EyeMed Vision Care and Maxim HealthCare Services Resolve Data Breach Lawsuit

Maxim HealthCare Services Offers to Settle Email Breach Lawsuit

Maxim HealthCare Services offered to settle all claims associated with a cyberattack and data security breach in 2020 wherein unauthorized people accessed several email accounts of employees. The compromise of email accounts happened from October 1, 2020, to December 4, 2020, however, the healthcare organization discovered the unauthorized access only in November 2021.

The analysis of the email accounts affirmed the inclusion of protected health information (PHI) like names, addresses, birth dates, telephone numbers, names of providers, medical histories, health conditions, treatment data, medical record numbers, patient account numbers, diagnosis codes, Medicaid/Medicare numbers, usernames/passwords, and a number of Social Security numbers. Maxim HealthCare Services reported to the HHS’ Office for Civil Rights that the breach affected 65,267 individuals.

In response to the data breach, the Wilson, et al. v. Maxim Healthcare Services Inc. lawsuit was filed in the Superior Court of the State of California County of San Diego that claimed Maxim HealthCare Services did not use proper security procedures to avert unauthorized access to patient information. Maxim HealthCare Services decided to resolve the lawsuit to steer clear of the uncertainty of trial and additional legal expenses. Maxim HealthCare Services does not admit all claims stated in the lawsuit and take the position there was no wrongdoing. The settlement offer is applicable to all persons who were advised that they were impacted by the breach and that their PHI was exposed.

According to the terms of the settlement, each class member can file claims up to as much as $5,000 for repayment of extraordinary expenses sustained due to the data breach, which include around three hours of lost time valued at $20 an hour. California Residents from October 1, 2020 to December 4, 2020, are eligible to get a fixed monetary benefit of around $100 which could be mixed with claims for repayment of extraordinary expenditures. All class members are entitled to get complimentary identity theft protection services for 12 months, irrespective of whether they file a claim.

The last day for filing an objection to or exclusion from the offered settlement is June 23, 2023. The last day for filing claims is July 24, 2023. The schedule of the final approval hearing is on July 28, 2023. Maxim HealthCare Services has put in place or will implement extra security procedures to avoid the same occurrences later on.

EyeMed Vision Care Pays $2.5 Million to Resolve Multistate Data Breach Investigation

EyeMed Vision Care is a vision insurance company owned by the Luxottica Group PIVA. In June 2020, the company encountered a data breach affecting 2.1 million patients’ PHI. An unauthorized person acquired access to the email account of an employee that included roughly 6 years of personal and medical data such as names, contact details, birth dates, vision insurance account/ID numbers, health diagnoses and conditions, treatment data, and Social Security numbers. The unauthorized entity then utilized the email account to send about 2,000 phishing emails.

State attorneys general are authorized to look into data breaches and can issue penalties to organizations that violate the HIPAA. State attorneys general in New Jersey, Oregon, and Florida launched a multi-state investigation into the data breach that occurred at EyeMed. Later, Pennsylvania also joined the multistate action. The state attorneys general wanted to confirm if the data breach was avoidable and if it was due to non-compliance with the HIPAA Security Rule and also state data protection regulations.

The investigation found data security breakdowns that violated HIPAA and state regulations. As per the HIPAA and state data protection regulations, entities that gather, retain, or process sensitive personal and medical data have to use technical, administrative, and physical safety measures to protect the confidentiality, availability, and integrity of that data. But EyeMed lacked those safety measures. The investigation showed a failure to be sure all individuals having access to PHI had a unique username and password. A number of EyeMed employees were identified to be using just one password for an email account that was utilized for communicating sensitive data, which includes PHI associated with vision benefits enrollment and insurance coverage.

As per the terms of the settlement, EyeMed consented to pay $2.5 million in financial penalties, which will be given to Florida, New Jersey, Oregon, and Pennsylvania. The terms of settlement additionally require EyeMed to be sure to comply with the HIPAA law, the state personal information protection acts, and the state consumer protection acts. EyeMed should be sure that it is not misrepresented to the extent that it keeps and secures the privacy, confidentiality, or security of consumer data.

The data security specifications of the settlement consist of the creation, implementation, and upkeep of a written data security plan; upkeep of sensible policies and procedures regulating the collection, usage, and maintenance of patient data; and maintenance of proper controls to handle access to all accounts that obtain and transfer sensitive data. ”New Jerseyans depended on EyeMed for their vision care and the company broke that trust with its poor PHI security measures. This is not only a monetary settlement, it’s also about changing companies’ conduct to better safeguard critical patient information.

The Office of the New York Attorney General furthermore looked into EyeMed concerning the data breach and signed another settlement agreement in 2022, which called on EyeMed to give $600,000 as a penalty. In October 2022, EyeMed and the New York Department of Financial Services (NYDFS) consented to a $4.5 million settlement to take care of the supposed violations of the NYDFS (Part 500) cybersecurity rules. The security issues included not restricting employee access rights to email accounts for nine workers, a partial setup of multifactor authentication, risk assessment problems, the insufficiency of an adequate data minimization strategy, and inaccurate submissions of compliance with Part 500 for four years. The settlements with NYDFS and the New York Attorney General additionally had information security specifications, which includes the creation and upkeep of a complete data security program, encryption of information, penetration testing, and multi-factor authentication for every remote access and administrative provider.

HIPAA compliance investigations are different from that of the HHS’ Office for Civil Rights (OCR), which could likewise opt to call for civil monetary penalties for HIPAA violations. OCR didn’t issue any penalty CR as of May 2023 and the incident is noted as closed on the OCR breach website.



The Riskiest Connected Medical Devices and the New NIST CSF 2.0 Core Draft

Because of the Internet of Medical Things (IoMT), it is possible to connect a variety of medical devices to the Internet and operate, configure, and monitore them remotely. These devices can send medical information online to physicians enabling them to quickly take action to alter treatments. The data sent from the devices could be easily added to the electronic medical records. IoMT device usage is growing immensely as it is expected for smart hospitals to double the number of IoMT devices used to 7 million by 2026.

Although there are important benefits to using Internet-connected medical devices, such usage increases the attack surface significantly. There are vulnerabilities in IoMT devices being identified that malicious actors can potentially exploit to get access to the devices and their connected networks. Based on a 2022 FBI report, there is at least one unpatched critical vulnerability found in 53% of IoMT devices and other IoT devices.

Armis, an asset visibility and security company, conducted a detailed analysis of information compiled from medical and IoT devices to determine which IoMT and IOT devices carry the most risk. The Armis Asset Intelligence and Security Platform tracked the data from over 3 billion assets and found the following riskiest connected medical devices.

1. Nurse call systems – 39% of nurse call systems contain unpatched critical vulnerabilities while 48% contain other unpatched vulnerabilities. A malicious actor can exploit a critical vulnerability in a direct or indirect attack and the resulting effects will be critical or significant. In case hackers exploit the vulnerabilities in medical devices, they could access the systems to which the devices connect with, take sensitive information, or change the settings of the devices and put patients in danger.

2. Infusion pumps – 27% of analyzed infusion pumps have at least one unpatched critical flaw while 30% have other unpatched vulnerabilities

3. Medication dispensing systems – 4% of analyzed systems have unpatched critical flaws while 86% have other unpatched vulnerabilities. According to Armis, 32% of the analyzed medication dispensing systems were using unsupported versions of Windows. In all connected medical devices, 19% were using unsupported operating systems considering that IoMT devices usually outlive the lifespans of their operating systems.

IoT devices could likewise bring in substantial risks and give hackers an easy way to get a foothold in healthcare systems. Armis lists the following riskiest IoT devices:

1. IP cameras in healthcare environments – 56% of IP cameras contain unpatched critical vulnerabilities and 59% contain other unpatched vulnerabilities

2. Printers – 37% contain unpatched critical vulnerabilities and 30% contain other unpatched vulnerabilities

3. VoIP devices – 53% contain unpatched critical vulnerabilities and 2% contain other unpatched vulnerabilities

Developments in technology are important to enhance the speed and excellence of care delivery. The healthcare industry is facing a scarcity of care providers, but with more connected care, there is a bigger attack surface, states Mohammad Waqas, Armis’ Principal Solutions Architect for Healthcare. Securing medical and IoT-connected devices, even the building management systems by visual and continuous contextualized monitoring is important to ensuring patient safety.

