North Shore University Hospital, PracticeMax and Ascension Michigan Report Data Breaches

North Shore University Hospital (NSUH), based in Manhasset, NY, has reported that a former employee accessed protected health information (PHI) without a valid reason. 7,614 patients have been informed that a former worker viewed their PHI without consent.

It is unclear when NSUH noticed the unauthorized access to PHI. According to NSUH, it determined on April 11, 2019 that unauthorized access had occurred between October 2009 and February 2019. Initially, the employee was suspended while the breach was investigated. Afterward, the individual’s employment was terminated as a result of the unauthorized access. The breach was reported to the respective authorities, which requested a delay in issuing notification letters so as not to impede the investigation. NSUH said it has not received any report of improper use of patient data and that no charges were filed against the ex-employee with respect to the unauthorized access.

PracticeMax

PracticeMax, a business management and IT solutions company, recently advised the Maine Attorney General that a data breach has affected 165,698 people. PracticeMax stated it started having technical problems on May 1, 2021 and began looking into the likely security breach.

The forensic investigation confirmed that unauthorized people had access to its systems from April 17, 2021, probably until May 5, 2021. The attackers accessed a server and possibly copied files containing the PHI of patients and of its clients’ health plan members before deploying ransomware.

PracticeMax stated it issued breach notification letters on behalf of affected clients on October 19, 2021, but the review of the server had not yet been completed. The review was concluded on February 2, 2022, and affected clients received updates on February 14, 2022. The types of data stored on the server varied from person to person and may have contained names and Social Security numbers. PracticeMax explained that on March 4, 2022, it started mailing additional notification letters to individuals who had not been informed before.

According to the most recent website announcement, PracticeMax is still assessing the security of its systems and improving existing policies and processes, including implementing additional technical and administrative security measures.

Ascension Michigan

Ascension Michigan started notifying 27,177 people about an incident of prolonged unauthorized access to electronic medical records. Ascension Michigan stated it immediately terminated the user’s access to the network upon becoming aware of the unauthorized access. The investigation of the incident revealed that the hacker had access to patient records in the EHR system from October 15, 2015 to September 8, 2021.

An audit of the unauthorized access was completed on November 30, 2021, and confirmed the exposure of these types of data: complete names, addresses, email addresses, dates of birth, telephone numbers, health insurance ID numbers and providers, health insurance data, dates of service, diagnoses, treatment-related records, and, in a number of cases, Social Security numbers.

Following the breach, Ascension Michigan examined its internal settings and modified its processes to better protect patient information. It also provided credit and identity theft protection monitoring services to affected individuals.

Patient Data Exposed in Ransomware Attacks on Family Christian Health Center & Jackson County Hospital

Family Christian Health Center (FCHC), based in Illinois, has reported experiencing a ransomware attack in November 2021 that led to the breach of the protected health information (PHI) of 31,000 patients. The ransomware attack was discovered on November 30, 2021, and the investigation confirmed that the hackers initially gained access to its IT systems on or around November 18, 2021.

The attackers breached FCHC’s old dental system, which held the PHI of individuals who had received dental services before August 31, 2020. The system stored the patients’ names, dates of birth, driver’s license numbers, insurance card numbers, and copies of patients’ driver’s licenses and insurance cards. FCHC stated that details of the dental care delivered, Social Security numbers, and credit card numbers of impacted dental patients were not exposed. The PHI of non-dental patients who received medical services between December 5, 2016 and August 31, 2020 was likewise exposed. The information included names, addresses, birthdates, insurance identification numbers, and Social Security numbers.

FCHC and third-party IT companies worked together to investigate the breach. A forensic specialist was engaged to determine how the attackers gained access to the network and to recommend additional security measures to prevent further attacks. FCHC said it has implemented additional technical safeguards.

Patient Information Likely Exposed in Jackson County Hospital Attack

Jackson County Hospital in Florida recently reported that unauthorized persons gained access to certain systems on its network and likely viewed or acquired the personal and health data of a number of patients. The security breach was noticed on or about January 9, 2022, when a number of systems became unavailable.

Third-party forensic professionals investigated the cyberattack and confirmed the exfiltration of limited patient data from its systems, such as names, addresses, dates of birth, phone numbers, Social Security numbers, healthcare histories, medical condition/treatment details, patient account numbers, medical record numbers, diagnosis codes, Medicaid/Medicare numbers, financial account data, and usernames/passwords. At this point, Jackson County Hospital has not received any evidence of improper use of patient information. Nevertheless, affected patients were cautioned to be vigilant and to review their account statements and explanation of benefits statements for signs of fraudulent transactions.

Jackson County Hospital stated that the investigation of the cyberattack is continuing and steps are being taken to improve security. Existing policies and procedures are being reviewed, and additional administrative and technical safeguards will be applied to further protect the data in its systems.

The breach was reported to the HHS’ Office for Civil Rights; however, it is not yet displayed on the breach portal, so it is still unclear how many people were impacted.

PHI Breaches Reported by Advent Health Partners and Loyola University Medical Center

Email accounts that held the protected health information (PHI) of patients were compromised at Advent Health Partners and Loyola University Medical Center.

Loyola University Medical Center

Loyola University Medical Center (LUMC) has informed 16,934 patients regarding the potential compromise of some of their PHI because an unauthorized person acquired access to a worker’s email account. On October 31, 2021, upon noticing suspicious activity with the email account, LUMC secured the account quickly and launched an investigation to find out the nature and extent of the attack.

The investigation showed the account had been accessed from October 29, 2021 to October 31, 2021; however, it was not possible to determine whether any email messages or file attachments were viewed or obtained. No evidence was found of actual or attempted improper use of patient data.

An analysis of the email messages within the account showed they included these types of patient data: Complete name, address, phone, birth date, email, and medical data like medical record number, ailments, prescription drugs, test data, healthcare facility, type of service and a number of health plan details.

Although the incident is considered to have a low risk of identity theft and fraud, impacted persons were offered a free 12-month membership to a credit monitoring and dark web monitoring service.

LUMC stated it has invested considerably in cybersecurity and has a solid security program that includes dedicated cybersecurity staff, assessment of security controls, and 24/7/365 monitoring.

Advent Health Partners

Advent Health Partners based in Nashville, TN provides hospital groups with claims management services. It was found at the beginning of September 2021 that an unauthorized person had acquired access to selected employee email accounts. An investigation into the incident confirmed the magnitude and nature of the data breach. On December 8, 2021, a number of files in the breached email accounts were possibly accessed.

Advent Health Partners is provided with limited data sets for regular operational purposes linked to communications with medical insurance providers, and some of that data was kept in email file attachments.

The company sent notifications to all impacted persons and provided a free membership to credit monitoring and identity theft protection services. Advent Health Partners stated it has evaluated and updated its security guidelines and has enforced more safety measures to enhance email security.

The HHS’ Office for Civil Rights breach portal does not yet list the breach, so it is currently unclear how many people were impacted.

CISA Provides Companies With Mobile Device Cybersecurity Checklist

The Cybersecurity and Infrastructure Security Agency (CISA) has released new guidance to help companies safeguard mobile devices and securely access business resources from them.

The Enterprise Mobility Management (EMM) system checklist was designed to support businesses in enforcing policies that reduce vulnerabilities and block threats that could compromise mobile devices and the business networks to which they connect. The steps in the checklist are simple for companies to put in place, can considerably strengthen mobile device security, and allow mobile devices to be used safely to access organization systems.

CISA recommends a security-focused approach to mobile device management. When selecting mobile devices that meet business requirements, an assessment should be carried out to identify potential supply chain risks. The Mobile Device Management (MDM) system should be configured to update automatically so that it always runs the most recent version of the software and patches are applied automatically to fix known vulnerabilities.

A policy must be enforced for trusting devices, restricting access to company resources when the device lacks the most current patch level, is not configured to enterprise standards, is unlocked or rooted, or is not consistently monitored by the EMM.

Strong authentication settings should be used, such as strong passwords/PINs, with PINs containing at least 6 digits. When possible, fingerprint or face recognition should be enabled. Two-factor authentication must be enforced for business networks, requiring a password/passcode plus one additional method of authentication such as an SMS message, rotating password, or biometric input.

CISA suggests practicing good app security, which includes only downloading applications from trusted app vendors, isolating enterprise applications, minimizing the PII stored in apps, disabling sensitive permissions, restricting OS/app synchronization, and vetting enterprise-developed applications.

Network communications need to be secured by turning off unnecessary network radios (Bluetooth, NFC, GPS, Wi-Fi) when not in use, disabling user certificates, and using only secure communication software and protocols, for instance a VPN for connecting to the business network.

Mobile devices should be protected at all times. A Mobile Threat Defense (MTD) system should protect against malicious applications that could compromise applications and operating systems, and should detect incorrect settings. Devices should only be charged using trusted chargers and cables, and the lost-device function should be turned on so that devices are wiped after a specific number of incorrect login attempts (10, for instance). It is also necessary to protect critical business systems and prevent them from being accessed from mobile devices because of the risk of transmitting malware.
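The device-trust conditions summarized above can be expressed as a posture check that runs before a device is allowed to reach company resources. The following is an added example, not code from CISA or from any EMM product: the `DevicePosture` record, the function names, the reason strings and the 24-hour check-in window are assumptions, and the sample devices are constructed.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

MIN_PIN_DIGITS = 6                      # minimum PIN length named in the checklist summary
MAX_WIPE_THRESHOLD = 10                 # the summary's example value for wipe-on-failure
MAX_CHECKIN_AGE = timedelta(hours=24)   # assumption: what "consistently monitored" means


@dataclass(frozen=True)
class DevicePosture:
    """Hypothetical posture record, e.g. one row of an EMM inventory export."""
    device_id: str
    patch_level: date                   # date of the installed security patch level
    meets_enterprise_config: bool
    unlocked_or_rooted: bool
    last_emm_checkin: datetime
    pin_digits: int
    wipe_after_failed_logins: int       # 0 means the wipe function is disabled


def trust_violations(dev, required_patch_level, now):
    """Return the reasons to restrict access; an empty list means the device is trusted."""
    reasons = []
    if dev.patch_level < required_patch_level:
        reasons.append("patch_level_outdated")
    if not dev.meets_enterprise_config:
        reasons.append("config_noncompliant")
    if dev.unlocked_or_rooted:
        reasons.append("unlocked_or_rooted")
    if now - dev.last_emm_checkin > MAX_CHECKIN_AGE:
        reasons.append("emm_checkin_stale")
    if dev.pin_digits < MIN_PIN_DIGITS:
        reasons.append("pin_too_short")
    # Wipe must be enabled and must trigger at or before the threshold.
    if not 0 < dev.wipe_after_failed_logins <= MAX_WIPE_THRESHOLD:
        reasons.append("wipe_not_enforced")
    return reasons


def access_decision(dev, required_patch_level, now):
    """Deny by default: any single violation blocks access and is reported."""
    reasons = trust_violations(dev, required_patch_level, now)
    return {"device_id": dev.device_id, "allow": not reasons, "reasons": reasons}


# Constructed sample inventory (not real devices).
NOW = datetime(2022, 3, 15, 12, 0, tzinfo=timezone.utc)
REQUIRED_PATCH = date(2022, 3, 1)
SAMPLE_DEVICES = [
    DevicePosture("phone-a", date(2022, 3, 1), True, False,
                  NOW - timedelta(hours=2), 6, 10),
    DevicePosture("phone-b", date(2021, 11, 1), True, True,
                  NOW - timedelta(days=5), 4, 0),
    DevicePosture("tablet-c", date(2022, 3, 5), False, False,
                  NOW - timedelta(hours=30), 8, 10),
]

if __name__ == "__main__":
    for device in SAMPLE_DEVICES:
        print(access_decision(device, REQUIRED_PATCH, NOW))
```

Returning every failed condition, rather than stopping at the first, gives the help desk and the device owner the full list of items to remediate before access is restored.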

CISA’s mobile device cybersecurity checklist is downloadable on this page.

Vulnerabilities Discovered in Philips IntelliBridge, Efficia and Patient Information Center Patient Monitors

Five vulnerabilities were identified that affect the following products: the IntelliBridge EC 40 and EC 80 Hub, Philips Patient Information Center iX, and Efficia CM series patient monitors.

IntelliBridge EC 40 and EC 80 Hub

Two vulnerabilities were found that impact C.00.04 and earlier versions of the IntelliBridge EC 40 and EC 80 Hub. An unauthorized individual who successfully exploits the vulnerabilities could execute software, modify system configurations, and view or update files that may include unidentifiable patient data.

CVE-2021-32993 – The first vulnerability is a result of the use of hard-coded credentials within the software program for its own inbound authentication, outbound communication to external components, or the encryption of internal files.

CVE-2021-33017 – The second vulnerability is an authentication bypass. Although the regular access path of the product requires authentication, an alternate path was identified that does not require authentication.

Both vulnerabilities were assigned a CVSS v3 severity score of 8.1 out of 10.

Philips has not released a fix to address the vulnerabilities, but expects to correct them before the end of 2021. For the time being, Philips advises using the devices only within Philips-authorized specifications, and using only Philips-approved software, software configuration, security configuration and system services. The devices must be physically or logically isolated from the hospital network.

Patient Information Center iX and Efficia CM Series Patient Monitors

Three vulnerabilities were discovered that affect the Philips Patient Information Center iX and Efficia CM series patient monitors. The vulnerabilities can be exploited to obtain access to patient information and to carry out a denial-of-service attack. Although attack complexity is low, the vulnerabilities can only be exploited from an adjacent network.

The vulnerabilities affect these Philips products:

  1. Patient Information Center iX (PIC iX): Versions B.02, C.02, C.03
  2. Efficia CM Series: Revisions A.01 to C.0x and 4.0

Vulnerable versions of the PIC iX do not properly validate input to confirm that it has the properties required to be processed securely and correctly. The vulnerability is tracked as CVE-2021-43548 and has an assigned CVSS severity rating of 6.5 out of 10.

A hard-coded cryptographic key is used, meaning encrypted data may be recovered from vulnerable versions of the PIC iX. The vulnerability is tracked as CVE-2021-43552 and was given a 6.1 CVSS score.

The use of a broken or risky cryptographic algorithm means sensitive information can be compromised in communications between Efficia CM Series and PIC iX patient monitors. The vulnerability is tracked as CVE-2021-43550 with a 5.9 CVSS score.

CVE-2021-43548 has been fixed in PIC iX C.03.06, and patches for the other two vulnerabilities are expected to be available by the end of 2022.

To reduce the potential for exploitation, the devices should only be used according to Philips-authorized specifications, which include physically or logically isolating the products from the hospital’s local area network and using a firewall or router with access control lists that limit traffic in and out of the patient monitoring network to only the needed ports and IP addresses.

Philips-supplied hardware has BitLocker Drive Encryption enabled by default, and this must not be disabled. Before disposal, NIST SP 800-88 media sanitization guidelines should be followed. Patient data is not included in archives automatically; therefore, when archives that contain patient records are exported, the data must be stored securely with strong access controls.

82% Of Healthcare Providers Have Encountered an IoT Cyberattack during the Past 18 Months

Medigate and CrowdStrike conducted a new study that highlights the extent to which threat actors are targeting healthcare Internet of Things (IoT) devices and warns about the troubled state of IoT security in the healthcare field.

The number of IoT devices used in healthcare has gone up substantially in recent years as connected health drives a trend in the delivery of health care. Healthcare organizations are increasingly reliant on IoT devices to perform a variety of important functions, and although the devices provide massive clinical benefits, cybersecurity must be taken into consideration.

Cyber threat actors have disproportionately targeted healthcare companies for a number of years because of the great value of healthcare information, the ease with which it can be monetized, and the relatively poor cybersecurity protection in healthcare compared to other industries. The rapid adoption of IoT devices has caused a big growth in the attack surface, which gives cyber actors many more opportunities to carry out attacks. Additionally, IoT devices frequently have weaker cybersecurity controls than other devices and could offer an easy access point into healthcare systems.

The research involved a survey of healthcare companies to find out what risks they have experienced in the last 18 months. 82% of surveyed healthcare companies stated they have encountered at least one form of IoT cyberattack during the past 18 months. 34% of survey participants said the attackers used ransomware. The situation will probably grow worse since the number of IoT devices in healthcare is increasing. Based on the report, spending on connected medical devices has been forecast to grow at a CAGR of 29.5% until 2028.

One of the primary issues with protecting IoT devices is insufficient tracking of all connected devices, which is particularly weak in the healthcare sector. IoT security threats can be managed and reduced to an acceptable level; however, if healthcare providers have no visibility into the IoT devices that connect to the internet, important security enforcement systems cannot function at the necessary levels.

Healthcare institutions should have a clear view of the security posture of every device and be aware of network status, location, and device usage. There can be 100 or even more devices in use, so monitoring those devices and the protection status of each one can be a big problem that will only worsen as the number of devices rises.

The researchers make a number of suggestions for improving IoT security, such as endpoint detection and response (EDR), network segmentation, and orchestrated visibility, allowing attacks to be quickly contained. It is also essential to make sure insurance policies provide enough coverage.

HDOs should have a complete understanding of their overall connected landscapes; otherwise, threat intelligence cannot be correctly processed or linked to the appropriate devices, and remediations will not have the desired impact. Processes that continually improve visibility and its orchestration, EDR, and containment capability should be set up, or these extra defense layers cannot perform at their intended levels.

To scale the delivery of connected health, the researchers point out that security and asset management processes need to converge. The researchers suggest establishing a common reference foundation, not just to modernize current infrastructure where feasible but to ensure the performance of long-term investments in layered capabilities.

127,000 NorthCare Patients’ PHI Potentially Exposed Due to Ransomware Attack

NorthCare, a mental health clinic based in Oklahoma City, OK, suffered a ransomware attack in June 2021 that resulted in the compromise of patients’ protected health information (PHI).

NorthCare discovered suspicious system activity on June 1, 2021, when ransomware was used to encrypt files. The investigation of the ransomware attack confirmed the system was breached on May 29, 2021. The threat actors immediately deployed ransomware to block access to files and issued a ransom demand in exchange for the keys to decrypt data files.

NorthCare immediately took steps to contain the impact of the attack, and although it was not possible to stop file encryption, the health clinic was able to restore its network and data from backups without paying any ransom.

The attackers had accessed areas of the network that stored the protected health information of patients. Although the investigators did not confirm any data exfiltration, NorthCare is assuming the threat actors got access to patient information. The types of information possibly exposed in the attack were the patients’ full names, birth dates, addresses, Social Security numbers, and medical diagnoses.

After the attack, third-party forensics specialists helped with the investigation as well as remediation work. NorthCare has notified the Federal Bureau of Investigation and is working with technical professionals to strengthen the security of its network and restrict access to it.

Considering that the attackers possibly accessed and acquired protected health information, NorthCare has provided identity monitoring, identity theft restoration, and fraud consultation services to persons affected by the breach for 12 months for free.

The breach notification received by the Maine attorney general revealed that the ransomware attack potentially affected the protected health information of 127,883 patients.

Medical AI Database Made up of More Than 800 Million Records Exposed On the Web

Security researcher Jeremiah Fowler and Website Planet discovered an unsecured database that belongs to Deep6.ai, an American medical AI platform provider. The database held more than 800 million records of patients and doctors and could be accessed online by any person without a password.

Deep6.ai has created AI-based software that can be applied to raw data to identify people with medical conditions that are not stated in their medical files. The software is especially helpful for finding individuals who fit the criteria for clinical trials and can considerably reduce the time needed to locate appropriate trial participants.

The database included 68.53 GB of files and had 886,521,320 documents, the majority of which were related to persons in America. Although some of the information was encrypted, physician notes and doctor data were in plain text and could be seen by anybody.

Fowler and Website Planet discovered the following information in the dataset: Date, document type, physician note, encounter IDs, patient IDs, uuid, noteId, patient type, note type, date of service, and specific note text. Physician notes comprised details of patients’ health problems, treatment, medicines, and in a number of cases, details regarding patients’ household, emotional and social concerns.

The dataset included three parts: a concept index made up of 21 million records that disclosed lab test results and medicines; a patient index containing 422 million records that revealed internal patient logging and tracking procedures, though patient names were not kept in plain text; and a provider index, which contained 89,000 records that revealed doctor names, internal patient ID numbers, record locations and .CSV files, and other possibly sensitive details, with files stating where information is saved.

Besides exposing the information to anybody with an Internet connection, the database was additionally vulnerable to a ransomware attack. After exploring the database, Fowler and Website Planet were able to determine that the database belonged to Deep6.ai. Following responsible disclosure protocols, Deep6.ai was informed and the database was quickly secured. It is unclear how long the database was exposed on the internet and whether any person viewed the records during that time.

About 54,000 Patients Impacted by Ransomware Attack at OSF HealthCare

OSF HealthCare, a not-for-profit Catholic health system based in Peoria, IL, started sending notifications to 53,907 patients regarding a cyberattack that was identified on April 23, 2021.

OSF HealthCare stated that upon becoming aware of the breach, it took action to prevent further unauthorized access and engaged a third-party forensic specialist to investigate the attack and determine the extent of the breach. The investigator confirmed the attackers first gained access to its systems on March 7, 2021 and possibly had continued access until April 23, 2021.

OSF HealthCare mentioned the attackers accessed a number of files on its system that were associated with patients of OSF HealthCare Little Company of Mary Medical Center and OSF HealthCare Saint Paul Medical Center. As of August 24, the investigators confirmed that the following types of patient data might have been exposed:

Names, contact details, birth dates, driver’s license numbers, Social Security numbers, state/government ID numbers, treatment data, diagnosis data and codes, physician names, hospital units, dates of service, prescription details, medical record numbers, and Medicare/Medicaid or other health insurance details.

A subset of patients additionally had financial account data, credit/debit card details, or credentials for an online financial account compromised.

People whose Social Security number or driver’s license number was exposed in the attack have been provided complimentary credit monitoring and identity protection services via Experian. OSF HealthCare states it has implemented further safeguards and technical security measures to prevent other attacks.

OSF HealthCare published a substitute breach notice on its website, which did not mention the nature of the cyberattack. However, this appears to have been a ransomware attack with data theft that potentially occurred 7 months earlier.

Databreaches.net reports that it was informed about the publication of stolen information on a dark web leak website in June and notified OSF HealthCare of the patient data exposure. A ransomware operation known as Xing Team claimed responsibility for the cyberattack and uploaded information containing patients’ protected health information to its dark web leak site. Databreaches.net explained that the site listing was viewed more than 350,000 times, according to the site counter.

K and B Surgical Center & Healthpointe Medical Group Alert Patients Regarding Hacking Incidents

K and B Surgical Center, located in Beverly Hills, CA, found out that an unauthorized individual gained access to its computer system. The healthcare company detected the security breach on March 30, 2021, and a third-party forensic investigation confirmed the breach of its network from March 25 to March 30.

As soon as K and B Surgical Center discovered the breach, it took steps to prevent the attacker from further accessing its computer system. It started an investigation to determine the extent of the breach. On April 27, 2021, the investigation concluded that the attacker had gained access to areas of the system that contained the protected health information (PHI) of patients.

Data analysis was conducted on the breached servers to determine which types of data were breached and which patients were impacted. K and B Surgical Center stated in its breach notification letters, issued on September 3, 2021, that it only obtained the complete list of affected patients on July 27.

The types of information that the attacker possibly viewed and/or exfiltrated included the following: names, telephone numbers, addresses, driver’s license numbers, diagnoses, treatment and prescription details, provider names, Medicare/Medicaid numbers, patient IDs, laboratory test data, medical insurance data, and treatment expense details. When the breach notification letters were issued, no reports had been received of any actual or attempted improper use of patient information as a result of the security breach.

Altogether, 14,772 individuals received the notification letters. K and B Surgical Center has offered the affected individuals 12 months of free credit monitoring and identity theft restoration services as a precaution against identity theft and fraud.

Following the security incident, passwords were changed for all user accounts, VPN connections, and email accounts. K and B Surgical Center also installed new anti-virus security systems and threat monitoring programs on all computers. The employees were retrained on security, its Security Rule risk analysis was updated, and regular security audits will be carried out to check for potential vulnerabilities.

Healthpointe Medical Group Informs Patients Regarding Hacking Incident

Healthpointe Medical Group based in Portland, OR has informed some patients regarding a hacking incident and the compromise of their protected health information.

Healthpointe uncovered suspicious activity on selected servers on or around June 9, 2021 and promptly took steps to secure its IT systems. A top-rated computer forensics agency investigated the nature and magnitude of the breach. On July 7, 2021, the investigation report revealed the attacker had obtained access to files or folders that had patient records. An evaluation of those files and directories was finished on July 27 and affirmed they included names, addresses, and Social Security numbers. Healthpointe began sending notification letters to affected people in late August.

Healthpointe has carried out a company-wide password reset, updated its firewalls, broadened the use of multi-factor authentication, and taken other steps to improve its security practices. Affected persons were advised they can get a year of identity theft protection services via IDX free of charge and will be protected by a $1 million identity theft insurance policy.

Patient Data Compromised Via Walgreens’ Covid-19 Test Registration System

The personal information of people who had taken a COVID-19 test at a Walgreens pharmacy was exposed online because of vulnerabilities found in its COVID-19 test registration system.

It is currently unclear how many persons were impacted, although the number may well be in the millions considering the number of COVID-19 tests Walgreens has performed since April 2020. It is unclear when the vulnerabilities were introduced to the site; however, they date back to at least March 2021, when Interstitial Technology PBC consultant Alejandro Ruiz identified them. He found a security problem when a relative had a COVID-19 test at Walgreens. Ruiz got in touch with Walgreens to advise them of the data exposure; however, he said the firm did not respond.

Ruiz talked to Recode about the problem. Two security specialists confirmed the security vulnerabilities. Recode raised the problem with Walgreens, and the organization stated that it routinely evaluates and integrates more security improvements when considered either needed or appropriate. Nevertheless, as of September 13, 2021, the vulnerabilities had not yet been resolved.

Recode says that using the Wayback Machine, an archive of the Web, blank test confirmations dating back to July 2020 can be viewed, suggesting the vulnerabilities have existed since that time.

According to the security experts, the vulnerabilities were caused by basic mistakes in Walgreens’ COVID-19 test scheduling registration system. After a patient fills out an online form, they are given a 32-digit ID number and an appointment request form is generated, which includes the unique 32-digit ID number in the web link. Anybody who has that link is able to access the form. No authentication is necessary to access the page.

The pages simply consist of a patient’s name, type of test, booking schedule and location in the seen part, however by means of the developer tools screen of an internet browser, other data can be accessed, such as date of birth, address, email address, phone number, and gender identity. Considering that the OrderID and the name of the facility that conducted the test are also contained in the information, it is possible to view the test result, at least at one of Walgreens’ lab partners’ test result sites.

An active page may be seen by an unauthorized person if making use of a computer of somebody who had set a test through their Internet history. An employer, for instance, can see the data in case the page was used on a work computer. The information would likewise be viewable to the third-party ad trackers existing on the Walgreens appointment confirmation pages. Researchers take note that the confirmation pages include ad trackers from Adobe, Facebook, Akami, Dotomi, Google, Monetate, and InMoment, all of which may possibly access private details.

The links of all confirmation pages are similar besides the unique 32-digit code contained in a “query string”. The researchers stated there are probably millions of active booking confirmation pages since Walgreens has been doing COVID-19 tests at about 6,000 websites throughout the United States for nearly 18 months.

The researchers mentioned a hacker can make a bot crank out 32-digit identification numbers, add them to web links, and then identify active pages. Thinking about the number of digits in the link would be a lengthy task, although it is not impossible.
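The design flaws described above (a link that works without authentication, and a response that carries more fields than the page displays) are shown below beside a hardened handler. This is an added example, not Walgreens' code: the field names, the 32-hex-character ID format, the date-of-birth check (a stand-in for a real login), the 14-day link lifetime, and the lockout threshold are all assumptions.

```python
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample record; field names are hypothetical.
SAMPLE = {
    "name": "Pat Example",
    "test_type": "PCR",
    "appointment": "2021-09-13 10:30",
    "location": "Store 0000",
    "date_of_birth": "1980-01-01",
    "address": "1 Example St",
    "email": "pat@example.com",
    "phone": "555-0100",
    "order_id": "ORDER-PLACEHOLDER",
}

DISPLAY_FIELDS = ("name", "test_type", "appointment", "location")
LINK_LIFETIME = timedelta(days=14)  # assumed retention window
MAX_FAILURES = 5                    # assumed lockout threshold per link

BOOKINGS = {}
_failures = {}


def create_booking(record, now):
    """Store a booking under a random 128-bit ID (32 hex characters)."""
    booking_id = secrets.token_hex(16)
    BOOKINGS[booking_id] = dict(record, created=now)
    return booking_id


def confirmation_vulnerable(booking_id):
    """Pattern from the article: possession of the link returns every field,
    including those the page never renders."""
    record = BOOKINGS.get(booking_id)
    return dict(record) if record else None


def confirmation_hardened(booking_id, supplied_dob, now):
    """Expire old links, require a second check, throttle guessing,
    and return only the fields the page actually displays."""
    record = BOOKINGS.get(booking_id)
    if record is None or now - record["created"] > LINK_LIFETIME:
        return None  # same answer for unknown and expired links
    if _failures.get(booking_id, 0) >= MAX_FAILURES:
        return None  # locked until support resets it
    expected = record["date_of_birth"].encode()
    if not hmac.compare_digest(supplied_dob.encode(), expected):
        _failures[booking_id] = _failures.get(booking_id, 0) + 1
        return None
    _failures.pop(booking_id, None)
    # Server-side filtering: hidden data is never sent to the browser,
    # so developer tools and third-party scripts cannot read it.
    return {field: record[field] for field in DISPLAY_FIELDS}


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    bid = create_booking(SAMPLE, now)
    print(sorted(confirmation_vulnerable(bid)))
    print(sorted(confirmation_hardened(bid, "1980-01-01", now)))
```

Keeping the identifier out of the query string, or stripping referrers on the confirmation page, additionally limits what ad trackers and browser history retain.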

Any firm that made such simple errors in an app that manages health care data is one that does not take security seriously, Ruiz told Recode. It’s simply one more example of a big company that prioritizes its income over data privacy.

Password Recommendations by NCSC

The UK’s NCSC has updated its password recommendation. The new strategy satisfies password strength requirements and is still user-friendly.

There are several schools of thought on creating passwords, but all rest on the assumption that passwords must be sufficiently complex that they are not quickly guessed, not just by humans, but also by the algorithms hackers use in brute force attacks.

Every year, lists of the worst passwords are published, compiled from credentials compromised in data breaches. These lists clearly show that some people are not very good at selecting passwords. For instance, “password,” “12345678,” and “qwertyuiop” often appear in the lists. Because of the risk of users choosing weak passwords, a lot of companies now set minimum requirements for password complexity; however, that does not always mean strong passwords will be set.

The Issue with the Need for Password Complexity

Usually, the minimum requirements for password complexity are at least one number, one lower-case and one upper-case letter, and usually a special character. Including these elements results in harder-to-guess passwords, at least in theory. In reality, people get around these requirements with passwords like “Passw0rd!” or “Qwertyuiop1!” that satisfy the complexity rules but are still unbelievably weak and very prone to brute force attacks.

From a security viewpoint, every account must have a unique password that is never reused for other accounts. Passwords should preferably be made up of random numbers, letters, and characters and be adequately long, at least 8 characters. The problem is that although these random, complex passwords are strong and resilient to brute force attacks, they are also very difficult for most people to recall, since the average individual has around 100 passwords.

The National Institute of Standards and Technology (NIST) highlighted this problem in its most recent password guidance (SP 800-63B), and advises the use of passphrases instead of passwords, since the length of a passphrase of, for example, 16 characters provides the necessary difficulty while remaining user-friendly.

Now the National Cyber Security Centre (NCSC), part of the UK Government Communications Headquarters (GCHQ), has advised a new strategy for creating passwords that combines security with usability.

NCSC Password Advice

The NCSC’s proposed approach contrasts with the usual advice to use arbitrarily complex passwords. Passwords that contain numbers, lower- and upper-case letters, and special characters are usually not truly complex and offer a false sense of protection. This is because the character combinations chosen by end-users are typically not random. Many people use tricks to make passwords easy to recall while still satisfying complexity rules, and those tricks are well known to hackers. For instance, replacing an E with a 3, a 1 with an exclamation mark, an O with a zero, or an S with a 5.

Some combinations of letters and numbers are also more common than others, and those common combinations are built into hackers’ password guessing tools. Counterintuitively, complying with these complexity requirements leads to more predictable passwords.

The NCSC password advice provides sufficient complexity while making passwords quick to recall. The recommendation is to use 3 random words to create a password. Using 3 random words results in passwords that are reasonably long, adequately complex, yet quick to recall.

The three random word strategy for creating passwords is effective in several ways:

  • Length – Passwords are typically lengthier
  • Novelty – Encourages using words that were not considered in the past
  • Impact – The technique is simple to describe
  • Usability – It is easy to come up with three words and keep them in mind
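The two points above (complexity rules are met by predictable substitutions, and three randomly chosen words give length without those patterns) can be checked with a short script. This is an added example, not NCSC code: the deny-list holds only the three passwords quoted in this article, the substitution table undoes only the swaps the article lists, and `DEMO_WORDS` is a small constructed list.

```python
import math
import secrets
import string

# Worst-password examples quoted in the article.
COMMON = {"password", "12345678", "qwertyuiop"}

# Undo the substitutions the article lists: E->3, O->0, S->5, 1->!
UNLEET = str.maketrans({"3": "e", "0": "o", "5": "s", "!": "1"})

# Constructed demo list. A real generator needs thousands of words;
# 16 words are far too few to resist guessing.
DEMO_WORDS = [
    "lantern", "orbit", "walnut", "harbor", "pickle", "canyon",
    "violin", "magnet", "tundra", "bishop", "copper", "ribbon",
    "saddle", "meadow", "falcon", "quartz",
]


def meets_complexity_rule(password):
    """Typical policy: a lower-case and an upper-case letter, a digit, a symbol."""
    return (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def is_predictable(password):
    """True if the password is a known-bad password once case, the listed
    substitutions, and a trailing run of digits are removed."""
    lowered = password.lower()
    normalised = lowered.translate(UNLEET)
    forms = {lowered, normalised, normalised.rstrip(string.digits)}
    return any(form in COMMON for form in forms)


def three_random_words(words, count=3, sep="-"):
    """Pick words uniformly with a CSPRNG; human-chosen words are not random."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count=3):
    """Guessing entropy when every word is drawn uniformly from the list."""
    return count * math.log2(list_size)


if __name__ == "__main__":
    for pw in ("Passw0rd!", "Qwertyuiop1!"):
        print(pw, "passes policy:", meets_complexity_rule(pw),
              "| predictable:", is_predictable(pw))
    phrase = three_random_words(DEMO_WORDS)
    print(phrase, "passes policy:", meets_complexity_rule(phrase),
          "| predictable:", is_predictable(phrase))
    print("bits with 16-word demo list:", entropy_bits(len(DEMO_WORDS)))
    print("bits with a 7,776-word list:", round(entropy_bits(7776), 2))
```

A policy check that rejects the three-word phrase while accepting “Passw0rd!” is the inversion the NCSC advice is aimed at.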

NCSC’s technical director Dr. Ian Levy explains that the traditional password advice to recall several complex passwords is just silly. By adopting this recommendation, people become less vulnerable to cybercriminals; they should create such passwords for their vital accounts and consider using a password manager.

The last piece of advice is crucial, as the tactic of using 3 random words doesn’t work if unique passwords must be created for 100 online accounts. Using 3 random words isn’t a panacea that solves the problem of recalling many passwords in one stroke; it should be used together with secure storage.

The goal of the most recent NCSC password recommendations is not to fix the password issue totally, but just to improve password variety – that is, minimizing the number of passwords that are guessed by inexpensive and effective search algorithms, driving an attacker to run several search algorithms (or use inefficient algorithms) to get a useful number of passwords.

The Most Effective Password Strategy

Based on the NCSC password recommendations, the most effective password strategy is to create a password made of 3 random words and to use a password manager. With a password manager, users can create truly random strings of letters, numbers, and characters that are extremely complex, yet users don’t need to remember them. The passwords are saved in encrypted form within a secure password vault and are auto-filled whenever a user needs them. It’s not necessary to remember or type the passwords. These tools are quite secure, and many operate under a zero-knowledge design, which means even the developer of the password manager has no access to the password vaults.

All a user must do is create a secure master password for the password vault and set up 2-factor authentication. The technique of using 3 random words works nicely for the master password that gives access to the user’s vault of truly random, lengthy, complex passwords.

There are low-cost or even free password managers. For instance, Bitwarden offers a safe, open-source password manager tool that is free. The individual premium package is only $10 a year. Despite the low cost, very few still use it.

If companies and people start to use a password manager and use the most recent NCSC password recommendations, there will be a substantial improvement in password security and usability.

Wisconsin Dermatology Practice Reports Data Breach Impacting 4,400 Individuals

Forefront Management, LLC and Forefront Dermatology, S.C. based in Manitowoc, WI found out on June 4, 2021 that unauthorized persons had obtained access to its system and possibly viewed personal and confidential staff and patient data.

The impacted systems were promptly taken off the internet to block unauthorized persons from further accessing the network. An investigation was started to identify the nature and extent of the breach. On June 24, 2021, Forefront confirmed that selected files kept on its system had been viewed and the hacker possibly acquired the personal data of a small number of Forefront workers, such as their names and Social Security numbers. According to the results of the investigation, the first breach of the network happened on May 28, 2021 and the hacker possibly accessed it until June 4, 2021.

Throughout the investigation, Forefront confirmed that the unauthorized person likewise accessed files that contained the personal data and protected health information (PHI) of a small number of present and past Forefront patients.

Patient data possibly exposed during the breach included names, addresses, birth dates, patient account numbers, health record numbers, medical insurance member ID numbers, dates of service, names of provider, and/or medical and clinical treatment data.

Forefront submitted a breach summary to state attorneys general indicating that 4,431 people were impacted by the breach. Although there is no indication of any misuse of data in the files, Forefront is giving impacted persons a free membership to TransUnion’s myTrueIdentity Credit Monitoring Service for 12 months.

Forefront stated that it is improving its security standards to help avoid the occurrence of the same incident in the future.

Data Breach of UW Health MyChart Portal and Jones Family Dental Computers

University of Wisconsin Hospitals and Clinics Authority has announced a breach of its Epic MyChart website which impacted 4,318 patients of UW Health. The hospital detected strange activity on the website and launched an investigation on April 20, 2021, to find out the nature and magnitude of the data breach.

The investigation continued until May 4, 2021, and confirmed that unauthorized persons got access to the website for approximately 4 months, starting from December 27, 2020 up to April 13, 2021.

UW Health stated the person had accessed the MyChart patient website homepage which shows clinical data including dates of hospital admission, consultation reminders, care team, subject lines of emails from health providers, and requests to see new test results data. Pages were furthermore viewed that contained some patient consultation and admission dates, demographic data like names, addresses, telephone numbers, and email addresses, medical insurance and claims data, diagnoses, prescription drugs, and test results. Breach notification letters were mailed to impacted patients beginning on June 18, 2021.

UW Health also took the necessary steps to strengthen security like increasing password security, employing 2-factor authentication for the MyChart portal access, disabling accounts that were non-active for 15 months, and improving its tracking processes.

Hacking of the Jones Family Dental Computers

Jones Family Dental based in Ashland, OR, reported a hacking incident that potentially compromised the protected health information (PHI) of 6,493 present and past patients. An investigation was started after the recognition of suspicious computer activity, which showed that an unauthorized person accessed its computers from April 15, 2021 to April 18, 2021.

It cannot be determined whether the computers holding patient data were accessed; however, the possibility cannot be ruled out. The practice doesn’t think any patient information was viewed or exfiltrated; nevertheless, it sent notification letters to impacted persons as a safety measure.

Patient data on the computer system during the breach contained these data elements: name, birth date, address, driver’s license number, treatment records, medical history, diagnostic data, and/or health/dental insurance details.

Security guidelines and procedures are under review and will be revised to stop the same breaches down the road.

Over 3.2 Million People Impacted by 20/20 Hearing Care Network Data Breach

The 20/20 Hearing Care Network has begun informing millions of present and previous members regarding the potential compromise or deletion of some of their protected health information (PHI).

On January 11, 2021, the provider detected suspicious activity in its AWS cloud storage account and immediately took steps to stop the hacker from further accessing the account. An investigation was started to find out the nature and extent of the data breach. Third-party forensics specialists who helped investigate confirmed the unauthorized access of the S3 buckets hosted in AWS, the download of data in those buckets, and the deletion of all files in the S3 buckets.

The forensic investigators affirmed at the end of February that certain data that was downloaded and deleted from the AWS storage account contained the PHI of several or all health plan members. Although data theft was ascertained, it wasn’t possible to know accurately which data was accessed or deleted from the S3 buckets. The potentially obtained types of data included names, birth dates, Social Security numbers, member ID numbers, and medical insurance data.

Beginning on or approximately May 28, 2021, 20/20 Hearing Care Network sent notification letters to all people possibly impacted by the breach. As a safety measure against improper use of member data, a number of impacted persons were provided with free credit monitoring and identity theft protection services.

In a breach notice, 20/20 mentioned that although there was confirmed data theft, it is convinced there was no misuse of member information. The report submitted to the Maine Attorney General categorizes this breach as ‘insider wrongdoing’.

Right after the security breach, 20/20 performed a tougher review of guidelines and procedures and took steps to strengthen security to avoid the same breaches later on.

The breach report was filed with the Maine Attorney General as impacting around 3,253,822 people, making this one of the biggest healthcare data breaches to be uncovered in 2021.

TitanHQ’s WebTitan OTG (on-the-go) Now Available for Chromebooks

TitanHQ has launched its latest version of its top-rated DNS filtering software program – WebTitan Cloud. It is a cloud-based cybersecurity program that enables users to stop web-based threats, regulate Internet access, and have complete visibility of the activities of their online users.

The most recent product, WebTitan Cloud 4.16, consists of DNS Proxy 2.06, which can filter users in the Azure Active Directory, and also directory incorporation for Active Directory and on-premise AD. TitanHQ has additionally introduced the expansion of WebTitan Cloud to offer security for Chromebooks.

The brand new Chromebook filtering solution – WebTitan OTG (on-the-go) for Chromebooks – allows educational organizations to implement filtering controls for BYOD and keep students safe when utilizing devices issued by the school.

According to TitanHQ CEO, Ronan Kavanagh, this brand new product launched after an intensive first quarter. The introduction of WebTitan Cloud 4.16 delivers remarkable new safety capabilities for our clients. After having considerable progress in 2020, TitanHQ wants these product innovations and new features to make 2021 yet another outstanding year for TitanHQ.

Protecting Chromebooks with WebTitan OTG (on-the-go)

Chromebook usage has been growing considerably, particularly in the education field. Chromebooks are the most affordable way for learners to gain access to the web and online learning solutions, however, controls must be put in place to adhere to state and federal regulations like the Children’s Internet Protection Act (CIPA).

WebTitan OTG for Chromebooks enables administrators to make sure students can only access safe, filtered internet content in class and at home. The product can be used to enforce Safe Search and to block access to age-inappropriate or harmful web material, and Chromebooks can be locked down to stop the circumvention of filtering settings. Administrators also get on-demand data on internet access and can see locations, content accessed, and attempts to view restricted material, including live views of internet activity.

Main Features of WebTitan OTG for Chromebooks

  • Affordable web filtering for educational institutions.
  • Quick to set up and manage remotely.
  • Complete reporting on all Chromebook end users and locations.
  • User level guidelines.
  • No extra on-premises hardware necessary.
  • No slow & costly VPNs or Proxies needed.
  • Chromebooks may be locked down to prevent circumvention.
  • Speedy, easy to customize & accurate DNS filtering.

Ransomware Attack on Home Healthcare Service Provider Impacts 753,000 People

Personal Touch Holding Corp based in Lake Success, NY is a home healthcare services provider. The company is notifying 753,107 patients concerning a potential breach of their protected health information (PHI).

Personal Touch Holding Corp manages approximately 30 Personal Touch Home Care subsidiaries in over six U.S. states. On January 27, 2021, Personal Touch learned it encountered a cyberattack that involved its private cloud. The attackers encrypted the business files of Personal Touch stored in the cloud along with those of 29 of its indirect and direct subsidiaries.

The investigation into the incident is still in progress. At this time, it is uncertain how much PHI was affected; nevertheless, it is likely that the attackers acquired information kept in its private cloud before deploying the ransomware.

A review of its cloud storage showed that these patient data might have been breached during the attack: names, phone numbers, addresses, birth dates, Social Security numbers, financial data, such as credit card numbers, check copies, bank account details, health treatment data, medical record numbers, medical insurance card, and health plan benefit numbers.

Employee details were likewise affected, such as names, contact details, birth dates, Social Security numbers (including spouse and dependent Social Security numbers), passport numbers, driver’s license numbers, birth certificates, demographic details, background and credit reports, company usernames and passwords, individual email addresses, insurance cards, fingerprints, retirement benefits details, health and welfare plan benefit numbers, health treatment details, check copies, and other financial data required for payroll.

Upon uncovering the breach, Personal Touch sought outside counsel and involved independent forensics professionals to help investigate the incident. The company has also alerted the FBI, the state attorneys general, and the HHS’ Office for Civil Rights. Advanced monitoring and detection software had been implemented as well.

This is the second ransomware attack to affect Personal Touch subsidiaries in a little over one year. The first attack was in January 2020 when Personal Touch reported the compromise of the PHI of patients of 16 subsidiaries due to a ransomware attack on Crossroads Technologies, its cloud vendor. Personal Touch used Crossroads Technologies’ cloud to host electronic health records. There were 156,400 breached medical records because of that ransomware attack.

More Health Insurance Companies Confirmed as Victims of Accellion Ransomware Attack and Multiple Lawsuits Filed

The number of healthcare companies reporting that they have been impacted by the Accellion ransomware attack is increasing, with Trillium Community Health Plan and Arizona Complete Health among the most recent victims.

At the end of December, unauthorized people exploited zero-day vulnerabilities in Accellion’s old File Transfer Appliance platform and stole information from its customers before downloading CLOP ransomware.

Trillium Community Health Plan recently informed 50,000 of its members that protected health information (PHI) like names, dates of birth, addresses, health insurance ID numbers, and diagnosis and treatment data was taken by the people that launched the attack and the information was published on the internet between January 7 and January 25, 2021.

Trillium mentioned it has currently halted using Accellion, has taken out all data files stored in its systems, and has taken steps to minimize the threat of future attacks, which include going over its data-sharing processes. Trillium is providing affected members complimentary credit monitoring and identity theft protection services for 12 months.

Arizona Complete Health has advised 27,390 of its plan members regarding the data breach and the types of information that were compromised. The health plan also discontinued utilizing Accellion and took out its files from its systems and provided its plan members credit monitoring and identity theft protection services for 12 months free.

Previously, the supermarket and pharmacy firm Kroger based in Ohio announced that it was impacted by the attack, and the PHI of 368,000 clients were exposed. The University of Colorado and Southern Illinois University School of Medicine likewise mentioned they were affected.

Lawsuits Filed Against Accellion and its Customers

Several lawsuits have now been filed against Accellion and its customers because of the breach. Centene Corp. has filed a legal case against Accellion alleging it failed to comply with several provisions of its business associate agreement (BAA). The cyberattack led to the theft of the PHI of a substantial number of its health plan members. Centene thinks it is going to incur considerable costs due to the breach and has asked the courts to order Accellion to abide by the stipulations of its BAA and pay for all breach-related costs. Centene stated in the lawsuit that the attackers obtained 9 gigabytes of its data.

A federal lawsuit was also filed against Kroger because of the breach. The lawsuit, which seeks class-action status, claims that Kroger was negligent and had complete awareness of the potential security concerns with the legacy file transfer solution, but did not upgrade to a safer solution even after being advised by Accellion. Kroger gave its clients credit monitoring and identity theft protection services for 2 years; nevertheless, since names, addresses, birth dates, medical information, and Social Security numbers were compromised, 2 years is not regarded as enough to safeguard Kroger customers from identity theft and fraud.

Data Breaches at Agency for Community Treatment Services, Leon Medical Centers and Proliance Surgeons

Agency for Community Treatment Services, Inc. (ACTS) based in Tampa, FL is informing some patients about the potential compromise of some of their protected health information (PHI) due to a cyberattack on October 21, 2020.

The security breach was discovered on October 23 upon deployment of the ransomware. The hackers acquired access to portions of the ACTS server and data networks and encrypted files to block access. Systems had to be taken offline to stop unauthorized access. To find out the scope of the breach, third-party computer forensic specialists investigated the matter.

Though it’s possible that there was unauthorized data access, the investigators did not find any proof to indicate the access or exfiltration of patient information. ACTS mentioned that this was because of the attackers making considerable efforts to hide their malicious activity. The attackers may consequently have accessed or gotten information saved on the breached systems.

The assessment of the compromised systems revealed that they held patient names, birth dates, Social Security numbers, and medical data such as diagnoses, treatment information, and health insurance data associated with the services obtained by patients between 2000 and 2013.

ACTS could bring back the encrypted data using backups and no ransom was paid. It took steps after the incident to reinforce security and avoid other attacks. Since patient information may have been exposed, ACTS is giving all affected people complimentary credit monitoring and identity theft protection services.

Conti Ransomware Attack on Leon Medical Centers

Leon Medical Centers, a network of 8 medical centers in Miami and Hialeah in Florida, encountered a Conti ransomware attack. The attackers stole the protected health information of patients prior to the deployment of ransomware and issued a ransom demand with a threat to publish the stolen information of patients.

The attackers claimed the stolen data included names of patients, addresses, diagnoses, treatment data, medical insurance details, patient images and Social Security numbers. They claim to have obtained the PHI of over 1 million patients, though Leon Medical Centers disputed that statement and said the amount of stolen information was greatly overstated.

The attack happened before December 22, 2020 and Leon Medical Centers is still looking into the incident. At this time it is not clear precisely what data was stolen and how many patients were impacted.

Proliance Surgeons Announce Corporate Website Breach

The corporate website of Proliance Surgeons based in Seattle, WA suffered a breach resulting in the likely theft of payment card information. The surgical practice explained in a December 23, 2020 breach notice that attackers had accessed the website between November 13, 2019 and June 24, 2020. During that time frame, the attackers possibly accessed and obtained cardholder names, card numbers, zip codes, and expiry dates. No other PHI was compromised. The breach only affected individuals who paid for services on the internet, not persons who paid in person or over the phone.

The cause of the breach has been identified and addressed and a new website with a different payment platform has been implemented, which has superior security protections. Proliance has coordinated with the major payment card providers to prevent unauthorized charges on the affected cards. Individuals affected by the breach have been advised to check their statements carefully and to report any unauthorized charges to their card provider.

New Offerings Introduced by Atlantic.Net for U.S. SMBs During the COVID-19 Pandemic

The HIPAA-compliant cloud service provider Atlantic.Net introduced two new projects on November 15, 2020. The goal of the projects is to assist small- to medium-sized businesses (SMBs) at this period of the Covid-19 pandemic.

Despite the difficulties during the pandemic, SMBs are attempting to support more long-term remote workers with minimal budgets, which has consequently put pressure on their IT and cloud services platforms. To help companies make it through the challenges, Atlantic.Net has introduced two new offerings. The first gives new cloud VPS customers two times the resources that were provided in the past, at zero cost.

Initially, this new offering is available for all Atlantic.Net cloud plans at the Orlando data center. Plans will be automatically upgraded to the features of the next-priced cloud plan. Atlantic.Net is considering making this offer available in its seven worldwide data centers in the following couple of weeks.

The second offering will give new users an automatic upgrade of Atlantic.Net’s Free Server promotion. Instead of getting just 1 GB, users will get 2 GB. The upgrade will be given for one year at no extra cost.

COVID 19 has put IT and cloud services systems under serious stress considering that remote work is growing bigger and more permanent. So as to help companies, Atlantic.Net is offering companies even more flexibility with their cloud solutions. Hopefully, not only the small to mid-size businesses of America can benefit from the offerings, but also the country’s healthcare providers that need audit-ready and HIPAA compliant cloud solutions for about half the cost.

Atlantic.net is a top provider of cloud services to countless numbers of developers and SMB clients in over 100 countries. Some of the valued clients of Atlantic.net include NASA, Hilton, Lenovo, and Newegg. Atlantic.Net is additionally a major provider of HIPAA-compliant cloud solutions to the healthcare sector in the United States, providing scalable cloud computing through the seven international data centers located in San Francisco, New York, Dallas, London, Orlando, Toronto, and Ashburn.
