is on July 28, 2023. Maxim HealthCare Services has put in place or will implement extra security procedures to avoid the same occurrences later on.

EyeMed Vision Care Pays $2.5 Million to Resolve Multistate Data Breach Investigation

EyeMed Vision Care is a vision insurance company owned by the Luxottica Group PIVA. In June 2020, the company encountered a data breach affecting 2.1 million patients’ PHI. An unauthorized person acquired access to the email account of an employee that included roughly 6 years of personal and medical data such as names, contact details, birth dates, vision insurance account/ID numbers, health diagnoses and conditions, treatment data, and Social Security numbers. The unauthorized entity then utilized the email account to send about 2,000 phishing emails.

State attorneys general are authorized to look into data breaches and can issue penalties to organizations that violate the HIPAA. State attorneys general in New Jersey, Oregon, and Florida launched a multi-state investigation into the data breach that occurred at EyeMed. Later, Pennsylvania also joined the multistate action. The state attorneys general wanted to confirm if the data breach was avoidable and if it was due to non-compliance with the HIPAA Security Rule and also state data protection regulations.

The investigation found data security breakdowns that violated HIPAA and state regulations. As per the HIPAA and state data protection regulations, entities that gather, retain, or process sensitive personal and medical data have to use technical, administrative, and physical safety measures to protect the confidentiality, availability, and integrity of that data. But EyeMed lacked those safety measures. The investigation showed a failure to be sure all individuals having access to PHI had a unique username and password. A number of EyeMed employees were identified to be using just one password for an email account that was utilized for communicating sensitive data, which includes PHI associated with vision benefits enrollment and insurance coverage.

As per the terms of the settlement, EyeMed consented to pay $2.5 million in financial penalties, which will be given to Florida, New Jersey, Oregon, and Pennsylvania. The terms of settlement additionally require EyeMed to be sure to comply with the HIPAA law, the state personal information protection acts, and the state consumer protection acts. EyeMed should be sure that it is not misrepresented to the extent that it keeps and secures the privacy, confidentiality, or security of consumer data.

The data security specifications of the settlement consist of the creation, implementation, and upkeep of a written data security plan; upkeep of sensible policies and procedures regulating the collection, usage, and maintenance of patient data; and maintenance of proper controls to handle access to all accounts that obtain and transfer sensitive data. ”New Jerseyans depended on EyeMed for their vision care and the company broke that trust with its poor PHI security measures. This is not only a monetary settlement, it’s also about changing companies’ conduct to better safeguard critical patient information.

The Office of the New York Attorney General furthermore looked into EyeMed concerning the data breach and signed another settlement agreement in 2022, which called on EyeMed to give $600,000 as a penalty. In October 2022, EyeMed and the New York Department of Financial Services (NYDFS) consented to a $4.5 million settlement to take care of the supposed violations of the NYDFS (Part 500) cybersecurity rules. The security issues included not restricting employee access rights to email accounts for nine workers, a partial setup of multifactor authentication, risk assessment problems, the insufficiency of an adequate data minimization strategy, and inaccurate submissions of compliance with Part 500 for four years. The settlements with NYDFS and the New York Attorney General additionally had information security specifications, which includes the creation and upkeep of a complete data security program, encryption of information, penetration testing, and multi-factor authentication for every remote access and administrative provider.

HIPAA compliance investigations are different from that of the HHS’ Office for Civil Rights (OCR), which could likewise opt to call for civil monetary penalties for HIPAA violations. OCR didn’t issue any penalty CR as of May 2023 and the incident is noted as closed on the OCR breach website.



The Riskiest Connected Medical Devices and the New NIST CSF 2.0 Core Draft

Because of the Internet of Medical Things (IoMT), it is possible to connect a variety of medical devices to the Internet and operate, configure, and monitore them remotely. These devices can send medical information online to physicians enabling them to quickly take action to alter treatments. The data sent from the devices could be easily added to the electronic medical records. IoMT device usage is growing immensely as it is expected for smart hospitals to double the number of IoMT devices used to 7 million by 2026.