The increasing volume of wireless, Internet- and network-connected devices and growing cybersecurity threats attacking the healthcare industry made the U.S. Food and Drug Administration (FDA) do something. Companies of medical devices will shortly be obligated to give details concerning the cybersecurity of their units in pre-market submissions to strengthen medical device cybersecurity. The requirements will include

  • a software bill of materials that will help identify and patch the vulnerable parts
  • cybersecurity steps to protect the devices and sensitive information
  • a security plan to address changes throughout the lifespan of the devices

Discussion Draft of NIST CSF 2.0 Core Released by NIST

The National Institute of Standards and Technology (NIST) is currently making changes to the NIST Cybersecurity Framework (CSF) 1.1 and will publish the full draft version 2.0 soon. It published a discussion draft that includes revisions to the Core elements of the Framework. NIST is soliciting feedback on improving the Framework prior to publishing the complete draft. The NIST CSF 2.0 Core addresses the results of the 6 Functions, 21 Categories, and 112 Subcategories and consists of a sample of possible new CSF 2.0 Informative Examples. Though the discussion draft is not yet finished and is just initial, it was released to enhance transparency and show the progress of the finished draft.

Changes were done to the NIST CSF 1.1 to enhance clarity, make sure a steady level of abstraction, deal with developments in technologies and risks, and enhance alignment with domestic and international cybersecurity criteria and procedures. NIST has gotten remarks that version 1.1 of the Framework remains effective at responding to cybersecurity risks yet felt a change was necessary to make it simpler for companies to handle present risks and upcoming cybersecurity issues more efficiently.

NIST got 92 written replies to its January 2023 CSF 2.0 concept paper, comments from working consultations and workshops, 134 written reactions to its February 2022 NIST Cybersecurity RFI, and recommendations at conventions, webinars, roundtables, and events all over the world. All responses were thought of when creating the updated Framework.

Particularly, NIST wants comments on whether the cybersecurity solutions shared in the discussion draft resolve the present difficulties encountered by companies, are in-line with current cybersecurity strategies and resources, and if the updates took care of the submitted feedback. NIST stated recommendations may also be submitted on any parts of the framework where additional enhancements could be made, which include the content, format, and extent of the implementation samples.

NIST has affirmed that other elements of the Framework will be updated and stated there is still a lot of work to do before the intended summer launch of the complete NIST CSF 2.0 draft.

Download and read the discussion draft here.


Feds Share Current Threat Intelligence on LockBit 3.0 Ransomware and $10.3 Billion Losses Due to Cybercrime

The Federal Bureau of Investigation (FBI), the Multi-State Information Sharing & Analysis Center (MS-ISAC), and the Cybersecurity and Infrastructure Security Agency (CISA), issued a joint cybersecurity alert about LockBit 3.0 ransomware, also referred to as LockBit Black.

The LockBit ransomware gang has been active since September 2019. The group carried out more attacks compared to other ransomware operation in 2022. It has been approximated that LockBit ransomware is linked to about 40% of all ransomware attacks around the world. The group is thought to have done over 1,000 attacks on companies in the United States and has earned over $100 million in ransom.

LockBit as a ransomware-as-a-service operation gets affiliates to conduct attacks in exchange for a percentage of the ransom payments. The group uses double extortion tactics, which entails stealing files before encryption and issuing threats to expose or market the stolen information when there is no ransom payment. Victims are generally small- to medium-sized companies, though there had been attacks on large companies. The average ransom demand is about $85,000 per victim.

The ransomware is actively created and improved into LockBit 2.0 in 2021, then LockBit 3.0 in June 2022. LockBoit 3.0 has attributes comparable to that of BlackMatter ransomware, and it’s likely that a number of the same code was used. Preliminary access to victim systems is acquired through different strategies, which include buying access from preliminary access brokers, insider access, taking advantage of unpatched and zero-day vulnerabilities, Remote Desktop Protocol (RDP) exploitation, and phishing. Affiliates make use of

  • Stealbit – a customized data extraction tool
  • rclone – an open-source software for cloud storage management
  • MEGA – a publicly available file sharing services like to extract stolen information.

The group was responsible for the attacks on the following companies and others:

  • Continental – the German auto parts manufacturer
  • Advanced – the NHS vendor, which impacted 16 clients in the medical and social care market
  • Accenture – IT company
  • UK’s Royal Mail

In December 2022, an affiliate of LockBit attacked The Hospital for Sick Children (SickKids) located in Toronto. The group sent an apology to the victim and gave a free decryptor saying the group has kicked out the affiliate for breaking its agreements which forbid attacks on healthcare organizations where attacks may bring about death, such as cardiology centers, maternity hospitals, and neurosurgical departments. But the group permits attacks on pharmaceutical companies, plastic surgeons, and dentists. These guidelines aren’t always imposed, seeing that LockBit affiliates have carried out attacks on hospitals in past times and did not provide free decryptors, for example, the attack on France’s Center Hospitalier Sud Francilien (CHSF).

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center released a threat alert analyst  regarding LockBit 3.0 in December 2022 after knowing about attacks on the Healthcare and Public Healthcare (HPH) industry, and irrespective of the group’s statements, HC3 is convinced LockBit 3.0 presents a danger to the HPH industry. The Joint Cybersecurity advisory  from CISA, the FBI, and MS-ISAC gives information on the most recent tactics, techniques, and procedures (TTPs) linked to the group, Indicators of Compromise (IoCs) technical data for system defenders, and advised mitigations for enhancing cybersecurity stance.

FBI: $10.3 Billion Losses Due to Cybercrime Depicts 49% Increase in 2022

The Federal Bureau of Investigation (FBI) has shared its 2022 Internet Crime Report. According to the report, Cybercrime in 2022 resulted in $10.3 billion losses, higher by 49% or $3.4 billion than in 2021, even though complaints decreased by 5% or 800,944. In the last 5 years, the FBI Internet Crime Complaint Center (IC3) had seen over $27.6 billion in losses from 3.26 million complaints.

According to FBI’s report, ransomware attacks decreased by 36% year-over-year. There were 3,729 complaints received in 2021 compared to 2,385 complaints received in 2022. Even with this decrease, the FBI states that ransomware still presents a substantial risk, particularly to the healthcare industry, which is number one of the 16 critical infrastructure industries targeted by ransomware attacks in 2022 and pretty much saw a rise in complaints. Healthcare companies filed 210 ransomware complaints with IC3 in 2022, whereas it filed only 148 in 2021.

The FBI has noticed more double extortion tactics used in ransomware attacks, in which the attacker steals data before file encryption and demands a payment to get the decryption keys and to stop the exposure or sale of the stolen information. LockBit was linked to 149 reported ransomware attacks; ALPHV/BlackCat was lined to 114 attacks, while Hive was linked to 87 attacks.

A number of cybercriminal groups that have conducted ransomware attacks in the past have turned to extortion-only attacks. That is, stealing data and demanding ransom without encrypting files. The FBI’s records indicate extortion attacks have stayed flat, escalating just a little bit from 39,360 complaints (2021) to 39,416 complaints (2022).

Phishing is still one of the most popular attack methods with 300,497 incident reports, though phishing attacks droppped by 7% year over year. Even with that decrease, phishing continues to be the most prevalent crime type when it comes to victim count with 58,859 complaints, whereas non-delivery/non-payment has 51,679 complaints.

Business email compromise (BEC) placed 9th out of all types of crimes when it comes to complaints; however it placed 2nd when it comes to reported losses. In 2022, the cost sustained due to BEC attacks totals $2,742,354,049. BEC attacks grew by 9% year-over-year though losses due to frauds decreased by 14.5%. BEC was overtaken this year by investment frauds, which had $3,311,742,206 reported losses, higher by 127% than in 2021. The FBI reports an unparalleled escalation in crypto investment tactics in 2022 when it comes to both number of victim count and losses.

There was a significant escalation in tech assistance for scams in 2022, which went up to 3rd place when it comes to losses. Tech assistance scam complaints increased by 36% year-over-year with 32,538 complaints and deficits due to these incidents increased by about 132% or $806,551,993.

The FBI pointed out the importance of reporting cases of cybercrime of any type. Verified assistance will be given to attempt to recoup losses. The IC3 Recovery Asset Team (RAT) got a 73% success rate in freezing money and limiting losses. From $590.62 million in reported deficits throughout 2,838 cases$433.30 million in cash has been froze .

Increasing Cyber Attacks on RDP, Cloud Databases and Third-Party Vendors

Malicious actors use various ways to acquire preliminary access to victims’ systems. However, in 2022, cybercriminal gangs seemed to concentrate on attacking cloud databases and Remote Desktop Protocol, stated by cyber insurance company Coalition. RDP is a very common way for initial access brokers (IABs) and ransomware groups to acquire access to the networks of victims. RDP is certainly the most frequently employed remote-scanning by threat actors. In 2022, RDP scanning traffic was quite high as information gathered from Coalition’s honeypots showing RDP scans was 37.67% of all observed scans. Every time a new vulnerability is discovered in RDP, scans escalate as threat actors hurry to select targets that may be attacked.

