Ransomware Attack on Home Healthcare Service Provider Impacts 753,000 People

Personal Touch Holding Corp, a home healthcare services provider based in Lake Success, NY, is notifying 753,107 patients about a potential breach of their protected health information (PHI).

Personal Touch Holding Corp manages approximately 30 Personal Touch Home Care subsidiaries in more than six U.S. states. On January 27, 2021, Personal Touch learned of a cyberattack on its private cloud. The attackers encrypted the business files that Personal Touch and 29 of its direct and indirect subsidiaries stored in the cloud.

The investigation is still in progress, and it is not yet known how much PHI was affected; however, it is likely that the attackers obtained information kept in the private cloud before deploying the ransomware.

A review of the cloud storage showed that the following patient data may have been compromised in the attack: names, phone numbers, addresses, birth dates, Social Security numbers, financial data such as credit card numbers, check copies and bank account details, health treatment data, medical record numbers, medical insurance cards, and health plan benefit numbers.

Employee data was also affected, including names, contact details, birth dates, Social Security numbers (including spouse and dependent Social Security numbers), passport numbers, driver’s license numbers, birth certificates, demographic details, background and credit reports, company usernames and passwords, personal email addresses, insurance cards, fingerprints, retirement benefit details, health and welfare plan benefit numbers, health treatment details, check copies, and other financial data required for payroll.

Upon discovering the breach, Personal Touch engaged outside counsel and independent forensics professionals to help investigate the incident. The company has also notified the FBI, state attorneys general, and the HHS’ Office for Civil Rights, and has implemented advanced monitoring and detection software.

This is the second ransomware attack to affect Personal Touch subsidiaries in a little over a year. The first was in January 2020, when Personal Touch reported that the PHI of patients of 16 subsidiaries had been compromised in a ransomware attack on its cloud vendor, Crossroads Technologies, whose cloud Personal Touch used to host electronic health records. That attack breached 156,400 medical records.

More Health Insurance Companies Confirmed as Victims of Accellion Ransomware Attack and Multiple Lawsuits Filed

The number of healthcare companies reporting that they were affected by the Accellion ransomware attack continues to grow, with Trillium Community Health Plan and Arizona Complete Health among the most recent victims.

At the end of December, attackers exploited zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance platform and stole data from its customers before deploying CLOP ransomware.

Trillium Community Health Plan recently notified 50,000 of its members that protected health information (PHI) including names, dates of birth, addresses, health insurance ID numbers, and diagnosis and treatment data was stolen by the attackers and published online between January 7 and January 25, 2021.

Trillium said it has stopped using Accellion, has removed all of its data files from the system, and has taken steps to reduce the risk of future attacks, including a review of its data-sharing processes. Trillium is providing affected members with 12 months of complimentary credit monitoring and identity theft protection services.

Arizona Complete Health has notified 27,390 of its plan members about the breach and the types of information compromised. The health plan has also stopped using Accellion, removed its files from the system, and is providing plan members with 12 months of free credit monitoring and identity theft protection services.

The Ohio-based supermarket and pharmacy chain Kroger previously announced that it was affected by the attack and that the PHI of 368,000 customers was exposed. The University of Colorado and Southern Illinois University School of Medicine have also said they were affected.

Lawsuits Filed Against Accellion and its Customers

Several lawsuits have now been filed against Accellion and its customers over the breach. Centene Corp. has sued Accellion, alleging that it failed to comply with several provisions of its business associate agreement (BAA). The cyberattack led to the theft of the PHI of a substantial number of Centene’s health plan members. Centene expects to incur considerable costs because of the breach and has asked the court to order Accellion to comply with the terms of its BAA and to pay all breach-related costs. Centene stated in the lawsuit that the attackers obtained 9 gigabytes of its data.

A federal lawsuit seeking class-action status was also filed against Kroger over the breach. The lawsuit claims that Kroger was negligent, was fully aware of the potential security concerns with the legacy file transfer solution, and did not upgrade to a more secure solution even after being advised to do so by Accellion. Kroger gave its customers 2 years of credit monitoring and identity theft protection services; however, since names, addresses, birth dates, medical information, and Social Security numbers were compromised, 2 years is not regarded as sufficient to protect Kroger customers from identity theft and fraud.

Data Breaches at Agency for Community Treatment Services, Leon Medical Centers and Proliance Surgeons

Agency for Community Treatment Services, Inc. (ACTS), based in Tampa, FL, is notifying some patients that some of their protected health information (PHI) may have been compromised in a cyberattack on October 21, 2020.

The breach was discovered on October 23, when the ransomware was deployed. The attackers gained access to parts of the ACTS server and data networks and encrypted files to block access. Systems had to be taken offline to stop the unauthorized access, and third-party computer forensics specialists were engaged to determine the scope of the breach.

Although unauthorized data access was possible, the investigators found no evidence that patient information was accessed or exfiltrated. ACTS said this was because the attackers made considerable efforts to hide their activity, so the attackers may still have accessed or obtained information stored on the compromised systems.

The assessment of the compromised systems revealed that they contained patient names, birth dates, Social Security numbers, and medical information such as diagnoses, treatment information, and health insurance data relating to services patients received between 2000 and 2013.

ACTS was able to restore the encrypted data from backups, and no ransom was paid. It has since taken steps to strengthen security and prevent further attacks. Because patient information may have been exposed, ACTS is offering all affected individuals complimentary credit monitoring and identity theft protection services.

Leon Medical Centers Attacked With Conti Ransomware

Leon Medical Centers, a network of 8 medical centers in Miami and Hialeah, Florida, suffered a Conti ransomware attack. The attackers stole patients’ protected health information before deploying the ransomware and issued a ransom demand, threatening to publish the stolen patient data.

The attackers claimed the stolen data included patient names, addresses, diagnoses, treatment data, medical insurance details, patient images, and Social Security numbers. They claim to have obtained the PHI of over 1 million patients, but Leon Medical Centers disputed that claim and said the volume of stolen data was greatly overstated.

The attack occurred before December 22, 2020, and Leon Medical Centers is still investigating the incident. At this time, it is not clear exactly what data was stolen or how many patients were affected.

Proliance Surgeons Announces Corporate Website Breach

The corporate website of Seattle, WA-based Proliance Surgeons was breached, resulting in the likely theft of payment card information. The surgical practice explained in a December 23, 2020 breach notice that attackers had access to the website between November 13, 2019 and June 24, 2020. During that period, the attackers may have accessed and obtained cardholder names, card numbers, zip codes, and expiry dates. No other PHI was compromised. The breach affected only individuals who paid for services online, not those who paid in person or over the phone.

The cause of the breach has been identified and addressed, and a new website with a different payment platform and stronger security protections has been deployed. Proliance has coordinated with the major payment card providers to prevent unauthorized charges on the affected cards. Affected individuals have been advised to check their statements carefully and to report any unauthorized charges to their card provider.

New Offerings Introduced by Atlantic.Net for U.S. SMBs During the COVID-19 Pandemic

The HIPAA-compliant cloud service provider Atlantic.Net introduced two new offerings on November 15, 2020, aimed at helping small- to medium-sized businesses (SMBs) during the COVID-19 pandemic.

Despite the difficulties of the pandemic, SMBs are trying to support more long-term remote workers on minimal budgets, which has put pressure on their IT and cloud services platforms. To help companies through these challenges, Atlantic.Net has introduced two new offerings. The first gives new cloud VPS customers twice the resources previously provided, at no extra cost.

Initially, the new offering is available on all Atlantic.Net cloud plans in the Orlando data center, with plans automatically upgraded to the features of the next pricing tier. Atlantic.Net is considering extending the offer to all seven of its worldwide data centers in the next couple of weeks.

The second offering gives new users an automatic upgrade of Atlantic.Net’s Free Server promotion: instead of 1 GB, users get 2 GB, for one year at no extra cost.

COVID-19 has put IT and cloud services systems under serious stress as remote work grows larger and more permanent. To help companies cope, Atlantic.Net is offering more flexibility in its cloud solutions. The hope is that not only America’s small to mid-size businesses will benefit from the offerings, but also the country’s healthcare providers, which need audit-ready, HIPAA-compliant cloud solutions at about half the cost.

Atlantic.Net is a leading provider of cloud services to a large number of developers and SMB clients in over 100 countries; its clients include NASA, Hilton, Lenovo, and Newegg. Atlantic.Net is also a major provider of HIPAA-compliant cloud solutions to the U.S. healthcare sector, providing scalable cloud computing through its seven international data centers in San Francisco, New York, Dallas, London, Orlando, Toronto, and Ashburn.

See the information on Atlantic.Net’s most recent cloud offerings, including the pricing structure, on this page.

Unsecured Broadvoice Databases Held 350 Million Records, Including Health Information

Comparitech security researcher Bob Diachenko has identified an unsecured cluster of databases owned by the Voice over IP (VoIP) telecommunications provider Broadvoice. The databases held data on more than 350 million customers.

The exposed Elasticsearch cluster was found on October 1, 2020, when the Shodan.io search engine indexed it. The cluster contained 10 collections of data. The largest held 275 million documents with information such as caller names, telephone numbers, and caller locations, along with other sensitive information. One database contained transcribed voicemail messages covering a range of sensitive matters, including financial loans and prescribed medications. That subset held more than 2 million voicemail recordings, 200,000 of which had transcriptions.

The voicemails included phone numbers, caller names, internal identifiers, and voicemail box identifiers, and the transcripts contained personal details including full names, dates of birth, telephone numbers, and other information. Voicemails left with health clinics included details of prescribed medications and medical procedures. Details of loan applications were also exposed, together with several insurance policy numbers.

Diachenko notified Broadvoice of the exposed Elasticsearch cluster, and the provider took prompt action to block unauthorized access. Broadvoice CEO Jim Murphy said the company learned on October 1 that a security researcher had accessed a subset of b-hive data files. The files had been placed in an inadvertently unsecured storage service on September 28 and were secured again on October 2. Diachenko confirmed on October 4, 2020 that the Elasticsearch cluster was no longer exposed.

Broadvoice currently believes the data was not misused. A third-party forensics firm is analyzing the data and will provide further information and updates to customers and partners.

Broadvoice has reported the breach to the authorities and is investigating. It is currently unknown whether anyone other than Diachenko found and viewed the databases.

Although most of the databases contained only limited data, cybercriminals would find it valuable and could easily use it to target Broadvoice customers in phishing campaigns. The information in the databases could be used to convince customers that they were talking to Broadvoice, so that they could be tricked into disclosing more sensitive information or making fraudulent payments.

People whose data appeared in the voicemail transcripts are the most vulnerable, since the additional information could be used to craft convincing and effective phishing campaigns.

Comparitech researchers have previously shown that people are constantly scanning for unsecured databases and that such databases are typically found within hours of being exposed. Their research showed that attempts were made to access their Elasticsearch honeypot within just 9 hours of the data being exposed, and that once databases have been indexed by search engines such as Shodan and BinaryEdge, attacks follow within minutes.

Comparitech researchers scan the internet for exposed data and report their findings to the database owners. Their aim is to get the data secured and all relevant parties notified promptly to limit the potential damage.

Updated Security and Privacy Controls Guidance for Data Systems and Organizations Issued by NIST

The National Institute of Standards and Technology (NIST) has published updated guidance on Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Revision 5).

This is the first update to the guidance since 2013, and it is a complete overhaul rather than a minor update. NIST said the new guidance will provide a solid framework for securing organizations and systems, including the personal privacy of individuals, in the 21st century.

Years of effort went into developing the updated guidance. It is the first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any sector and size and for all kinds of systems, including industrial control systems, supercomputers, and Internet of Things (IoT) devices.

It is the first catalog published anywhere in the world to cover both privacy and security controls. The guidance can help protect organizations from a range of threats and risks, such as cyberattacks, natural disasters, human error, privacy risks, infrastructure failures, and attacks by foreign intelligence agencies. The controls in the guidance can help organizations take a proactive and systematic approach to securing critical systems, components and services, and ensure they have the resilience needed to protect America’s national and economic security interests.

The guidance is intended to help federal agencies and third-party contractors meet the requirements of the Federal Information Security Management Act, and federal agencies will be required to implement the new requirements it contains. The guidelines are not mandatory for private sector companies, but NIST is encouraging the private sector to adopt the new recommendations to address privacy and security concerns.

Key updates in the new guidance include:

  • New, ‘state-of-the-practice’ controls to protect critical and high-value assets. The updates were informed by the latest threat intelligence and cyberattack data and are intended to strengthen cyber resiliency, secure system design, and security and privacy governance and accountability.
  • Security and privacy controls are integrated into a single, consolidated control catalog for systems and organizations.
  • Controls are now outcome-based, with the entity responsible for implementing each control removed from the control statement; the updated guidance focuses on the security outcome of applying the controls.
  • Supply chain risk management requirements are incorporated, with advice on integrating those requirements throughout an organization.
  • The guidance includes next-generation privacy and security controls and how-to-use guidelines.
  • Control selection processes are separated from the controls themselves, so that different communities of interest can use the controls more easily.
  • Content relationship information is improved, clarifying the relationship between controls and requirements and the connection between privacy and security controls.

NIST Fellow and co-author of the guidance Ron Ross explained that the controls provide a practical and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the resilience needed to protect America’s national security and economic interests.

Zoom Makes Settlement with NY Attorney General Over Privacy and Security Problems

Zoom has reached a settlement with the New York Attorney General’s office and has agreed to implement stronger privacy and security controls for its teleconferencing platform. New York Attorney General Letitia James opened an investigation into Zoom after researchers identified several privacy and security issues with the platform earlier this year.

Zoom has become one of the most popular teleconferencing platforms during the COVID-19 crisis. In March, more than 200 million people were participating in Zoom meetings, with usage up 2,000% in just three months. As more people used the platform more often, problems began to surface.

Meeting participants began to report incidents of uninvited individuals joining and disrupting private meetings. In many of these “Zoombombing” attacks, participants were racially abused and harassed on the basis of religion and sexuality. There were also a number of documented cases of uninvited individuals joining meetings and displaying pornographic images.

Security researchers then began to discover privacy and security problems with the platform. Zoom stated on its website that meetings were protected by end-to-end encryption; however, it was found that Zoom had used AES 128-bit rather than AES 256-bit encryption, and so its end-to-end encryption claim was untrue. Zoom was also found to have routed encryption keys through data centers in China, even when meetings were held between participants in the U.S.

Zoom used Facebook’s SDK for iOS to let users of its iOS app sign in with Facebook, which meant that Facebook received technical information about users’ devices whenever they launched the Zoom app. Although Zoom’s privacy policy stated that third-party apps may collect user information, data was found to have been sent to Facebook even when users had not used the Facebook login with Zoom. There were also privacy issues with the LinkedIn Sales Navigator feature, which let meeting participants view other attendees’ LinkedIn information even when those attendees had taken steps to remain anonymous by using pseudonyms. The Company Directory feature was found to violate the privacy of some users by leaking personal details to other users who shared the same email domain.

Zoom responded quickly to the privacy and security problems and fixed most of them within a few days of discovery. The company also announced that it was halting all feature development to focus on privacy and security, established a CISO Council and Advisory Board to address privacy and security, and recently announced that it has acquired the start-up Keybase, which will help implement end-to-end encryption for Zoom meetings.

Under the terms of the agreement with the New York Attorney General’s office, Zoom agreed to implement a comprehensive information security program to ensure its users are protected. The program will be overseen by Zoom’s head of security. The company has also agreed to conduct a full security risk assessment and code review and to fix all identified security problems with the platform. Privacy controls will also be implemented to protect free accounts, such as those used by schools.

Under the settlement, Zoom must continue to evaluate privacy and security and add further protections to give users better control over their privacy. Action must also be taken to address abusive activity on the platform.

Zoom Security Problems Make It Unsuitable for Medical Use

Zoom and other teleconferencing platforms have grown in popularity during the COVID-19 crisis as businesses and consumers use them to communicate while working from home. However, a number of Zoom security issues have been identified in recent days, raising questions about its suitability for medical use.

Researchers Uncovered Zoom Security Problems

A number of Zoom security and privacy issues have been identified in recent days. The macOS installer reportedly uses malware-like techniques to install the Zoom app without a final confirmation from the user, a method that could be exploited for malware delivery.

Two zero-day vulnerabilities were identified in Zoom’s macOS client that could allow a local user to elevate privileges and gain root access without an administrator password. The attacker could then access the microphone and webcam to intercept and record Zoom meetings.

Zoom’s feature that makes it easier for business users to find other people in their organization was also leaking information such as users’ profile photos, email addresses, and statuses. The Company Directory feature automatically adds people to a user’s contact list if they share the same email domain, and a number of users reported that strangers were added to their contact lists after they signed up with personal email addresses.

There have also been many reported incidents of Zoom-bombing, in which uninvited individuals joined meetings by guessing meeting IDs using brute force tactics. The FBI recently issued an alert following a surge in hijacking attacks. People have reported Zoom meetings being hijacked, meeting participants being abused, and pornography being displayed via the screen share feature.

There have also been reports that users’ information was being shared with Facebook through the Facebook SDK, even for users who have no Facebook account.

Zoom Doesn’t Offer End-to-End Encryption

The Intercept reported that Zoom’s implementation of end-to-end encryption does not cover video meetings. According to a Zoom spokesperson, it is not currently possible to implement E2E encryption for Zoom video meetings. Zoom video meetings use both TCP and UDP, but only the UDP connections are encrypted.

The encryption used is the same as that used to secure communications between a web browser and an HTTPS website. With transport encryption, data in transit between meeting participants is protected, but Zoom’s audio and video content is not encrypted end to end.

Zoom explained that although it is possible to access unencrypted user data, layers of protection are in place to safeguard users’ privacy. First, no one, including Zoom employees, can directly access any content shared in meetings, including but not limited to the audio, video, and chat content. Most importantly, Zoom does not mine or sell user data to anyone.

Researchers at the University of Toronto’s Citizen Lab found that the encryption and decryption keys for video conferences were sent to China. “A scan indicates that China has five servers and the United States has 68 that apparently run the same Zoom server software as the Beijing server. We believe that keys were distributed across these servers. A company mainly serving North American customers that sometimes sends encryption keys via servers in China is potentially worrisome, given that Zoom might be legally required to disclose these keys to people in China.”

Zoom announced on April 3, 2020 that those servers had been whitelisted for use in other regions as a backup bridge to ensure service continuity and that they were used only in very limited cases. The problem has since been fixed, and Zoom said the vulnerabilities did not affect Zoom for Government.

Google Issued $8 Million GDPR Penalty

The Swedish Data Protection Authority (DPA) has fined Google 75 million kronor ($7.8 million) under GDPR for failing to act on ‘right to be forgotten’ requests from EU citizens to remove web pages from its search engine listings.

The right to be forgotten in the EU predates GDPR. It was first established in EU law in 2014 following a ruling by the European Court of Justice in the case Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González. The law requires search engines to remove links to freely accessible web pages from search results generated by a search of an individual’s name, if that individual requests removal of the listing and certain conditions are met.

GDPR strengthened the right to be forgotten. On receiving a request from an EU citizen exercising the right to be forgotten, and provided the request does not conflict with the right to freedom of expression and information, personal data must be deleted immediately where the data are no longer needed for the purpose for which they were originally processed, or where the data subject has withdrawn consent and there is no other legal basis for processing.

Google has received a very large number of requests from EU citizens to remove content and has fulfilled roughly 45% of them.

The Swedish DPA audited Google in 2017 to assess how it was handling requests to delist links indexed by its search engine and ordered Google to delist a number of web pages.

In 2018, the Swedish DPA followed up on the audit and found that Google had not delisted all of the search results listed in the order. The GDPR fine relates to two listings that Google was directed to delist. In one case, Google’s interpretation of which web pages had to be removed was found to be too narrow; in the second, Google did not remove the search result listing without undue delay.

The Swedish DPA also found that when Google delists URLs, it notifies website owners that the content has been removed from its listings and provides information about who made the request. These notices ensure that website owners know about the delisting, but they also make it easy for the owners to republish the delisted content at a different URL.

The Swedish DPA said this practice undermines the effectiveness of the right to be forgotten: Google has no legal basis for informing website owners whenever it removes search result listings, and it also gives individuals unreliable information about the use of the request form.

Google disagrees with the decision and plans to appeal the penalty. Under EU law, the appeal must be filed within 3 weeks.

iland Secure Cloud Console Revision Enhances Visibility of Worldwide BaaS Environments

iland has announced that it has updated and improved its Secure Cloud Console with Veeam Cloud Connect to give large enterprises and managed service providers (MSPs) more visibility into, and control over, backups from multiple locations.

The update gives enterprises and MSPs a single-pane-of-glass view and enables global cloud backups. Clients get more granular, real-time information across multiple accounts and more control over multiple tenants without additional work or permissions.

iland has also simplified storage management with more self-service options, enabling clients to reallocate resources and onboard new tenants. The upgrade lets international MSPs and enterprises deliver backup-as-a-service in house and manage multiple repositories and locations through a single interface.

The iland BaaS Insider Protection feature provides air-gapped data storage that protects against internal and external threats, including ransomware attacks. Clients can now see the status of multi-tenant environments in a single view and change Veeam Cloud Connect tenant names and passwords easily from anywhere. The whole portfolio of Veeam cloud-based backup solutions can now be managed from a single console.

“With these most recent updates, iland is making it simple for channel and IT business clients to provide backup services around the globe with a basic, quick-to-use typical interface,” stated iland senior vice president of business development, Dante Orsini.

The latest improvements to iland Secure Cloud Backup with Veeam Cloud Connect have been rolled out across all 10 iland data centers. New clients can take advantage of a complimentary 30-day trial that includes 5 TB of data.

LabCorp Website Error Exposed Patients’ Personal and Health Data

TechCrunch researchers discovered a security flaw in a website used to host LabCorp’s internal customer relationship management system. Although the system is password protected, the researchers found a flaw in the back-end system from which patient records are retrieved: it allowed patient data to be accessed without a password, and the URL had been indexed by search engines.

Google had cached only one document containing a patient’s health data; however, other patient records could be viewed simply by changing the document number in the URL.

TechCrunch analyzed sample documents to determine what types of information were exposed. The documents mainly contained data on patients who had undergone tests at LabCorp’s Integrated Oncology specialty testing unit, including names and birth dates, laboratory test results and diagnostic information, and, for some patients, Social Security numbers.

TechCrunch attempted to determine how many documents were accessible on the website using commands that return only the files’ properties, rather than opening the files and viewing patient data. The analysis showed that approximately 10,000 documents were potentially accessible.

TechCrunch notified LabCorp of the issue, and the clinical laboratory network took the server offline while it fixed the flaw. Google has not yet removed the cached link to the exposed document, but the page is no longer active and patient data is not viewable.
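Added illustration, not code from the page, TechCrunch or LabCorp: a toy document route in Python showing the broken authorization pattern described above beside a hardened version that authenticates, checks ownership, and tells caches and crawlers to keep out. The route shape, record store and user names are constructed stand-ins.

```python
"""Constructed example: a document-by-number route before and after object-level authorization."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample records standing in for the CRM's patient documents.
DOCUMENTS = {
    1001: {"patient": "alice", "body": "Integrated Oncology result for alice"},
    1002: {"patient": "bob", "body": "Integrated Oncology result for bob"},
}

DOC_PATH = re.compile(r"^/documents/(\d+)$")  # hypothetical route shape


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None  # None models a crawler or anonymous visitor


@dataclass
class Response:
    status: int
    body: Optional[str] = None
    headers: Dict[str, str] = field(default_factory=dict)


def doc_id_from_path(path: str) -> Optional[int]:
    match = DOC_PATH.match(path)
    return int(match.group(1)) if match else None


def vulnerable_handler(req: Request) -> Response:
    """Before: the document number is the only key. No login, no ownership check,
    so any id that exists is served, and the URL is cacheable and indexable."""
    doc = DOCUMENTS.get(doc_id_from_path(req.path))
    if doc is None:
        return Response(404)
    return Response(200, doc["body"])


def hardened_handler(req: Request) -> Response:
    """After: authenticate first, then check that the caller owns the document
    (object-level authorization), and keep caches and search engines out."""
    if req.session_user is None:
        return Response(401, headers={"WWW-Authenticate": 'Basic realm="crm"'})
    doc = DOCUMENTS.get(doc_id_from_path(req.path))
    if doc is None or doc["patient"] != req.session_user:
        # Same status for "missing" and "not yours": the id space must not be an oracle.
        return Response(404)
    return Response(200, doc["body"], headers={
        "Cache-Control": "no-store, private",  # nothing for a search engine to cache
        "X-Robots-Tag": "noindex, nofollow",   # and nothing for it to index
    })


def count_readable(handler, ids, user: Optional[str] = None) -> int:
    """How many of the given document numbers an actor can read through a handler;
    the kind of enumeration check a reviewer would run against the route."""
    return sum(1 for i in ids if handler(Request(f"/documents/{i}", user)).status == 200)
```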

This is LabCorp’s second serious security incident in the last 12 months. In March 2019, LabCorp patients’ records were compromised in the American Medical Collection Agency (AMCA) breach involving 26 million records. Initially, it was thought that 7.7 million LabCorp patients were affected. However, the breach report submitted to the HHS’ Office for Civil Rights indicated that about 10,251,7847 LabCorp patients were impacted.

$1.6 Million HIPAA Penalty Paid By Texas Health and Human Services Commission

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a $1.6 million civil monetary penalty (CMP) to the Texas Health and Human Services Commission (TX HHSC) for multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules.

TX HHSC is a state agency that operates supported living centers, regulates nursing and childcare facilities, provides substance abuse and mental health services, and oversees many state programs for people in need of assistance, such as people with intellectual and physical disabilities.

OCR opened an investigation after the Department of Aging and Disability Services (DADS), a state agency that was reorganized into TX HHSC in September 2017, submitted a breach report. According to the June 11, 2015 DADS report to OCR, a security incident resulted in the online exposure of 6,617 people’s electronic protected health information (ePHI). The exposed data included names, diagnoses, treatment details, addresses, Social Security numbers, and Medicaid numbers.

The exposure was caused by the migration of an internal application, CLASS/DBMD, from a private server to a public server. A defect in the application allowed ePHI to be accessed online without any credentials, so a Google search could locate and access highly sensitive private data.

TX HHSC could not produce documentation demonstrating compliance with three key HIPAA Rules provisions. OCR therefore determined that TX HHSC had violated the following four HIPAA provisions:

  • 45 C.F.R. § 164.308(a)(1)(ii)(A) – Failure to perform a thorough organization-wide risk analysis to identify all risks to the confidentiality, integrity and availability of PHI
  • 45 C.F.R. § 164.502(a) – The failures above resulted in an impermissible disclosure of the ePHI of 6,617 individuals
  • 45 C.F.R. § 164.312(a)(1) – Failure to implement access controls: no credentials were required to access the ePHI held in CLASS/DBMD
  • 45 C.F.R. § 164.312(b) – Failure to implement audit controls that logged user access on the public server, which prevented TX HHSC from identifying who accessed ePHI within the application during the period of exposure

HIPAA financial penalties are determined by the level of culpability. OCR determined that TX HHSC’s violations did not constitute willful neglect but involved reasonable cause, which is the second penalty tier. For each of the violations above, the penalty ranges from a minimum of $1,000 to a maximum of $100,000 per year. TX HHSC’s risk analysis, access control and audit control failures spanned 2013 to 2017, hence the total penalty of $1.6 million.

“Covered entities should know who could access PHI under their care at all times. There should be no worries that somebody could discover the private health data by means of a Google search.”

The penalty was first reported in March 2019, when it appeared that TX HHSC and OCR had reached a settlement over the HIPAA violations. The 86th Legislature of the State of Texas had agreed to accept the settlement; nonetheless, the proposed settlement appears to have been rejected, and OCR issued a Notice of Proposed Determination on July 29, 2019.

TX HHSC did not contest the findings in OCR’s Notice of Proposed Determination and waived its right to a hearing. OCR collected the CMP from TX HHSC on October 25, 2019.

This is the second HIPAA penalty OCR has announced this week. A few days ago, OCR announced a $3 million settlement with the University of Rochester Medical Center to resolve HIPAA violations related to lost unencrypted devices containing ePHI.

The TX HHSC CMP is the seventh HIPAA penalty issued in 2019; the seven penalties total $9,949,000.

HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Serious Concerns

Each year, HIMSS conducts a survey to gather information about the security experiences and cybersecurity practices of healthcare organizations. The survey provides insight into the state of cybersecurity in healthcare and identifies attack trends and common security gaps.


Phishing Campaign Leverages Google Translate to Steal Google and Facebook Credentials

A phishing campaign has been identified that abuses Google Translate to make the phishing page appear to be an official Google login page.

The phishing emails in the campaign resemble several other campaigns run in the past. The messages have the subject “Security Alert” and a message body almost identical to the notifications Google sends when a user’s Google account has been accessed from an unknown device or location. The messages carry the Google logo and the text, “A user has just signed in to your Google Account from a new Windows appliance. We are transmitting you this electronic mail to confirm that it is you.”

Below the text is a clickable button labeled “Consult the activity.” Clicking it directs the user to a website with a spoofed Google login box. If credentials are entered, they are sent to the scammer.

The emails are sent from a Hotmail account, facebook_secur@hotmail.com, which is the first warning sign that the notification is fake. On desktop browsers, the URL users are directed to is clearly not an official Google URL, a further indication of a scam.

The scam is far less obvious to a user on a mobile device, however. When the button in the email is tapped, the user is taken to a phishing page served through Google Translate. The visible part of the URL in the address bar begins with translate.googleusercontent.com/translate, which makes the URL look genuine. Routing the page through Google Translate may be enough for the emails to bypass mobile security defenses, and the apparently official Google domain is likely to convince many users that the page is genuine.

If the user enters their Google credentials in the login box, an email is generated that sends the credentials to the attacker. The user is then redirected to a fake Facebook login page, where the attackers also attempt to capture the user’s Facebook credentials.

The second phishing attempt is easier to identify as fake because an outdated Facebook login box is used. By that point, however, the user’s Google account will already have been compromised.

The scam was identified by Larry Cashdollar at Akamai.
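Added example, not from the page or from Akamai: a small Python check, written from the mail-filtering side, that unwraps a Google Translate proxy link to reveal the page it really serves and flags a Google-branded alert sent from a non-Google domain. The two sample messages, the phish.example.net host and the `u` query parameter handling are constructed for the example.

```python
"""Constructed example: spotting Translate-proxied login links and off-brand senders."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

TRANSLATE_PROXY_HOSTS = {"translate.googleusercontent.com", "translate.google.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample modelled on the campaign described above (not a real capture).
# phish.example.net is a placeholder host, not a real phishing domain.
PHISH_EMAIL = """\
From: Google <facebook_secur@hotmail.com>
Subject: Security Alert
Content-Type: text/plain

A user has just signed in to your Google Account from a new Windows device.
Consult the activity: https://translate.googleusercontent.com/translate_c?sl=auto&tl=en&u=https://phish.example.net/google/login
"""

# Constructed benign counterpart: an alert that really comes from Google's domain.
BENIGN_EMAIL = """\
From: Google <no-reply@accounts.google.com>
Subject: Security Alert
Content-Type: text/plain

A new sign-in to your Google Account was detected.
Check activity: https://myaccount.google.com/notifications
"""


def is_google_host(host: Optional[str]) -> bool:
    """True for google.com and its subdomains, the only place a real Google login lives."""
    return bool(host) and (host == "google.com" or host.endswith(".google.com"))


def unwrap_translate_proxy(url: str) -> Optional[str]:
    """If url is a Google Translate proxy link, return the page it actually serves
    (carried in the 'u' query parameter); otherwise return None."""
    parts = urlparse(url)
    if parts.hostname not in TRANSLATE_PROXY_HOSTS:
        return None
    target = parse_qs(parts.query).get("u")
    return target[0] if target else None


def body_text(msg) -> str:
    """Concatenate the text/plain parts so links in multipart mail are seen too."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")


def analyze(raw_email: str) -> List[str]:
    """Return a list of findings for one message; an empty list means nothing suspicious."""
    msg = message_from_string(raw_email)
    findings: List[str] = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    text = body_text(msg)
    # A message styled as a Google account alert should originate from Google itself.
    if "google account" in text.lower() and not is_google_host(sender_domain):
        findings.append(f"Google-branded alert sent from {sender_domain or 'unknown domain'}")
    for url in URL_RE.findall(text):
        inner = unwrap_translate_proxy(url)
        if inner is None:
            continue
        inner_host = urlparse(inner).hostname
        findings.append(f"translate proxy link wraps {inner_host}")
        if not is_google_host(inner_host):
            findings.append(f"translate-wrapped page is off-Google: {inner}")
    return findings
```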

IDenticard PremiSys Access Control System Vulnerabilities Found

ICS-CERT has issued an advisory about three high-severity vulnerabilities in the IDenticard PremiSys access control system. All versions of the PremiSys software prior to version 4.1 are affected.

Successful exploitation could give an attacker full administrative access to the system, allow theft of sensitive information contained in backups, and lead to the disclosure of sensitive data. The vulnerabilities can be exploited remotely and require a low skill level to exploit. Details of the vulnerabilities have been publicly disclosed.

The most severe vulnerability, CVE-2019-3906, concerns hard-coded credentials that allow full admin access to the PremiSys WCF Service endpoint. If exploited, an attacker could gain full administrative access to the system. The vulnerability has been assigned a CVSS v3 base score of 8.8.

User credentials and other sensitive data stored by the system are encrypted, but a weak encryption method is used that could potentially be cracked, leading to the disclosure and theft of information. This vulnerability (CVE-2019-3907) has a CVSS v3 base score of 7.5.

The system stores backups as encrypted zip files, but the password needed to open the backups is hard-coded and cannot be changed. An attacker who obtains the backup files could therefore view or steal their contents. This vulnerability (CVE-2019-3908) has a CVSS v3 base score of 7.5.

Tenable’s Jimi Sebree identified and reported the vulnerabilities.

IDenticard has addressed the hard-coded credentials vulnerability (CVE-2019-3906); users should update the software to version 4.1 to fix it. IDenticard is currently developing a fix for the other two vulnerabilities, and a software update addressing them is due to be released in February 2019.

As an interim mitigation, NCCIC advises restricting and monitoring access to port 9003/TCP, placing the system behind a firewall, and making sure the access control system is not reachable from the Internet. If remote access is required, secure methods such as an up-to-date VPN should be used.

New SpeakUp Linux Backdoor Trojan Used in Widespread Attacks

Security researchers at Check Point have identified a new Trojan called SpeakUp that is being used in targeted attacks on Linux servers. The SpeakUp Linux backdoor Trojan can also be used to attack Mac devices.

The Trojan is installed by exploiting vulnerabilities in six Linux distributions, including the recently disclosed ThinkPHP vulnerability, CVE-2018-20062.

The current campaign targets Linux devices in the Philippines, China, India, and Latin America. The Trojan was first observed in late December, but infections have risen sharply since January 22, 2019. Although the malware is now detected by numerous AV engines, at the time of analysis it was not being detected as malicious.

Once installed, the malware contacts its C2 server and registers the victim’s machine. It then attempts to spread laterally within the infected subnet using a range of RCE vulnerabilities, including CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, the Hadoop YARN ResourceManager command execution flaw, and a JBoss AS 3/4/5/6 RCE vulnerability.

The malware includes a Python script that scans for further Linux servers on both internal and external subnets. Access is gained by brute force using a predefined list of usernames and passwords. Persistence is achieved through cron, and an internal mutex ensures that only one instance runs at any one time.

The SpeakUp Linux backdoor Trojan communicates continually with its C2 and downloads and runs a variety of files, including an XMRig miner. Under C2 control, the Trojan can run arbitrary code, download and execute files, kill running processes on an infected host, uninstall programs, and update its files.

Check Point researchers have attributed the SpeakUp Linux backdoor Trojan to a threat actor known as Zettabithf.

The sophistication of the malware suggests the attacker’s goal is not just to install cryptocurrency miners; once a system is infected, any number of malware payloads can be delivered. Check Point suggests that more intrusive and aggressive campaigns are likely to follow.

Xvideos Sextortion Scam Threatens to Disclose Porn Viewing Habits

An xvideos sextortion scam threatens to expose users’ porn viewing habits to friends, family, and work colleagues.

The scammer claims to have recorded the user through their webcam while they viewed content on the xvideos adult website. The email is made more credible by the inclusion of the user’s password in the message body.

The scammer claims to have gained access to the recipient’s computer and installed a keylogger. The malware supposedly allowed information to be harvested from the device, including the websites the user has visited, and gave access to the computer’s microphone and webcam.

The scammer claims to have recorded audio and video while the user visited the popular adult website xvideos, and to have used that footage to create a “double screen video”, with one half of the screen showing the webcam footage and the other showing the adult content being viewed at the time.

The user is told that the malware installed on the computer allowed contacts to be harvested from Facebook, Messenger, and the user’s email account, and is instructed to pay $969 in Bitcoin to stop the video from being emailed to every contact.

The scammer offers proof that the video is real; however, requesting proof will result in the video being sent to 6 of the user’s contacts.

The Bitcoin address supplied in the email shows that 11 people have made payments totaling 0.959 Bitcoin, around $3,272, so clearly some recipients either believe the threat is real or are unwilling to take the risk.

These scams are easy to create and require only a list of email addresses and passwords, which can easily be bought on underground markets and forums. The passwords used in the emails are real and come from earlier data breaches.

The passwords may be old, but they will no doubt be recognized, and users who do not practice good password hygiene may find their current password is included, adding to the realism of the scam. These sextortion scams are becoming increasingly common, and they are also highly effective. A similar scam identified in December also used old passwords and made similar threats; the Bitcoin wallet used in that scam showed over $50,000 in payments in a week.

Latest Cybersecurity Framework for Medical Devices Issued by HSCC

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued a new cybersecurity framework for medical devices. Medical device vendors, healthcare providers, and other healthcare industry stakeholders that adopt the voluntary framework will be able to improve the security of medical devices throughout their lifecycle.

The HSCC is a coalition of private-sector critical healthcare infrastructure entities that have partnered with the government to identify and mitigate threats and vulnerabilities facing the healthcare sector. The group includes over 200 healthcare industry and government organizations, which work collectively on strategies to address current and emerging cybersecurity challenges in the healthcare sector.

Over 80 organizations contributed to the development of the Medical Device and Health IT Joint Security Plan (JSP), which builds on recommendations made by the Healthcare Industry Cybersecurity Task Force established by the Department of Health and Human Services following the passage of the Cybersecurity Information Sharing Act of 2015.

“It is vital for medical device producers and health IT sellers to take into account the JSP’s voluntary framework and its related plans and templates all through the lifecycle of medical devices and health IT as doing so is expected to lead to better security and therefore better products for patients,” clarified HSCC.

Cybersecurity controls can be difficult to incorporate into existing processes. Organizations often do not appreciate how important security controls are, and when considering how to improve cybersecurity many do not know where to start or lack the resources to dedicate to the task. The framework helps by providing guidance on how to create a security policy and procedures that align with and integrate into existing processes.

HSCC is urging organizations to commit to adopting the JSP, as doing so is expected to improve patient safety.

The JSP can be adopted by organizations of all sizes and maturity levels and helps them improve medical device cybersecurity by addressing key challenges. Many large manufacturers have already developed cybersecurity programs similar to the JSP, so it is likely to be of most use to small and medium-sized firms that are unaware of the steps needed to improve cybersecurity and those with fewer resources to dedicate to it.

The JSP applies security-by-design principles and defines shared responsibilities among industry stakeholders to harmonize security standards, risk assessment methods and vulnerability reporting, and to improve information sharing between device manufacturers and healthcare providers. It covers the whole lifecycle of medical devices, from development to deployment, management, and end of life, and makes numerous recommendations, including building cybersecurity measures into the design and development of medical devices, handling product complaints related to cybersecurity incidents, mitigating post-market vulnerabilities, managing security risk, and decommissioning devices at end of life.

The Medical Device and Health IT Joint Security Plan can be downloaded from this link.

Apple iOS Vulnerability Allows Hackers to Spy on FaceTime Calls

A serious Apple iOS vulnerability has been discovered that allows people to access both the microphone and the front-facing camera on Apple devices by exploiting a flaw in FaceTime. The flaw even allows microphone and camera access when the call is not answered, and it has prompted several security experts to advise Apple device owners to stop using FaceTime until it is fixed.

To exploit the flaw, a user would need to use FaceTime to call another person with an iOS device. Before the call is answered, the caller adds themselves as an additional contact in Group FaceTime. Once that has happened, the person being called has their microphone turned on and the caller can hear what is happening in the room, even though the call has not been answered.

If the person being called silences the call (by pressing the power button), the front-facing camera is also activated, giving the caller video as well as audio.

Security experts have warned that it does not matter whether the call is answered: simply by calling a person it is possible to hear what is happening in the room and see everything in the camera’s field of view. Although this may be distressing for some FaceTime users, it could also result in serious harm, as compromising footage could be recorded and used for extortion.

Several cases have been posted on social media, and it is clear that this Apple iOS vulnerability is being actively exploited. Apple is aware of the problem and has said a fix will be released later this week. Until then, Apple device owners have been advised to disable FaceTime in the device settings; if FaceTime is disabled, the vulnerability cannot be exploited.

0Patch Micropatches Issued to Address 3 Zero-Day Windows Bugs

0Patch has issued micropatches to address three zero-day Windows bugs that have yet to be fixed by Microsoft, including a zero-day remote code execution vulnerability in the Windows Contacts app.

The 0Patch platform allows micropatches to be rapidly distributed, applied to, and removed from running processes without restarting the computer or even the process. The platform is still in beta, although testing and fine-tuning are almost complete. 0Patch has already issued several micropatches for zero-day vulnerabilities in Microsoft products to help organizations mitigate them temporarily until a full patch is released.

The latest round of fixes addresses three recently discovered vulnerabilities in Microsoft products.

The first patch addresses a flaw named AngryPolarBear, identified by security researcher SandboxEscaper, who released a proof-of-concept exploit for it in December. Although the vulnerability does not allow remote code execution, an attacker could leverage it to overwrite key system files, which could be used in DoS attacks.

The vulnerability allows a local unprivileged process to get a chosen system file on a vulnerable device overwritten in the context of a Windows Error Reporting XML file. The PoC replaces the XML file with a hard link to the chosen target. An attacker has little control over the content of the XML file but could exploit the flaw to corrupt the critical system file pci.sys and thus prevent the system from booting. The patch stops the XML file from being deleted.

The second patch addresses another vulnerability identified by SandboxEscaper, named readfile, for which a PoC exploit was also released in December. This vulnerability is in the Windows Installer and could allow an attacker to obtain sensitive information. It can be exploited by an unprivileged process and allows arbitrary files to be read; in the case of the PoC, the desktop.ini file.

The third patch addresses a vulnerability in the Windows Contacts app which, if exploited, could result in remote code execution on a vulnerable device. The flaw was identified by ZDI researcher John Page, who reported it to Microsoft; the 90-day window for delivering a fix has since passed. Microsoft has said it will not be issuing a fix, so while micropatches are intended as temporary fixes, this one is likely to be permanent.

The vulnerability lies in the way .Contact and .VCF contact files are stored and processed on Windows Vista through Windows 10. It allows the creation of a contact file with a malicious payload in a sub-directory, which is executed when the user clicks the link in the contact file.

The micropatches are delivered via the 0Patch platform, which can be installed free of charge. They have been developed for Windows 10 and Windows 7 (for the latter two vulnerabilities). 0Patch support should be contacted for patches for other vulnerable Windows versions.