Although there are important benefits to using Internet-connected medical devices, such usage increases the attack surface significantly. There are vulnerabilities in IoMT devices being identified that malicious actors can potentially exploit to get access to the devices and their connected networks. Based on a 2022 FBI report, there is at least one unpatched critical vulnerability found in 53% of IoMT devices and other IoT devices.

Armis, an asset visibility and security company, conducted a detailed analysis of information compiled from medical and IoT devices to determine which IoMT and IOT devices carry the most risk. The Armis Asset Intelligence and Security Platform tracked the data from over 3 billion assets and found the following riskiest connected medical devices.

1. Nurse call systems – 39% of nurse call systems contain unpatched critical vulnerabilities while 48% contain other unpatched vulnerabilities. A malicious actor can exploit a critical vulnerability in a direct or indirect attack and the resulting effects will be critical or significant. In case hackers exploit the vulnerabilities in medical devices, they could access the systems to which the devices connect with, take sensitive information, or change the settings of the devices and put patients in danger.

2. Infusion pumps – 27% of analyzed infusion pumps have at least one unpatched critical flaw while 30% have other unpatched vulnerabilities

3. Medication dispensing systems – 4% of analyzed systems have unpatched critical flaws while 86% have other unpatched vulnerabilities. According to Armis, 32% of the analyzed medication dispensing systems were using unsupported versions of Windows. In all connected medical devices, 19% were using unsupported operating systems considering that IoMT devices usually outlive the lifespans of their operating systems.

IoT devices could likewise bring in substantial risks and give hackers an easy way to get a foothold in healthcare systems. Armis lists the following riskiest IoT devices:

1. IP cameras in healthcare environments – 56% of IP cameras contain unpatched critical vulnerabilities and 59% contain other unpatched vulnerabilities

2. Printers – 37% contain unpatched critical vulnerabilities and 30% contain other unpatched vulnerabilities

3. VoIP devices – 53% contain unpatched critical vulnerabilities and 2% contain other unpatched vulnerabilities

Developments in technology are important to enhance the speed and excellence of care delivery. The healthcare industry is facing a scarcity of care providers, but with more connected care, there is a bigger attack surface, states Mohammad Waqas, Armis’ Principal Solutions Architect for Healthcare. Securing medical and IoT-connected devices, even the building management systems by visual and continuous contextualized monitoring is important to ensuring patient safety.

The increasing volume of wireless, Internet- and network-connected devices and growing cybersecurity threats attacking the healthcare industry made the U.S. Food and Drug Administration (FDA) do something. Companies of medical devices will shortly be obligated to give details concerning the cybersecurity of their units in pre-market submissions to strengthen medical device cybersecurity. The requirements will include

  • a software bill of materials that will help identify and patch the vulnerable parts
  • cybersecurity steps to protect the devices and sensitive information
  • a security plan to address changes throughout the lifespan of the devices

Discussion Draft of NIST CSF 2.0 Core Released by NIST

The National Institute of Standards and Technology (NIST) is currently making changes to the NIST Cybersecurity Framework (CSF) 1.1 and will publish the full draft version 2.0 soon. It published a discussion draft that includes revisions to the Core elements of the Framework. NIST is soliciting feedback on improving the Framework prior to publishing the complete draft. The NIST CSF 2.0 Core addresses the results of the 6 Functions, 21 Categories, and 112 Subcategories and consists of a sample of possible new CSF 2.0 Informative Examples. Though the discussion draft is not yet finished and is just initial, it was released to enhance transparency and show the progress of the finished draft.

Changes were done to the NIST CSF 1.1 to enhance clarity, make sure a steady level of abstraction, deal with developments in technologies and risks, and enhance alignment with domestic and international cybersecurity criteria and procedures. NIST has gotten remarks that version 1.1 of the Framework remains effective at responding to cybersecurity risks yet felt a change was necessary to make it simpler for companies to handle present risks and upcoming cybersecurity issues more efficiently.