Ransomware is still a major problem. In 2022, the groups more and more attacked cloud databases, particularly MongoDB and Elasticsearch databases, a significant number of which were snagged by ransomware groups. The team found 2,846 Elasticsearch databases and 68,423 MongoDB databases attacked by ransomware in 2022.

The reports of new software vulnerabilities continue to grow in the last 6 years. 2022 had over 23,000 new common IT vulnerabilities and exposures (CVEs) identified, the greatest number among all the years thus far. Coalition forecasts this trend will carry on in 2023 and expects over 1,900 new CVEs appearing every month – a 13% expected increase from 2022. Every month, Coalition is looking at an average of 155 critical vulnerabilities and 270 high-severity vulnerabilities and explained that companies must be cautious and be updated on patching and immediately deal with the security breaks.

With a lot of vulnerabilities currently being reported, patching is a big concern. Considering the many vulnerabilities that need to be resolved by security teams, patching is usually slow-moving, and that allows hackers to have more chances to take advantage of the vulnerabilitites. Immediate patching is important, since most of the newly exposed CVEs are taken advantage of by cybercriminals in 30 days of publicizing the vulnerabilities. The most number is exploited in 90 days. Exploitation could happen unbelievably fast. For example, attackers exploited CVE-2022-40684, the Fortinet vulnerability, in just 2 days after making the public announcement.

Malicious actors usually concentrate on exploiting a small set of vulnerabilities. If they find new vulnerabilities that could be exploited, they are likely to follow their proven exploits and strike as many businesses they can. Although the objective of security teams is to make sure to patch all vulnerabilities immediately, it’s an almost impossible job considering the big number of reported vulnerabilities. The biggest gains can come by putting patching first and making sure the most frequently exploited vulnerabilities are patched first of all. The Cybersecurity and Infrastructure Security Agency (CISA) keeps a listing of identified exploited vulnerabilities, and every year publishes a listing of the most frequently exploited vulnerabilities. All the listed vulnerabilities must be given priorty and patched first.

It is a challenge to effectively prioritize patching because it isn’t always obvious which vulnerabilities are going to be exploited. IT teams usually evaluate vulnerabilities with the CVSS severity score and Exploit Prediction Scoring System (EPSS), still this data is not always readily available at first disclosure of vulnerabilities. Coalition has circumvented this issue by creating the Coalition Exploit Scoring System (CESS) to rate vulnerabilities. CESS utilizes deep learning models that could forecast the CVSS score for a vulnerability according to its description, the possibility of developing an exploit fast according to past availability of exploit for CVEs, and the possibility of using the exploit against Coalition policyholders by recreating earlier attacks.

With a lot of vulnerabilities to deal with, systems frequently remain unpatched for many years, so big swaths of the web are unprotected. Leaders in charge of securing the network require the most appropriate and useful data to take action – and they require an efficient way to prioritize which CVEs to react to. The Coalition has tried to offer that required circumstance and the CVSS/CESS framework to aid cybersecurity frontrunners and practitioners to make educated choices regarding their digital risk and respond immediately to threatening vulnerabilities.

Healthcare Companies Most Frequently Affected by 3rd Party Data Breaches

Attacks on business associates of healthcare companies have gone up to the point that they exceed the number of attacks on healthcare companies. Besides a rise in cyberattacks on third-party vendors, the effect and damage resulting from those attacks have likewise gone up, as per the latest report by Black Kite, a vendor risk management firm.

Every year, Black Kite’s Third-Party Breach Reports evaluates the effect of third-party cyberattacks and data breaches. This 2023, there were 63 third-party breaches analyzed along with the 298 companies impacted. The report stated a doubling of the effect and damage resulting from those breaches. In 2021, about 2.46 companies were impacted by third-party breaches. The number of impacted companies grew to about 4.73 per breach in 2022.

In 2022, 40% of attacks on third parties resulting in data breaches was due to unauthorized system access. Black Kite states that these kinds of attacks grew to such high numbers because of remote workers that makes it possible for cybercriminals to exploit vulnerabilities. 27% of 2022’s third-party breaches involved the use of ransomware; but there was a slight decrease in year-over-year cyberattacks. Black Kite states that the decrease was because of the reduced Russian sanctions, which cut down the Russian cybercriminals’ capability to execute ransomware attacks. The following are the other causes of data breaches: unsecured servers (9.5% of data breaches), earrings (6.3%), phishing (3.2%), and malware (3.2%).

Other notable results reported by Black Kite is an increase in the time of issuing breach notifications to affected companies. There was about 50% increase to the average year-over-year time, which is 108 days from the date of discovering the attack. With the late notifications, cybercriminals get more time to steal and misuse data, causing more problems. The most targeted third parties are technical service vendors (30%) followed by vendors of healthcare services and software services. Healthcare providers were typical third-party breach victims (34.9% in 2022), followed by finance and government (each at 14%).

Global business ecosystems are becoming more complicated, with every company becoming more affected by the cybersecurity mode of their third party vendors. The fact is a company’s attack surface is bigger than the things it can control. Therefore, it is important to assess and keep track of your extended ecosystem to identify vulnerabilities and do something to avoid problems.

OIG Finds Vulnerability Management and Remediation Inadequacies at Alabama VA Medical Center

The VA Office of Inspector General (OIG) examined the data security at Tuscaloosa VA Medical Center located in Alabama and found inadequacies in three out of the four evaluated security control sections. The OIG inspection included contingency planning, configuration management, security management, and access controls, with inadequacies found in configuration management, access controls, and security management.

Configuration management controls are needed to spot and handle security functions for all hardware and software parts of a data system. OIG discovered inadequacies in database scans, vulnerability management, and remediation. The Office of Information and Technology (OIT) regularly scans for vulnerabilities, and when OIG and OIT utilized similar vulnerability-scanning tools, OIT did not discover all vulnerabilities. OIG found 119 critical-risk vulnerabilities that OIT couldn’t identify. OIG additionally found 301 vulnerabilities that were not mitigated in the expected 30- or 60-days. There were 134 critical-risk vulnerabilities determined on 14% of devices, and there were 134 high-risk vulnerabilities identified on 46% of devices. One high-risk vulnerability was not patched for 7 years.

A number of devices were found to be lacking crucial security patches, which were accessible but were not applied, which put VA systems in danger of unauthorized access, modification, or breakdown. Although database scans are done each quarter, OIT just provided scans for 50 % of the databases, because it could not access all databases as a result of port-filtering problems. Without the finished scans, OIT wouldn’t know of security control flaws that can affect the security position of databases.

Security management settings were evaluated, and OIG discovered one deficiency: a number of actionable plans and milestones were not found or didn’t have adequate information to be actionable. Four access control inadequacies were discovered associated with network segmentation, environmental controls, audit and monitoring controls, and emergency power.

Network segmentation is necessary for medical devices and special-purpose systems, which ought to be put on singled-out systems for protection. A number of network segments that included medical and special-purpose systems didn’t have the required network segmentation controls. 19 network segments made up of 221 medical devices and special-purpose systems didn’t have access control lists used, which permitted any user to gain access to those devices. Logs must be monitored to assess the efficiency of security controls, identify attacks, and investigate at the time of or following any attacks. 50 % of the databases of the Tuscaloosa VAMC were missing. The missing records were for the databases that were not put through vulnerability scanning.

A number of communication rooms were lacking temperature or humidity adjustments, which can have a considerable negative effect on the accessibility of systems, and uninterruptible power supplies were likewise found to be gone, meaning infrastructure equipment would stop to work in power imbalances or outages, bringing about the interruption of information flow and interruption to network resources access.

OIG created 8 recommendations to deal with the inadequacies, 6 to the assistant secretary for data and technology and chief data officer associated with the security problems, and 2 to the Tuscaloosa VAMC director, who needs to make sure communication rooms have enough environmental adjustments and uninterruptible power resources for infrastructure equipment.

Patients of Rehoboth McKinley Christian Health Care to Get Paid Up to $4,000 for Data Breach

A New Mexico federal judge has approved Rehoboth McKinley Christian Health Care Services’ proposed settlement to take care of claims associated with a February 2021 cyberattack. The settlement will pay affected individuals up to a maximum of $4,000 per person for out-of-pocket expenses sustained and lost time in response to the data breach.

Rehoboth McKinley Christian Health Care Services manages a 60-bed acute care hospital and outpatient clinics and offers home health care services in Arizona and New Mexico. The provider detected a security breach in February 2021. The investigation confirmed that unauthorized persons got access to its system from January 21 to February 5, 2021. The attackers accessed the protected health information (PHI) of around 191,000 patients, which include names, contact details, Social Security numbers, health data, and medical insurance data. Patients received notification concerning the data breach last May 2021.

