Data Breaches Suffered by PracticeMax and UMass Memorial Health

Anthem health plan members who have End-Stage Kidney Disease and are enrolled in the VillageHealth program have been notified that some of their protected health information (PHI) may have been compromised in a ransomware attack.

VillageHealth assists Anthem plan members by coordinating care between the dialysis center, nephrologists, and other healthcare providers, and shares the results with Anthem through its vendor, PracticeMax.

PracticeMax provides business management and information technology solutions to healthcare companies. It identified the attack on May 1, 2021. According to the investigation, the attackers gained access to its systems on April 17, 2021, and may have retained access until May 5, 2021. PracticeMax said it regained access to its IT systems the following day.

A forensic analysis confirmed that the attack affected one server holding protected health information (PHI) and that the attackers may have accessed and exfiltrated that data.

The investigation concluded on August 19, 2021, and established that the following types of data were exposed: first and last name, address, date of birth, phone number, Anthem member ID number, and clinical information related to the kidney care services received. No financial details or Social Security numbers were compromised.

PracticeMax states that it has reviewed its policies and protocols and has applied additional safeguards to prevent future attacks, including rebuilding systems, deploying additional endpoint security solutions, and improving its firewalls. Affected individuals were offered complimentary credit monitoring services for 24 months.

UMass Memorial Health Notifies Patients With Regards to Phishing Attack

UMass Memorial Health has discovered that unauthorized persons gained access to some employees’ email accounts after the employees responded to phishing emails. The phishing attack was identified on August 25, 2021 when suspicious activity was noticed in its email environment.

UMass blocked unauthorized access to the email accounts immediately and launched a forensic investigation with the support of a third-party computer forensics company. The investigation confirmed that the email accounts were compromised from June 24, 2020 until January 7, 2021, and that during that time the unauthorized individuals had access to PHI stored in the accounts.

Although no evidence was found that the attackers viewed or acquired the emails, the possibility could not be ruled out. A review of the PHI in the accounts was completed on August 25, 2021. The compromised information includes names, financial account information, driver’s license numbers, and Social Security numbers. UMass Memorial Health said free credit monitoring and identity theft protection services have been offered to affected individuals, that it is improving email security, and that it will re-educate employees on email guidelines.

The breach has been reported to the Maine Attorney General as affecting a total of 3,099 individuals across the United States.

How Password Managers Protect MSPs

Password managers for MSPs are a rapidly growing business, because cybercriminals are increasingly targeting Managed Service Providers. A recent “State of the Channel” survey found that 95% of MSP respondents said their own businesses were being attacked rather than the clients they provide with managed services.

It is obvious why cybercriminals target MSPs. A successful “supply-chain ransomware attack” on an MSP can prevent it from delivering services to its clients, and even if only the MSP’s systems are encrypted, clients cannot run their businesses because of the nature of the services the MSP delivers.

Cybercriminals are also attacking SMB clients, but not as much as MSPs. The Datto “State of the Channel” survey reported that 78% of respondents said SMB clients had been attacked in the last two years, with spyware, adware, and viruses causing as much trouble as ransomware. More troubling were the methods the cybercriminals used to access systems and deploy malware:

  • 54% of respondents reported attacks that resulted from a phishing email.
  • 27% of respondents reported attacks that resulted from poor user practices.
  • 26% of respondents reported attacks that resulted from a lack of cybersecurity training.
  • 24% of respondents reported attacks that resulted from weak passwords and poor credential management.

Other respondents said attacks succeeded because of lost or stolen user credentials, a lack of funding for IT security, and a lack of executive buy-in for security tools. All of these causes are preventable or could be mitigated by using a password manager for MSPs.

How Can Password Managers Protect MSPs

One statistic missing from Datto’s State of the Channel report is the number of cyberattacks caused by MSP weaknesses versus the number caused by client weaknesses. Although it might be assumed that clients are easier targets because they lack security expertise, the report notes that over fifty percent [of MSPs] now use multi-factor authentication and password management tools.

The word “now” implies that fewer than fifty percent of MSPs were using password management tools previously. Again, no distinction is made between MSPs using password managers only within their own companies and MSPs providing password-management-as-a-service to clients.

How login credentials are created, stored, and shared between teams affects a business’s online security. Research shows that many employees use weak passwords because they are easier to remember, reuse passwords across several accounts to avoid having to remember many, store login credentials in unprotected files, and share passwords over insecure channels such as email, chat services, and SMS.

When companies use a password manager, they can also enforce password policies requiring strong, unique passwords for every account. Most commercial password managers offer cross-browser, cross-platform synchronization, integration with directory services, and secure encrypted credential sharing, giving employees a safe way to exchange passwords, credit card information, and other sensitive data.

Password managers for MSPs can be used to secure both business credentials and clients’ credentials. Passwords are kept in an encrypted user vault and, whenever a user visits a site for which the vault holds a saved password, the sign-in credentials are auto-filled. Because auto-fill is tied to the site the credentials were saved for, when a user clicks a link in a phishing email and lands on a lookalike phishing site, the credentials will not auto-fill, which alerts the user to a likely threat.

With password policies that require good password practices, training for users on good password hygiene, and no possibility of weak passwords, the main methods cybercriminals use to access MSP systems are removed. As for the lack of funding for IT security or executive buy-in, password managers for MSPs are inexpensive compared with the cost of recovering from a cyberattack, and if offered to clients as “password-management-as-a-service,” they can generate more revenue than they cost.
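
As an added example (not code from the article or from any password-manager vendor), the following Python model shows the two protections described above: auto-fill that is bound to the exact origin a credential was saved for, so a lookalike domain reached from a phishing email gets nothing and is reported as a possible impersonation, and a policy that rejects weak or reused passwords. The hostnames, usernames and passwords are constructed for the demonstration, and the lookalike check uses the second-to-last DNS label as an approximation of the brand name.

```python
"""Minimal password-vault model: origin-bound auto-fill plus a password policy.
Added example; hostnames, usernames and passwords below are constructed."""
import secrets
import string
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Normalise a URL to scheme://host, the key the vault matches on."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    return f"{parts.scheme.lower()}://{parts.hostname.lower()}"


def brand_label(host: str) -> str:
    """Second-to-last DNS label ('example-msp' for portal.example-msp.com).
    Approximation: a real client would consult the public suffix list."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


@dataclass
class Credential:
    origin: str      # scheme://host the credential was saved for
    username: str
    password: str


@dataclass
class Vault:
    min_length: int = 14
    entries: list = field(default_factory=list)

    def check_policy(self, password: str) -> list:
        """Return policy violations; an empty list means the password is acceptable."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation)
        if sum(any(c in cls for c in password) for cls in classes) < 3:
            problems.append("fewer than three character classes")
        if any(e.password == password for e in self.entries):
            problems.append("reused: already stored for another account")
        return problems

    def generate_password(self, length: int = 20) -> str:
        """Generate a random password that satisfies the policy."""
        if length < self.min_length:
            raise ValueError("requested length is below the policy minimum")
        alphabet = string.ascii_letters + string.digits + string.punctuation
        while True:
            candidate = "".join(secrets.choice(alphabet) for _ in range(length))
            if not self.check_policy(candidate):
                return candidate

    def save(self, url: str, username: str, password: str) -> None:
        """Store a credential, refusing anything the policy rejects."""
        problems = self.check_policy(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self.entries.append(Credential(origin_of(url), username, password))

    def autofill(self, page_url: str):
        """Credential for the page's exact origin, or None. A phishing page on a
        lookalike host never matches, so nothing is filled."""
        origin = origin_of(page_url)
        return next((e for e in self.entries if e.origin == origin), None)

    def lookalike_warnings(self, page_url: str) -> list:
        """Saved entries whose brand label appears in a non-matching host; a
        client would surface these as a phishing warning instead of filling."""
        origin = origin_of(page_url)
        host = origin.split("://", 1)[1]
        return [e for e in self.entries
                if e.origin != origin
                and brand_label(e.origin.split("://", 1)[1]) in host]
```

Exact-origin matching is the strict choice; commercial products usually match on the registrable domain so that subdomains of the same site fill, but the principle that a different host gets no credentials is the same.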

Phishing Attacks at Star Refining & Express MRI

Express MRI, a medical imaging center based in Peachtree Corners, GA, has begun notifying patients that some of their protected health information (PHI) was exposed in a historical data breach. Express MRI discovered on July 10, 2020 that an unauthorized person had gained access to one email account and used it to send unauthorized email messages. The incident was investigated at the time, and it was confirmed that no patient data had been accessed.

On June 10, 2021, the breach was re-evaluated, and although no specific evidence of unauthorized data access or theft was found, Express MRI concluded that access or exfiltration by unauthorized individuals could not be completely ruled out, so it issued breach notification letters.

An analysis of the breached account confirmed that the following data could have been accessed or exfiltrated: names, email addresses, postal addresses, birth dates, patient ages, referring doctor names, the part of the body scanned, and whether the scan was related to a workers’ compensation claim or a motor vehicle accident investigation. No other patient information was present in the breached email account.

Express MRI said it took prompt and necessary steps to deal with the incident, including assembling a team of highly skilled experts to strengthen the security of its data systems and implement further safeguards to prevent other breaches.

Star Refining Phishing Attack Impacts 1,910 People

Adelda Health, Inc., also known as Star Refining, has discovered that unauthorized persons gained access to several employees’ email accounts after the employees responded to phishing emails. The personal data of 1,910 people may have been accessed or exfiltrated.

The dental refining company in West Palm Beach, FL discovered the breach on April 29, 2021. A third-party computer forensics company is helping to ensure the incident has been fully remediated and to determine the nature and extent of the breach.

An analysis of the breached email accounts showed they contained sensitive information such as first and last names, postal addresses, Social Security numbers, driver’s license numbers, and credit card/financial details; however, no evidence was found that the emails containing that data were viewed or obtained during the breach. The first unauthorized access occurred on April 12, 2021.

Notifications began to be sent to affected persons on July 22, 2021, and those persons were offered free IdentityWorks credit monitoring and identity theft protection services from Experian.

Over 447K Patients Impacted by Orlando Family Physicians Phishing Attack

An unauthorized person accessed email accounts at Orlando Family Physicians in Florida containing the protected health information (PHI) of 447,426 patients.

Orlando Family Physicians said the first email account was compromised on April 15, 2021 when an employee responded to a phishing email and disclosed their account login information. The provider immediately took action to stop the unauthorized access and started an investigation to determine the nature and scope of the breach.

With the help of a leading cybersecurity forensics company, Orlando Family Physicians confirmed that three more employee email accounts had been accessed by the unauthorized person. External access to the four compromised email accounts was blocked within 24 hours of the first unauthorized account access.

On May 21, 2021, Orlando Family Physicians confirmed that the unauthorized person may have accessed email messages in the accounts that included patients’ PHI. A review of the email messages and attachments was conducted, and on July 9, 2021, Orlando Family Physicians identified all affected persons.

The email accounts contained the personal data and PHI of current patients, prospective patients, employees, and others. The types of data varied from person to person and included at least one of the following: names, demographic information, diagnoses, provider names, prescription medications, medical record numbers, patient account numbers, health insurance data (Medicare beneficiary number or another subscriber ID number), and passport numbers.

The phishing attack appears to have been conducted to commit financial fraud against the practice rather than to obtain patient records. Nonetheless, because unauthorized data access and exfiltration cannot be ruled out, affected persons have been advised to exercise caution and carefully monitor their explanation of benefits statements and financial accounts for signs of fraudulent transactions.

Orlando Family Physicians has improved its technical security measures since the breach, and additional email security training is being given to its employees.

More than 200,000 People Potentially Impacted by ClearBalance Phishing Attack

ClearBalance in San Diego, CA, a loan provider that allows patients to spread the cost of their hospital bills, suffered a phishing attack on March 8, 2021 in which employees were tricked into disclosing their sign-in credentials.

ClearBalance discovered the email system breach on April 26, 2021 when the attacker attempted a fraudulent wire transfer. Action was quickly taken to secure the email system and stop further unauthorized access, and the wire transfer attempt failed. No money was transferred to the attacker’s account.

A third-party computer forensics team was engaged to investigate the breach and determine whether the attacker viewed or obtained any sensitive information. The investigators confirmed that the breach was confined to the email system, that no other system was affected, and that the unauthorized person was blocked from the email accounts on the day the breach was discovered.

The attacker did not gain access to the database that holds the healthcare record systems of any healthcare company; however, some sensitive information was found in email messages and attachments that may have been accessed. An analysis of the email accounts’ contents showed they included the following data elements:

Names, tax IDs, birth dates, Social Security numbers, government-issued ID numbers, phone numbers, balance amounts, healthcare account numbers, dates of service, ClearBalance loan numbers and balances, private banking details, clinical data, health insurance data, and full-face photographic images. For most people, no PHI was specifically affected.

Security measures have been strengthened to better protect the email system and personal information, all user passwords were changed, stronger access controls have been put in place, and procedures for reporting suspicious activity were updated.

The objective of the attack appears to have been to make fraudulent wire transfers rather than to obtain sensitive information; nevertheless, as a precaution against identity theft and fraud, ClearBalance provided affected people with free identity theft protection services, 2 years of credit monitoring, payment insurance coverage, and an identity theft insurance reimbursement guide.

The breach was reported to the HHS’ Office for Civil Rights as affecting 209,719 people.

Phishing Attack on Saint Alphonsus Health System and Southeastern Minnesota Center for Independent Living

Saint Alphonsus Health System, based in Boise, ID, suffered a phishing attack that resulted in the potential exposure of patient information. The attack also affected patients of Saint Agnes Medical Center in Fresno, CA.

Saint Alphonsus discovered unusual activity in one employee’s email account on January 6, 2021. The provider quickly secured the account and investigated the source and nature of the activity. Saint Alphonsus learned that an unauthorized individual had accessed the email account on January 4, 2021 and had access to the account and the data in it for 2 days. The attacker used the account to send phishing emails to other contacts in an attempt to steal usernames and passwords.

The employee whose credentials were compromised supported a number of business functions requiring access to protected health information (PHI), including billing for the West Region of Trinity Health and for Fresno.

An analysis of all email messages and attachments revealed that the account contained the PHI of some patients. The PHI varied from patient to patient and included full names along with one or more of the following: telephone number, date of birth, address, email address, medical record number, treatment information, and/or billing details. The account also contained some Social Security numbers and credit card numbers.

Although the provider confirmed the unauthorized account access, it could not determine which emails, if any, the attacker accessed. At the time notifications were sent, no evidence had been found of any misuse of patient information. Saint Alphonsus offered credit monitoring services to affected persons and gave employees further training on email and cybersecurity to prevent similar breaches in the future.

An error occurred in the mail merge used to notify patients of the breach. Some patients received a letter about the email security issue in which, because of the mail merge error, their status was recorded incorrectly, addressing them as deceased or as a minor.

It is not yet known how many patients were affected by the breach. Updates will be provided when more information becomes available.

Southeastern Minnesota Center for Independent Living Phishing Attack Impacts 4,122 Individuals

Southeastern Minnesota Center for Independent Living (SEMCIL), a disability and support services provider in Rochester and Winona, has discovered that an unauthorized person gained access to an employee’s email account containing the PHI of 4,122 people.

The investigation showed the account was compromised on August 6, 2020 and that the hacker had access to it until September 1, 2020. On December 22, 2020, the investigation confirmed the compromise of PHI including names, addresses, dates of birth, driver’s license numbers, Social Security numbers, and certain medical treatment details. SEMCIL began sending breach notification letters to affected persons on February 19, 2021.

The investigation found no evidence that any protected health information was accessed or exfiltrated, and no reports of PHI misuse have been received. As a precaution against identity theft and fraud, those whose Social Security number or driver’s license number was exposed were offered free identity theft protection services.

PHI Exposed Due to Breaches at Elara Caring, ProPath and Cornerstone Care

Elara Caring, one of America’s largest home-based healthcare services providers, has suffered a phishing attack affecting more than 100,000 patients.

In mid-December, the provider identified suspicious activity in several employee email accounts. It took prompt action to secure the accounts and prevent further access by the attackers, and a third-party security firm assisted with the investigation.

The investigation confirmed that an unauthorized individual accessed several employee email accounts, though no evidence was found that the attackers viewed or obtained any patient information in the accounts. Data theft could not be ruled out, however.

An analysis of the exposed email accounts revealed they held the PHI of 100,487 patients, including names, dates of birth, Employer ID numbers, driver’s license numbers, Social Security numbers, financial/bank account details, passport numbers, addresses, email addresses and passwords, insurance data, and insurance account numbers. Elara Caring offered affected individuals complimentary credit monitoring and identity protection services.

The provider has also taken steps to enhance data security and has given its employees additional cybersecurity training.

ProPath Email Accounts Breached by an Unauthorized Individual

ProPath, the largest nationwide, fully physician-owned pathology practice in the United States, has discovered that an unauthorized person gained access to two email accounts containing patient records.

The unauthorized individual accessed the email accounts between May 4, 2020 and September 14, 2020. ProPath determined on January 28, 2021 that the protected health information in the accounts included patient names, birth dates, test orders, diagnosis and/or clinical treatment information, medical procedure details, and physician names. For a limited number of people, Social Security numbers, financial account information, driver’s license numbers, health insurance data, and/or passport numbers were also affected.

Persons whose Social Security number was exposed were offered free credit monitoring services. Employees have received additional training to help them identify malicious emails, and further technical security measures have been implemented.

Exactly how many persons the incident affected has not yet been confirmed. ProPath said most people who had testing performed by the company were not affected.

Cornerstone Care Email Account Breach Impacts 11,487 Patients

An unauthorized person accessed an email account containing the PHI of 11,487 patients of Cornerstone Care community health centers in Southwestern Pennsylvania and Northern West Virginia.

The provider detected the email account breach on June 1, 2020 and engaged third-party security specialists to assist with the investigation. It was established that the breach affected only a single corporate email account. A review of the PHI in the account was completed on January 13, 2021.

The account held patients’ names and addresses and, for some people, date of birth, Social Security number, medical history, condition, treatment, diagnosis, and/or health insurance information. Those whose Social Security number was exposed were offered free credit monitoring and identity theft protection services.

Cornerstone Care notified affected persons by mail on February 25, 2021. It has also enforced multi-factor authentication on its email accounts.

3 Healthcare Providers Have Begun Notifying Patients About Recent Phishing Attacks

This is a summary of healthcare phishing attacks publicly announced in the last few days.

2,254 Patients Affected by Email Account Breach at Leonard J. Chabert Medical Center

Leonard J. Chabert Medical Center has been notified that the protected health information (PHI) of some of its patients was compromised in a phishing attack on LSU Health New Orleans Health Care Services Division (LSU HCSD).

LSU HCSD reported a breach on November 20, 2020. On November 24, 2020, it found that some patient information from Leonard J. Chabert Medical Center, one of its partner hospitals, had also been affected.

Leonard J. Chabert Medical Center received information about the breach on December 3, 2020; the review showed that the PHI of 2,254 patients was exposed between September 15, 2020 and September 18, 2020.

For most patients, the exposed information included only names, telephone numbers, addresses, health record numbers, birth dates, account numbers, types of services received, dates of service, and health insurance identification numbers. For a small number of patients, limited health data such as diagnoses and/or bank account numbers were also exposed.

LSU HCSD is reviewing its email security procedures, which will be improved to prevent similar breaches in the future, and additional security awareness training will be given to staff.

PHI of 1,800 Patients Possibly Compromised Due to Lynn Community Health Center Phishing Attack

Lynn Community Health Center (LCHC) in Massachusetts discovered that an unauthorized individual accessed a staff member’s email account after the staff member responded to a phishing email. LCHC discovered the phishing attack on November 25, 2020 and promptly secured the email account. With the help of a digital forensics firm, LCHC established that up to 4 email accounts were compromised in the attack.

An analysis of the potentially breached accounts revealed they contained patient names along with one or more of the following: mailing address, date of birth, phone number, insurance details, medical record number, diagnoses, and other clinical data. The Social Security numbers of some patients were also exposed.

The ongoing investigation has found no evidence of patient data theft or misuse; however, as a precaution, people whose Social Security number was potentially compromised were offered free credit monitoring and identity theft protection services.

Further safeguards are being put in place to prevent additional email security breaches. Information handling protocols are being revised, and employee security awareness training has been improved.

Auris Health Informs Patients About March 2020 Email Account Breach

Auris Health, located in Redwood City, CA, has started notifying a number of patients that an unauthorized person may have gained access to some of their PHI through an employee email account breach in March 2020.

Upon learning of the breach, access to the account was blocked and an investigation was launched to determine the nature and extent of the breach. The investigation is ongoing; however, Auris Health has learned that the compromised email account held patient names combined with at least one of the following data elements: tax identification number, Social Security number, passport number, health insurance number, health data, payment card details, and financial account number(s).

Auris Health is implementing additional security measures to prevent further breaches, such as improving its email authentication procedures. Affected persons were offered complimentary membership of credit and identity theft monitoring services for two years.

FBI Advisory About the Surge in Vishing Attacks

Many data breaches begin with a phishing email, but credential phishing can also take place over other communication channels such as instant messaging applications or SMS. One frequently overlooked way of obtaining credentials is phishing over the telephone, also called vishing. These attacks give attackers the credentials needed to access email accounts and/or cloud services, and with them the ability to modify privileges.

The Federal Bureau of Investigation (FBI) recently issued an advisory because of a surge in vishing incidents in which attackers steal credentials for company accounts, including credentials for network access and privilege escalation. The switch to remote working in 2020 as a result of COVID-19 has made it harder for IT staff to monitor network access and privilege escalation, so attacks often go undetected.

The FBI cautioned that it has observed a change in tactics by threat actors. Instead of targeting only the credentials of persons who can elevate privileges, cybercriminals are now attempting to obtain all credentials. Although the credentials of low-profile employees may not provide the desired access to networks, systems, or data, they give attackers a foothold they can use to gain broader network access, including the ability to escalate privileges.

Threat actors use VoIP systems to target company employees over the phone and obtain credentials. One approach is to persuade an employee to sign in to a phishing website that collects credentials; for example, the threat actor impersonates a member of the IT team and tells the employee to visit a website to update their software or for security reasons.

In one recent vishing attack, cybercriminals contacted a targeted company’s employee in its chatroom and told the employee to sign in to a counterfeit VPN page. The threat actors stole the employee’s login information, signed in remotely to the VPN, and performed reconnaissance to locate an employee with greater privileges, specifically one with permission to modify usernames and email credentials. Once such a person is identified, the threat actor contacts them through the same chatroom messaging service to harvest their credentials.

This is the FBI’s second warning about vishing; the tactic has been used in attacks since December 2019. To strengthen defenses against these vishing attacks, the FBI recommends the following:

  • Use multi-factor authentication to strengthen the security of employee account access.
  • Grant new personnel network access with limited privileges.
  • Regularly review personnel network access to identify weak areas.
  • Scan for and monitor unauthorized network access and changes to permissions.
  • Use network segmentation to control the flow of network traffic.
  • Administrators should have two accounts: one with admin privileges, used only for system changes, and another for making updates, emailing, and generating reports.
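
As an added example (not from the FBI advisory or from the article), the following Python script shows what a periodic access review covering three of the recommendations above can look like: reviewing personnel access, detecting changes to privileged permissions that have no approved change behind them, and checking that admin rights sit on a separate admin account rather than a daily-use account. The group names, the "adm-" and "svc-" naming convention, the two directory snapshots and the approved-change list are all constructed for the demonstration.

```python
"""Access review over two constructed directory snapshots.
Added example; group names, naming conventions and tickets are assumptions."""
from dataclasses import dataclass

PRIVILEGED_GROUPS = {"Domain Admins", "Helpdesk-PasswordReset", "VPN-Admins"}
ADMIN_PREFIX = "adm-"     # assumed convention: dedicated admin accounts
SERVICE_PREFIX = "svc-"   # assumed convention: non-interactive service accounts

UNAPPROVED = "privileged membership added without an approved change"
NEW_ACCOUNT = "new account provisioned with privileged membership"
DAILY_USE = "privileged group on a daily-use account (no separate admin account)"

# Constructed snapshots: account -> set of group memberships
BASELINE = {
    "adm-jlee": {"Domain Admins"},
    "jlee": {"Staff", "VPN-Users"},
    "mpatel": {"Staff", "VPN-Users"},
    "svc-backup": {"Backup-Operators"},
}
CURRENT = {
    "adm-jlee": {"Domain Admins", "VPN-Admins"},                 # approved below
    "jlee": {"Staff", "VPN-Users"},
    "mpatel": {"Staff", "VPN-Users", "Helpdesk-PasswordReset"},  # no ticket
    "svc-backup": {"Backup-Operators"},
    "tcho": {"Staff", "VPN-Admins"},                             # brand-new account
}
# Constructed change tickets: (account, group) pairs that were approved
APPROVED_CHANGES = {("adm-jlee", "VPN-Admins"), ("tcho", "VPN-Admins")}


@dataclass(frozen=True)
class Finding:
    account: str
    group: str
    reason: str


def review_access(baseline, current, approved):
    """Compare two membership snapshots and return Findings for a reviewer."""
    findings = []
    for account, groups in current.items():
        previous = baseline.get(account, set())
        privileged = groups & PRIVILEGED_GROUPS
        # Privileged groups gained since the baseline
        for group in sorted(privileged - previous):
            if (account, group) not in approved:
                findings.append(Finding(account, group, UNAPPROVED))
            if account not in baseline:
                findings.append(Finding(account, group, NEW_ACCOUNT))
        # Any privileged membership on an account that is not a dedicated admin
        # or service account violates the two-account rule
        for group in sorted(privileged):
            if not account.startswith((ADMIN_PREFIX, SERVICE_PREFIX)):
                findings.append(Finding(account, group, DAILY_USE))
    return findings


def stale_accounts(baseline, current):
    """Accounts that disappeared since the baseline; confirm they were offboarded."""
    return sorted(baseline.keys() - current.keys())


if __name__ == "__main__":
    for f in review_access(BASELINE, CURRENT, APPROVED_CHANGES):
        print(f"{f.account:<12} {f.group:<24} {f.reason}")
```

Note that the approved ticket for the new account does not clear the NEW_ACCOUNT finding: the point of that check is that new personnel start with limited privileges, so a reviewer still has to look at it.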

Beware of Phishing Campaigns That Use Free Google Services

A number of phishing campaigns were discovered that are employing free Google services to get around email security gateways and make sure the deliverability of malicious messages to inboxes.

Phishing emails frequently consist of hyperlinks that lead users to web pages hosting forms that collect login information. Email security gateways utilize various ways to identify these malicious links, such as blacklists of identified malicious sites, rating of domains, and checking the links to assess the information on the destination site. When the links are found to be malicious or suspicious, the emails are rejected. But by utilizing links to legit Google services, phishers are able to get around these security tools and deliver their emails.

Phishers using Google services are not new; nevertheless, Arborblox security analysts have seen an increase in this activity with the increase of remote working. The researchers discovered 5 campaigns using free Google services like Google Drive, Google Forms, Google Docs and Google Sites. Phishers are not only using Google services. Other free cloud services like Dropbox, Webflow, Amazon Simple Email Service, Microsoft OneDrive and SendGrid are being used as well.

One campaign imitated American Express, with the preliminary message asking the user to validate his account for missing some information during card validation. The emails tell the user to go a phishing page designed with Google Forms. The form contains the official logo of American Express and a brief questionnaire asking for information that the attackers can use to get access to the user’s credit card account – login details, telephone number, credit card number and security code, as well as security questions and responses. Because the hyperlink in the email redirects the user to Google Forms – a legit Google domain and service, it is likely that the email security gateway won’t identify the hyperlink as malicious.

Another campaign using Google Forms sent emails that seem to have been from a childless widow with a terminal cancer diagnosis. She says that she is seeking to donate her wealth to charity and tells the recipient to make donations to charity on her behalf. The URL in the email directs the recipient to an untitled Google Form. Anyone who submits a response will be shortlisted for more extortion attempts.

A campaign was identified that utilized a bogus email login page on Google’s Firebase mobile platform. The emails in this campaign imitate the security team and state that important messages were not delivered because of exceeding the email storage quota. The campaign is seeking to collect email login credentials. Because Firebase is a legit cloud storage database, it is unlikely that a Firebase link will be tagged as malicious.

There was also a campaign using Google Docs that impersonated the payroll team. The Google Docs document contained a hyperlink to a phishing page that harvested sensitive information. Since the initial link points to a legitimate and widely used Google service, email security solutions are unlikely to block the email. Although some email security solutions can detect the malicious hyperlink in the Google-hosted document, multiple redirects are used to obscure it.

Another campaign used a phony Microsoft login page built on Google Sites and impersonated Microsoft Teams and the user’s IT department security team. In this case, Google Sites was used to build a webpage containing a phishing form and the official Microsoft logo.

These campaigns highlight the need for advanced security solutions that can identify and block phishing emails that abuse legitimate cloud services, and the need to give employees ongoing security awareness training so they can recognize phishing emails that slip past their organizations’ cybersecurity defenses.

Phishing Incidents Reported by Connecticut Department of Social Services and LSU Care Services

The Connecticut Department of Social Services (DSS) has announced the potential exposure of the protected health information (PHI) of 37,000 people as a result of a number of phishing attacks that took place between July and December 2019.

Several email accounts were accessed and used to distribute spam emails to many DSS employees. The investigation established that the accounts had been compromised in phishing attacks. A detailed investigation was conducted using state information technology resources and a third-party forensic IT firm. The investigators did not uncover any evidence that the attackers accessed patient information in the email accounts. However, the DSS breach notification stated that the forensic experts could not rule out access to personal data because of the large volume of emails involved and the nature of the phishing attack.

As a precaution, DSS has offered identity theft protection services to affected individuals and has taken steps to strengthen email security and better protect against phishing attacks in the future.

Phishing Attack on LSU Health Care Services

The Louisiana State University (LSU) Health New Orleans Health Care Services Division has reported the likely exposure of patient information from several hospitals in Louisiana as a result of an unauthorized individual accessing a staff email account.

The email account was compromised on September 15, 2020. LSU discovered the attack on September 18 and promptly blocked the account. An investigation found no evidence that the unauthorized individual accessed or obtained patient information in the email messages and attachments.

The compromised email account was found to contain the PHI of patients from the hospitals listed below:

  • Bogalusa Medical Center in Bogalusa
  • University Medical Center in Lafayette
  • Interim LSU Hospital in New Orleans
  • Leonard J. Chabert Medical Center in Houma
  • Lallie Kemp Regional Medical Center in Independence
  • O. Moss Regional Medical Center in Lake Charles

The types of data likely exposed varied by patient and medical center, but may have included names, telephone numbers, dates of birth, addresses, health record numbers, account numbers, Social Security numbers, dates of service, types of services received, insurance ID numbers, and certain financial account details and medical data. The investigation into the incident is still ongoing, but so far “thousands” of patient records have been identified as compromised.

LSU Health is currently reviewing additional security procedures to better defend against further attacks. Employees have also received additional information and security training.

Breaches at Ascend Clinical, Alamance Skin Center, and Perry County Memorial Hospital

A phishing attack on Ascend Clinical, a Redwood City, CA-based ESRD laboratory testing provider for third-party dialysis clinics, led to a ransomware attack in May 2020.

Unusual system activity and file encryption were noticed on or around May 31, 2020. Ascend Clinical immediately took steps to isolate the affected systems and investigated the incident to determine the nature and extent of the breach. A third-party security firm helped Ascend Clinical confirm that the attacker gained access to its systems after an employee responded to a phishing email.

Before deploying the ransomware, the attackers gained access to files containing names, mailing addresses, birth dates, and Social Security numbers. Ascend Clinical has since taken steps to strengthen its email security to prevent similar attacks in the future.

The breach report sent to the HHS’ Office for Civil Rights showed that the breach affected 77,443 people.

Alamance Skin Center Experiences Ransomware Attack

A ransomware attack on Cone Health, a Greensboro-based health system, affected only one practice, Alamance Skin Center in Burlington, NC.

The ransomware attack occurred in late July 2020. It appears to have begun with a phishing attack or brute force attempt aimed at obtaining credentials. Cone Health took immediate action to isolate the affected systems and engaged third-party computer forensics specialists to assess the extent of the data breach. No evidence was found to suggest that patient information was stolen before file encryption, and no reports have been received indicating misuse of patient data.

Nevertheless, some patient information was encrypted in the attack and cannot be recovered. Cone Health reports that the affected protected health information (PHI) included patient names, addresses, medical record numbers, dates of birth, diagnosis data, and date(s) of service.

The attack took the appointments system offline. Patients with upcoming appointments were asked to contact the practice to confirm their scheduled appointment. Because it was not possible to determine with full certainty that the attackers did not access patient data, all affected patients were advised to remain vigilant for signs of identity theft and fraud.

Alamance Skin Center is reviewing its current policies and procedures and will implement additional safeguards to prevent similar incidents in the future.

Perry County Memorial Hospital Uncovers Email Security Breach

Perry County Memorial Hospital, based in Tell City, IN, has discovered that unauthorized individuals gained access to employees’ email accounts.

According to the investigation into the breach, the attackers accessed the email accounts on August 23, 2020. An analysis of the compromised accounts confirmed that they contained private patient information that may have been viewed or obtained by the attackers, although no evidence of data theft was found.

The information potentially exposed included names, birth dates, diagnoses/diagnostic codes, internal patient account numbers, healthcare provider names, and other health data, as well as the Social Security numbers, Medicare/Medicaid numbers, and health insurance information of certain patients.

Perry County Memorial Hospital is taking steps to strengthen email security to prevent similar breaches from happening again. The hospital has also offered complimentary identity theft monitoring services to patients whose Social Security number was potentially compromised.

Latest Microsoft Teams Phishing Scam and Emotet Trojan Campaigns

Researchers at Abnormal Security have detected a new Office 365 phishing campaign that spoofs Microsoft Teams to trick users into visiting a malicious website hosting a phishing form that harvests Office 365 credentials.

Many organizations have adopted Microsoft Teams to allow remote employees to stay in contact with the office. In healthcare, the platform is being used to deliver telehealth services to reduce the number of patients visiting medical facilities and thereby limit the spread of COVID-19.

Microsoft reported for the quarter ending June 30, 2020 that more than 150 million students and teachers are now using Microsoft Teams. Over 1,800 companies have more than 10,000 Teams users, and 69 companies have more than 100,000 Teams users. Teams use in healthcare is also growing, with 46 million Teams meetings now held for telehealth purposes. The expanding usage is driven by the pandemic, and it presents an opportunity for cybercriminals.

According to Abnormal Security, in the most recent campaign phony Microsoft Teams emails have been delivered to around 50,000 Office 365 users to date. The messages appear to come from a sender with the display name “There’s new activity in Teams,” so they look like automated Teams notifications.

The messages tell users to sign in to Teams because their team is trying to get in touch with them. The emails contain a sign-in button labeled “Reply in Teams.” The notifications include a genuine-looking footer with Microsoft branding and options to install Microsoft Teams on Android and iOS.

The URL in the message takes the user to a Microsoft login page that is a clone of the official sign-in prompt, apart from the domain hosting the page. That domain begins with “microsftteams” to make it appear genuine.

The campaign is one of many targeting Office 365 credentials. Many campaigns are also targeting video conferencing platforms as their popularity grows during the pandemic.

Emotet Trojan Campaign Employs Phony Microsoft Word Upgrade Notices

The Emotet Trojan is being distributed in a new campaign that uses bogus Microsoft Word upgrade notices as a lure to trick users into installing the malware. Emotet is currently the most widely distributed malware in use. When an end user’s device is infected, it is added to a botnet that is used to infect other devices. Emotet is also a malware downloader and is used to install information stealers such as TrickBot and QBot, which in turn deliver ransomware variants such as ProLock, Ryuk, and Conti.

The messages look like Microsoft Office notifications telling the user that they must upgrade Microsoft Word to access new features. The emails carry a Microsoft Word attachment, and the user is instructed to click Enable Editing and then Enable Content. Doing so runs a malicious macro that installs Emotet on the user’s device.

Users should be cautious and avoid clicking URLs or opening document attachments in unsolicited messages. Emotet hijacks the victim’s email account to send further phishing emails, including to the people in the victim’s contact list.

Premera Blue Cross HIPAA Penalty of $6.85 Million is the 2nd Biggest HIPAA Violation Penalty Ever

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $6.85 million HIPAA penalty on Premera Blue Cross to resolve the HIPAA violations found during its investigation of a 2014 data breach involving the electronic protected health information (ePHI) of 10.4 million people.

Premera Blue Cross, based in Mountlake Terrace, WA, is the largest health plan in the Pacific Northwest and serves more than 2 million people in Alaska and Washington. In May 2014, an advanced persistent threat (APT) group gained access to Premera’s computer network and remained undetected for around 9 months. The attackers gained access via a spear-phishing email that installed malware. The malware allowed the APT group to access ePHI including names, birth dates, addresses, email addresses, bank account data, Social Security numbers, and health plan clinical details.

Premera Blue Cross discovered the breach in January 2015 and notified OCR in March 2015. OCR launched an investigation and found “systemic non-compliance” with the HIPAA Rules.

OCR determined that Premera Blue Cross had failed to:

  • Conduct an accurate and thorough risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI.
  • Reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
  • Implement sufficient hardware, software, and procedural mechanisms to record and examine activity in information systems containing ePHI prior to March 8, 2015.
  • Prevent unauthorized access to the ePHI of 10,466,692 individuals.

Given the nature of the HIPAA violations and the scale of the breach, OCR decided that a financial penalty was warranted. Premera Blue Cross agreed to settle the case without admission of liability. In addition to the financial penalty, Premera Blue Cross agreed to adopt a robust corrective action plan (CAP) to address all areas of non-compliance identified during the OCR investigation. Premera Blue Cross will be monitored by OCR for two years to ensure compliance with the CAP.

Roger Severino, OCR Director, said that when large health insurers fail to invest the time and effort to identify their security weaknesses, whether technical or human, hackers surely will. This case clearly shows the harm that results when cybercriminals are allowed to roam undetected in a computer system for almost nine months.

In 2019, Premera Blue Cross agreed to a $10 million settlement of a HIPAA violation lawsuit over the breach. 30 state attorneys general had investigated the health plan and determined that Premera Blue Cross had failed to meet its obligations under HIPAA and Washington’s Consumer Protection Act. Premera Blue Cross also agreed to pay $74 million to settle a lawsuit filed by individuals whose ePHI was compromised in the breach.

The latest penalty is OCR’s second-largest HIPAA penalty ever imposed on a covered entity or business associate for HIPAA violations. The largest financial penalty is the $16 million imposed on Anthem Inc. over a 2015 data breach involving the ePHI of 79 million people.

The penalty is the 11th to be announced by OCR in 2020 and the 8th announced this September. So far in 2020, OCR has collected $10,786,500 to resolve HIPAA violations identified during investigations of data breaches and HIPAA complaints.

PHI of Over 250,000 Individuals Affected by Data Breaches

A ransomware attack on Assured Imaging in Tucson, AZ resulted in the encryption of its medical record system. Assured Imaging is a subsidiary of Rezolut Medical Imaging and a provider of health screening and diagnostic services.

Assured Imaging learned of the attack on May 19, 2020 and acted promptly to prevent further unauthorized access and recover the encrypted data. With the help of a third-party computer forensics firm, Assured Imaging investigated the ransomware attack to determine the extent of the breach. The investigation showed that an unauthorized individual gained access to its systems between May 15, 2020 and May 17, 2020 and exfiltrated a limited amount of data before deploying the ransomware.

The forensic investigation confirmed that data was stolen, although it was not possible to determine exactly which files the attackers exfiltrated. Assured Imaging conducted a review to determine all types of information that could have been accessed. The compromised system was confirmed to contain full names, birth dates, addresses, patient IDs, facility used, treating physicians’ names, medical histories, services performed, assessments of the services performed, and recommendations for future evaluation.

Assured Imaging is not aware of any misuse of patient data; however, the provider encourages all affected individuals to monitor their accounts and credit reports for any signs of fraudulent activity.

Assured Imaging reported the incident to law enforcement and the Department of Health and Human Services’ Office for Civil Rights. According to the OCR breach portal, the attack affected 244,813 individuals.

6,000 Roper St. Francis Healthcare Patients Affected by Email Breach

Roper St. Francis Healthcare, based in Charleston, SC, has experienced a data breach involving a single email account. The provider detected the breach on July 8, 2020, but the investigation revealed that the email account was compromised between June 13, 2020 and June 17, 2020.

The forensic investigation confirmed that the email account contained patients’ names, health record or patient account numbers, dates of birth, and limited clinical and/or treatment information, such as diagnoses, providers’ names, and/or procedure data. The health insurance details and/or Social Security numbers of some individuals were also in the account. Around 6,000 patients were affected.

Roper St. Francis Healthcare has offered complimentary credit monitoring and identity theft protection services to those whose Social Security number was compromised. Employee training on email security has been reinforced and email security solutions have been enhanced.

This is not Roper St. Francis’s first phishing attack report this year. In February, the healthcare provider announced that the email accounts of 13 employees had been compromised in a phishing attack between November 15, 2018 and December 1, 2018. The PHI of 35,253 patients was affected in that breach.

Agent Tesla Trojan Used in COVID-19 Phishing Campaigns

A sophisticated COVID-19 themed phishing campaign has been identified that impersonates manufacturers, importers and exporters of chemicals and offers the recipient personal protective equipment (PPE) such as disposable face masks, forehead thermometers, and other medical supplies used to fight COVID-19.

Researchers at Area 1 Security discovered the phishing campaign, which has been active since May 2020 and has hit numerous inboxes. The threat actors typically change their tactics, techniques and procedures (TTPs) every 10 days to evade detection by security tools.

Whenever they launch a new phishing run, the threat actors frequently change IP addresses, the companies impersonated, and the phishing lures. In a number of the intercepted emails, in addition to spoofing a real company, the attackers use the names, contact details and email addresses of real company employees to appear more legitimate. They add the spoofed company’s logo to the emails and the correct company website link in the signature, so that if the recipient performs any checks, they will be convinced the email is genuine.

The threat actors’ objective is to deliver the Agent Tesla Trojan, a sophisticated remote access Trojan (RAT) that gives attackers access to an infected device and lets them perform a variety of malicious actions. With the RAT, the attacker can log keystrokes on an infected device, steal sensitive data from the user’s AppData folder, and send that information to the command and control server via SMTP. The Trojan can also steal information from email, web browser, FTP and VPN clients.

Hacking forums offer the RAT as malware-as-a-service. The RAT is popular because it makes conducting campaigns easy and affordable. Agent Tesla is also available as a free torrent download on Russian websites. The malware has a user interface (UI) that lets operators track infections and access the information it steals.

The RAT is delivered as a zipped file attachment. Upon extraction, the recipient sees an executable file that looks like a .pdf file. Because Windows hides known file extensions by default, the extracted file appears to be a .pdf even though it is an executable. For instance, a file displayed as “Supplier-Face Mask Forehead Thermometer.pdf” is actually “Supplier-Face Mask Forehead Thermometer.pdf.gz” or “Supplier-Face Mask Forehead Thermometer.pdf.exe”.
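The double-extension trick described above, as an added example (not from the article or from Area 1 Security) in Python: it simulates Windows’ default extension hiding and flags attachment names whose displayed name and true extension disagree. The extension sets and the sample file names are constructed assumptions, not data from the research.

```python
"""
Added example (not from the original article or Area 1 Security): flag attachment
names that exploit Windows' default "hide extensions for known file types"
setting, as the Agent Tesla lure described above does. File names below are
constructed for this example.
"""
from dataclasses import dataclass
from typing import List

# Extensions Windows Explorer hides by default (illustrative subset; the real
# set depends on the file types registered on the machine).
HIDDEN_BY_DEFAULT = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "lnk",
    "gz", "zip", "pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png",
}

# Extensions that run code when double-clicked.
EXECUTABLE = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "jse",
              "wsf", "hta", "msi", "ps1", "lnk"}

# Archive extensions; the lure in the article arrives as a zipped file.
ARCHIVE = {"zip", "gz", "rar", "7z", "iso", "img"}

# Extensions a recipient expects to open as a harmless document or image.
DOCUMENT_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


@dataclass
class Verdict:
    real_name: str
    displayed_name: str   # what a default Windows Explorer would show
    true_extension: str   # the extension that actually decides how the file opens
    suspicious: bool
    reason: str


def true_extension(filename: str) -> str:
    """The last extension, lower-cased, or '' if the name has none."""
    base, dot, ext = filename.rpartition(".")
    return ext.lower() if dot and base else ""


def displayed_name(filename: str) -> str:
    """Simulate Explorer's default: strip the final extension if it is 'known'."""
    ext = true_extension(filename)
    if ext in HIDDEN_BY_DEFAULT:
        return filename[: -(len(ext) + 1)]
    return filename


def classify(filename: str) -> Verdict:
    """Flag a name when what the user would see and what would actually
    execute or unpack disagree (e.g. 'x.pdf' shown, 'x.pdf.exe' on disk)."""
    ext = true_extension(filename)
    shown = displayed_name(filename)
    # The extension the user *perceives* from the displayed name, if any.
    perceived = true_extension(shown)

    if ext in EXECUTABLE:
        if perceived in DOCUMENT_LIKE:
            return Verdict(filename, shown, ext, True,
                           f"executable displayed as .{perceived} document")
        return Verdict(filename, shown, ext, True, "executable attachment")
    if ext in ARCHIVE and perceived in DOCUMENT_LIKE:
        return Verdict(filename, shown, ext, True,
                       f"archive displayed as .{perceived} document")
    return Verdict(filename, shown, ext, False, "no extension masquerading")


def scan_attachments(names: List[str]) -> List[Verdict]:
    """Return verdicts for the suspicious names only, in input order."""
    return [v for v in map(classify, names) if v.suspicious]


if __name__ == "__main__":
    # Constructed sample attachment names, including the lure from the article.
    SAMPLE = [
        "Supplier-Face Mask Forehead Thermometer.pdf.exe",
        "Supplier-Face Mask Forehead Thermometer.pdf.gz",
        "quotation-0042.pdf",
        "report.final.docx",
        "photo.jpg.scr",
    ]
    for v in scan_attachments(SAMPLE):
        print(f"{v.real_name!r} is shown as {v.displayed_name!r}: {v.reason}")
```

A mail gateway or endpoint script can apply the same check to the names inside an archive before the user ever sees the extracted file.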

The file hash is frequently changed so that signature-based security solutions cannot detect the malware until definitions are updated with the new hash. The attackers also take advantage of configuration flaws in email authentication protocols such as DKIM, DMARC, and SPF when spoofing legitimate companies.

The researchers said that most of the attacks use a shotgun approach rather than spear phishing emails sent to selected targets, although they have also discovered a number of targeted attacks on Fortune 500 executives.

Because the campaign is regularly updated to evade detection by security solutions, employees should be made aware of it so that they do not inadvertently install the malware.

Research Reveals Higher Credential Theft Using Spoofed Login Pages

A study by IRONSCALES has revealed a significant increase in credential theft using spoofed web pages. In the first half of 2020, the researchers identified and analyzed fraudulent login pages that imitated major brands. They identified over 50,000 fake login pages spoofing around 200 brands.

The login pages are hosted on compromised websites and various attacker-operated domains and closely imitate the brands’ real login pages. In some cases, the attacker embeds the fake login form in the email message itself.

The emails used to lure unsuspecting recipients to the fake login pages use social engineering techniques to persuade them to disclose their usernames and passwords. Once captured, the credentials are used to sign in to the real accounts for a variety of malicious purposes, such as fraudulent wire transfers, credit card fraud, data theft, and identity theft.

IRONSCALES researchers found that the brands with the most fake login pages closely mirrored the brands with the most active phishing websites. PayPal had the most fake login pages (11,000), followed by Microsoft with 9,500, Facebook with 7,500, eBay with 3,000, and Amazon with 1,500.

Although PayPal tops the list of spoofed brands, fake Microsoft login pages pose the biggest threat to businesses. If attackers steal Office 365 credentials, they can use them to access corporate Office 365 email accounts that may contain a wide range of highly sensitive information and, in the case of healthcare organizations, a considerable amount of protected health information (PHI).

The following brands were also frequently impersonated: Adobe, Alibaba, Aetna, AT&T, Apple, Bank of America, DocuSign, Delta Air Lines, JP Morgan Chase, Netflix, LinkedIn, Squarespace, Wells Fargo and Visa.

The most common targets of these campaigns are people working in the financial services, healthcare, and technology sectors, as well as government institutions.

About 5% of the fraudulent login pages were polymorphic, meaning that for a single brand there were over 300 permutations. Microsoft login pages showed the highest degree of polymorphism, with 314 permutations. The reason for the large number of permutations is not entirely clear. IRONSCALES suggests it is because Microsoft and other brands actively hunt for fake login pages mimicking their brand; using many different permutations makes it harder for humans and technical controls to identify and take down the pages.

The emails used in these campaigns frequently bypass security controls and reach inboxes. Messages containing fake logins can now routinely evade technical controls such as spam filters and secure email gateways without the attacker investing much time, money, or resources. This is because both the sender and the message can pass various authentication standards and gateway controls that look for malicious payloads or known signatures, which these messages often lack.

Although the fake login pages differ slightly from the pages they spoof, they are convincing and frequently succeed once a user reaches the page. IRONSCALES attributes this to “inattentional blindness”, where people fail to notice an unexpected change in plain sight.

Children’s Hospital Colorado Phishing Attack and Hoag Clinic Laptop Theft

Children’s Hospital Colorado is notifying 2,553 patients that some of their protected health information (PHI) was potentially accessed as a result of unauthorized access to an email account between April 6 and April 12, 2020.

The attacker obtained the credentials for the account after an employee responded to a phishing email. The hospital identified the phishing attack on June 22, 2020 and immediately secured the email account. An analysis of the emails and attachments in the account revealed that they contained patient names, dates of service, medical record numbers, clinical diagnosis data and zip codes.

Since the breach, the hospital has taken steps to strengthen its email security defenses and has reviewed its cybersecurity training platforms for employees. Email-related technical controls were also reviewed.

Laptop Containing Unencrypted PHI Stolen From Hoag Clinic

On June 5, 2020, a laptop computer issued to an employee of Hoag Clinic, based in Costa Mesa, CA, was stolen. The laptop had been left in a vehicle parked in a Newport Beach worksite parking lot. The clinic learned of the theft the same day and notified law enforcement, but the device was not recovered.

The IT security team confirmed that the laptop contained the protected health information of 738 people, including first and last names, middle initial, phone number, email address, address, date of birth, age, medical record number, physician’s name, whether the patient was being followed by case management, whether a COVID-19 test was performed, whether the individual was transferred to case management, whether a telehealth consultation was booked, communication status notes, and whether the individual was interested in home health.

Hoag Clinic has retrained its employees on security measures, strengthened its policies on transporting laptops between worksites, and conducted a full security evaluation to ensure all appropriate cybersecurity safeguards are in place. The clinic has offered affected individuals a complimentary 12-month membership to the Experian IdentityWorks identity theft detection and resolution service.

Cyberattacks at the University of Utah and Highpoint Foot and Ankle Center Impact 35,000+ Patients’ PHI

The University of Utah has experienced a phishing attack that has potentially affected the protected health information (PHI) of around 10,000 patients. This is the University of Utah’s 4th security breach report submitted to the Department of Health and Human Services in 2020. All four were reported as hacking/IT incidents involving email. Previous breach reports were submitted on June 8, 2020 (affecting 1,909 people), April 3, 2020 (affecting 5,000 people), and March 21, 2020 (affecting 3,670 people).

Unauthorized individuals had access to employee email accounts from January 22, 2020 to May 22, 2020, according to the substitute breach notice published on the University of Utah Health website. It is not yet clear whether the most recent breach report also involved access to employee email accounts during a similar period.

Kathy Wilets, Director of Public Relations at University of Utah Health, issued a statement explaining that the phishing attacks were being treated as distinct incidents but could have been part of a coordinated campaign. She said the most recent incident potentially involved access to a limited amount of patient data. The figure of 10,000 affected individuals is an estimate; the investigation may show that fewer people were affected. Steps have since been taken to strengthen email security, including the use of two-factor authentication.

Ransomware Attack on Highpoint Foot and Ankle Center Impacts 25,554 Patients

Highpoint Foot and Ankle Center in New Britain Township, PA experienced a ransomware attack in May 2020 in which the attackers encrypted and potentially obtained or exfiltrated patient data. Highpoint Foot and Ankle discovered the attack on May 20, 2020 when employees were unable to access certain records on the system.

An investigation was launched and determined that an unauthorized individual had remotely installed ransomware on its computer network. No evidence was found to indicate that the attacker obtained patient information before encrypting the files, and no reports have been received of misuse of patient information.

A third-party computer forensics firm was engaged to assist with the investigation and determined that files containing the PHI of 25,554 patients were potentially exposed. The files included names, birth dates, addresses, Social Security numbers, diagnoses, treatment data, and release states.

Additional security measures have now been implemented to protect patient files, and all patients affected by the ransomware attack have been notified by mail.

Phishing Attacks in NC and TX Impact 30,000 Patients’ PHI

Choice Health Management Services, based in Claremont, NC, a rehabilitation services provider and operator of several nursing facilities in North and South Carolina, has experienced an email security breach affecting its employees and current and former patients.

Choice Health detected the breach in late 2019 when suspicious activity was noticed in the email accounts of several employees. An internal investigation confirmed on January 17, 2020 that 17 employees’ email accounts had been accessed without authorization. Because it was not possible to determine which emails and/or attachments the attackers had opened, a third-party firm was engaged to continue the investigation. The review was completed on March 27, 2020 and confirmed that the compromised accounts contained sensitive information, but it was not clear which facilities the affected individuals had attended for treatment. It was only on May 12, 2020 that those individuals were linked to a specific facility.

The compromised accounts contained a broad range of sensitive information, including names, Social Security numbers, dates of birth, driver’s license numbers, passport numbers, credit card data, financial account details, employer identification numbers, email addresses with passwords or associated security questions, usernames with passwords or associated security questions, dates of service, provider names, patient numbers, medical record numbers, medical data, diagnostic or treatment details, surgical data, prescription drugs, and/or health insurance details.

Choice Health has sent notifications to the affected individuals and has taken steps to enhance security to prevent further data breaches. According to the HHS’ Office for Civil Rights breach portal, 11,650 people were affected.

Phishing Attack on Houston Health Clinic Impacts 19,000 Patients

Legacy Community Health, a federally qualified health center in Houston, TX, is notifying around 19,000 patients that some of their protected health information (PHI) was potentially accessed by an individual who gained access to one employee’s email account.

On April 10, 2020, an employee responded to an email believing it was a legitimate request and disclosed credentials that gave the attacker access to their email account. Legacy Community Health identified the breach on April 16, 2020 and immediately secured the account.

With the assistance of a third-party computer forensics firm, Legacy Community Health confirmed that the breach was limited to a single email account, which was found to contain patient names, dates of service, and health information related to the care provided at its clinics.

The investigation into the breach is ongoing and notifications will shortly be sent to all individuals whose information was exposed. At this stage, no evidence has been found to suggest that any patient information was accessed or misused.

Legacy Community Health is working to strengthen email security and has enabled multi-factor authentication on its email accounts. Additional training has also been provided to employees to help them identify and avoid phishing emails.