NIST got 92 written replies to its January 2023 CSF 2.0 concept paper, comments from working consultations and workshops, 134 written reactions to its February 2022 NIST Cybersecurity RFI, and recommendations at conventions, webinars, roundtables, and events all over the world. All responses were thought of when creating the updated Framework.

Particularly, NIST wants comments on whether the cybersecurity solutions shared in the discussion draft resolve the present difficulties encountered by companies, are in-line with current cybersecurity strategies and resources, and if the updates took care of the submitted feedback. NIST stated recommendations may also be submitted on any parts of the framework where additional enhancements could be made, which include the content, format, and extent of the implementation samples.

NIST has affirmed that other elements of the Framework will be updated and stated there is still a lot of work to do before the intended summer launch of the complete NIST CSF 2.0 draft.

Download and read the discussion draft here.


Feds Share Current Threat Intelligence on LockBit 3.0 Ransomware and $10.3 Billion Losses Due to Cybercrime

The Federal Bureau of Investigation (FBI), the Multi-State Information Sharing & Analysis Center (MS-ISAC), and the Cybersecurity and Infrastructure Security Agency (CISA), issued a joint cybersecurity alert about LockBit 3.0 ransomware, also referred to as LockBit Black.

The LockBit ransomware gang has been active since September 2019. The group carried out more attacks compared to other ransomware operation in 2022. It has been approximated that LockBit ransomware is linked to about 40% of all ransomware attacks around the world. The group is thought to have done over 1,000 attacks on companies in the United States and has earned over $100 million in ransom.

LockBit as a ransomware-as-a-service operation gets affiliates to conduct attacks in exchange for a percentage of the ransom payments. The group uses double extortion tactics, which entails stealing files before encryption and issuing threats to expose or market the stolen information when there is no ransom payment. Victims are generally small- to medium-sized companies, though there had been attacks on large companies. The average ransom demand is about $85,000 per victim.

The ransomware is actively created and improved into LockBit 2.0 in 2021, then LockBit 3.0 in June 2022. LockBoit 3.0 has attributes comparable to that of BlackMatter ransomware, and it’s likely that a number of the same code was used. Preliminary access to victim systems is acquired through different strategies, which include buying access from preliminary access brokers, insider access, taking advantage of unpatched and zero-day vulnerabilities, Remote Desktop Protocol (RDP) exploitation, and phishing. Affiliates make use of

  • Stealbit – a customized data extraction tool
  • rclone – an open-source software for cloud storage management
  • MEGA – a publicly available file sharing services like to extract stolen information.

The group was responsible for the attacks on the following companies and others:

  • Continental – the German auto parts manufacturer
  • Advanced – the NHS vendor, which impacted 16 clients in the medical and social care market
  • Accenture – IT company
  • UK’s Royal Mail

In December 2022, an affiliate of LockBit attacked The Hospital for Sick Children (SickKids) located in Toronto. The group sent an apology to the victim and gave a free decryptor saying the group has kicked out the affiliate for breaking its agreements which forbid attacks on healthcare organizations where attacks may bring about death, such as cardiology centers, maternity hospitals, and neurosurgical departments. But the group permits attacks on pharmaceutical companies, plastic surgeons, and dentists. These guidelines aren’t always imposed, seeing that LockBit affiliates have carried out attacks on hospitals in past times and did not provide free decryptors, for example, the attack on France’s Center Hospitalier Sud Francilien (CHSF).

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center released a threat alert analyst  regarding LockBit 3.0 in December 2022 after knowing about attacks on the Healthcare and Public Healthcare (HPH) industry, and irrespective of the group’s statements, HC3 is convinced LockBit 3.0 presents a danger to the HPH industry. The Joint Cybersecurity advisory  from CISA, the FBI, and MS-ISAC gives information on the most recent tactics, techniques, and procedures (TTPs) linked to the group, Indicators of Compromise (IoCs) technical data for system defenders, and advised mitigations for enhancing cybersecurity stance.