The Charlie et al. versus Rehoboth McKinley Christian Health Care Services lawsuit was submitted on behalf of Leona Garcia Lacey, Alicia Charlie, Darrell Tsosie, and a small child, which has a representing guardian Gary Hicks. Allegedly, Rehoboth McKinley Christian Health Care Services was unable to apply proper safety measures to avert unauthorized access to their PHI and furthermore unnecessarily delayed sending notifications to impacted patients.

The lawsuit claimed Rehoboth McKinley Christian Health Care Services did not follow the New Mexico and Arizona consumer protection laws, and had claims of negligence, breach of implied contract, breach of fiduciary duty, and intrusion upon seclusion. However, the judge rejected the claims for breach of implied contract, intrusion upon seclusion, and the violation of the Arizona Consumer Fraud Act. Rehoboth McKinley Christian Health Care Services had contended that there was no actionable obligation to safeguard the plaintiffs’ information, however, U.S. District Court Judge Steven C. Yarbrough decided that Rehoboth McKinley Christian Health Care Services had a duty of ordinary care to the plaintiffs with regards to the retention of their private data and didn’t show that lost time recovery in relation to the breach wasn’t allowed under state legislation.

As per the conditions of the settlement, the 191,009 people in the class may file claims for as much as $500 to compensate for standard out-of-pocket expenditures, which may include around 4 hours of lost time valued at $15 hourly. Standard expenditures include bank charges, long-distance telephone charges, cell phone and data costs, postage, fuel for local travel, credit report charges, and credit monitoring and identity theft insurance services. Claims could likewise be filed for documented outstanding out-of-pocket expenditures as much as $3,500. Unlike a lot of settlements which are compensated pro rata according to the number of claims, this arrangement will pay the entire $4,000 for all class members. Class members will likewise be given 2 years of free credit monitoring services. Rehoboth McKinley Christian Health Care Services has additionally consented to improve data protection. A final fairness hearing will be on May 24, 2022.

Password Management Errors Discovered at U.S. Department of the Interior

The Office of Inspector General of the U.S. Department of the Interior (DOI OIG) has observed poor password management and enforcement procedures at the Department of the Interior resulting in heightened risk for its critical IT systems. These fundamental password blunders are very typical in the healthcare sector and make it overly easy for threat actors to acquire initial access to systems to launch ransomware attacks as well as other nefarious functions.

A check up was performed on the password difficulty required by the department to know whether its password management and enforcement procedures were useful and could possibly stop malicious actors from employing brute force tactics to acquire unauthorized account access. The DOI OIG discovered a number of password management weak spots and a lot of weak passwords. 4.75% of accounts were protected utilizing variations of ‘password’, which can be cracked immediately by a threat actor. Password-1234 was employed to secure 478 different, unrelated accounts. Five of the 10 most reused passwords have the term password and the number string 1234.

Although the DOI had followed minimum requirements for password difficulty, these guidelines were outdated and not fit anymore for its purpose. There were additionally numerous cases of users using passwords that satisfied those requirements yet were nevertheless quite weak, for example, Changeme$12345 and P@s$w0rd. Without time limits set on passwords, even somewhat complex passwords are weak to brute force attacks. Moreover, with unused accounts that were not deactivated promptly, 6,000 accounts were put at risk.

DOI OIG conducted tests to crack passwords and was able to do so within 90 minutes. DOI rightly guessed about 16% of the passwords. Overall, the test were conducted on 85,944 department passwords. 18,174 passwords or 21% were guessed correctly, which include 288 passwords for accounts with elevated privileges and 362 accounts owned by senior government staff. Besides these password management problems, the DOI did not regularly use multi-factor authentication. The DOI OIG inspection showed 89% of high-value assets didn’t use multi-factor authentication even though it is required for 15 years now. Additionally, when told to show records of which accounts had implemented multi-factor authentication, there was no list presented.

The DOI OIG stated that the ransomware attack on Colonial Pipeline in 2021, which led to the shutdown of the gas pipeline to the Eastern Seaboard of the U.S. creating substantial disruption to nearly half of the country’s fuel source, happened because of the compromise of one password. The password management errors discovered by DOI OIG are very prevalent throughout federal, state, and local governments as well as public and private companies.

The DOI OIG made a number of suggestions for enhancing password management and enforcement, such as

  • monitoring MFA
  • making sure it is used for all accounts
  • establishing new minimum prerequisites for password difficulty consistent with the most recent password suggestions of the National Institute of Standards and Technology (NIST SP 800-63)
  • applying controls to track, limit, and avoid setting often used, expected, or exposed passphrases and passwords
  • making sure to disable inactive accounts promptly

Immediate Patching Recommended to Repair Critical Netgear, Citrix, and Zoho ManageEngine Vulnerabilities

Vulnerabilities were found in Citrix solutions, Zoho ManageEngine products, and Netgear routers that need quick patching. An APT actor is actively exploiting one Citrix vulnerability, and it is probable that there will be attempts to take advantage of the Netgear and Zoho vulnerabilities on devices without patching.

Active Exploitation of Citrix ADC and Citrix Gateway Vulnerabilities

In the middle of December, companies that utilize the Citrix ADC load balancing and/or Citrix Gateway remote access solutions were encouraged to quickly upgrade to the most recent software versions to repair two critical vulnerabilities, CVE-2022-27518 and CVE-2022-27510. The National Security Agency (NSA) and the Health Sector Cybersecurity Coordination Center (HC3) gave security warnings concerning the vulnerabilities. A Chinese APT actor is known to exploit one vulnerability to execute remote code on vulnerable servers.

According to a new scan by Fox-IT, in spite of active exploitation, a number of servers are still vulnerable. The majority of those servers are found in the U.S. For several weeks now, one vulnerability is being actively targeted. Therefore, all companies that have not applied the most recent version yet must do so right away and likewise check for probable exposure. These are the security advisories from the NSA and HC3

Immediate Patching Required for Critical Zoho ManageEngine Vulnerability

Zoho is informing all customers of its ManageEngine Password Manager Pro, PAM360, along with Access Manager Plus solutions to use the latest version of the software immediately to correct a critical SQL injection vulnerability. CVE-2022-47523 can be taken advantage of by an enemy to acquire unauthenticated access to the after-sales database and accomplish customized questions.

The patches, introduced at the end of December, put appropriate validation and escape of special characters to stop vulnerability exploitation. Users ought to update to Access Manager Plus v4309 and Password Manager Pro v12210, PAM360 v 5801.

Nation-state threat actors have previously exploited ManageEngine vulnerabilities. A Chinese APT actor is believed to have influenced the 2021 vulnerability on Internet-facing servers, as pointed out in a security alert from CISA and the FBI, therefore taking advantage of the recently disclosed vulnerability may be expected. Approximately 11,000 servers control the impacted tools and will be vulnerable when not upgraded to the newest versions.

High-Severity Vulnerability Discovered in Netgear Routers

Netgear has given a security advisory concerning a high-severity pre-authentication buffer overflow a weakness impacting a lot of versions of its routers, which can be taken advantage of by an enemy to bring about a denial-of-service condition. The vulnerability is monitored as PSV-2019-0104 with a CVSS v3 severity score of 7.4.

The vulnerability impacts the RAX35, RAX40, R6400v2, R6400v3, R6900P, R7000, R7000P, R7960P, and R8000P routers. End users ought to upgrade the software program immediately to avoid taking advantage of the vulnerability. The chosen firmware versions are the following:

  • R6400v2 + R6700v3 – Version
  • RAX40 + RAX35 – Version
  • R6900P + R7000P – Version
  • R7000 – Version
  • R7960P + R8000P – Version


Lake Charles Memorial Health System and FoundCare Cyberattacks Impact Almost 285,000 Patients

Southwest Louisiana Health Care System, Inc. recently announced the compromise of the protected health information (PHI) of approximately 269,752 Lake Charles Memorial Health System patients. The Louisiana healthcare system’s security team detected suspicious activity on October 21, 2022 and took steps to deal with the occurrence and look into the potential breach. It was confirmed on October 25 that an unauthorized entity got access to the system. The forensic investigators stated that the attack began on October 20 to October 21, 2022 and the attackers stole patient records from the system.

The analysis of the extracted files confirmed they included data such as names, addresses, birth dates, patient ID numbers, medical record numbers, medical insurance data, payment details, and limited clinical data. A number of Social Security numbers were likewise breached. The health system sent breach notification letters to impacted persons on December 23, 2022, and offered free credit monitoring and identity theft protection services to those who had their Social Security numbers exposed.

