About 54,000 Patients Impacted by Ransomware Attack at OSF HealthCare

OSF HealthCare, the not-for-profit Catholic health system based in Peoria, IL, has started sending notifications to 53,907 patients about a cyberattack that was identified on April 23, 2021.

OSF HealthCare stated that upon becoming aware of the breach, it took action to prevent continued unauthorized access and engaged a third-party forensic specialist to investigate the attack and determine its scope. The investigator confirmed the attackers first gained access to its systems on March 7, 2021 and may have had continued access until April 23, 2021.

OSF HealthCare said the attackers accessed a number of files on its systems associated with patients of OSF HealthCare Little Company of Mary Medical Center and OSF HealthCare Saint Paul Medical Center. As of August 24, the investigators had confirmed that the following types of patient data might have been exposed:

Names, contact details, birth dates, driver’s license numbers, Social Security numbers, state/government ID numbers, treatment data, diagnosis data and codes, physician names, hospital units, dates of service, prescription details, medical record numbers, and Medicare/Medicaid or other health insurance details.

A subset of patients also had financial account data, credit/debit card details, or credentials for an online financial account compromised.

People whose Social Security number or driver’s license number was exposed in the attack have been offered complimentary credit monitoring and identity protection services through Experian. OSF HealthCare states it has implemented additional safeguards and technical security measures to prevent further attacks.

OSF HealthCare published a substitute breach notice on its website that did not state the nature of the cyberattack, but this appears to have been a ransomware attack with data theft that potentially occurred 7 months earlier.

Databreaches.net reports that it learned in June of the publication of stolen information on a dark web leak site and notified OSF HealthCare about the patient data exposure. A ransomware operation known as Xing Team claimed responsibility for the cyberattack and uploaded data to its dark web leak site that contained patients’ protected health information. Databreaches.net noted that, according to the site counter, the listing had been viewed more than 350,000 times.

K and B Surgical Center & Healthpointe Medical Group Alert Patients Regarding Hacking Incidents

K and B Surgical Center, located in Beverly Hills, CA, discovered that an unauthorized individual had gained access to its computer system. The healthcare provider detected the breach on March 30, 2021, and a third-party forensic investigation confirmed that its network was breached from March 25 to March 30.

As soon as K and B Surgical Center discovered the breach, it took steps to prevent the attacker from accessing its computer system further and launched an investigation to determine the scope of the breach. On April 27, 2021, the investigation concluded that the attacker had gained access to parts of the system that contained the protected health information (PHI) of patients.

Data analysis was conducted on the breached servers to determine which types of data were exposed and which patients were affected. K and B Surgical Center stated in its breach notification letters, issued on September 3, 2021, that it only obtained the complete list of affected patients on July 27.

The types of information the attacker may have viewed and/or exfiltrated included names, telephone numbers, addresses, driver’s license numbers, diagnoses, treatment and prescription details, provider names, Medicare/Medicaid numbers, patient IDs, laboratory test data, medical insurance data, and treatment cost details. At the time the notification letters were issued, no reports had been received of any actual or attempted misuse of patient information as a result of the breach.

In total, 14,772 individuals received notification letters. K and B Surgical Center has offered the affected individuals 12 months of free credit monitoring and identity theft restoration services as a precaution against identity theft and fraud.

Following the incident, passwords were reset for all user accounts, VPN connections, and email accounts. K and B Surgical Center also installed new anti-virus software and threat monitoring tools on all computers. Employees were given additional security training, the Security Rule risk analysis was updated, and regular security audits will be conducted to check for potential vulnerabilities.

Healthpointe Medical Group Informs Patients Regarding Hacking Incident

Healthpointe Medical Group, based in Portland, OR, has notified some patients of a hacking incident and the compromise of their protected health information.

Healthpointe discovered suspicious activity on certain servers on or around June 9, 2021 and promptly took steps to secure its IT systems. A leading computer forensics firm investigated the nature and scope of the breach. On July 7, 2021, the investigation revealed that the attacker had gained access to files or folders containing patient records. A review of those files and folders was completed on July 27 and confirmed they contained names, addresses, and Social Security numbers. Healthpointe began sending notification letters to affected individuals in late August.

Healthpointe has performed a company-wide password reset, updated its firewalls, expanded the use of multi-factor authentication, and taken other steps to improve its security practices. Affected individuals were advised that they can receive a year of identity theft protection services through IDX free of charge and are covered by a $1 million identity theft insurance policy.

Patient Data Compromised Via Walgreens’ COVID-19 Test Registration System

The personal information of people who took a COVID-19 test at a Walgreens pharmacy has been exposed online because of vulnerabilities in its COVID-19 test registration system.

It is currently unclear how many people were affected, but the number may well be in the millions given the number of COVID-19 tests Walgreens has performed since April 2020. It is also unclear when the vulnerabilities were introduced, but they date back to at least March 2021, when Interstitial Technology PBC consultant Alejandro Ruiz identified them. He noticed the security problem when a relative had a COVID-19 test done at Walgreens. Ruiz contacted Walgreens about the data exposure but said the company did not respond.

Ruiz discussed the problem with Recode, and two security specialists confirmed the vulnerabilities. Recode reported the problem to Walgreens, and the company stated that it routinely evaluates and integrates additional security enhancements whenever they are deemed necessary or appropriate. Nevertheless, as of September 13, 2021, the vulnerabilities had still not been fixed.

Recode says that, using the Wayback Machine (an archive of the web), blank test confirmation pages dating back to July 2020 can be viewed, suggesting the vulnerabilities have existed since that time.

According to the security experts, the vulnerabilities stem from basic mistakes in Walgreens’ COVID-19 test scheduling and registration system. After a patient fills in the online form, they are assigned a 32-digit ID number and an appointment request form is generated; the link to that form contains the unique 32-digit ID. Anyone who has the link can access the form, and no authentication is required to view the page.

The visible part of the page shows only the patient’s name, type of test, appointment time, and location, but via the browser’s developer tools other data embedded in the page can be read, including date of birth, address, email address, phone number, and gender identity. Because the OrderID and the name of the facility that conducted the test are also included, the test result itself can be viewed, at least at one of Walgreens’ lab partners’ test result sites.

An active page could be viewed by an unauthorized person using the computer of someone who had booked a test, simply via the browser history. An employer, for instance, could see the data if the page was opened on a work computer. The information would also be visible to the third-party ad trackers present on the Walgreens appointment confirmation pages. The researchers note that the confirmation pages include ad trackers from Adobe, Facebook, Akamai, Dotomi, Google, Monetate, and InMoment, all of which could potentially access the private details.

The URLs of all confirmation pages are identical apart from the unique 32-digit code in the query string. The researchers said there are probably millions of active booking confirmation pages, since Walgreens has been conducting COVID-19 tests at around 6,000 sites across the United States for nearly 18 months.

The researchers noted that an attacker could have a bot generate 32-digit identification numbers, append them to the URL, and look for active pages. Given the number of digits in the link, this would be a lengthy task, but it is not impossible.
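As an added illustration (not Walgreens’ code; every record, ID, hostname and session value is constructed), the following Python handler reproduces the three weaknesses described above, the link alone acting as the credential, PII hidden in the page source, and a third-party script on the page, and places a hardened version beside it:

```python
"""Constructed example (not Walgreens' code) of the confirmation-page
weaknesses described above, with a hardened handler beside the weak one.
All records, IDs, hostnames and session values are made up."""
import hmac
import html
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Appointment:
    # Fields the confirmation page legitimately shows
    name: str
    test_type: str
    slot: str
    location: str
    # Fields that only need to exist server-side
    dob: str
    address: str
    email: str
    phone: str


# Constructed sample booking keyed by a 32-hex-digit order ID.
ORDER_ID = "3f9c2e1b7a4d4c0e9b1f6a2d8c5e7b90"
APPOINTMENTS: Dict[str, Appointment] = {
    ORDER_ID: Appointment("Jane Sample", "PCR", "2021-09-14 09:30",
                          "Store 0001 (constructed)", "1980-01-01",
                          "1 Example St", "jane@example.test", "555-0100"),
}
# Constructed session store: cookie value -> order ID the session is bound to.
# A real system would issue the cookie only after the patient authenticates.
SESSIONS: Dict[str, str] = {
    "sess-jane": ORDER_ID,
    "sess-other": "00000000000000000000000000000000",
}
SENSITIVE_FIELDS = ("dob", "address", "email", "phone")


def _order_id(url: str) -> str:
    """Pull orderId out of the query string (empty string if absent)."""
    return parse_qs(urlparse(url).query).get("orderId", [""])[0]


def _summary(appt: Appointment) -> str:
    """The part of the page that is meant to be visible."""
    return (f"<h1>{html.escape(appt.name)}</h1>\n"
            f"<p>{html.escape(appt.test_type)} at {html.escape(appt.location)}, "
            f"{html.escape(appt.slot)}</p>")


def vulnerable_page(url: str) -> Tuple[int, str]:
    """Weak pattern: the link alone is the credential, PII rides along in
    hidden inputs, and a third-party script on the page can read it all."""
    appt = APPOINTMENTS.get(_order_id(url))
    if appt is None:
        return 404, "Not found"
    hidden = "\n".join(
        f'<input type="hidden" name="{f}" value="{html.escape(getattr(appt, f))}">'
        for f in SENSITIVE_FIELDS)
    tracker = '<script src="https://tracker.example/pixel.js"></script>'
    return 200, f"{_summary(appt)}\n{hidden}\n{tracker}"


def hardened_page(url: str, cookie: Optional[str]) -> Tuple[int, Dict[str, str], str]:
    """Hardened pattern: serve the page only to a session bound to this
    booking, render only what is displayed, and set headers that keep the
    page out of caches and its URL out of Referer headers."""
    oid = _order_id(url)
    if cookie is None or cookie not in SESSIONS:
        return 401, {}, "Sign in to view this appointment"
    # Constant-time comparison so response timing does not hint at valid IDs
    if not hmac.compare_digest(SESSIONS[cookie].encode(), oid.encode()) \
            or oid not in APPOINTMENTS:
        return 403, {}, "Forbidden"
    headers = {
        "Cache-Control": "no-store",
        "Referrer-Policy": "no-referrer",
        "Content-Security-Policy": "default-src 'self'",  # no third-party scripts
    }
    return 200, headers, _summary(APPOINTMENTS[oid])


def leaked_fields(body: str, appt: Appointment) -> List[str]:
    """Defender check: which sensitive values appear anywhere in the HTML,
    visible or not (what a developer-tools view or a tracker would see)."""
    return [f for f in SENSITIVE_FIELDS if html.escape(getattr(appt, f)) in body]


if __name__ == "__main__":
    link = f"https://portal.example/confirm?orderId={ORDER_ID}"
    print("vulnerable leaks:", leaked_fields(vulnerable_page(link)[1], APPOINTMENTS[ORDER_ID]))
    print("hardened, no session:", hardened_page(link, None)[0])
    print("hardened, own session:", hardened_page(link, "sess-jane")[0])
```

The leaked_fields check is the kind of test a team can run against its own rendered pages to catch PII that is present in the source but not on screen.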

Any company that made such simple errors in an app that handles health care data is one that does not take security seriously, Ruiz told Recode. It is simply one more example of a big company that prioritizes its income over data privacy.

Password Recommendations by NCSC

The UK’s NCSC has updated its password recommendations. The new approach meets password strength requirements while remaining user-friendly.

There are several schools of thought on creating passwords, but all rest on the assumption that passwords must be sufficiently complex to ensure they cannot be guessed quickly, not just by humans but by the algorithms hackers use in brute force attacks.

Every year, lists of the worst passwords are published, compiled from credentials exposed in data breaches. These lists clearly show that some people are not very good at choosing passwords: “password,” “12345678,” and “qwertyuiop” appear in them regularly. Because of the risk of users choosing weak passwords, many companies now have minimum password complexity requirements, but that does not always mean strong passwords will be set.

The Issue with the Need for Password Complexity

Typically, the minimum complexity requirements call for at least one number, one lower-case and one upper-case letter, and usually a special character. Including these elements results in harder-to-guess passwords – at least in theory. In practice, people get around these requirements with passwords such as “Passw0rd!” or “Qwertyuiop1!” that satisfy the complexity rules yet are still extremely weak and highly susceptible to brute force attacks.

From a security viewpoint, every account should have a unique password that is never reused across accounts. Passwords should ideally consist of random numbers, letters, and symbols and be sufficiently long – at least 8 characters. The problem is that although such random, complex passwords are strong and resilient to brute force attacks, they are practically impossible for most people to remember, given that the average person has around 100 passwords.

The National Institute of Standards and Technology (NIST) highlighted this problem in its latest password guidance (SP 800-63B) and recommends passphrases rather than passwords, since the length of a passphrase of, for example, 16 characters provides the necessary complexity while remaining user-friendly.

Now the National Cyber Security Centre (NCSC), part of the UK’s Government Communications Headquarters (GCHQ), has recommended a new approach to creating passwords that combines security with usability.

NCSC Password Advice

The NCSC’s recommended approach contrasts with the conventional advice to use arbitrarily complex passwords. Complex passwords containing numbers, lower- and upper-case letters, and special characters are often not complex at all and offer a false sense of security, because the character combinations chosen by end users are typically not random. There are tricks many people use so that passwords are easy to remember yet satisfy complexity requirements, and those tricks are well known to hackers: for instance, replacing an E with a 3, an I with a 1 or an exclamation mark, an O with a zero, or an S with a 5.

Some letter and number combinations are also more common than others, and those common combinations are built into the password-guessing tools hackers use. Counterintuitively, compliance with these complexity requirements leads to more predictable passwords.

The NCSC password advice provides sufficient complexity while keeping passwords easy to remember. The recommendation is to combine three random words to create a password. Doing so results in passwords that are reasonably long and adequately complex, yet easy to recall.

This three-random-words approach to creating passwords is effective in several ways:

  • Length – Passwords are typically lengthier
  • Novelty – Encourages using words that were not considered in the past
  • Impact – The technique is simple to describe
  • Usability – It is easy to come up with three words and keep them in mind

NCSC technical director Dr. Ian Levy explains that the traditional advice to remember several complex passwords is just silly. By adopting this recommendation, people will be less vulnerable to cybercriminals; they should create such passwords for their important accounts and consider using a password manager.

The last point is crucial, as the three-random-words approach does not work on its own if unique passwords must be created for 100 online accounts. Three random words is not a panacea that solves the problem of remembering many passwords at a stroke; it has to be used together with secure storage.

The goal of the latest NCSC password recommendations is not to solve the password problem entirely, but to improve password diversity – that is, to reduce the number of passwords that can be guessed by cheap and efficient search algorithms, forcing an attacker to run several search algorithms (or use inefficient ones) to recover a useful number of passwords.
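As an added illustration (not NCSC’s or NIST’s code), the Python checker below shows why a policy-compliant password such as “Passw0rd!” is still predictable once the substitutions described above are undone, and how the guess space of three random words compares. The small word list, the 100,000-word dictionary, the 1,000 mangling-rule variants and the 7,776-word list are assumed figures for illustration.

```python
"""Added example (not NCSC's or NIST's code): complexity rules pass
predictable passwords; three random words add real guessing work.
Word list, dictionary size and rule count are constructed for illustration."""
import math
import re
import secrets
from typing import List

# Constructed stand-in for the dictionaries shipped with cracking tools.
COMMON_WORDS = {"password", "qwertyuiop", "welcome", "letmein", "summer",
                "football", "dragon", "monkey"}

# The substitutions the article describes, plus a few more that cracking
# rule sets undo in exactly the same way.
LEET = str.maketrans({"3": "e", "1": "i", "!": "i", "0": "o", "5": "s",
                      "$": "s", "@": "a", "4": "a", "7": "t"})


def meets_complexity_policy(pw: str) -> bool:
    """Typical policy: 8+ characters with lower, upper, digit and special."""
    return all((len(pw) >= 8, re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
                re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)))


def normalize(pw: str) -> str:
    """Undo what users do to satisfy the policy: case, leading symbols,
    trailing digits/symbols, and letter-for-symbol substitutions."""
    core = re.sub(r"^[^a-z0-9]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def is_predictable(pw: str) -> bool:
    """True when the password collapses to a word every cracker tries first."""
    return normalize(pw) in COMMON_WORDS


def assess(pw: str) -> str:
    """Verdict a sign-up form could give instead of just ticking policy boxes."""
    if is_predictable(pw):
        return "weak: a dictionary word with well-known substitutions"
    if len(pw) < 12 and not meets_complexity_policy(pw):
        return "weak: too short"
    return "ok"


def mangled_word_bits(dictionary_size: int, rule_variants: int) -> float:
    """Guess space of one dictionary word run through a set of mangling rules
    (case, suffixes, substitutions): what a cracker actually searches to
    hit passwords like Passw0rd!."""
    return math.log2(dictionary_size * rule_variants)


def passphrase_bits(wordlist_size: int, words: int = 3) -> float:
    """Guess space of `words` words drawn uniformly from a list."""
    return words * math.log2(wordlist_size)


def three_random_words(wordlist: List[str], sep: str = "") -> str:
    """NCSC-style password: three words picked with a CSPRNG, not by a person."""
    return sep.join(secrets.choice(wordlist) for _ in range(3))


if __name__ == "__main__":
    for pw in ("Passw0rd!", "Qwertyuiop1!", "Summer2021!", "correcthorsebattery"):
        print(f"{pw:22} policy={meets_complexity_policy(pw)!s:5} {assess(pw)}")
    # Assumed sizes: 100k-word dictionary with 1,000 rule variants, versus a
    # 7,776-word (diceware-sized) list for three random words.
    print(f"mangled word: {mangled_word_bits(100_000, 1_000):.1f} bits")
    print(f"three random words: {passphrase_bits(7776):.1f} bits")
```

The point of the two bit counts is the one the text makes: the mangled dictionary word sits in a search space a cheap algorithm exhausts, while three words chosen at random (not by the user) push the attacker into a much larger one.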

The Most Effective Password Strategy

According to the NCSC password recommendations, the most effective strategy is to create a password from three random words and to use a password manager. With a password manager, users can generate completely random strings of letters, numbers, and symbols that are extremely complex, yet they do not need to remember them. The passwords are stored in encrypted form in a secure password vault and are auto-filled whenever the user needs them, so there is no need to remember or type them. These tools are very secure, and many operate on a zero-knowledge model, meaning even the developer of the password manager cannot access users’ password vaults.

All a user needs to do is create a strong master password for the vault and set up 2-factor authentication. The three-random-words technique works well for the master password that unlocks the user’s vault of truly random, long, complex passwords.

There are low-cost and even free password managers. Bitwarden, for instance, offers a secure, open-source password manager free of charge, and its individual premium plan costs only $10 a year. Despite the low cost, very few people use one.

If companies and people start to use a password manager and use the most recent NCSC password recommendations, there will be a substantial improvement in password security and usability.

Wisconsin Dermatology Practice Reports Data Breach Impacting 4,400 Individuals

Forefront Management, LLC and Forefront Dermatology, S.C., based in Manitowoc, WI, discovered on June 4, 2021 that unauthorized persons had gained access to its systems and may have viewed personal and confidential staff and patient data.

The affected systems were promptly taken offline to block further unauthorized access to the network, and an investigation was launched to determine the nature and extent of the breach. On June 24, 2021, Forefront confirmed that certain files stored on its systems had been viewed and that the hacker may have obtained the personal data of a small number of Forefront employees, including their names and Social Security numbers. According to the investigation, the network was first breached on May 28, 2021, and the hacker may have had access until June 4, 2021.

During the investigation, Forefront also confirmed that the unauthorized person accessed files containing the personal data and protected health information (PHI) of a small number of current and former Forefront patients.

Patient data possibly exposed during the breach included names, addresses, birth dates, patient account numbers, health record numbers, medical insurance member ID numbers, dates of service, names of provider, and/or medical and clinical treatment data.

Forefront submitted a breach summary to state attorneys general indicating that 4,431 people were affected. Although there is no indication of any misuse of the data in the files, Forefront is giving affected individuals a free 12-month membership to TransUnion’s myTrueIdentity Credit Monitoring Service.

Forefront stated that it is improving its security standards to help prevent a similar incident in the future.

Data Breaches at UW Health MyChart Portal and Jones Family Dental

University of Wisconsin Hospitals and Clinics Authority has announced a breach of its Epic MyChart portal that affected 4,318 UW Health patients. The hospital detected unusual activity on the portal and launched an investigation on April 20, 2021 to determine the nature and scope of the breach.

The investigation concluded on May 4, 2021 and confirmed that unauthorized persons had access to the portal for approximately 4 months, from December 27, 2020 to April 13, 2021.

UW Health stated the unauthorized person had accessed the MyChart patient portal home page, which displays clinical data including dates of hospital admission, appointment reminders, care team members, subject lines of messages from health providers, and notifications of new test results. Pages were also viewed that contained some patient appointment and admission dates, demographic data such as names, addresses, telephone numbers, and email addresses, medical insurance and claims data, diagnoses, prescription drugs, and test results. Breach notification letters were mailed to affected patients beginning June 18, 2021.

UW Health has also taken steps to strengthen security, including increasing password security, requiring 2-factor authentication for MyChart portal access, disabling accounts that have been inactive for 15 months, and improving its monitoring processes.

Hacking of the Jones Family Dental Computers

Jones Family Dental, based in Ashland, OR, has reported a hacking incident that potentially compromised the protected health information (PHI) of 6,493 current and former patients. An investigation launched after suspicious computer activity was detected showed that an unauthorized person accessed its computers between April 15, 2021 and April 18, 2021.

It could not be determined whether the computers containing patient data were accessed, but the possibility cannot be ruled out. The practice does not believe any patient information was viewed or exfiltrated; nevertheless, it sent notification letters to affected individuals as a precaution.

Patient data on the computer system at the time of the breach included the following data elements: name, birth date, address, driver’s license number, treatment records, medical history, diagnostic data, and/or health/dental insurance details.

Security policies and procedures are under review and will be revised to prevent similar breaches in the future.

Over 3.2 Million People Impacted by 20/20 Hearing Care Network Data Breach

The 20/20 Hearing Care Network has begun notifying millions of current and former members about the potential compromise or deletion of some of their protected health information (PHI).

On January 11, 2021, the provider detected suspicious activity in its AWS cloud storage account and immediately took steps to stop the attacker from accessing the account further. An investigation was launched to determine the nature and extent of the breach. The third-party forensics specialists who assisted confirmed unauthorized access to its S3 buckets in AWS, the download of data from those buckets, and the deletion of all files in them.

At the end of February, the forensic investigators confirmed that some of the data downloaded from and deleted in the AWS storage account contained the PHI of some or all health plan members. Although data theft was confirmed, it was not possible to determine exactly which data was accessed or deleted from the S3 buckets. The types of data potentially obtained included names, birth dates, Social Security numbers, member ID numbers, and medical insurance data.

Beginning on or around May 28, 2021, 20/20 Hearing Care Network sent notification letters to all people potentially affected by the breach. As a precaution against misuse of member data, some affected individuals were offered free credit monitoring and identity theft protection services.

In its breach notice, 20/20 said that although data theft was confirmed, it believes there has been no misuse of member information. The report submitted to the Maine Attorney General categorizes the breach as ‘insider wrongdoing’.

Following the breach, 20/20 conducted a more rigorous review of its policies and procedures and took steps to strengthen security to prevent similar breaches in the future.

The breach was reported to the Maine Attorney General as affecting 3,253,822 people, making it one of the largest healthcare data breaches discovered in 2021.

TitanHQ’s WebTitan OTG (on-the-go) Now Available for Chromebooks

TitanHQ has released the latest version of its top-rated DNS filtering product, WebTitan Cloud. It is a cloud-based cybersecurity solution that enables users to block web-based threats, control Internet access, and gain complete visibility into the online activities of their users.

The latest release, WebTitan Cloud 4.16, includes DNS Proxy 2.06, which can filter users in Azure Active Directory and also provides directory integration with on-premises Active Directory. TitanHQ has additionally expanded WebTitan Cloud to offer protection for Chromebooks.

The new Chromebook filtering solution – WebTitan OTG (on-the-go) for Chromebooks – allows educational organizations to apply filtering controls to BYOD devices and keep students safe when using school-issued devices.

According to TitanHQ CEO Ronan Kavanagh, the new product launched after an intensive first quarter. The introduction of WebTitan Cloud 4.16 delivers significant new security capabilities for customers, and after considerable progress in 2020, TitanHQ wants these product innovations and new features to make 2021 another outstanding year for the company.

Protecting Chromebooks with WebTitan OTG (on-the-go)

Chromebook usage has grown considerably, particularly in education. Chromebooks are the most affordable way for students to access the web and online learning resources, but controls must be in place to comply with state and federal regulations such as the Children’s Internet Protection Act (CIPA).

WebTitan OTG for Chromebooks enables administrators to ensure students can only access safe, filtered internet content in class and at home. The product can be used to enforce Safe Search, block access to age-inappropriate or harmful web content, and lock down Chromebooks to prevent circumvention of the blocking settings. Administrators also get on-demand data on internet access and can see locations, content accessed, and attempts to view restricted content, including live views of internet activity.

Main Features of WebTitan OTG for Chromebooks

  • Affordable web filtering for educational institutions.
  • Quick to set up and manage remotely.
  • Complete reporting on all Chromebook end users and locations.
  • User-level policies.
  • No extra on-premises hardware necessary.
  • No slow & costly VPNs or Proxies needed.
  • Chromebooks may be shut down to prevent circumvention.
  • Speedy, easy to customize & accurate DNS filtering.

Ransomware Attack on Home Healthcare Service Provider Impacts 753,000 People

Personal Touch Holding Corp, a home healthcare services provider based in Lake Success, NY, is notifying 753,107 patients about a potential breach of their protected health information (PHI).

Personal Touch Holding Corp manages approximately 30 Personal Touch Home Care subsidiaries in more than six U.S. states. On January 27, 2021, Personal Touch learned it had suffered a cyberattack involving its private cloud. The attackers encrypted Personal Touch’s business files stored in the cloud along with those of 29 of its direct and indirect subsidiaries.

The investigation into the incident is still ongoing. At this time, it is unclear how much PHI was affected; nevertheless, it is likely that the attackers obtained information stored in the private cloud before deploying the ransomware.

A review of its cloud storage showed that the following patient data might have been compromised in the attack: names, phone numbers, addresses, birth dates, Social Security numbers, financial data such as credit card numbers, check copies and bank account details, health treatment data, medical record numbers, medical insurance cards, and health plan benefit numbers.

Employee data was likewise affected, including names, contact details, birth dates, Social Security numbers (including those of spouses and dependents), passport numbers, driver’s license numbers, birth certificates, demographic details, background and credit reports, company usernames and passwords, personal email addresses, insurance cards, fingerprints, retirement benefits details, health and welfare plan benefit numbers, health treatment details, check copies, and other financial data required for payroll.

Upon discovering the breach, Personal Touch sought outside counsel and engaged independent forensics professionals to assist with the investigation. The company has also notified the FBI, state attorneys general, and the HHS’ Office for Civil Rights, and has implemented advanced monitoring and detection software.

This is the second ransomware attack to affect Personal Touch subsidiaries in a little over a year. The first, in January 2020, saw Personal Touch report the compromise of the PHI of patients of 16 subsidiaries following a ransomware attack on Crossroads Technologies, the cloud vendor that hosted its electronic health records. That attack exposed 156,400 medical records.

More Health Insurance Companies Confirmed as Victims of Accellion Ransomware Attack and Multiple Lawsuits Filed

The number of healthcare companies reporting that they were affected by the Accellion ransomware attack continues to grow, with Trillium Community Health Plan and Arizona Complete Health among the most recent victims.

At the end of December, attackers exploited zero-day vulnerabilities in Accellion’s legacy File Transfer Appliance platform and stole data from its customers before deploying CLOP ransomware.

Trillium Community Health Plan recently notified 50,000 of its members that protected health information (PHI) such as names, dates of birth, addresses, health insurance ID numbers, and diagnosis and treatment data was stolen by the attackers and published on the internet between January 7 and January 25, 2021.

Trillium said it has stopped using Accellion, has removed all of its data files from the system, and has taken steps to reduce the risk of future attacks, including reviewing its data-sharing processes. Trillium is offering affected members complimentary credit monitoring and identity theft protection services for 12 months.

Arizona Complete Health has notified 27,390 of its plan members about the breach and the types of information compromised. The health plan has also stopped using Accellion, removed its files from the system, and offered affected plan members 12 months of free credit monitoring and identity theft protection services.

Previously, the Ohio-based supermarket and pharmacy chain Kroger announced that it had been affected by the attack and that the PHI of 368,000 customers was exposed. The University of Colorado and Southern Illinois University School of Medicine have also reported being affected.

Lawsuits Filed Against Accellion and its Customers

Several lawsuits have now been filed against Accellion and its customers over the breach. Centene Corp. has sued Accellion, alleging that it failed to comply with several provisions of its business associate agreement (BAA). The cyberattack led to the theft of the PHI of a substantial number of Centene’s health plan members. Centene expects to incur considerable costs as a result of the breach and has asked the court to order Accellion to abide by the terms of its BAA and pay all breach-related costs. Centene stated in the lawsuit that the attackers obtained 9 gigabytes of its data.

A federal lawsuit seeking class-action status has also been filed against Kroger over the breach. It alleges that Kroger was negligent and was fully aware of the potential security problems with the legacy file transfer solution, yet did not move to a more secure solution even after being advised to do so by Accellion. Kroger offered its customers 2 years of credit monitoring and identity theft protection services; however, since names, addresses, birth dates, medical information, and Social Security numbers were compromised, 2 years is not regarded as sufficient to protect Kroger customers from identity theft and fraud.

Data Breaches at Agency for Community Treatment Services, Leon Medical Centers and Proliance Surgeons

Agency for Community Treatment Services, Inc. (ACTS), based in Tampa, FL, is notifying some patients about the potential compromise of some of their protected health information (PHI) as a result of a cyberattack on October 21, 2020.

The breach was discovered on October 23 when the ransomware was deployed. The hackers had gained access to parts of the ACTS server and data networks and encrypted files to block access. Systems had to be taken offline to stop the unauthorized access. Third-party computer forensic specialists investigated the incident to determine the scope of the breach.

Although unauthorized data access was possible, the investigators found no evidence of access to or exfiltration of patient information. ACTS said this was because the attackers made considerable efforts to hide their malicious activity, so they may nevertheless have accessed or obtained information stored on the compromised systems.

The assessment of the compromised systems revealed that they held patient names, birth dates, Social Security numbers, and medical data that contain data such as diagnoses, treatment information, and health insurance data associated with the services obtained by patients from 2000 and 2013.

ACTS could bring back the encrypted data using backups and no ransom was paid. It took steps after the incident to reinforce security and avoid other attacks. Since patient information may have been exposed, ACTS is giving all affected people complimentary credit monitoring and identity theft protection services.

Leon Medical Centers Attacked with Conti Ransomware

Leon Medical Centers, a network of 8 medical centers in Miami and Hialeah, Florida, suffered a Conti ransomware attack. The attackers stole patients’ protected health information before deploying the ransomware and issued a ransom demand along with a threat to publish the stolen patient data.

The attackers claimed the stolen data included patient names, addresses, diagnoses, treatment data, medical insurance details, patient images, and Social Security numbers. They claim to have obtained the PHI of over 1 million patients, though Leon Medical Centers disputed that claim and said the amount of stolen information was greatly overstated.

The attack occurred before December 22, 2020, and Leon Medical Centers is still investigating the incident. At this time it is not clear precisely what data was stolen or how many patients were affected.

Proliance Surgeons Announces Corporate Website Breach

The corporate website of Proliance Surgeons, based in Seattle, WA, suffered a breach resulting in the likely theft of payment card information. The surgical practice explained in a December 23, 2020 breach notice that attackers had access to the website between November 13, 2019 and June 24, 2020. During that time, the attackers potentially accessed and obtained cardholder names, card numbers, zip codes, and expiry dates. No other PHI was compromised. The breach only affected individuals who paid for services online, not those who paid in person or over the phone.

The cause of the breach has been identified and addressed, and a new website with a different payment platform and stronger security protections has been implemented. Proliance has coordinated with the major payment card providers to prevent unauthorized charges on the affected cards. Individuals affected by the breach have been advised to check their statements carefully and to report any unauthorized charges to their card provider.

New Offerings Introduced by Atlantic.Net for U.S. SMBs During the COVID-19 Pandemic

The HIPAA-compliant cloud service provider Atlantic.Net introduced two new offerings on November 15, 2020, aimed at helping small- to medium-sized businesses (SMBs) during the COVID-19 pandemic.

Despite the difficulties of the pandemic, SMBs are trying to employ more long-term remote workers on minimal budgets, which has put pressure on their IT and cloud services platforms. To help companies through these challenges, Atlantic.Net has introduced two new offerings. The first gives new cloud VPS customers twice the resources previously provided, at no extra cost.

Initially, this offering is available on all Atlantic.Net cloud plans in the Orlando data center. Customers will be upgraded automatically to the features of the next-tier cloud plan. Atlantic.Net plans to make the offer available in all seven of its worldwide data centers over the coming weeks.

The second offering gives new users an automatic upgrade of Atlantic.Net’s Free Server promotion. Instead of 1 GB, users will get 2 GB. The upgrade is provided for one year at no extra cost.

COVID-19 has put IT and cloud services systems under serious stress as remote work grows and becomes more permanent. To help companies, Atlantic.Net is offering more flexibility with its cloud solutions. The aim is that not only America’s small to mid-size businesses benefit from the offerings, but also the country’s healthcare providers, which need audit-ready, HIPAA-compliant cloud solutions for about half the cost.

Atlantic.Net is a leading provider of cloud services to countless developers and SMB clients in over 100 countries. Its clients include NASA, Hilton, Lenovo, and Newegg. Atlantic.Net is also a major provider of HIPAA-compliant cloud solutions to the healthcare sector in the United States, providing scalable cloud computing through seven international data centers located in San Francisco, New York, Dallas, London, Orlando, Toronto, and Ashburn.

Information on Atlantic.Net’s most recent cloud offerings, including the pricing structure, is available on its website.

Unsecured Broadvoice Databases Held 350 Million Records, Including Health Information

Comparitech security researcher Bob Diachenko identified an unsecured cluster of databases belonging to the Voice over IP (VoIP) telecommunications provider Broadvoice. The databases held data on more than 350 million consumers.

The exposed Elasticsearch cluster was found on October 1, 2020, when the Shodan.io search engine indexed it. The cluster contained 10 collections of data. The largest held 275 million documents with information such as caller names, telephone numbers, and caller locations, along with other sensitive information. One database contained transcribed voicemail messages covering a range of sensitive matters such as financial loans and prescribed medications. That subset held more than 2 million voicemail recordings, 200,000 of which had transcriptions.

The voicemails included phone numbers, caller names, internal identifiers, and voicemail box identifiers, and the transcripts contained personal details including full names, dates of birth, telephone numbers, and other information. Voicemails left at health clinics included details of prescribed medications and medical procedures. Details of loan applications were also exposed, along with several insurance policy numbers.

Diachenko notified Broadvoice of the exposed Elasticsearch cluster and the provider took prompt action to block unauthorized access. Broadvoice CEO Jim Murphy stated that the company learned on October 1 that a security researcher had accessed a subset of b-hive data files. The files had been placed in an inadvertently unsecured storage service on September 28 and were secured again on October 2. Diachenko confirmed on October 4, 2020 that the Elasticsearch cluster was no longer exposed.

Broadvoice currently believes the information was not misused. A third-party forensics firm is analyzing the data and will provide further information and updates to customers and partners.

Broadvoice has reported the breach to the authorities and is investigating. It is currently unknown whether anyone other than Diachenko discovered and accessed the databases.

Although most of the databases held only limited data, cybercriminals would consider it highly valuable and could use it to target Broadvoice customers in phishing campaigns. The information in the databases could be used to convince customers that they were speaking with Broadvoice, and they could be tricked into disclosing more sensitive information or making fraudulent payments.

Individuals whose data appeared in the voicemail transcripts are most at risk, as the additional information could be used to craft convincing and effective phishing campaigns.

Comparitech researchers have previously explained that people are constantly scanning for unsecured databases and that they are usually found within hours of being exposed. Their research showed that attempts to access their Elasticsearch honeypot were made within just 9 hours of the data being exposed. Once databases are indexed by search engines such as Shodan and BinaryEdge, attacks follow within minutes.

Comparitech researchers scan the internet to identify exposed data and report their findings to the database owners. Their goal is to have the data secured and all relevant parties notified promptly to limit the potential damage.
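The Broadvoice cluster and the Comparitech honeypot finding above share one root cause: an Elasticsearch node listening on a routable address with authentication switched off is found and read within hours. The following audit script is an added example (not Broadvoice’s, Comparitech’s or Elastic’s code) that checks an elasticsearch.yml for that combination and shows the weak configuration beside a corrected one. It assumes the file uses flat `key: value` lines, the usual layout, and reads the keys network.host, xpack.security.enabled and xpack.security.http.ssl.enabled as documented for Elasticsearch 7.x, where security is off by default on the basic licence; the sample configurations are constructed.

```python
"""Audit an elasticsearch.yml for settings that leave a cluster readable by
anyone who finds it: bound beyond loopback with authentication off.

Added example, not Broadvoice's or Comparitech's code.  Assumptions: flat
`key: value` lines; Elasticsearch 7.x semantics (security off by default on
the basic licence; 8.x turns it on by default).  Sample configs are constructed."""
import ipaddress


def parse_flat_yaml(text: str) -> dict:
    """Collect `key: value` pairs; comments, blank lines and nested blocks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def _as_bool(value, default: bool) -> bool:
    return default if value is None else value.lower() in ("true", "yes", "on", "1")


def binds_non_loopback(host: str) -> bool:
    """True when network.host (a value or a [list]) binds anything beyond loopback."""
    for part in host.strip("[]").split(","):
        part = part.strip().strip("\"'")
        if not part or part in ("_local_", "localhost"):
            continue
        if part.startswith("_"):          # _global_, _site_, _eth0_ and similar
            return True
        try:
            if not ipaddress.ip_address(part).is_loopback:
                return True
        except ValueError:                # a hostname: assume it resolves off-box
            return True
    return False


def audit_elasticsearch(settings: dict) -> list:
    """Return findings, most severe first; an empty list means nothing to report."""
    findings = []
    exposed = binds_non_loopback(settings.get("network.host", "_local_"))
    auth_on = _as_bool(settings.get("xpack.security.enabled"), False)
    tls_on = _as_bool(settings.get("xpack.security.http.ssl.enabled"), False)
    if exposed and not auth_on:
        findings.append("CRITICAL: listens beyond loopback with xpack.security.enabled "
                        "false; every index is readable without credentials")
    elif exposed and not tls_on:
        findings.append("HIGH: authentication is on but HTTP TLS is off; credentials "
                        "cross the network in clear text")
    if exposed:
        findings.append("INFO: reachable from other hosts; unless a firewall or private "
                        "network blocks the port, internet scanners will index it within hours")
    return findings


# Constructed samples: the weak layout beside the corrected one.
WEAK_CONFIG = """
cluster.name: sample-cluster
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_CONFIG = """
cluster.name: sample-cluster
network.host: 10.0.5.12        # private address; port 9200 is firewalled to the app tier
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch(parse_flat_yaml(cfg)) or ["OK"])
```

The hardened sample still produces an INFO line on purpose: binding to a private address is only safe together with a network boundary, which a node-local config file cannot prove, so the audit reports the residual exposure rather than declaring the node secure.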

Updated Security and Privacy Controls Guidance for Data Systems and Organizations Issued by NIST

The National Institute of Standards and Technology (NIST) has published updated guidance on Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53 Revision 5).

This is the first update to the guidance since 2013, and it is a complete redevelopment rather than a minor update. NIST said the new guidance will provide a solid framework for securing organizations and systems, including the personal privacy of individuals, in the 21st century.

Years of effort went into developing the updated guidance. It is the first comprehensive catalog of security and privacy controls that can be used to manage risk for organizations of any industry and size, and for all types of systems, including industrial control systems, supercomputers, and Internet of Things (IoT) devices.

It is the first catalog published anywhere in the world to cover both privacy and security controls. The guidance can help protect organizations from a range of threats and risks, including cyberattacks, natural disasters, human error, privacy risks, infrastructure failures, and attacks by foreign intelligence agencies. The controls specified in the guidance help organizations take a proactive and systematic approach to securing critical systems, components, and services, and ensure they have the resilience needed to protect the national and economic security interests of the United States.

The guidance is intended to help federal agencies and third-party contractors meet the requirements of the Federal Information Security Management Act, and federal agencies will be required to implement the new requirements in the guidance. The guidelines are not mandatory for private sector companies; however, NIST encourages the private sector to adopt the new recommendations to address privacy and security concerns.

Some of the key updates in the new guidance are:

  • New ‘state-of-the-practice’ controls to protect critical and high-value assets, informed by the latest threat intelligence and cyberattack data, to strengthen cyber resiliency, secure system design, and security and privacy governance and accountability.
  • Security and privacy controls are integrated into a single, consolidated control catalog for systems and organizations.
  • Controls are now outcome-based: the entity responsible for implementing each control has been removed from the control statement, and the guidance focuses on the security outcome of applying the control.
  • Requirements for supply chain risk management are incorporated, with guidance on integrating those requirements throughout an organization.
  • The guidance includes next-generation privacy and security controls and how-to-use guidelines.
  • Control selection processes are separated from the controls themselves, making the controls easier for different communities of interest to use.
  • Descriptions of content relationships are improved, clarifying the relationship between controls and requirements and the connection between privacy and security.

NIST Fellow and co-author of the guidance Ron Ross explained that the controls provide a practical and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the resilience needed to protect the national security and economic interests of the United States.

Zoom Makes Settlement with NY Attorney General Over Privacy and Security Problems

Zoom has reached an agreement with the New York Attorney General’s office and has committed to implementing better privacy and security controls for its teleconferencing platform. New York Attorney General Letitia James opened an investigation into Zoom after researchers discovered several privacy and security issues with the platform earlier this year.

Zoom has become one of the most popular teleconferencing platforms during the COVID-19 crisis. In March, over 200 million people were taking part in Zoom meetings, with usage increasing by 2,000% in just three months. As more people used the platform more often, problems with it began to surface.

Meeting participants began to report uninvited individuals joining and disrupting private meetings. In many of these “Zoombombing” attacks, participants were subjected to racial abuse and harassment based on religion and sexuality. There were also several documented cases of uninvited people joining meetings and displaying pornographic images.

Security researchers then began discovering privacy and security problems with the platform. Zoom stated on its website that meetings were protected with end-to-end encryption; however, it was found that Zoom had used AES 128-bit encryption rather than AES 256-bit encryption, and so its end-to-end encryption claim was untrue. Zoom was also found to have routed encryption keys through data centers in China, even when meetings were taking place between participants in the U.S.A.

Zoom used Facebook’s SDK for iOS to allow users of the iOS mobile app to sign in via Facebook, which meant Facebook received technical information about users’ devices whenever they launched the Zoom app. While Zoom’s privacy policy did state that third-party apps may collect information about users, data was found to have been sent to Facebook even when users had not used the Facebook login with Zoom. There were also privacy problems with the LinkedIn Sales Navigator feature, which allowed meeting participants to view the LinkedIn information of other attendees, even if those attendees had taken measures to stay anonymous by using pseudonyms. The Company Directory feature was found to violate the privacy of some users by leaking personal details to other users who shared the same email domain.

Zoom responded quickly to the privacy and security problems and fixed most within a few days of discovery. The company also announced that it was halting all feature development to focus on privacy and security. Zoom likewise set up a CISO Council and Advisory Board to focus on privacy and security, and recently announced that it has acquired the start-up Keybase, which will help it implement end-to-end encryption for Zoom meetings.

Under the terms of the agreement with the New York Attorney General’s office, Zoom has agreed to implement a comprehensive information security program to ensure its users are protected. The program will be overseen by Zoom’s head of security. The company has also agreed to conduct a full security risk assessment and code review and will resolve all identified security problems with the platform. Privacy controls will also be implemented to protect free accounts, such as those used by schools.

Under the settlement, Zoom must continue to assess privacy and security and add further protections to give users better control over their privacy. Action must also be taken to curb abusive activity on the platform.

Zoom Security Problems Make It Unsuitable for Medical Use

Zoom and other teleconferencing platforms have grown in popularity during the COVID-19 crisis as businesses and consumers use them to communicate while working from home. However, in recent days a number of Zoom security issues have been identified, raising questions about its suitability for medical use.

Researchers Uncover Zoom Security Problems

A number of Zoom security issues and privacy concerns have been identified in recent days. The macOS installer reportedly uses malware-like techniques to install the Zoom app without the user giving a final confirmation. This technique could potentially be exploited for malware delivery.

Two zero-day vulnerabilities have been identified in Zoom’s macOS client that could allow a local user to elevate privileges and gain root access without an administrator password. An attacker could then access the microphone and webcam to intercept and record Zoom meetings.

Zoom’s feature that makes it easier for business users to find other people in their organization was also leaking information such as users’ profile photos, email addresses, and statuses. The Company Directory feature automatically adds individuals to a user’s contact list if they share the same email address domain. Several users reported that strangers were added to their contact lists after they signed up using personal email addresses.

There have also been many reported incidents of Zoom-bombing, in which uninvited people joined meetings by guessing meeting IDs with brute force. The FBI recently issued an alert after a surge in meeting hijacking. People have reported Zoom meetings being hijacked, participants being abused, and pornography being shown via the screen share feature.

There have also been reports that users’ information was shared with Facebook through the Facebook SDK, even for users with no Facebook account.

Zoom Doesn’t Offer End-to-End Encryption

The Intercept reported that Zoom’s implementation of end-to-end encryption does not cover video meetings. According to a Zoom spokesperson, it is currently not possible to implement E2E encryption for Zoom video meetings. Zoom video meetings use both TCP and UDP, but only the UDP connections are encrypted.

The encryption used is the same technique that secures communications between an HTTPS website and a web browser. With transport encryption, data in transit between clients is encrypted on the connections between meeting participants. However, Zoom’s audio and video content is not encrypted end to end.

Zoom explained that although it is possible to access unencrypted user data, layers of protection are in place to safeguard users’ privacy. First, no one, including Zoom personnel, can directly access any information shared during meetings, including but not limited to the audio, video, and chat content. Most importantly, Zoom does not mine user data or sell any user data to anyone.

Researchers at the University of Toronto’s Citizen Lab discovered that the encryption and decryption keys for video conferences were being sent to China. A scan found five servers in China and 68 in the United States that apparently run the same Zoom server software as the Beijing server. “We believe that keys were distributed across these servers. A company mainly serving North American customers that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally required to disclose these keys to authorities in China.”

Zoom announced on April 3, 2020 that its servers had been whitelisted for use in other regions as a backup bridge to ensure service continuity, and that the servers were only used in very limited cases. The problem has been fixed, and Zoom stated that the vulnerabilities did not affect Zoom for Government.

Google Issued an $8 Million GDPR Penalty

The Swedish Data Protection Authority (DPA) has fined Google 75 million kronor ($7.8 million) under GDPR for failing to act on ‘right to be forgotten’ requests from EU citizens to remove web pages from its search engine listings.

The right to be forgotten in the EU predates GDPR. It was first established in EU law in 2014 following a European Court of Justice ruling in the case Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González. The law requires search engines to remove links to freely accessible web pages that appear in search results for an individual’s name, if that individual requests removal of the listing and certain conditions are met.

GDPR strengthened the right to be forgotten. On receiving a request from an EU citizen exercising the right to be forgotten, and provided the request does not conflict with the right to freedom of expression and information, personal data must be deleted without delay where the data are no longer needed for the purpose for which they were processed, or where the data subject has withdrawn consent and there is no other legal basis for processing.

Google has received innumerable requests from EU citizens to remove content and has fulfilled roughly 45% of them.

The Swedish DPA audited Google in 2017 to evaluate how it handled requests to delist links indexed by its search engine, and ordered Google to delist a number of web pages.

In 2018, the Swedish DPA followed up on the audit and found that Google had not delisted all the search results listed in the order. The GDPR fine relates to two listings that Google was ordered to delist. In one case, Google’s interpretation of which web pages had to be removed was found to be too narrow. In the second case, Google did not remove the search result without undue delay.

The Swedish DPA also found that when Google delists URLs, it notifies website owners of the removal from its listings and provides information about who made the request. These notices ensure that website owners know about the delisting, but in doing so simply allow them to republish the delisted content at a different URL.

The Swedish DPA said this practice undermines the effectiveness of the right to be forgotten. Google has no legal basis for informing website owners whenever it removes search result listings, and it also gives individuals misleading information about how the request form is used.

Google disagrees with the decision and plans to appeal the financial penalty. EU law requires the appeal to be filed within 3 weeks.

iland Secure Cloud Console Revision Enhances Visibility of Worldwide BaaS Environments

iland has announced that it has updated and improved its Secure Cloud Console with Veeam Cloud Connect to give enterprises and managed service providers (MSPs) more visibility over backups and the ability to manage them across multiple locations.

The update gives enterprises and MSPs a single pane of glass view and enables global cloud backups. Clients gain more granularity, allowing them to use real-time information across multiple accounts, and more control over multiple tenants without additional work or permissions.

iland has also simplified storage management with more self-service options, allowing clients to reallocate resources and onboard new tenants. The upgrade makes it possible for international MSPs and enterprises to deliver backup-as-a-service in house and, through a single interface, manage multiple repositories and locations.

The iland BaaS Insider Protection feature provides air-gapped storage that protects data against internal and external threats, including ransomware attacks. Clients can now see the status of multi-tenant environments in a single view and change Veeam Cloud Connect tenant names and passwords easily from anywhere. The entire portfolio of Veeam cloud-based backup solutions can now be managed from a single console.

“With these latest updates, iland is making it simple for channel and IT business clients to deliver backup services around the globe with a simple, fast-to-use common interface,” said iland senior vice president of business development, Dante Orsini.

The latest improvements to iland Secure Cloud Backup with Veeam Cloud Connect have been rolled out across all 10 iland data centers. New clients can take advantage of a complimentary 30-day trial that includes 5 TB of storage.

LabCorp Website Error Exposed Patients’ Personal and Health Data

TechCrunch researchers discovered a security flaw in a website used to host LabCorp’s internal customer relationship management system. Although the system was password protected, the researchers identified a flaw in the back-end system from which patient records are retrieved. The flaw allowed patient data to be accessed without a password, and the URL had been indexed by search engines.

Google had cached just one document containing a patient’s health data. However, the researchers were able to view other patient records containing health data simply by changing the document number in the URL.

The researchers analyzed sample documents to determine what types of information were exposed. The documents mainly contained data on patients who had undergone tests at LabCorp’s Integrated Oncology specialty testing unit. They contained the following personal data: names and birth dates, laboratory test results and diagnostic information, and, for some patients, Social Security numbers.

TechCrunch researchers attempted to determine how many documents could be accessed on the website by using commands that return information about the files’ properties rather than opening the files and accessing patient data. The analysis showed that approximately 10,000 documents were potentially accessible.

TechCrunch alerted LabCorp to the issue, and the clinical laboratory network took the server offline while fixing the flaw. Google has not yet removed the cached link to the exposed document, but the page is no longer active and patient data cannot be viewed.

This is LabCorp’s second serious security incident in the last 12 months. In March 2019, LabCorp patients’ records were compromised in the American Medical Collection Agency (AMCA) breach involving 26 million records. Initially, it was thought that 7.7 million LabCorp patients were affected. However, the breach report submitted to the HHS’ Office for Civil Rights indicated that about 10,251,7847 LabCorp patients were affected.

$1.6 Million HIPAA Penalty Paid By Texas Health and Human Services Commission

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a $1.6 million civil monetary penalty (CMP) to the Texas Health and Human Services Commission (TX HHSC) for a number of violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules.

TX HHSC, a state agency, runs supported living centers, regulates nursing and childcare facilities, provides substance abuse and mental health services, and oversees many state programs for people requiring assistance, such as people with intellectual and physical disabilities.

OCR opened an investigation after the Department of Aging and Disability Services (DADS), a state agency that became part of TX HHSC in September 2017, submitted a breach report. According to the June 11, 2015 DADS report to OCR, a security incident resulted in the online exposure of 6,617 individuals’ electronic protected health information (ePHI). The exposed data included names, diagnoses, treatment details, addresses, Social Security numbers, and Medicaid numbers.

The exposure was caused by the migration of an internal CLASS/DBMD application from a private server to a public server. A defect in the application allowed ePHI to be accessed online without any authentication, so a Google search could locate and expose private, highly sensitive data.

TX HHSC could not produce documentation showing compliance with three key provisions of the HIPAA Rules. OCR therefore determined that TX HHSC violated the following four HIPAA provisions:

  • 45 C.F.R. § 164.308(a)(1)(ii)(A) – Failure to perform a comprehensive, organization-wide risk analysis to identify all risks to the confidentiality, integrity, and availability of PHI.
  • 45 C.F.R. § 164.502(a) – The failures above led to an impermissible disclosure of 6,617 individuals’ ePHI.
  • 45 C.F.R. § 164.312(a)(1) – Failure to implement access controls; no credentials were required to access the ePHI in its CLASS/DBMD application.
  • 45 C.F.R. § 164.312(b) – Failure to implement audit controls that logged user access on the public server, which prevented TX HHSC from identifying who accessed ePHI in the application during the period of exposure.
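The LabCorp flaw above (records retrievable by changing a document number, with the page indexed by Google) and the two technical TX HHSC findings (no credentials required, no audit log of who accessed ePHI) are the same defect seen twice: a record endpoint that trusts the identifier in the URL and records nothing. The following is an added example, not code from LabCorp, TX HHSC or the page, showing that vulnerable lookup beside a hardened handler that authenticates the caller, authorises the specific record, uses unguessable references, returns the same error for unknown and forbidden references, writes an audit entry for every outcome, and sends headers that keep search engines from indexing or caching the page. The records, users, session objects, client IP and the HMAC-based reference scheme are all constructed for illustration.

```python
"""Record lookup as described for the LabCorp CRM back end and the TX HHSC
CLASS/DBMD application (any requester fetches any record by number, nothing is
logged) beside a hardened handler.  Added example, not code from LabCorp,
TX HHSC or the page; records, users, sessions and the client IP are constructed."""
import hashlib
import hmac
import logging
import secrets
from dataclasses import dataclass, field

# Constructed sample "patient records", keyed by a sequential internal number.
RECORDS = {
    1001: {"patient": "alice", "result": "panel A normal"},
    1002: {"patient": "bob", "result": "panel B abnormal"},
    1003: {"patient": "carol", "result": "panel C normal"},
}


# --- vulnerable: predictable number, no authentication, no log ----------------
def fetch_record_vulnerable(doc_number: int):
    """Mirrors the described flaw: whoever supplies a number gets the record,
    so neighbouring numbers yield neighbouring records and nobody is recorded."""
    return RECORDS.get(doc_number)


# --- hardened -----------------------------------------------------------------
@dataclass
class Session:
    user: str
    roles: set = field(default_factory=set)


AUDIT: list = []  # in production: append-only, shipped off the web server


def _audit(event: str, **ctx) -> None:
    entry = {"event": event, **ctx}
    AUDIT.append(entry)
    logging.info("audit %s", entry)


SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (assumption: kept out of the repo)


def opaque_id(doc_number: int) -> str:
    """Unguessable, non-sequential reference derived from the internal number."""
    mac = hmac.new(SERVER_KEY, str(doc_number).encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


# A real system stores the opaque id next to the row; here the reverse map is built once.
_BY_OPAQUE = {opaque_id(n): n for n in RECORDS}


def handle_get_record(session, opaque: str, client_ip: str = "203.0.113.5"):
    """HTTP-style handler returning (status, body): 401 without a session,
    404 for both unknown and not-authorised references (no enumeration oracle),
    200 with the record for its owner or a clinician.  Every outcome is audited."""
    if session is None:
        _audit("denied.unauthenticated", ip=client_ip, ref=opaque)
        return 401, None
    doc_number = _BY_OPAQUE.get(opaque)
    if doc_number is None:
        _audit("denied.unknown_ref", user=session.user, ip=client_ip, ref=opaque)
        return 404, None
    record = RECORDS[doc_number]
    if record["patient"] != session.user and "clinician" not in session.roles:
        _audit("denied.not_owner", user=session.user, ip=client_ip, doc=doc_number)
        return 404, None
    _audit("read", user=session.user, ip=client_ip, doc=doc_number)
    return 200, record


def phi_response_headers() -> dict:
    """Headers for any page carrying PHI so search engines neither index nor cache it
    (the LabCorp page was reachable through a cached Google result)."""
    return {"X-Robots-Tag": "noindex, noarchive", "Cache-Control": "no-store, private"}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(fetch_record_vulnerable(1002))                          # anyone gets bob's record
    print(handle_get_record(None, opaque_id(1002)))                # (401, None)
    print(handle_get_record(Session("alice"), opaque_id(1002)))   # (404, None)
    print(handle_get_record(Session("bob"), opaque_id(1002)))     # (200, {...})
```

Two design points carry the weight here. Returning 404 for a record the caller is not allowed to see, rather than 403, means a stranger cannot tell a real reference from a nonexistent one, which removes the oracle that the document-number walk relied on. And the audit entries for denied requests are as important as those for successful reads: the TX HHSC finding under § 164.312(b) was precisely that nothing recorded who touched the application while it was exposed, so an investigation had no data to work from.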

HIPAA financial penalties are determined by the level of culpability. OCR determined that TX HHSC’s violations did not constitute willful neglect and involved reasonable cause, which is the second penalty tier. For each of the HIPAA violations above, the penalty ranges from a minimum of $1,000 to a maximum of $100,000 per year. TX HHSC’s risk analysis, access control, and audit control failures spanned the years 2013 to 2017, hence the total penalty of $1.6 million.

“Covered entities should know who can access PHI under their care at all times. There should be no concern that someone could discover private health data through a Google search.”

The penalty was first reported in March 2019, when it appeared that TX HHSC and OCR had reached a settlement over the HIPAA violations. The 86th Legislature of the State of Texas had agreed to accept the settlement; nonetheless, it appears the proposed settlement was declined. OCR issued a Notice of Proposed Determination on July 29, 2019.

TX HHSC did not contest the findings in OCR’s Notice of Proposed Determination and chose to waive its right to a hearing. OCR received the CMP payment from TX HHSC on October 25, 2019.

This is the second HIPAA penalty OCR has announced this week. A few days ago, OCR announced a $3 million settlement with the University of Rochester Medical Center to resolve HIPAA violations related to lost unencrypted devices containing ePHI.

Seven HIPAA penalties have been issued in 2019, totaling $9,949,000, with the TX HHSC CMP being the seventh.