FBI: $10.3 Billion Losses Due to Cybercrime Depicts 49% Increase in 2022

The Federal Bureau of Investigation (FBI) has shared its 2022 Internet Crime Report. According to the report, Cybercrime in 2022 resulted in $10.3 billion losses, higher by 49% or $3.4 billion than in 2021, even though complaints decreased by 5% or 800,944. In the last 5 years, the FBI Internet Crime Complaint Center (IC3) had seen over $27.6 billion in losses from 3.26 million complaints.

According to FBI’s report, ransomware attacks decreased by 36% year-over-year. There were 3,729 complaints received in 2021 compared to 2,385 complaints received in 2022. Even with this decrease, the FBI states that ransomware still presents a substantial risk, particularly to the healthcare industry, which is number one of the 16 critical infrastructure industries targeted by ransomware attacks in 2022 and pretty much saw a rise in complaints. Healthcare companies filed 210 ransomware complaints with IC3 in 2022, whereas it filed only 148 in 2021.

The FBI has noticed more double extortion tactics used in ransomware attacks, in which the attacker steals data before file encryption and demands a payment to get the decryption keys and to stop the exposure or sale of the stolen information. LockBit was linked to 149 reported ransomware attacks; ALPHV/BlackCat was lined to 114 attacks, while Hive was linked to 87 attacks.

A number of cybercriminal groups that have conducted ransomware attacks in the past have turned to extortion-only attacks. That is, stealing data and demanding ransom without encrypting files. The FBI’s records indicate extortion attacks have stayed flat, escalating just a little bit from 39,360 complaints (2021) to 39,416 complaints (2022).

Phishing is still one of the most popular attack methods with 300,497 incident reports, though phishing attacks droppped by 7% year over year. Even with that decrease, phishing continues to be the most prevalent crime type when it comes to victim count with 58,859 complaints, whereas non-delivery/non-payment has 51,679 complaints.

Business email compromise (BEC) placed 9th out of all types of crimes when it comes to complaints; however it placed 2nd when it comes to reported losses. In 2022, the cost sustained due to BEC attacks totals $2,742,354,049. BEC attacks grew by 9% year-over-year though losses due to frauds decreased by 14.5%. BEC was overtaken this year by investment frauds, which had $3,311,742,206 reported losses, higher by 127% than in 2021. The FBI reports an unparalleled escalation in crypto investment tactics in 2022 when it comes to both number of victim count and losses.

There was a significant escalation in tech assistance for scams in 2022, which went up to 3rd place when it comes to losses. Tech assistance scam complaints increased by 36% year-over-year with 32,538 complaints and deficits due to these incidents increased by about 132% or $806,551,993.

The FBI pointed out the importance of reporting cases of cybercrime of any type. Verified assistance will be given to attempt to recoup losses. The IC3 Recovery Asset Team (RAT) got a 73% success rate in freezing money and limiting losses. From $590.62 million in reported deficits throughout 2,838 cases$433.30 million in cash has been froze .

Increasing Cyber Attacks on RDP, Cloud Databases and Third-Party Vendors

Malicious actors use various ways to acquire preliminary access to victims’ systems. However, in 2022, cybercriminal gangs seemed to concentrate on attacking cloud databases and Remote Desktop Protocol, stated by cyber insurance company Coalition. RDP is a very common way for initial access brokers (IABs) and ransomware groups to acquire access to the networks of victims. RDP is certainly the most frequently employed remote-scanning by threat actors. In 2022, RDP scanning traffic was quite high as information gathered from Coalition’s honeypots showing RDP scans was 37.67% of all observed scans. Every time a new vulnerability is discovered in RDP, scans escalate as threat actors hurry to select targets that may be attacked.