Southwest Louisiana Health Care System didn’t reveal the precise method of the cyberattack, however, the Hive ransomware group professed to be behind the attack. Although Hive is well-known for employing ransomware for file encryption, the group claims to have only extracted patient records. It did not encrypt the files and issued a ransom demand asking for payment to make sure to delete the stolen information. Payment doesn’t seem to have been given because the Hive group began leaking the stolen information last month.

FoundCare Email Account Breach Affects 14,000 Patients

The federally qualified health center known as FoundCare Inc. based in Palm Springs, FL has reported that unauthorized persons have acquired access to its email account and possibly viewed or acquired email messages and files containing the PHI of 14,194 patients.

The health center detected suspicious activity in its email account on September 2, 2022, and engaged a third-party digital forensics agency to investigate. FoundCare stated it confirmed on October 18, 2022, that the breached files contained patient information. The analysis of those records and checking of patient contact details were done. Currently, FoundCare is sending notification letters to the impacted persons. Information compromised during the cyberattack included the following: names, dates of birth, email addresses, addresses, Social Security numbers, credit card numbers, passport numbers, other government ID numbers, medical insurance details, health conditions, internal patient identifiers, diagnoses, and treatment data. FoundCare mentioned that most of the affected persons only had minimal medical data compromised.

FoundCare has applied the following extra security procedures because of the breach:

  • using multifactor authentication for all end users
  • stopping basic authentication steps
  • including an alert to all emails coming from new email addresses
  • giving employees regular phishing awareness training


Data Breaches Reported by NYC Health + Hospitals, Polsinelli PC, Hawaiian Eye Center, and The Elizabeth Hospice

NYC Health + Hospitals Warns Patients Concerning Loss of Device With PHI

NYC Health + Hospitals reports a faulty hard drive that stored the protected health information (PHI) of 2,174 patients was found to be gone from a visual field testing device situated at its NYC Health + Hospitals/Woodhull facility in Brooklyn, NY. Since the drive can’t be located it was not possible to confirm if the records on the device could be accessed, nevertheless, it was stated that the device comprised patients’ names, birth dates, visual field test data, and medical record numbers.

As a result of the breach, NYC Health + Hospitals has re-trained employees on its policy for the right chain of custody for devices comprising PHI when those units are taken out of service. Moreover, a new policy was applied that calls for PHI to be taken from visual testing devices consistently. The training was additionally enhanced to ensure all employees are aware of the need to promptly notify officials about potential breaches of PHI.

Unauthorized System Access Discovered by Missouri Law Firm

Law company Polsinelli PC based in Kansas City, MO, which offers hospitals corporate legal services, states that unauthorized individuals viewed files that had patient records on September 9, 2022, from two locations. A third-party cybersecurity firm investigated the breach and confirmed that the breach did not affect its network and main document repository; nonetheless, the files that were accessed included some patient data, such as names, addresses, birth dates, health insurance details, patient account numbers, medical record numbers, very limited clinical data, and Social Security numbers. St. Luke’s Health Brazosport patients are found to have been affected.

Individuals whose Social Security numbers were impacted got offers of credit monitoring and identity theft protection services. Nevertheless, the law agency believes that no compromised information will be utilized for identity theft or fraud. The HHS Office for Civil Rights already received the breach report, which indicated that 1,220 persons were affected.

Patient Information Exposed Due to Hawaiian Eye Center Cyberattack

Hawaiian Eye Center located in Wahiawa, HI recently began informing a number of patients that unauthorized individuals accessed some of their PHI that was saved on a server. It was discovered on November 2, 2022 that the server was unresponsive. Upon investigation, it was confirmed that an unauthorized individual accessed the server and the network. The attackers also exfiltrated files from the system that contain patient data.

Those files included names, birth dates, addresses, email addresses, driver’s license numbers, Social Security numbers, medical record numbers, and medical insurance data. The eye center informed the impacted persons and offered them single-bureau credit monitoring services. It also engaged third-party cybersecurity professionals to perform an evaluation of its security procedures and systems and implemented appropriate upgrades to avoid more breaches later on.

It is presently uncertain how many persons were impacted.

Insider Data Breach at The Elizabeth Hospice

nonprofit hospice, The Elizabeth Hospice, manages facilities in Carlsbad, Escondido, Temecula, and San Diego, CA. It found out that an ex-employee was sending email messages from her email account at work to a private account when she was working at the hospice. An analysis of the email messages was finished on November 14, 2022. It confirmed that they included first and last names, admission and discharge dates, basic health data, and patient account numbers. The Elizabeth Hospice stated it did not know of any actual or attempted patient data misuse. Still, affected individuals were instructed to be wary and monitor unauthorized activity in their accounts and statements.

It is presently unknown how many people were impacted.

Patients’ PHI Affected by CommonSpirit Health Ransomware Attack and Suncoast Skin Solutions Data Breach

CommonSpirit Health has reported the exposure and potential theft of the protected health information (PHI) of about 623,774 patients because of a
ransomware attack in October 2022. CommonSpirit Health initially announced that it encountered a cyberattack last October 4, 2022, and is posting frequent updates on its site as soon as addtional information regarding the attack is available. The provider discovered the attack on October 2, 2022 and the investigation confirmed that the attackers got access to areas of its system from September 16 to October 3.

The most recent update, released on December 1, 2022, stated that the persons responsible for the attack viewed the information of patients who got healthcare services previously, or affiliates of those persons, from Franciscan Medical Group and/or Franciscan Health (known today as Virginia Mason Franciscan Health) located in Washington state, which includes patients of St. Anne Hospital (previously Highline Hospital), St. Joseph Hospital, St. Michael Medical Center (previously Harrison Hospital), St. Anthony Hospital, St. Elizabeth Hospital, St. Clare Hospital, and St. Francis Hospital.

The breached information consists of names, internal patient IDs, addresses, telephone numbers, and birth dates. CommonSpirit Health mentioned that the breach had no impact on Dignity Health, TriHealth, Centura Health, or Virginia Mason Medical Center facilities.

75,992-Record Data Breach Reported by Suncoast Skin Solutions

Suncoast Skin Solutions based in a Lutz, FL is a medical and cosmetic dermatology practice network. It just began informing its patients about a cyberattack that it discovered on or about July 14, 2021. The network took prompt action to control the attack. Third-party forensics specialists investigated the incident and confirmed the nature and extent of the data breach.

The investigation was completed on October 21, 2022. It was confirmed that the files on the system included patient information accessed during the attack. Nevertheless, the attack did not affect its electronic medical record system. Initial analysis identified the types of data impacted, which was finished on November 8, 2021. That analysis showed that only old patient information was affected.

Suncoast began issuing notification letters to impacted persons on November 28, 2022. Based on the breach notification letter submitted to the Maine Attorney General by Suncoast, the long delay in sending notification letters was because of the nature and volume of the impacted information. The data mining procedure began in December 2021, and it was completed in October 2022. Suncoast stated that in the beginning, so as to follow the HIPAA Breach Notification Rule, it issued a media notice about the data breach on January 7, 2022 and posted it on its website.

The potentially compromised information included names, birth dates, clinical data, doctor’s records, and some treatment data. Credit monitoring services were provided to impacted persons. Suncoast sent the breach report to the HHS’ Office for Civil Rights in July indicating that 57,730 persons were impacted. The new notification sent to the Maine Attorney General shows that 75,992 persons were impacted.

Feds Release Guidance on Responding and Minimizing Impact of DDoS Attacks

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have recently given guidance for federal and private organizations on the reduction and mitigation of distributed Denial of Service (DDoS) attacks.

These attacks are carried out to overload apps and websites with traffic, therefore rendering them inaccessible and stopping legitimate users from getting access to that service. A Denial of Service (DoS) attack leads to a network resource overload that affects all bandwidth, hardware, and software, protocol resource overloads affect the available session or connection sources, and application resource overloads utilize all compute or storage assets.

With DDoS attacks, the traffic originates from several devices that are acting together. They may entail big amounts of traffic and have the probability to trigger hardware troubles. Botnets or slave armies of malware-attacked devices are frequently utilized to execute DDoS attacks at scale, and they are much more prevalent because of the big increase in IoT devices. The botnets are frequently rented out to threat actors, therefore, enabling unskilled individuals to carry out DDoS attacks.

These attacks may be temporary; however, continuous attacks can considerably interrupt critical services, leading to substantial remediation expenses and significant reputational harm. These attacks are just concerned with creating disruption and do not involve getting access to systems or data theft; nevertheless, cybercriminal groups are known to carry out DDoS attacks to distract IT teams at the same time an attack is carried out on another portion of the network. With the focus of security groups focused elsewhere, there is less chance that data exfiltration, malware download, or ransomware deployment will be noticed. It is consequently essential that any response to a DDoS attack does not lead to the neglect of other security monitoring.

Stopping and Minimizing the Effect of DDoS Attacks

What is important to protecting against DDoS attacks and minimizing their severity is preparation. All vital assets and services that are accessible to the public Internet should be identified, with those applications and services prioritized. It is important to implement web application firewalls to secure the most critical assets. Cybersecurity protocols must be implemented, including hardening servers and patching immediately. Understanding how users connect to the services and knowing any chokepoints can make it less difficult to carry out mitigations to stop interruption to key stuff.

Think about enlisting in a DDoS protection service, ideally, a dedicated DDoS protection service, because those offered by ISPs are not as strong and may not safeguard against bigger attacks. These services enable the identification of the source of the attack and will reroute traffic somewhere else. Managed Service Providers can probably assist and provide DDoS protection, which includes giving custom network edge defense services.

Do something to avoid single points of failure, for example, having a high-value asset hosted on a single node. Load balancing throughout multiple loads is recommended. It is additionally important to create an incident response plan, particularly for DDoS attacks. All stakeholders ought to keep in mind their duties through all phases of an attack to make sure a quick and efficient response is possible. You should likewise develop a business continuity plan to make certain that business operations can carry on in the event of an attack, and tabletop exercises must be done to check those plans.

Steps to Take During an Attack

In the event of an alleged attack, like when there is network latency, slow application performance, abnormally high traffic, or the unavailability of websites, technical experts ought to be contacted for support. Check with your ISP to find out if they have an outage, and understand the nature of the attack, like where the traffic is originating from and which apps are being targeted. This will let you to employ targeted mitigations and work with service providers to block the attack immediately.

Although an attack may target a particular application, keep track of other network assets, as they may be concurrently attacked. Specific mitigations for dealing with DDoS attacks are mentioned in the MS-ISAC Guide to DDoS Attacks.

Recovering from a DDoS Attack

Following an attack, continue monitoring all network resources, learn from the response, and revise your incident response plan appropriately to correct any facet of the response plan that didn’t run efficiently. You must furthermore make sure you proactively keep an eye on your network and create a baseline of normal activity since this will enable you to quickly identify ongoing attacks in the future.

Check Point Report Reveals 69% Increase in Healthcare Cyberattacks

The 2022 Mid-Year Report of Check Point has shown that the healthcare sector got the highest percentage increase in cyberattacks among all industries. Cyberattacks in the first half of 2022 are higher by 69% than in 2021. Healthcare currently holds the fifth-highest record in the number of attacks per week, next to the sectors of education, military/government, ISP/MSP, and communications.

According to Check Point’s report, cyberattacks in 2022 have become completely established as a state-level weapon, having seen an unprecedented increase in state-sponsored attacks during the first half of 2022 because of the continuous war in Ukraine. In addition, there’s a significant rise in hacktivism or the employment of private individuals for an ‘IT Army’ for executing attacks. Check Point states the after-effects of this are expected to be experienced by governments and businesses around the world.

The power of cyberattacks to impact day-to-day lives is very clear. In 2022, attacks on TV stations stopped broadcasting, and attacks on critical infrastructure and government units disrupted important services. A lot of these attacks were done in Ukraine, however, this is a global problem. The attack on Costa Rica upset services throughout the country, which include healthcare, and it wasn’t a singled-out incident, with the same attack impacting Peru soon after. Cyberattacks with a nationwide effect could become more prevalent. In education, the ransomware attack on Lincoln College compelled it to shut down after 157 years, and many ransomware attacks on healthcare companies have resulted in serious interruptions to medical services.

There are more cybercriminal groups undertaking attacks for monetary gain on specific companies as nation-state-level attackers. The Conti ransomware operation, because of Costa Rica’s decision not to give ransom payment, wanted to depose the government by inciting a revolution. A number of cybercriminal organizations now have hundreds of people and have incomes of millions to billions of dollars. In a number of instances, these organizations operate like real companies, with a few even getting physical property, and running at that level becomes hard without some support from the governments of the nations where they are located. There has additionally been a pattern that cyber criminals don’t use ransomware entirely, and rather, choose to do plain extortion or data theft and demand a ransom payment. This is what the Lapsus$, Karakurt, and RansomHouse threat groups are doing.

Check Point’s information reveals a 42% increase in cyberattacks around the world from January to June of 2022. The following lists the gathered statistics:

  • 23% of business networks experienced attacks with multipurpose malware
  • 15% were attacked with crypto miners
  • 13% experienced infostealer infections
  • 12% experienced mobile attacks
  • 8% experienced ransomware attacks

Attacks on the healthcare sector increased by 69% with 1,387 attacks on companies per week on average.

In the Americas, Emotet has become the most frequent malware threat after law enforcement took it down in January 2021 which halted the attacks. Emotet is being employed in 8.6% of malware attacks in the first half of 2022, with an extensive selection of malware variants now being employed, such as XMRig (1.9%), Remcos (2.3%), and Formbook (4.2%).

High-profile vulnerabilities are still being exploited to acquire access to business networks, such as the Apache Log4j RCE vulnerability (CVE-2021-44228), the F5 BIG IP RCE vulnerability (CVE-2022-1388), and the Atlassian Confluence RCE vulnerability (CVE-2022-26134).

Check Point has predicted the attack trends for the rest of the year according to recognized trends in the first half of 2022. Ransomware is likely to be a more fragmented ecosystem, the deactivation of macros will see more varied email infection chains used, hacktivism is predicted to change, and attacks on the crypto and blockchain platforms are anticipated to go up.

Check Point recommends the following cybersecurity improvements:

  • installing updates and patches on a regular basis
  • installing anti-ransomware solutions
  • implementing a prevention-first strategy and approach
  • collaborating with the police and national cyber authorities
  • improving education regarding cyber threats
  • preparing by employing and testing incident response programs that can be
  • instantly followed in case of a successful attack

Study Reveals Businesses Are Not Ready for Increasing Cyberattacks

Businesses are seeing the value of cybersecurity and the need to spend more on cybersecurity because threats are changing at a fast rate. The challenge for companies is making sure that their defenses enable them to block the actions of cybercriminals, however, the rate at which data breaches are reported indicates a lot of companies are having difficulties keeping up.

To know how to secure their companies, IT leaders must understand how cybercriminals are breaking defenses. Then, they can decide about the security options they need to spend on that will give good ROI with regards to security.

Keeper Security lately performed a survey on 516 IT decision-makers in the United States to learn how cybersecurity is changing and where companies are purchasing cybersecurity resources. Keeper released the survey results in its U.S. Cybersecurity Census Report for 2022. The report talks about the risks that companies face and the tactics they may follow to better handle cyber threats and to stay ahead of the cyber criminals that are attacking their networks.

Businesses Making Cybersecurity a Key Priority

According to the survey, 71% of companies had new hires in cybersecurity over the last 12 months. But despite more skilled employees, businesses worry that they can’t keep pace with the quick-changing cyber threat landscape.

U.S. company experiences about 42 cyberattacks per year and IT leaders forecast that attacks will grow in the following 12 months. Most of the respondents stated they believe in their capability to protect against cyber threats and that they have the needed cybersecurity tools to guard against attacks, although a majority of surveyed companies encountered a successful cyberattack last year. IT chiefs additionally state that identifying and responding to cyberattacks now takes longer.

The Effect of Cyberattacks on Businesses

31% of companies stated they had suffered a successful cyberattack causing interrupted partner/customer operations. The same number said that attacks brought about stolen financial data. 28% mentioned that the attacks resulted in reputational damage, and the same number also mentioned stolen corporate data. About 25 % said the attacks disrupted the supply chain as well as the trading/business operations. There is a significant financial effect on businesses because of the attacks. The average cost of successful attacks to businesses is $75,000 per case. More or less 4 in 10 companies said that the cost to resolve attacks is over $100,000.

Lacking Technology to Fight Cyberattacks

Although the confidence in cybersecurity defenses was high, the survey showed the technology being employed to protect against attacks was lacking the necessary tools. About 33% of companies have no management system for IT secrets, for example, database passwords, privileged credentials, and API keys. 84% of survey respondents were worried regarding hard-coded credentials in source code, nevertheless, 25% of companies didn’t have any software program to remove them.

58% of Americans today work remotely, yet over 25% of businesses mentioned they have no remote connection management system set up allowing their remote workers to access their IT infrastructure securely.

The survey also discovered identity and access management vulnerabilities. Merely 44% of businesses stated they have employees guidelines on regulating passwords and access management. Three out of 10 companies allow their workers to set and handle their own passwords and confessed that employees often share their passwords. Just 26% of companies said they own a highly advanced framework for visibility and controling identity security.