Ransomware is still a major problem. In 2022, the groups more and more attacked cloud databases, particularly MongoDB and Elasticsearch databases, a significant number of which were snagged by ransomware groups. The team found 2,846 Elasticsearch databases and 68,423 MongoDB databases attacked by ransomware in 2022.

The reports of new software vulnerabilities continue to grow in the last 6 years. 2022 had over 23,000 new common IT vulnerabilities and exposures (CVEs) identified, the greatest number among all the years thus far. Coalition forecasts this trend will carry on in 2023 and expects over 1,900 new CVEs appearing every month – a 13% expected increase from 2022. Every month, Coalition is looking at an average of 155 critical vulnerabilities and 270 high-severity vulnerabilities and explained that companies must be cautious and be updated on patching and immediately deal with the security breaks.

With a lot of vulnerabilities currently being reported, patching is a big concern. Considering the many vulnerabilities that need to be resolved by security teams, patching is usually slow-moving, and that allows hackers to have more chances to take advantage of the vulnerabilitites. Immediate patching is important, since most of the newly exposed CVEs are taken advantage of by cybercriminals in 30 days of publicizing the vulnerabilities. The most number is exploited in 90 days. Exploitation could happen unbelievably fast. For example, attackers exploited CVE-2022-40684, the Fortinet vulnerability, in just 2 days after making the public announcement.

Malicious actors usually concentrate on exploiting a small set of vulnerabilities. If they find new vulnerabilities that could be exploited, they are likely to follow their proven exploits and strike as many businesses they can. Although the objective of security teams is to make sure to patch all vulnerabilities immediately, it’s an almost impossible job considering the big number of reported vulnerabilities. The biggest gains can come by putting patching first and making sure the most frequently exploited vulnerabilities are patched first of all. The Cybersecurity and Infrastructure Security Agency (CISA) keeps a listing of identified exploited vulnerabilities, and every year publishes a listing of the most frequently exploited vulnerabilities. All the listed vulnerabilities must be given priorty and patched first.

It is a challenge to effectively prioritize patching because it isn’t always obvious which vulnerabilities are going to be exploited. IT teams usually evaluate vulnerabilities with the CVSS severity score and Exploit Prediction Scoring System (EPSS), still this data is not always readily available at first disclosure of vulnerabilities. Coalition has circumvented this issue by creating the Coalition Exploit Scoring System (CESS) to rate vulnerabilities. CESS utilizes deep learning models that could forecast the CVSS score for a vulnerability according to its description, the possibility of developing an exploit fast according to past availability of exploit for CVEs, and the possibility of using the exploit against Coalition policyholders by recreating earlier attacks.

With a lot of vulnerabilities to deal with, systems frequently remain unpatched for many years, so big swaths of the web are unprotected. Leaders in charge of securing the network require the most appropriate and useful data to take action – and they require an efficient way to prioritize which CVEs to react to. The Coalition has tried to offer that required circumstance and the CVSS/CESS framework to aid cybersecurity frontrunners and practitioners to make educated choices regarding their digital risk and respond immediately to threatening vulnerabilities.

Healthcare Companies Most Frequently Affected by 3rd Party Data Breaches

Attacks on business associates of healthcare companies have gone up to the point that they exceed the number of attacks on healthcare companies. Besides a rise in cyberattacks on third-party vendors, the effect and damage resulting from those attacks have likewise gone up, as per the latest report by Black Kite, a vendor risk management firm.

Every year, Black Kite’s Third-Party Breach Reports evaluates the effect of third-party cyberattacks and data breaches. This 2023, there were 63 third-party breaches analyzed along with the 298 companies impacted. The report stated a doubling of the effect and damage resulting from those breaches. In 2021, about 2.46 companies were impacted by third-party breaches. The number of impacted companies grew to about 4.73 per breach in 2022.

In 2022, 40% of attacks on third parties resulting in data breaches was due to unauthorized system access. Black Kite states that these kinds of attacks grew to such high numbers because of remote workers that makes it possible for cybercriminals to exploit vulnerabilities. 27% of 2022’s third-party breaches involved the use of ransomware; but there was a slight decrease in year-over-year cyberattacks. Black Kite states that the decrease was because of the reduced Russian sanctions, which cut down the Russian cybercriminals’ capability to execute ransomware attacks. The following are the other causes of data breaches: unsecured servers (9.5% of data breaches), earrings (6.3%), phishing (3.2%), and malware (3.2%).

Other notable results reported by Black Kite is an increase in the time of issuing breach notifications to affected companies. There was about 50% increase to the average year-over-year time, which is 108 days from the date of discovering the attack. With the late notifications, cybercriminals get more time to steal and misuse data, causing more problems. The most targeted third parties are technical service vendors (30%) followed by vendors of healthcare services and software services. Healthcare providers were typical third-party breach victims (34.9% in 2022), followed by finance and government (each at 14%).

Global business ecosystems are becoming more complicated, with every company becoming more affected by the cybersecurity mode of their third party vendors. The fact is a company’s attack surface is bigger than the things it can control. Therefore, it is important to assess and keep track of your extended ecosystem to identify vulnerabilities and do something to avoid problems.

OIG Finds Vulnerability Management and Remediation Inadequacies at Alabama VA Medical Center

The VA Office of Inspector General (OIG) examined the data security at Tuscaloosa VA Medical Center located in Alabama and found inadequacies in three out of the four evaluated security control sections. The OIG inspection included contingency planning, configuration management, security management, and access controls, with inadequacies found in configuration management, access controls, and security management.

Configuration management controls are needed to spot and handle security functions for all hardware and software parts of a data system. OIG discovered inadequacies in database scans, vulnerability management, and remediation. The Office of Information and Technology (OIT) regularly scans for vulnerabilities, and when OIG and OIT utilized similar vulnerability-scanning tools, OIT did not discover all vulnerabilities. OIG found 119 critical-risk vulnerabilities that OIT couldn’t identify. OIG additionally found 301 vulnerabilities that were not mitigated in the expected 30- or 60-days. There were 134 critical-risk vulnerabilities determined on 14% of devices, and there were 134 high-risk vulnerabilities identified on 46% of devices. One high-risk vulnerability was not patched for 7 years.

A number of devices were found to be lacking crucial security patches, which were accessible but were not applied, which put VA systems in danger of unauthorized access, modification, or breakdown. Although database scans are done each quarter, OIT just provided scans for 50 % of the databases, because it could not access all databases as a result of port-filtering problems. Without the finished scans, OIT wouldn’t know of security control flaws that can affect the security position of databases.

Security management settings were evaluated, and OIG discovered one deficiency: a number of actionable plans and milestones were not found or didn’t have adequate information to be actionable. Four access control inadequacies were discovered associated with network segmentation, environmental controls, audit and monitoring controls, and emergency power.

Network segmentation is necessary for medical devices and special-purpose systems, which ought to be put on singled-out systems for protection. A number of network segments that included medical and special-purpose systems didn’t have the required network segmentation controls. 19 network segments made up of 221 medical devices and special-purpose systems didn’t have access control lists used, which permitted any user to gain access to those devices. Logs must be monitored to assess the efficiency of security controls, identify attacks, and investigate at the time of or following any attacks. 50 % of the databases of the Tuscaloosa VAMC were missing. The missing records were for the databases that were not put through vulnerability scanning.

A number of communication rooms were lacking temperature or humidity adjustments, which can have a considerable negative effect on the accessibility of systems, and uninterruptible power supplies were likewise found to be gone, meaning infrastructure equipment would stop to work in power imbalances or outages, bringing about the interruption of information flow and interruption to network resources access.

OIG created 8 recommendations to deal with the inadequacies, 6 to the assistant secretary for data and technology and chief data officer associated with the security problems, and 2 to the Tuscaloosa VAMC director, who needs to make sure communication rooms have enough environmental adjustments and uninterruptible power resources for infrastructure equipment.