The laissez-faire method of access management show that there’s more to do to protect businesses and their workers. The following lists the major areas of security that companies plan to spend on in the following 12 months:

  • security awareness training (54%)
  • developing a culture of compliance (50%)
  • password management (48%)
  • enhancing visibility to identify network threats (44%)
  • infrastructure secrets management (42%)
  • passwordless authentication (42%)
  • use a zero-trust and zero-knowledge strategy to security (32%)

Although it is good to see numerous companies making cybersecurity the main priority, the survey showed too little transparency regarding cyberattacks at lots of businesses. 48% of IT leaders admitted that they knew about a cyberattack but didn’t report it to the appropriate authority. This shows a need to develop a culture of trust, responsibility, and responsiveness to stop cyber criminals from thriving.

25% of Healthcare Companies Completely Halted Operations Due to Ransomware Attack

Ransomware attacks still trouble the healthcare sector. The attacks interrupt services because vital IT systems are being shut down. Having no access to electronic health records (EHR) may result in patient safety problems, and it is typical to redirect emergency patients to other hospitals right away after attacks and to postpone appointments.

Lately, cybersecurity company Trend Micro performed a study to look at the effect ransomware attacks have on healthcare companies. The study was participated by 145 companies and IT decision-makers within the industry. Sapio Research did a more substantial worldwide study on the ransomware threat participated by 2,958 IT security decision-makers in 26 nations.

Trend Micro’s study shows that 25% of all data breaches today are due to ransomware. From 2017 to 2021, ransomware attacks went up by 109%, and there’s a 13% year-over-year increase in attacks in 2022. These attacks are causing a serious effect on healthcare companies, which are actively attacked by a number of ransomware groups.

57% of healthcare companies stated they had encountered a ransomware attack in the last 3 years. 86% of healthcare companies that experienced a ransomware attack had operational shutdowns because of the attack. 25% of companies that encountered an attack were compelled to totally stop operations. 60% mentioned that certain business functions were interrupted as a result of an attack.

The time to recover from these attacks may be substantial, with healthcare companies facing interruption to their services for prolonged time periods. 56% of companies that participated in the survey stated it took a few days to recoup from the ransomware attack, with 24% indicating it took a few weeks to completely bring back operations following an attack.

Stealing data is now prevalent in ransomware attacks with attackers issuing threats to post or sell the stolen information in case the ransom is not paid. This strategy has become so profitable that a number of cybercriminal groups have left ransomware completely and only steal data and issue threats to publish when payment is not given. 60% of surveyed companies stated sensitive information was stolen and exposed by the threat actors, with the information theft and leakage resulting in reputational ruin, compliance problems, and increasing costs of the investigation, remediation, and clean-up.

The research signifies healthcare companies are proactively countering the threat and improving their security. 95% of surveyed companies mentioned they are patching immediately to handle software vulnerabilities, 91% have put in place extra controls to stop malicious email attachments from landing in inboxes, and adopted enhanced detectors and response solutions for their network (NDR) and endpoints (EDR) is increasing, just like the usage of extended detection and response (XDR) tools.

There is additionally great concern regarding supply chains. 43% of survey respondents stated their partners turned them into more appealing targets for attacks, 43% stated they lack awareness throughout the ransomware attack chain making them more susceptible to attacks. 36% stated the insufficiency of visibility throughout attack surfaces made them a much bigger target.

Nevertheless, the survey showed a number of security gaps. For example, 17% of survey respondents didn’t have any remote desktop controls ready, in spite of RDP vulnerabilities frequently being taken advantage of to obtain initial access to healthcare systems. There is substantial room for development regarding threat intelligence sharing, as 30% confessed to not discussing threat information with partners, 46% never give threat intelligence to suppliers or the broader ecosystem, and one-third (33%) mentioned they never share any data with the authorities.

Merely 51% of companies utilize NDR, 50% employ EDR, and 43% utilize XDR, with just 46% of companies tracking living-of-the-land strategies like the malicious usage of tools including PsExec and MimiKatz. Just 42% claim they could identify initial access and only 32% could identify lateral movement.

In the healthcare industry, ransomware could have a possibly very real and very harmful physical effect. Operational outages endanger patient lives. So healthcare companies must get better at recognition and response and share with their partners the relevant intelligence to protect their supply chains.

Cybersecurity Awareness Month Celebration This October

Cybersecurity Awareness Month is being celebrated this October. For 19 years, the government and industry have collaborated to increase awareness of cybersecurity in America. This effort is headed by the National Cybersecurity Alliance (NCA) and the Cybersecurity and Infrastructure Security Agency (CISA).

This year’s Cybersecurity Awareness Month theme is “See Yourself in Cyber.” The emphasis is on the steps that all people must take to enhance cybersecurity. In the past years, the four weeks in October have different themes. This 2022, instead of having a different theme every week, the emphasis for each week is going to be one of the four key behaviors that should be adopted by everyone. Just practicing the four fundamentals of cybersecurity will significantly enhance a person’s and a company’s security posture.

  • Implementing multifactor authentication – Enhance access controls by putting additional authentication criteria besides a password. MFA could prevent granting access to accounts utilizing stolen credentials.
  • Employing a password manager and requiring strong passwords – All accounts must have strong, unique passwords to be tough against brute force attacks. Use a password manager to generate passwords and keep them safely in an encrypted password vault.
  • Keeping software up to date – Make certain software is updated and implement patches immediately to fix known vulnerabilities.
  • Identifying and reporting phishing attacks- Understand the indicators of phishing, the warning indicators in email messages, SMS messages, social media content, and phone calls that could suggest a phishing attempt, and report phishing attempts.

Enhancing Cybersecurity Awareness in the Healthcare Industry

Lots of cyberattacks succeed because of errors by staff members and not knowing the fundamental facets of cybersecurity. Based on the 2022 Verizon Data Breach Investigations Report, 82% of 2021’s data breaches were prompted by humans. Enhancing employees’ security awareness by centering on the above-mentioned behaviors will help improve security and stop data breaches.

Training in security awareness is a necessity for HIPAA Security Rule compliance. The administrative safety measures of the HIPAA Security Rule (45 CFR § 164.308 (a)(5)(i)) demand that all HIPAA-covered entities train their employees about internal security guidelines and procedures.

HIPAA-covered entities must follow a risk-based strategy when creating training courses and must teach cybersecurity fundamentals and consider the most essential behaviors that could minimize risk. The HHS’ Office for Civil Rights has given guidance https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html on the included aspects of cybersecurity in its cybersecurity newsletters every quarter.

The Security Rule calls for covered entities to carry out a security awareness and training program for all employees. A covered entity’s training program must be continuous, changing, and flexible to teach employees how to address new cybersecurity threats. OCR additionally emphasized the necessity of training employees, including management staff and senior officers.

Cybersecurity Awareness Month is the perfect time to emphasize security reminders and create a program for sending these reminders on a regular basis. OCR recommends including security reminders in its cybersecurity newsletters, and doing phishing simulations for employees. HIPAA-covered entities must consider employing a mechanism that enables employees to quickly report attempts at phishing and suspicious emails to their security teams.

Multifactor authentication is a powerful extra protection for enhancing access controls to prevent using stolen credentials to access accounts. This Cybersecurity Awareness month is the perfect time to speed up plans to execute multifactor authentication to all accounts in case it is not yet implemented by MFA. Phishing campaigns are being done that permit some types of multifactor authentication to be circumvented. To safeguard against the attacks to bypass MFA, MFA implementation must use an option that facilitates Fast ID (FIDO) v2.0 and certificate-dependent authentication.

Brute force attacks usually become successful because of employees using weak passwords or using passwords on several accounts. HIPAA-covered entities must implement their password guidelines, and make compliance with those guidelines less difficult for workers by providing a business password manager. Password managers may propose really random, complicated passwords, and significantly boost password security and management.

It is quick to concentrate on technical defenses for securing ePHI and stopping unauthorized access, however, the significance of training can’t be over-emphasized. Making sure all workers know about the previously mentioned key behaviors and are doing good cyber hygiene will truly improve the cybersecurity defenses of the whole company.

Medical Device Cybersecurity Prerequisites Removed from FDA Reauthorization Bill

The House of Representatives approved the U.S Food and Drug Administration (FDA) user fee reauthorization bill in June along with the new provisions necessitating medical device producers to keep track of and deal with postmarket cybersecurity vulnerabilities found in their units, to make sure that medical devices have labels of a software bill of materials and can get patches to provide cybersecurity for the complete lifecycle of the units. The bill was approved with a 392-28 vote; nonetheless, those cybersecurity demands have been removed.

The FDA’s authorization to receive fees from the healthcare industry to perform third-party reviews of drugs and medical devices will end on September 30, and as time runs out, the FDA gave in to the demand of Senate republicans and removed the new cybersecurity prerequisites for medical device companies. If the FDA’s 5-year authorization will not be renewed, the FDA estimated that it can only proceed with its review activities for about 5 weeks prior to its funds being depleted. The FDA reauthorization was part of a non-permanent spending bill that is already approved and will allow the FDA and the Federal government to get funding until December 16, 2022.

Energy and Commerce Committee Chairman Frank Pallone, Jr. (D-NJ) stated that the House approved a user fee reauthorization package on time with astounding bipartisan support. Following the House approval of its user fee package, the leaders of bipartisan Energy and Commerce and HELP wanted to include a lot of essential policy sections including the Continuing Resolution. Sadly, Senate Republican leadership did not approve these policy agreements.

U.S. Senators Richard Burr (R-NC) and Patty Murray (D-WA), and Chair and Ranking Member of the Senate Committee on Health, Education, Labor, and Pensions (HELP), made a statement regarding the reauthorization of the FDA user fee programs to make sure that FDA could carry on its crucial work and will not have to distribute pink slips. Nevertheless, there is extra work for this Congress to provide the types of reforms families must see from FDA, from the industry, and from the mental health and pandemic readiness work. The senators affirmed their commitment to moving forward with that work and the inclusion of strong, bipartisan laws in a strong year-end package.

The taking away of the cybersecurity prerequisites is a disappointment however not shocking. Healthcare companies must not wait for
changes and must make sure that they proactively determine and deal with vulnerabilities present in medical devices to protect the security of their systems, confidentiality of information, and patient security.

Michigan Law Company and Medical Imaging Companies Report Breaches of Patient Data

The Michigan law firm, Warner Norcross and Judd LLP, has distributed breach notification letters to 255,160 people telling them about a security breach in October 2021 resulting in the potential access and exfiltration of files containing their personal data and protected health information (PHI). The breach was discovered on October 22, 2021. In the substitute breach notification, there was no mention of when, and for how long, unauthorized persons got access to its systems.

A digital forensics company helped to investigate the nature and magnitude of the data breach and conducted a programmatic and manual evaluation of the files on the affected areas of its network. The assessment showed that the files held information like names, dates of birth, government-issued IDs, driver’s license numbers, Social Security numbers, annual compensation amounts, benefit contribution details, credit or debit card numbers, debit card or credit card PINs, financial account or routing numbers, patient account numbers, passport numbers, health data, and life insurance policy data.

The Michigan Law company sent notification letters to impacted people in August and provided details on tips that persons can do to decrease the risk of identity theft and fraud, however it would seem that credit monitoring and identity theft protection services are not available. The law company stated it is going to take steps to enhance security to stop other security breaches.

Medical Imaging Firms Announces PHI Breach

Gateway Diagnostic Imaging, a company operating 12 medical imaging centers in North Texas, and Radiology Ltd, a medical imaging organization based in Tucson, AZ, have recently began alerting a number of patients regarding a breach of systems that held patient records. The data breach was noticed on December 24, 2021, and the following forensic investigation confirmed that unauthorized people acquired access to its systems between December 17 and December 24, 2021.

The data on the compromised systems comprised data like names, Social Security numbers, birth dates, addresses, medical insurance details, patient account numbers, medical record numbers, physician names, dates of service, and details associated with the radiology services received.

As a safety measure against identity theft and fraud, the firm offered to the affected persons a complimentary 12-month membership to the credit monitoring and identity theft protection service of Equifax Credit Watch Gold. Additional safeguards are also being enforced to avoid more security breaches, and improvements were made to its monitoring features.

The breach is not posted yet on the HHS’ Office for Civil Rights Breach portal so it is currently not clear how many people were impacted.

LastPass Data Breach Results in Theft of Source Code

LastPass, the provider of the most popular password management solution in the world, announced a cyberattack and information breach. As reported by LastPass, there are about 30 million users of its password manager tool around the world, including 85,000 business customers. Notifications were sent to clients to notify them regarding the cyberattack and offer reassurances that although a number of company data were stolen because of the attack, users’ password vaults were not affected and the cyberattack did not result in any problems to its products or services.

Based on the notice released two weeks ago, LastPass found out that an unauthorized individual had acquired access to one programmer’s account, which allowed the attacker access to the LastPass creator’s environment. LastPass stated steps were quickly taken to control the attack and stop continuing unauthorized access, with the forensic investigation verifying the attackers stole sections of its source code and some exclusive LastPass technical data.

Just like the case with a lot of other password management tools, LastPass operates under the zero-knowledge model, meaning it got no access to its end users’ encrypted password vaults. Only individual end users could access their password vaults using the master password and doing multi-factor authentication validations (if MFA is enabled). Karim Toubba, LastPass CEO, mentioned that there’s no evidence that the incident permitted any access to end user information or encrypted password vaults, thus, users don’t have to alter their master passwords.

LastPass stated it is presently analyzing further mitigation methods and will be taking steps to reinforce the protection of its environment. This is not LastPass’ first experience of a cyberattack. In 2015, the company encountered an attack in which hackers had obtained the usernames of selected customers, along with their hashed master passwords. LastPass enforced a password reset as a preventative measure. Since only hashed passwords were stolen, just the end users who had set weak master passwords were at risk.

LastPass users were also targeted in a credential stuffing campaign. LastPass cautioned its users in late 2021 that it had discovered strange, attempted login activity and had seen a slight increase in security notifications associated with user accounts. The investigation affirmed this was because of credential stuffing attacks, where threat actors utilize usernames and passwords compromised in third-party data breaches to try to get access to accounts on other systems. These attacks can just succeed when passwords are reused on multiple accounts. When a unique master password is employed for an account, it will be safeguarded against credential stuffing attacks.

Cyberattacks on password managers are fairly unusual and though such an attack can possibly permit a threat actor to gain access to a user’s password vault, password managers remain recommended and could significantly enhance password security. All end users of password managers ought to make sure they pick a long, complicated, and unique password or passphrase for their password manager account. They should use multi-factor authentication. For even more security, consider utilizing the secure password manager’s username generator, when that feature is available.

Data Breaches Announced by the Onyx Technologies, San Diego American Indian Health Center, and New Jersey Department of Health

Onyx Technologies located in Largo, MD, a firm providing IT and Consulting Services and a vendor of Independent Care Health Plan (iCare), lately advised 96,814 health plan members concerning the likely exposure of some of their protected health information (PHI).

Onyx learned on June 28, 2022 that unauthorized persons had accessed its computer systems and may have obtained access to the PHI of iCare members, such as names, birth dates, addresses, telephone numbers, iCare member ID numbers, Medicare ID Numbers, dates of service, and names of the provider.

Onyx stated that an evaluation of its computer networks was quickly carried out, and a security agency helped with the analysis. Systems access was recovered on July 7, 2022. As per Onyx, a server may have been taken out or accessed starting on March 29, 2022 and ending on June 28, 2022. On July 15, 2022, the security company discovered that certain information associated with members might have been viewed.

Onyx mentioned it didn’t uncover any proof that indicates any of the impacted data was identified. Impacted persons were provided complimentary two-year credit monitoring and identity theft protection services.

27,367 Individuals Affected by San Diego American Indian Health Center Breach

San Diego American Indian Health Center has informed 27,367 present and past patients that unauthorized people acquired access to areas of its network and exfiltrated files that contain some of their PHI.

The health center discovered the security breach on May 5, 2022, and took prompt steps to safeguard the system and avoid further unauthorized access. The investigation by a digital forensics agency affirmed on July 22, 2022 the compromise of patient information, such as names, driver’s license numbers, state identification card numbers, tribal ID card numbers, medical details, medical insurance data, dates of birth, and Social Security numbers.

San Diego American Indian Health Center stated it is not aware of any actual or attempted misuse of patient data. Impacted persons have been given free credit monitoring and identity protection services and action had been undertaken to strengthen security to stop more data breaches.

New Jersey Department of Health Warns Patients Concerning Vendor Data Breach

The New Jersey Department of Health, Division of Behavioral Health Services lately reported on the theft of the protected health information of a number of patients of Trenton Psychiatric Hospital and the Anne Klein Forensic Center in a security incident that occurred at a vendor offering the hospitals medical translation and dictation services.

Unauthorized people obtained access to sections of the vendor’s systems and extracted files that contained the PHI of patients. The vendor advised the NJ Department of Health concerning the information breach on June 30, 2022. It is presently unclear which vendor was affected, the types of data exposed, and the number of persons impacted by the data breach. The affected hospitals will inform the patients directly when they are impacted.