Phishing Attack on Saint Alphonsus Health System and Southeastern Minnesota Center for Independent Living

Saint Alphonsus Health System, based in Boise, ID, has experienced a phishing attack that resulted in the potential exposure of patient information. The attack also affected patients of Saint Agnes Medical Center in Fresno, CA.

Saint Alphonsus discovered suspicious activity in an employee's email account on January 6, 2021. The provider promptly secured the account and launched an investigation to determine the source and nature of the activity. It learned that an unauthorized individual had accessed the account on January 4, 2021 and retained access to the account and the data it held for two days. The attacker used the account to send phishing emails to the employee's contacts in an attempt to steal usernames and passwords.

The employee whose credentials were compromised supported a number of business functions that required access to protected health information (PHI), including billing for Trinity Health's West Region and for Saint Agnes Medical Center in Fresno.

An analysis of all email messages and attachments in the account revealed that it contained the PHI of certain patients. The PHI varied from patient to patient and included full names along with one or more of the following: telephone number, date of birth, address, email address, medical record number, treatment information, and/or billing details. The account also contained some Social Security numbers and credit card numbers.

Although the provider confirmed the unauthorized access, it was not possible to determine which emails, if any, the attacker actually opened. At the time notifications were issued, no evidence of misuse of any patient information had been found. Saint Alphonsus has offered credit monitoring services to affected individuals and has given employees additional training on email security to prevent similar breaches in the future.

An error occurred with the mail merge used to generate the notification letters. Some patients received a letter about the email security incident that listed an incorrect status, addressing them as deceased or as a minor, because of the mail merge error.

It is not yet known how many patients were affected by the breach. Updates will be provided when more information becomes available.

Southeastern Minnesota Center for Independent Living Phishing Attack Impacts 4,122 Individuals

Southeastern Minnesota Center for Independent Living (SEMCIL), a disability and support services provider in Rochester and Winona, has discovered that an unauthorized person gained access to an employee's email account containing the PHI of 4,122 people.

The investigation into the incident showed the account was compromised on August 6, 2020 and that the attacker retained access until September 1, 2020. On December 22, 2020, the investigation confirmed that the account contained PHI, including names, addresses, dates of birth, driver's license numbers, Social Security numbers, and certain medical treatment details. SEMCIL began sending breach notification letters to affected individuals on February 19, 2021.

The investigation found no evidence that any protected health information was accessed or exfiltrated, and no reports of misuse of PHI have been received. As a precaution against identity theft and fraud, individuals whose Social Security number or driver's license number was exposed have been offered identity theft protection services free of charge.

PHI Exposed Due to Breaches at Elara Caring, ProPath and Cornerstone Care

Elara Caring, one of the largest providers of home-based healthcare services in the United States, has experienced a phishing attack that affected more than 100,000 patients.

In mid-December, the provider identified suspicious activity in several employee email accounts. It promptly secured the accounts to block further unauthorized access, and a third-party security firm was engaged to assist with the investigation.

The investigation confirmed that an unauthorized individual accessed several employee email accounts. No evidence was found that the attackers viewed or obtained any patient information in the accounts, but data theft could not be ruled out.

An analysis of the compromised email accounts revealed they contained the PHI of 100,487 patients, including names, dates of birth, Employer ID numbers, driver's license numbers, Social Security numbers, financial/bank account details, passport numbers, addresses, email addresses and passwords, insurance information and insurance account numbers. Elara Caring has offered affected individuals complimentary credit monitoring and identity protection services.

The provider has also taken steps to enhance data security and has provided additional cybersecurity training to its employees.

ProPath Email Accounts Breached by an Unauthorized Individual

ProPath, the largest fully physician-owned pathology practice in the United States, has discovered that an unauthorized person gained access to two email accounts containing patient information.

The unauthorized individual accessed the email accounts between May 4, 2020 and September 14, 2020. On January 28, 2021, ProPath determined that the protected health information in the accounts included patient names, dates of birth, test orders, diagnosis and/or clinical treatment information, medical procedure details, and physician names. For a limited number of individuals, Social Security numbers, financial account information, driver's license numbers, health insurance information, and/or passport numbers were also affected.

Individuals whose Social Security number was exposed have been offered free credit monitoring services. Employees have received additional training to help them identify malicious emails, and further technical security measures have been implemented.

It has not yet been confirmed exactly how many individuals were affected. ProPath stated that most people who received testing from the company were not affected by the incident.

Cornerstone Care Email Account Breach Impacts 11,487 Patients

An unauthorized person accessed an email account containing the PHI of 11,487 patients of Cornerstone Care, which operates community health centers in Southwestern Pennsylvania and Northern West Virginia.

The provider detected the breach on June 1, 2020 and engaged third-party security specialists to assist with the investigation. It was established that the breach was limited to a single corporate email account. A review of the PHI contained in the account was completed on January 13, 2021.

The account held patients' names and addresses and, for some individuals, date of birth, Social Security number, medical history, condition, treatment procedure, diagnosis, and/or health insurance information. Those whose Social Security number was exposed have been offered free credit monitoring and identity theft protection services.

Cornerstone Care notified affected individuals by mail on February 25, 2021. It has also enforced multi-factor authentication on its email accounts.

3 Healthcare Providers Have Begun Notifying Patients Regarding Recent Phishing Attacks

This is a summary of healthcare phishing attacks that were publicly announced in the past few days.

2,254 Patients Affected by Email Account Breach at Leonard J. Chabert Medical Center

Leonard J. Chabert Medical Center has been notified that the protected health information (PHI) of some of its patients was compromised in a phishing attack on LSU Health New Orleans Health Care Services Division (LSU HCSD).

LSU HCSD reported a breach on November 20, 2020. On November 24, 2020, it determined that patient information from Leonard J. Chabert Medical Center, one of its partner hospitals, had also been affected.

Leonard J. Chabert Medical Center was informed of the breach on December 3, 2020. Its evaluation showed that the PHI of 2,254 patients was exposed between September 15, 2020 and September 18, 2020.

For most patients, the exposed information was limited to names, telephone numbers, addresses, medical record numbers, dates of birth, account numbers, types of services received, dates of service, and health insurance identification numbers. For a small number of patients, limited health data such as diagnoses and/or bank account numbers were also exposed.

LSU HCSD is reviewing its email security procedures, which will be improved to prevent similar breaches in the future, and additional security awareness training will be provided to staff.

PHI of 1,800 Patients Possibly Compromised in Lynn Community Health Center Phishing Attack

Lynn Community Health Center (LCHC) in Massachusetts discovered that an unauthorized individual accessed a staff member's email account after the employee responded to a phishing email. LCHC discovered the attack on November 25, 2020 and promptly secured the account. With the help of a digital forensics firm, LCHC determined that up to four email accounts had been compromised.

An analysis of the potentially compromised accounts revealed they contained patient names along with one or more of the following: mailing address, date of birth, phone number, insurance details, medical record number, diagnoses, and other clinical information. The Social Security numbers of some patients were also exposed.

The ongoing investigation has found no evidence of theft or misuse of patient data; however, as a precaution, individuals whose Social Security number was potentially compromised have been offered free credit monitoring and identity theft protection services.

Additional safeguards are being put in place to prevent further email security breaches. Information handling protocols are being revised, and employee security awareness training has been enhanced.

Auris Health Notifies Patients About March 2020 Email Account Breach

Auris Health, located in Redwood City, CA, has begun notifying a number of patients that an unauthorized person may have accessed some of their PHI as a result of an employee email account breach in March 2020.

Upon learning of the breach, Auris Health blocked access to the account and launched an investigation to determine its nature and scope. The investigation is ongoing, but Auris Health has determined that the compromised account contained patient names combined with at least one of the following: tax identification number, Social Security number, passport number, health insurance number, health information, payment card details, and financial account number(s).

Auris Health is implementing additional security measures to prevent future breaches, including strengthening its email authentication procedures. Affected individuals have been offered complimentary credit and identity theft monitoring services for two years.

FBI Advisory About the Surge in Vishing Attacks

Many data breaches begin with a phishing email, but credential phishing can also take place through other channels such as instant messaging applications and SMS messages. One frequently overlooked route is phishing over the telephone, known as vishing. These attacks give attackers the credentials needed to access email accounts and/or cloud services, and with them the ability to modify privileges.

The Federal Bureau of Investigation (FBI) recently issued an advisory about a surge in vishing attacks in which attackers steal corporate account credentials, including those used for network access and privilege escalation. The shift to remote working in 2020 because of COVID-19 has made it harder for IT staff to monitor network access and privilege escalation, so these attacks often go undetected.

The FBI warned that it has observed a change in tactics. Rather than only targeting the credentials of individuals who can elevate privileges, cybercriminals are now attempting to obtain all credentials. Although the credentials of low-profile employees may not directly provide the desired access to networks, systems, or data, they give attackers a foothold from which to obtain greater network access, including the ability to escalate privileges.

Threat actors are using VoIP systems to call company employees and obtain their credentials. One approach is to persuade the employee to log in to a phishing website that captures credentials; for example, the threat actor impersonates a member of the IT team and tells the employee to visit a website to update their software or for security purposes.

In one recent vishing attack, cybercriminals contacted an employee of the targeted company in its chatroom and told the employee to log in to a fake VPN page. The threat actors stole the employee's credentials, logged in remotely to the VPN, and performed reconnaissance to locate an employee with higher privileges, specifically someone with permission to modify usernames and email credentials. Once such a person was identified, the threat actors contacted them through the same chat service to harvest their credentials.

This is the FBI's second warning about vishing; the tactic has been used in attacks since December 2019. To strengthen defenses against these attacks, the FBI recommends the following:

  • Use multi-factor authentication to secure employee account access.
  • Grant new employees network access with limited privileges only.
  • Regularly review employees' network access to identify weak points.
  • Actively scan for and monitor unauthorized network access and changes to permissions.
  • Use network segmentation to control the flow of network traffic.
  • Administrators should have two accounts: one with administrative privileges, used only for system changes, and a second account for routine tasks such as updates, email and generating reports.

Beware of Phishing Campaigns That Use Free Google Services

Several phishing campaigns have been identified that use free Google services to bypass email security gateways and ensure that malicious messages are delivered to inboxes.

Phishing emails frequently contain hyperlinks that direct users to web pages hosting forms that harvest login credentials. Email security gateways use several methods to identify these malicious links, including blocklists of known malicious sites, domain reputation scoring, and following links to inspect the content of the destination page. When a link is found to be malicious or suspicious, the email is blocked. By linking to legitimate Google services instead, phishers are able to get past these controls and deliver their emails.

Abuse of Google services by phishers is not new; however, Armorblox security researchers have seen an increase in this activity alongside the rise in remote working. The researchers identified five campaigns using free Google services such as Google Drive, Google Forms, Google Docs and Google Sites. Google is not the only target: other free cloud services such as Dropbox, Webflow, Amazon Simple Email Service, Microsoft OneDrive and SendGrid are also being abused.

One campaign impersonated American Express. The initial message tells the user that some information was missing during card validation and that the account must be verified, and directs the user to a phishing page built with Google Forms. The form carries the official American Express logo and a short questionnaire asking for information the attackers can use to access the user's credit card account: login credentials, telephone number, credit card number and security code, and security questions and answers. Because the hyperlink in the email points to Google Forms, a legitimate Google domain and service, the email security gateway is unlikely to flag it as malicious.

Another campaign using Google Forms sent emails purporting to come from a childless widow with a terminal cancer diagnosis. She claims to want to donate her wealth to charity and asks the recipient to make the donations on her behalf. The link in the email leads to an untitled Google Form; anyone who submits a response is shortlisted for further scam attempts.

A third campaign used a fake email login page hosted on Google's Firebase platform. The emails impersonate the security team and claim that important messages were not delivered because the mailbox storage quota was exceeded. The campaign aims to harvest email login credentials. Because Firebase is a legitimate Google-hosted platform, a Firebase link is unlikely to be flagged as malicious.

A campaign using Google Docs impersonated the payroll team. The Google Docs document contained a hyperlink to a phishing page that harvested sensitive information. Since the initial link points to a legitimate and widely used Google service, email security solutions are unlikely to block the email. Some solutions could identify the malicious hyperlink inside the Google-hosted document, but a chain of redirects is used to obscure the final malicious URL.

Another campaign, impersonating Microsoft Teams and the user's IT department security team, used a fake Microsoft login page built on Google Sites. Here Google Sites was used to build a web page containing a phishing form and the official Microsoft logo.

These campaigns highlight the need for advanced security solutions capable of identifying and blocking phishing emails that abuse legitimate cloud services, and for ongoing security awareness training that helps employees recognize phishing emails that evade their organization's defenses.
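As an added example, not code from Armorblox or from the original article, the Python below shows the gap these campaigns exploit and one way to narrow it. A link to docs.google.com or sites.google.com passes every domain-reputation check, so instead of scoring the domain the script pairs a "free hosting" match with brand or credential-lure language in the same message, and treats a Google Form in particular as the highest-risk combination. The host list, the lure keywords and the three sample messages are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Hosting services with good domain reputation that are free to abuse for
# credential-harvesting forms and landing pages. Assembled for this example
# from the services named in the article; it is not a vendor feed.
ABUSABLE_HOSTS = {
    "docs.google.com", "forms.gle", "sites.google.com", "drive.google.com",
    "firebaseapp.com", "web.app", "webflow.io", "dropbox.com", "1drv.ms",
}

# Brand and credential-lure phrases that should not appear next to a link to a
# free form builder (constructed list; extend it for your own environment).
LURE_KEYWORDS = (
    "american express", "amex", "microsoft", "office 365", "teams",
    "payroll", "storage quota", "verify your account", "sign in",
)

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def host_matches(host, watched):
    """True if host equals a watched domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watched)


def triage_email(body):
    """Return [(url, [reason, ...]), ...] for links that deserve a closer look.

    A pure domain-reputation check lets these links through because the
    registered domain belongs to Google, Dropbox, etc. The signal used here is
    the combination of free hosting plus lure language in the same message.
    """
    lowered = body.lower()
    lures = [k for k in LURE_KEYWORDS if k in lowered]
    findings = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        reasons = []
        if host_matches(host, ABUSABLE_HOSTS):
            reasons.append("free-hosting:" + host)
            is_form = ("docs.google.com" in host and "/forms/" in url.lower()) \
                or host.endswith("forms.gle")
            if is_form:
                reasons.append("google-form")
            if lures:
                reasons.append("lure:" + ",".join(lures))
        if reasons:
            findings.append((url, reasons))
    return findings


def verdict(body):
    """Collapse triage findings into a gateway action."""
    findings = triage_email(body)
    has_lure = lambda rs: any(r.startswith("lure:") for r in rs)
    if any("google-form" in rs and has_lure(rs) for _, rs in findings):
        return "block"    # a form on free hosting plus brand/credential lure
    if any(has_lure(rs) for _, rs in findings):
        return "review"   # free hosting plus lure, but not a form: hold for an analyst
    return "allow"        # free-hosting links with no lure are everyday business


# Constructed sample messages modelled on the campaigns described above.
SAMPLES = {
    "amex": ("American Express: some information was missing during card validation. "
             "Please verify your account at "
             "https://docs.google.com/forms/d/e/1FAIpQLSe-EXAMPLE/viewform"),
    "payroll": ("Payroll team: your updated pay statement is ready at "
                "https://docs.google.com/document/d/1abc-EXAMPLE/edit"),
    "benign": ("Hi, here is the Q3 capacity spreadsheet we discussed: "
               "https://docs.google.com/spreadsheets/d/1xyz-EXAMPLE/edit"),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:8s} -> {verdict(body):6s} {triage_email(body)}")
```

The benign sample is the important one: a shared spreadsheet from a colleague also lands on docs.google.com, so a rule that blocks Google links outright is unusable. Keying the action on the lure text keeps that message flowing while the American Express form, which is also just a Google link, is blocked. The redirect chains used in the Google Docs campaign are not followed here; a production gateway would detonate the document and apply the same triage to every hop.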

Phishing Incidents Reported by Connecticut Department of Social Services and LSU Care Services

The Connecticut Department of Social Services (DSS) has announced the potential exposure of the protected health information (PHI) of 37,000 people as a result of a series of phishing attacks between July and December 2019.

Several email accounts were compromised and used to send spam emails to a large number of DSS staff. The investigation confirmed the incidents were phishing attacks. A detailed investigation was conducted using state information technology resources and a third-party forensic IT firm. The investigators found no evidence that the attackers accessed patient information in the email accounts; however, the DSS breach notification states that the forensic experts could not rule out access to personal data because of the large volume of email involved and the nature of the phishing attack.

As a precaution, DSS has offered identity theft protection services to affected individuals and has taken steps to strengthen email security and better defend against phishing attacks in the future.

Phishing Attack on LSU Health Care Services

The Louisiana State University (LSU) Health New Orleans Health Care Services Division has reported a potential exposure of patient information from several Louisiana hospitals after an unauthorized individual accessed a staff member's email account.

The email account was compromised on September 15, 2020. LSU discovered the attack on September 18 and promptly blocked access to the account. The investigation found no evidence that the unauthorized individual accessed or obtained patient information in the email messages and attachments.

The compromised email account was found to contain the PHI of patients of the following hospitals:

  • Bogalusa Medical Center in Bogalusa
  • University Medical Center in Lafayette
  • Interim LSU Hospital in New Orleans
  • Leonard J. Chabert Medical Center in Houma
  • Lallie Kemp Regional Medical Center in Independence
  • O. Moss Regional Medical Center in Lake Charles

The types of data potentially exposed varied by patient and by hospital, but may have included names, telephone numbers, dates of birth, addresses, medical record numbers, account numbers, Social Security numbers, dates of service, types of services received, insurance ID numbers, and certain financial account information and medical data. The investigation is ongoing, but so far "thousands" of patient records have been identified as compromised.

LSU Health is evaluating additional security measures to better defend against further attacks, and employees have received additional guidance and security training.

Breaches at Ascend Clinical, Alamance Skin Center, and Perry County Memorial Hospital

A phishing attack on Ascend Clinical, a Redwood City, CA-based provider of ESRD laboratory testing for third-party dialysis clinics, led to a ransomware attack in May 2020.

Unusual system activity and file encryption were noticed on or about May 31, 2020. Ascend Clinical immediately isolated the affected systems and investigated the incident to determine its nature and scope. A third-party security firm helped Ascend Clinical confirm that the attacker gained access to its systems after an employee responded to a phishing email.

Before deploying the ransomware, the attackers accessed files containing names, mailing addresses, dates of birth, and Social Security numbers. Ascend Clinical has since taken steps to strengthen its email security to prevent similar attacks in the future.

The breach report submitted to the HHS' Office for Civil Rights shows that 77,443 people were affected.

Alamance Skin Center Experiences Ransomware Attack

A ransomware attack on Cone Health, a Greensboro-based health system, affected a single practice, Alamance Skin Center in Burlington, NC.

The ransomware attack occurred in late July 2020 and appears to have begun with a phishing attack or a brute force attempt to obtain credentials. Cone Health took immediate action to isolate the affected systems and engaged third-party computer forensics specialists to assess the scope of the breach. No evidence was found that patient information was stolen before file encryption, and no reports of misuse of patient data have been received.

However, some patient information was encrypted in the attack and cannot be recovered. Cone Health reports that the affected protected health information (PHI) includes patient names, addresses, medical record numbers, dates of birth, diagnosis information, and date(s) of service.

The attack took the appointment system offline; patients with scheduled appointments were told to contact the practice to confirm them. Because it was not possible to determine with certainty that the attackers did not access patient data, all affected patients have been advised to remain vigilant for signs of identity theft and fraud.

Alamance Skin Center is reviewing its current policies and procedures and will implement additional safeguards to prevent similar incidents in the future.

Perry County Memorial Hospital Uncovers Email Security Breach

Perry County Memorial Hospital in Tell City, IN has discovered that unauthorized persons gained access to employee email accounts.

The investigation determined that the attackers accessed the email accounts on August 23, 2020. An analysis of the compromised accounts confirmed that they contained patient information that may have been viewed or obtained by the attackers, although no evidence of data theft was found.

The information potentially exposed included names, dates of birth, diagnoses/diagnostic codes, internal patient account numbers, healthcare provider names, and other health information, as well as the Social Security numbers, Medicare/Medicaid numbers, and health insurance information of some patients.

Perry County Memorial Hospital is taking steps to strengthen email security to prevent similar breaches. The hospital has also offered complimentary identity theft monitoring services to patients whose Social Security number was potentially compromised.

Latest Microsoft Teams Phishing Scam and Emotet Trojan Campaigns

Researchers at Abnormal Security have detected a new Office 365 phishing campaign that spoofs Microsoft Teams to lure users to a malicious website hosting a phishing form that harvests Office 365 login credentials.

Many organizations have adopted Microsoft Teams to keep remote employees in contact with the office. In healthcare, the platform is being used to deliver telehealth services, reducing the number of patients visiting medical facilities and helping to limit the spread of COVID-19.

Microsoft reported that for the quarter ending June 30, 2020, more than 150 million students and educators were using Microsoft Teams. More than 1,800 organizations have over 10,000 Teams users, and 69 organizations have more than 100,000 Teams users. The healthcare industry also has a growing Teams user base, with 46 million Teams meetings now conducted for telehealth purposes. The pandemic-driven growth in usage creates an opportunity for attackers.

According to Abnormal Security, the fake Microsoft Teams emails have so far been delivered to around 50,000 Office 365 users. The messages appear to come from a sender with the display name "There's new activity in Teams," so they look like automated Teams notifications.

The messages tell users to sign in to Teams because their team is trying to reach them, and include a "Reply in Teams" button. The notifications carry a genuine-looking footer with Microsoft branding and options to install Microsoft Teams on Android and iOS.

The link in the message takes the user to a clone of the official Microsoft sign-in page. The only visible difference is the domain hosting the page, which begins with "microsftteams" (note the missing "o") to appear genuine.

The campaign is one of many targeting Office 365 credentials, and video conferencing platforms are increasingly being impersonated as their popularity grows during the pandemic.
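The "microsftteams" host is the detectable part of this campaign: the page itself is a clone, so the only signal is the domain. As an added example, not from Abnormal Security or the original article, the Python below classifies a login URL as legitimate, lookalike or unknown. It first reduces the host to its registered domain, then compares each host label with the impersonated brand's name using a sliding-window similarity check, which catches a dropped or swapped letter ("microsft") as well as the brand planted in a subdomain of an unrelated registered domain. The legitimate-domain set, brand words, suffix table and sample URLs are assumptions made for this example.

```python
import difflib
import re
from urllib.parse import urlparse

# Registered domains that legitimately host Microsoft sign-in pages.
# Assumed list for this example; in production source it from the IdP config.
LEGIT_REGISTERED = {"microsoft.com", "microsoftonline.com", "live.com"}
BRAND_WORDS = ("microsoft", "teams", "office365")

# Second-level labels under which a third label is needed to reach the
# registered domain (example.co.uk). Tiny stand-in for the Public Suffix List.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def registered_domain(host):
    """Naive eTLD+1 extraction (use the Public Suffix List in production)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def fuzzy_contains(text, word, threshold=0.85):
    """True if `word` occurs in `text` exactly, or with one letter dropped,
    added or swapped: windows of len(word)-1..len(word)+1 are slid over
    `text` and each is scored with difflib's similarity ratio."""
    if word in text:
        return True
    n = len(word)
    for size in (n - 1, n, n + 1):
        for i in range(max(1, len(text) - size + 1)):
            window = text[i:i + size]
            if difflib.SequenceMatcher(None, window, word).ratio() >= threshold:
                return True
    return False


def classify_login_url(url):
    """'legitimate' if the registered domain is the brand's own, 'lookalike'
    if any host label imitates a brand word elsewhere, otherwise 'unknown'."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown"
    if registered_domain(host) in LEGIT_REGISTERED:
        return "legitimate"
    for label in host.split("."):
        text = re.sub(r"[^a-z]", "", label)   # "microsftteams-01" -> "microsftteams"
        if any(fuzzy_contains(text, w) for w in BRAND_WORDS):
            return "lookalike"
    return "unknown"


# Constructed sample URLs; the first mimics the campaign's "microsftteams" host.
SAMPLE_URLS = [
    "https://microsftteams-notify.example.net/login",
    "https://teams.microsoft.com.account-verify.co/",
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://mail.example.com/inbox",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify_login_url(u):10s} {u}")
```

The order of the checks matters: the registered-domain test runs first so that "login.microsoftonline.com" is never scored as a lookalike of "microsoft", and the brand test runs over every label so that "teams.microsoft.com.account-verify.co" is caught even though its registered domain contains no brand word at all. The similarity threshold of 0.85 is tuned for single-character edits; lower it and ordinary words start to collide with short brand names such as "teams".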

Emotet Trojan Campaign Employs Phony Microsoft Word Upgrade Notices

The Emotet Trojan is being distributed in a new campaign that uses fake Microsoft Word upgrade notices as a lure to trick users into installing the malware. Emotet is currently the most widely distributed malware in use. When a user's device is infected, it is added to a botnet that is used to infect further devices. Emotet also acts as a malware downloader and is used to install information stealers such as TrickBot and QBot, which in turn are used to deliver ransomware variants such as ProLock, Ryuk, and Conti.

The messages look like Microsoft Office notifications telling the user that they must upgrade Microsoft Word to add new features. Each message carries a Microsoft Word attachment, and the user is instructed to click Enable Editing and then Enable Content. Doing so runs a malicious macro that installs Emotet on the user's device.

Users should be cautious and avoid clicking links or opening document attachments in unsolicited messages. Emotet also hijacks infected users' email accounts to send further phishing emails, including to everyone in their contact lists.
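The lure only works if the attachment can carry a macro at all, and that is checkable at the mail gateway before anyone is shown an Enable Content button. As an added example, not from the article or any vendor, the Python below looks inside an attachment instead of trusting its extension: an Office Open XML file is a zip package, and a vbaProject.bin part, or its content type declared in [Content_Types].xml, means a VBA project is present. The part names and content type are facts of the OOXML format; the helper that builds the sample .docm/.docx packages in memory, and the result labels, are constructed for this example.

```python
import io
import zipfile

# OOXML facts: VBA code lives in a vbaProject.bin part, which is declared in
# [Content_Types].xml with this content type.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"


def inspect_office_attachment(filename, data):
    """Classify an attachment by its contents, not by its name.

    Returns one of:
      'ole-legacy'                pre-2007 binary format; needs an OLE parser (e.g. oletools)
      'not-office'                neither OLE nor a readable zip package
      'clean'                     OOXML package with no VBA project
      'macro'                     VBA project present and the extension admits it (.docm ...)
      'macro-extension-mismatch'  VBA project present but the name hides it (.docm renamed .doc)
    """
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
            if not has_vba and "[Content_Types].xml" in names:
                has_vba = VBA_CONTENT_TYPE in pkg.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        return "not-office"
    if not has_vba:
        return "clean"
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    return "macro" if ext in MACRO_EXTENSIONS else "macro-extension-mismatch"


def build_word_package(with_macro):
    """Construct a minimal Word OOXML package in memory. Sample data for this
    example only; the VBA blob is a placeholder, not real macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        types = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Default Extension="xml" ContentType="application/xml"/>']
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            pkg.writestr("word/vbaProject.bin", b"placeholder VBA project")
            types.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
        types.append("</Types>")
        pkg.writestr("[Content_Types].xml", "".join(types))
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("Word_Update_Notice.docm", build_word_package(True)),
        ("Word_Update_Notice.doc", build_word_package(True)),
        ("invoice.docx", build_word_package(False)),
        ("old_report.doc", OLE_MAGIC + b"\x00" * 24),
        ("readme.txt", b"plain text"),
    ]
    for name, blob in samples:
        print(f"{inspect_office_attachment(name, blob):26s} {name}")
```

Two caveats for use at a gateway: legacy OLE documents (the classic .doc) store macros in a different structure, so they are reported as 'ole-legacy' for a dedicated parser rather than silently passed as clean, and the content-type check is there because a package can declare a VBA part under a non-standard name. A blanket policy of quarantining anything that returns 'macro' or 'macro-extension-mismatch' from an external sender removes this Emotet lure regardless of how convincing the "upgrade" notice looks.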

Premera Blue Cross HIPAA Penalty of $6.85 Million is the 2nd Biggest HIPAA Violation Penalty Ever

The Department of Health and Human Services' Office for Civil Rights (OCR) has imposed a $6.85 million HIPAA penalty on Premera Blue Cross to resolve HIPAA violations discovered during its investigation of a 2014 data breach involving the electronic protected health information (ePHI) of 10.4 million people.

Premera Blue Cross, based in Mountlake Terrace, WA, is the largest health plan in the Pacific Northwest and serves more than 2 million people in Alaska and Washington. In May 2014, an advanced persistent threat (APT) group gained access to Premera's computer network and remained undetected for approximately nine months. The attack began with a spear phishing email that delivered malware, which gave the APT group access to ePHI including names, dates of birth, addresses, email addresses, bank account information, Social Security numbers, and health plan clinical information.

Premera Blue Cross discovered the breach in January 2015 and reported it to OCR in March 2015. OCR launched an investigation and found "systemic non-compliance" with the HIPAA Rules.

OCR determined that Premera Blue Cross had failed to:

  • Conduct an accurate and thorough risk analysis to identify all risks to the confidentiality, integrity, and availability of ePHI.
  • Reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
  • Implement sufficient hardware, software, and procedural mechanisms to record and examine activity in information systems containing ePHI, prior to March 8, 2015.
  • Prevent unauthorized access to the ePHI of 10,466,692 individuals.

Given the nature of the HIPAA violations and the scale of the breach, OCR determined that a financial penalty was warranted. Premera Blue Cross agreed to settle the case without admission of liability. In addition to the financial penalty, Premera Blue Cross agreed to adopt a robust corrective action plan (CAP) to address all areas of non-compliance identified during the OCR investigation, and will be monitored by OCR for two years to ensure compliance with the CAP.

OCR Director Roger Severino said that if large health insurance entities do not invest the time and effort to identify their security vulnerabilities, whether technical or human, hackers certainly will, and that this case vividly demonstrates the damage that results when hackers are allowed to roam undetected in a computer system for nearly nine months.

In 2019, Premera Blue Cross agreed to a $10 million settlement with 30 state attorneys general, who had investigated the health plan and determined that it had failed to meet its obligations under HIPAA and Washington's Consumer Protection Act. Premera Blue Cross also agreed to pay $74 million to settle a class action lawsuit filed by individuals whose ePHI was compromised in the breach.

The penalty is the second-largest OCR has imposed on a covered entity or business associate for HIPAA violations. The largest was the $16 million penalty imposed on Anthem Inc. over its 2015 data breach involving the ePHI of 79 million people.

The penalty is the 11th announced by OCR in 2020 and the 8th announced this September. So far in 2020, OCR has collected $10,786,500 to settle HIPAA violations identified during investigations of data breaches and HIPAA complaints.

PHI of Over 250,000 Individuals Affected by Data Breaches

A ransomware attack on Assured Imaging in Tucson, AZ resulted in the encryption of its medical record system. Assured Imaging, a subsidiary of Rezolut Medical Imaging, provides health screening and diagnostic services.

Assured Imaging learned of the attack on May 19, 2020 and acted promptly to prevent further unauthorized access and to restore the encrypted data. With the help of a third-party computer forensics firm, Assured Imaging investigated the attack to determine the scope of the breach. The investigation showed that an unauthorized individual had access to its systems between May 15, 2020 and May 17, 2020 and exfiltrated a limited amount of data before deploying the ransomware.

The forensic investigation confirmed that data was stolen, although it was not possible to determine exactly which files the attackers exfiltrated. Assured Imaging therefore reviewed the affected system to identify every type of information that could have been accessed. The compromised system was confirmed to contain full names, dates of birth, addresses, patient IDs, the facility used, treating physicians' names, medical histories, services performed, the analysis of those services, and recommendations for future assessment.

Assured Imaging is not aware of any misuse of patient data, but it encourages all affected individuals to monitor their accounts and credit reports for any sign of fraudulent activity.

Assured Imaging reported the incident to law enforcement and to the Department of Health and Human Services' Office for Civil Rights. According to the OCR breach portal, the attack affected 244,813 individuals.

6,000 Roper St. Francis Healthcare Patients Affected by Email Breach

Roper St. Francis Healthcare, based in Charleston, SC, has experienced a data breach involving a single email account. The provider detected the breach on July 8, 2020, but the investigation revealed that the account had been compromised between June 13, 2020 and June 17, 2020.

The forensic investigation confirmed that the email account contained patients' names, health record or patient account numbers, dates of birth, and limited clinical and/or treatment information such as diagnoses, providers' names, and/or procedure details. The health insurance details and/or Social Security numbers of some individuals were also present in the account. The breach affected around 6,000 patients.

Roper St. Francis Healthcare offered complimentary credit monitoring and identity theft protection services to those whose Social Security number was compromised. Employee training on email security has been reinforced and additional email security controls have been deployed.

This is not the first phishing attack Roper St. Francis has reported this year. In February, the healthcare provider announced that the email accounts of 13 employees had been compromised in a phishing attack between November 15, 2018 and December 1, 2018. The PHI of 35,253 patients was exposed in that breach.

Agent Tesla Trojan Used in COVID-19 Phishing Campaigns

A sophisticated COVID-19-themed phishing campaign has been identified that impersonates manufacturers, importers and exporters of chemicals and offers the recipient personal protective equipment (PPE) such as disposable face masks, forehead thermometers, and other medical supplies used in the fight against COVID-19.

Researchers at Area 1 Security discovered the campaign, which has been active since May 2020 and has targeted a large number of inboxes. The threat actors typically change their tactics, techniques and procedures (TTPs) roughly every 10 days to avoid detection by security tools.

Each new wave of the campaign typically uses different sending IP addresses, impersonates different companies, and uses different lures. In several of the intercepted messages, the attackers went beyond spoofing a real company and used the names, contact details and email addresses of real employees of that company to appear more convincing. They also added the spoofed company's logo to the emails and the company's genuine website address in the signature, so that a recipient who does perform basic checks is likely to conclude that the email is legitimate.

The goal of the campaign is to deliver the Agent Tesla Trojan, a remote access Trojan (RAT) that gives the attackers access to the infected device and lets them perform a wide range of malicious actions. The RAT can log keystrokes on the infected device and steal sensitive data from the user's AppData folder, then send that information to its command and control server over SMTP. It can also steal credentials stored by email clients, web browsers, and FTP and VPN clients.

The RAT is sold on hacking forums as malware-as-a-service and is popular because it makes campaigns cheap and easy to run. Agent Tesla is also available as a free torrent download on Russian websites. The malware has a user interface (UI) that lets its operators track infections and access the stolen data.

The RAT is delivered as a compressed file attachment. When the recipient extracts it, they see an executable that looks like a PDF. Because Windows hides the extensions of known file types by default, the extracted file is displayed without its real extension: a file shown as "Supplier-Face Mask Forehead Thermometer.pdf" is actually "Supplier-Face Mask Forehead Thermometer.pdf.gz" (the archive) or "Supplier-Face Mask Forehead Thermometer.pdf.exe" (the executable inside it).
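The disguised-executable trick described above is straightforward to check for automatically, at the mail gateway or on the endpoint. The following Python is an added example, not Area 1 Security's code and not a sample from the campaign. It applies two independent checks, one on the filename (a document extension placed in front of an executable or archive extension, which Explorer hides by default) and one on the file content (the magic bytes), and it unpacks a gzip attachment to inspect the member inside, reading the member's original name from the gzip header. The attachment names and bytes are constructed for the example; the "executable" is only a PE signature with padding.

```python
import gzip
import io
from dataclasses import dataclass, field
from typing import List, Optional

# Extensions Windows will execute directly (including script hosts).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "ps1"}
# Extensions a recipient expects to be harmless documents or images.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
ARCHIVE_EXTS = {"gz", "zip", "rar", "7z"}

# Magic numbers: what the first bytes say the file really is.
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf", b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip"}


@dataclass
class Verdict:
    name: str           # real filename
    displayed_as: str   # what Explorer shows with known extensions hidden
    filetype: str       # type according to the magic bytes
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def displayed_name(name: str) -> str:
    """Mimic Explorer's default 'hide extensions for known file types'."""
    head, sep, _ = name.rpartition(".")
    return head if sep else name


def sniff(data: bytes) -> str:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def gzip_member_name(data: bytes) -> Optional[str]:
    """Read the original filename stored in the gzip header (RFC 1952 FNAME field)."""
    if data[:2] != b"\x1f\x8b":
        return None
    flags = data[3]
    pos = 10                                  # fixed header is 10 bytes
    if flags & 0x04:                          # FEXTRA: skip the extra field
        xlen = int.from_bytes(data[pos:pos + 2], "little")
        pos += 2 + xlen
    if flags & 0x08:                          # FNAME: NUL-terminated Latin-1 name
        end = data.index(b"\x00", pos)
        return data[pos:end].decode("latin-1")
    return None


def triage(name: str, data: bytes) -> Verdict:
    reasons = []
    exts = [e.lower() for e in name.split(".")[1:]]
    final = exts[-1] if exts else ""
    second = exts[-2] if len(exts) >= 2 else ""
    # Check 1: the name. A document extension in front of an executable or
    # archive extension is there to survive Explorer hiding the last one.
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{final}"
                       + (f" hidden behind .{second}" if second in DOCUMENT_EXTS else ""))
    elif final in ARCHIVE_EXTS and second in DOCUMENT_EXTS:
        reasons.append(f"archive .{final} named to display as a .{second} document")
    # Check 2: the content. A PE header under a non-executable extension is a lie.
    kind = sniff(data)
    if kind == "pe-executable" and final not in EXECUTABLE_EXTS:
        reasons.append(f"PE header found but extension is .{final or '(none)'}")
    return Verdict(name, displayed_name(name), kind, bool(reasons), reasons)


def triage_attachment(name: str, data: bytes) -> List[Verdict]:
    """Triage an attachment and, for a gzip archive, the member inside it."""
    verdicts = [triage(name, data)]
    if sniff(data) == "gzip":
        fallback = name[:-3] if name.lower().endswith(".gz") else name
        inner_name = gzip_member_name(data) or fallback
        verdicts.append(triage(inner_name, gzip.decompress(data)))
    return verdicts


def build_samples() -> dict:
    """Constructed attachments for the example (not real campaign samples)."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64   # DOS stub + PE signature only
    inner_name = "Supplier-Face Mask Forehead Thermometer.pdf.exe"
    buf = io.BytesIO()
    with gzip.GzipFile(filename=inner_name, mode="wb", fileobj=buf) as gz:
        gz.write(fake_pe)
    return {
        "Supplier-Face Mask Forehead Thermometer.pdf.gz": buf.getvalue(),
        "Quote.pdf": fake_pe,                                               # executable with a lying extension
        "Invoice.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",   # benign document
    }


if __name__ == "__main__":
    for fname, blob in build_samples().items():
        for v in triage_attachment(fname, blob):
            status = "SUSPICIOUS" if v.suspicious else "ok"
            print(f"{status:10} shown as {v.displayed_as!r}, really {v.name!r} ({v.filetype}) {v.reasons}")
```

The content check matters as much as the name check: an attacker can rename the executable to plain `.pdf` and rely on a double-click handler or a second-stage script instead, and only the magic bytes reveal that. The gzip name parser also shows why the archive should be opened by the gateway rather than trusted by name: the member's real extension is stored in the header, where no Explorer setting can hide it.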

The file hash is changed frequently so that signature-based security solutions do not detect the malware until their definitions are updated with the new hash. The attackers also exploit misconfigured email authentication (SPF, DKIM and DMARC) on the domains of the legitimate companies they impersonate, which lets their spoofed messages pass authentication checks at the recipient's mail gateway.
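The misconfigurations that let a spoofed message through are visible in the impersonated domain's DNS, so they can be checked before an attacker does. The following Python is an added example, not the researchers' code. It evaluates the SPF and DMARC TXT records a domain publishes and reports the settings that allow spoofed mail to be delivered, with a weak record set beside a hardened one. Both record sets are constructed for illustration and belong to no real domain; in practice the strings would be fetched with a DNS resolver (the domain's own TXT record for SPF and `_dmarc.<domain>` for DMARC) and passed to the same functions.

```python
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str]   # (severity, description)


def parse_tags(record: str) -> dict:
    """Split DMARC 'k=v; k=v' syntax into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> List[Finding]:
    """Findings for the _dmarc TXT record. Empty list means nothing to fix."""
    if not record:
        return [("high", "no DMARC record: receivers have no policy to enforce against spoofed mail")]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [("high", "record does not start with v=DMARC1; receivers ignore it")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("high", "p=none: monitoring only, spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("medium", "p=quarantine: spoofed mail lands in spam rather than being rejected"))
    elif policy != "reject":
        findings.append(("high", f"missing or invalid policy tag p={policy!r}"))
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(("medium", f"pct={pct}: policy applied to only {pct}% of failing mail"))
    sp = tags.get("sp", policy).lower()          # subdomain policy defaults to p
    if sp != "reject":
        findings.append(("medium", f"subdomain policy sp={sp}: subdomains can be spoofed"))
    if "rua" not in tags:
        findings.append(("low", "no rua= address: aggregate reports of spoofing attempts are not collected"))
    return findings


def assess_spf(record: Optional[str]) -> List[Finding]:
    """Findings for the SPF TXT record."""
    if not record:
        return [("high", "no SPF record")]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("high", "record is not v=spf1")]
    findings = []
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append(("medium", "no 'all' mechanism: unlisted senders get a neutral result"))
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(("high", "+all: every sender on the internet passes SPF"))
        elif qualifier == "?":
            findings.append(("high", "?all: neutral result, spoofed mail is not failed"))
        elif qualifier == "~":
            findings.append(("low", "~all: softfail; acceptable only if DMARC is p=reject"))
    # RFC 7208 caps the lookup-causing mechanisms at 10; over that, SPF evaluates to permerror.
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include:|a[:/]|a$|mx[:/]|mx$|ptr|exists:|redirect=)", t.lower()))
    if lookups > 10:
        findings.append(("high", f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)"))
    return findings


def worst(findings: List[Finding]) -> str:
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f[0] for f in findings), key=order.get, default="ok")


def assess_domain(records: dict) -> dict:
    return {"spf": assess_spf(records.get("spf")), "dmarc": assess_dmarc(records.get("dmarc"))}


# Constructed records for illustration; not taken from any real domain.
WEAK = {
    "spf": "v=spf1 include:_spf.mail.example.net ~all",
    "dmarc": "v=DMARC1; p=none; pct=50",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.mail.example.net -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com",
}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        result = assess_domain(records)
        print(label, "spf:", worst(result["spf"]), "dmarc:", worst(result["dmarc"]))
        for kind in ("spf", "dmarc"):
            for severity, text in result[kind]:
                print(f"  [{severity}] {kind}: {text}")
```

The point the output makes is that SPF and DMARC are only as strong as the policy tag: `~all` with `p=none` authenticates nothing in practice, because receivers are told to deliver failing mail anyway. DKIM is not checked here because its weakness is usually in key management (short or shared keys, selectors left active after rotation) rather than in a single record that can be scored this way.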

The researchers said the attackers mostly take a shotgun approach rather than sending spear phishing emails to selected targets, although a number of targeted attacks on executives at Fortune 500 companies have also been identified.

Because the campaign is updated regularly to evade security solutions, employees should be made aware of it so that they do not inadvertently install the malware.

Research Reveals Higher Credential Theft Using Spoofed Login Pages

A study by IRONSCALES has revealed a significant increase in credential theft using spoofed login pages. In the first half of 2020, the researchers identified and analyzed fraudulent login pages impersonating major brands and found more than 50,000 fake login pages spoofing around 200 brands.

The fake pages are hosted on compromised websites and on attacker-controlled domains and closely mimic the real login pages used by those brands. In some cases, the attacker embeds the fake login form in the email message itself.

The emails used to direct unsuspecting recipients to the fake pages rely on social engineering to persuade them to enter their usernames and passwords. Once the credentials are captured, the attacker uses them to sign in to the genuine accounts for a range of malicious purposes, including fraudulent wire transfers, credit card fraud, data theft and identity theft.

IRONSCALES found that the brands with the most fake login pages closely mirrored the brands with the most active phishing websites. PayPal had the most fake login pages (11,000), followed by Microsoft (9,500), Facebook (7,500), eBay (3,000) and Amazon (1,500).

Although PayPal tops the list of spoofed brands, fake Microsoft login pages pose the greatest threat to businesses. Stolen Office 365 credentials give an attacker access to corporate Office 365 email accounts, which can contain large amounts of highly sensitive information and, in the case of healthcare organizations, substantial amounts of protected health information (PHI).

The following brands were also frequently impersonated: Adobe, Alibaba, Aetna, AT&T, Apple, Bank of America, DocuSign, Delta Air Lines, JP Morgan Chase, Netflix, LinkedIn, Squarespace, Wells Fargo and Visa.

The most common targets of these campaigns are people working in the financial services, healthcare and technology sectors, as well as government agencies.

About 5% of the fraudulent login pages were polymorphic, meaning a single brand's fake page existed in many variants; some brands had more than 300 permutations. Microsoft login pages showed the highest degree of polymorphism, with 314 permutations. The reason for the large number of permutations is not entirely clear. IRONSCALES suggests it is because Microsoft and other brands actively hunt for fake login pages that mimic their brand, and using many different variants makes it harder for both human reviewers and technical controls to identify and take down the pages.

The emails used in these campaigns frequently bypass security controls and reach inboxes. Messages containing fake login links now routinely get past technical controls such as spam filters and secure email gateways without the attacker spending much time, money, or resources. This is because both the sender and the message can pass the various authentication standards and gateway checks, which look for malicious payloads or known signatures that these messages typically do not contain.

Although the fake login pages differ slightly from the genuine pages they spoof, they are convincing enough to succeed once a user lands on them. IRONSCALES attributes this to "inattentional blindness", where people fail to notice an unexpected change in plain sight.

Children’s Hospital Colorado Phishing Attack and Hoag Clinic Laptop Theft

Children's Hospital Colorado is notifying 2,553 patients that some of their protected health information (PHI) may have been accessed when an email account was accessed without authorization between April 6 and April 12, 2020.

The attacker obtained the credentials for the account after an employee responded to a phishing email. The hospital identified the phishing attack on June 22, 2020 and immediately secured the email account. A review of the emails and attachments in the account revealed that they contained patient names, dates of service, medical record numbers, clinical diagnosis information and ZIP codes.

Since the breach, the hospital has strengthened its email security defenses and reviewed the platforms it uses for employee cybersecurity training. Email-related technical controls were also reviewed.

Laptop Containing Unencrypted PHI Stolen From Hoag Clinic

On June 5, 2020, a laptop issued to an employee of Hoag Clinic, based in Costa Mesa, CA, was stolen from a vehicle parked in a Newport Beach worksite parking lot. The clinic learned of the theft the same day and notified law enforcement, but the device was not recovered.

The IT security team confirmed that the laptop contained the protected health information of 738 individuals, including first and last names, middle initials, phone numbers, email addresses, postal addresses, dates of birth, ages, medical record numbers, physicians' names, whether the patient was being followed by case management, whether a COVID-19 test had been performed, whether the individual had been transferred to case management, whether a telehealth consultation had been booked, communication status notes, and whether the individual was interested in home health services.

Hoag Clinic has retrained its employees on security practices, strengthened its policies on transporting laptops between worksites, and performed a full security assessment to ensure that all appropriate cybersecurity safeguards are in place. The clinic has offered affected individuals a complimentary 12-month membership to the Experian IdentityWorks identity theft detection and resolution service.

Cyberattacks at the University of Utah and Highpoint Foot and Ankle Center Impact 35,000+ Patients' PHI

The University of Utah has experienced a phishing attack that may have exposed the protected health information (PHI) of around 10,000 patients. This is the fourth breach report the University of Utah has submitted to the Department of Health and Human Services in 2020. All four were reported as hacking/IT incidents involving email. The previous reports were submitted on June 8, 2020 (1,909 individuals affected), April 3, 2020 (5,000 individuals) and March 21, 2020 (3,670 individuals).

According to the substitute breach notice published on the University of Utah Health website, unauthorized individuals had access to employee email accounts between January 22, 2020 and May 22, 2020. It is not yet clear whether the most recent breach report also involves access to employee email accounts during a similar period.

Kathy Wilets, Director of Public Relations at University of Utah Health, provided a statement to databreaches.net explaining that the phishing attacks were being treated as separate incidents but may have been part of a coordinated campaign. She said the latest incident potentially involved access to a limited amount of patient data, and that the figure of 10,000 individuals is an estimate that the investigation may revise downward. Steps have since been taken to improve email security, including the introduction of two-factor authentication.

Ransomware Attack on Highpoint Foot and Ankle Center Impacts 25,554 Patients

Highpoint Foot and Ankle Center, located in New Britain Township, PA, experienced a ransomware attack in May 2020 in which the attackers encrypted, and may have accessed or exfiltrated, patient data. Highpoint Foot and Ankle discovered the attack on May 20, 2020 when employees were unable to access certain records on its systems.

An investigation was launched and determined that an unauthorized individual had remotely deployed ransomware on its network. No evidence was found to indicate that the attacker obtained patient information before encrypting the files, and no reports have been received of any misuse of patient information.

A third-party computer forensics firm was engaged to assist with the investigation and determined that files containing the PHI of 25,554 patients were potentially exposed. The files included names, dates of birth, addresses, Social Security numbers, diagnoses, treatment information, and release states.

Additional safeguards have since been implemented to protect patient files, and all patients affected by the attack have been notified by mail.

Phishing Attacks in NC and TX Impact 30,000 Patients' PHI

Choice Health Management Services, based in Claremont, NC, a rehabilitation services provider and operator of several nursing facilities in North and South Carolina, has experienced an email security breach affecting its employees and current and former patients.

Choice Health detected the breach in late 2019 when suspicious activity was noticed in the email accounts of several employees. An internal investigation determined on January 17, 2020 that the email accounts of 17 employees had been accessed without authorization. Because it was not possible to determine which emails and/or attachments the attackers had opened, a third-party firm was engaged to continue the investigation. That review was completed on March 27, 2020 and confirmed that the compromised accounts contained sensitive information, but it did not establish which facilities the affected individuals had attended for treatment. Those individuals were not linked to a specific facility until May 12, 2020.

The compromised accounts contained a wide range of sensitive information, including names, Social Security numbers, dates of birth, driver's license numbers, passport numbers, credit card data, financial account details, employer identification numbers, email addresses with passwords or associated security questions, usernames with passwords or associated security questions, dates of service, provider names, patient numbers, medical record numbers, medical information, diagnostic or treatment details, surgical information, prescription medications, and/or health insurance details.

Choice Health has notified the affected individuals and has taken steps to strengthen security to prevent further breaches. According to the HHS' Office for Civil Rights breach portal, 11,650 individuals were affected.

Phishing Attack on Houston Health Clinic Impacts 19,000 Patients

Legacy Community Health, a federally qualified health center in Houston, TX, is notifying around 19,000 patients that some of their protected health information (PHI) may have been accessed by a person who gained access to one employee's email account.

On April 10, 2020, an employee replied to an email believing it to be a legitimate request and disclosed credentials that gave the attacker access to his or her email account. Legacy Community Health identified the breach on April 16, 2020 and immediately secured the account.

With the assistance of a third-party computer forensics firm, Legacy Community Health confirmed that the breach was confined to a single email account, which was found to contain patient names, dates of service, and health information related to the care provided at its clinics.

The investigation into the breach is ongoing and notifications will shortly be sent to all individuals whose information was exposed. At this time, no evidence has been found to suggest that any patient information was accessed or misused.

Legacy Community Health is working to strengthen email security and has enabled multi-factor authentication on its email accounts. Additional training has also been provided to employees to help them recognize and avoid phishing emails.

Third Phishing Attack on the University of Utah Health This Year

Another phishing attack on University of Utah Health has resulted in the compromise of the protected health information (PHI) of 2,700 patients.

This is the third phishing incident the University of Utah has reported to the HHS' Office for Civil Rights this year. The first, reported on March 21, affected 3,670 patients and the second, reported on April 3, affected 5,000 patients.

In the latest attack, an unauthorized person accessed employee email accounts between April 6 and May 22, 2020 after employees responded to phishing emails. The University promptly secured the accounts and launched an investigation to determine whether the attackers had accessed patients' PHI.

The investigators were unable to determine whether PHI was accessed or exfiltrated, but the accounts did contain some PHI that may have been viewed. A review of the emails and attachments in the compromised accounts confirmed that they contained names, dates of birth, medical record numbers, and some clinical information related to the medical services provided at University of Utah Health facilities.

The investigation is still in progress, but to date there is no evidence that the attackers stole any PHI and no reports have been received of any misuse of PHI. The University began sending notification letters to the affected patients on June 5, 2020.

In its substitute breach notice, University of Utah Health said it is reviewing its security protocols. Security procedures will be strengthened and employees' resilience to phishing attacks will be improved. Security enhancements will be implemented across the enterprise, including multi-factor authentication, to prevent email account access in the event that credentials are compromised.

Voicemail Phishing Fraud Identified Targeting Remote Healthcare Workers

The COVID-19 pandemic has forced many organizations to change their working practices, and large numbers of employees now work remotely from home. In healthcare, staff can work remotely and deliver telehealth services to their patients. Although this approach is essential for controlling the virus and ensuring that patients continue to receive the care they need, remote working introduces cybersecurity risks, and cybercriminals are taking advantage of the situation. There has been a notable rise in cyberattacks targeting remote workers over the past three months.

Several techniques are being used to trick remote employees into installing malware or disclosing credentials, including a new one recently uncovered by the cybersecurity firm IRONSCALES.

In a recent report, IRONSCALES explained that cybercriminals are spoofing the automated messages generated by Private Branch Exchange (PBX) systems in order to steal credentials. A PBX is a legacy phone system that many enterprises use to route calls automatically. One of its functions is recording voicemail messages and delivering the recordings directly to users' inboxes. These systems have been very useful during the COVID-19 pandemic, as they ensure that employees do not miss important voicemails while working remotely, but they also give cybercriminals a new way to attack.

In this campaign, the attackers spoof messages from the PBX system telling an employee that a new voicemail message is waiting. The emails are personalized with the user's name or company name to make them look legitimate, and the subject lines are carefully crafted to match those of messages sent by genuine PBX systems.

To listen to the message, users are directed to a website that spoofs the PBX integration, with the aim of stealing their credentials. It may seem odd for attackers to build phishing sites that spoof PBX integrations, given that the contents of most voicemails are fairly benign. The attackers know, however, that the same credentials are often reused for other logins, including sites holding valuable PII or business data, and any sensitive information left in voicemail can be used in later social engineering attacks.

IRONSCALES identified this voicemail phishing (vishing) technique in mid-May. According to the report, the campaign is being conducted globally and around 100,000 mailboxes have been targeted. If your organization automatically delivers voicemails to employees' inboxes, it is exposed to this lure.

IRONSCALES recommends raising awareness of the scam among remote workers and deploying an email security solution that can detect and block threats of this kind, which have so far been able to bypass DMARC anti-spoofing controls. Note that DMARC only blocks messages that claim to come from a domain publishing a reject policy; a message sent from an attacker-controlled lookalike domain authenticates correctly for that domain and is not rejected, so DMARC on your own domain does not stop this lure on its own.

Fake VPN Notifications Used as Lure in Office 365 Credential Phishing Campaign

A phishing campaign has been identified that uses fake VPN notifications as a lure to get remote employees to disclose their Office 365 credentials.

Healthcare organizations have expanded their telehealth services during the COVID-19 public health emergency to help slow the spread of the coronavirus and to ensure that providers can continue to treat patients who are self-isolating at home.

Virtual private networks (VPNs) are used to support telehealth and give remote staff secure access to the network and to patient records. Several vulnerabilities have been identified in VPN products that threat actors are exploiting to gain access to organizations' networks, steal sensitive data and deploy ransomware and other malware. Prompt patching of VPN appliances, and of the VPN clients on employee laptops, is therefore essential, which means that employees are accustomed to receiving requests to update their VPN software. That expectation is exactly what this lure exploits.

Abnormal Security researchers identified a phishing campaign that impersonates the user's own company and claims there is a problem with the VPN configuration that must be fixed before the user can continue using the VPN to access the network.

The emails appear to come from IT support staff and contain a link that must be clicked to receive the update. The email tells the employee that they will need to enter their username and password to sign in and apply the update.

The campaign targets specific businesses and spoofs an internal email address so the message appears to come from a trusted domain. The link's anchor text refers to the user's company, concealing the real destination URL and making the link appear trustworthy. Clicking the link takes the user to a page with an authentic-looking Office 365 login prompt. The phishing page is hosted on a legitimate Microsoft .NET platform, so it has a valid TLS certificate and the browser shows no warning.
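The anchor-text trick described above (company-branded link text in front of an unrelated destination) is one of the few signals in this lure that can be checked mechanically, since the sender domain is spoofed and the landing page has a valid certificate. The following Python is an added example, not Abnormal Security's detection logic. It extracts every link from an HTML email body and flags those whose visible text names the company or displays a URL while the real destination lies outside the company's domain. The email body, the company domain (acme-health.example) and the phishing host are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:            # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname. A stand-in for a public-suffix lookup,
    which production code should use instead (this breaks on co.uk and similar)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_in_text(text: str) -> Optional[str]:
    """Pull a hostname out of anchor text that is written to look like a URL."""
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
    return m.group(1) if m else None


def inspect_links(html: str, company_domain: str) -> List[dict]:
    """Flag links whose destination does not match what the anchor text implies."""
    parser = LinkExtractor()
    parser.feed(html)
    company = registrable(company_domain)
    brand = company.split(".")[0]                 # e.g. "acme-health"
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        external = registrable(host) != company
        reasons = []
        shown = domain_in_text(text)
        if shown and registrable(shown) != registrable(host):
            reasons.append(f"text displays {shown} but the link goes to {host}")
        if external and brand in text.lower().replace(" ", "-"):
            reasons.append(f"company-branded text, destination {host} is outside {company}")
        findings.append({"href": href, "text": text, "host": host,
                         "external": external, "reasons": reasons})
    return findings


COMPANY_DOMAIN = "acme-health.example"   # assumed target organization (constructed)

# Constructed lure modelled on the one described above; the phishing host is made up.
SAMPLE_EMAIL = """
<p>Your VPN client configuration is out of date. Sign in to apply the update:</p>
<p><a href="https://vpn-update.example-phish.net/o365/login">https://vpn.acme-health.example/update</a></p>
<p>Questions? Contact <a href="https://it.acme-health.example/help">Acme Health IT Support</a>.</p>
"""

if __name__ == "__main__":
    for f in inspect_links(SAMPLE_EMAIL, COMPANY_DOMAIN):
        status = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{status:10} {f['text']!r} -> {f['host']} {f['reasons']}")
```

A gateway rule built on this should treat the displayed-URL mismatch as the stronger signal: a link that merely leaves the company domain is common in legitimate mail, but anchor text that spells out one hostname while the href points to another has almost no honest use.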

The attacker can harvest the credentials entered on the page and use them to access the user's email account and obtain sensitive data from emails and attachments, along with any other resources reachable with the Office 365 credentials through single sign-on.

Abnormal Security identified several phishing emails using different variations of this message, sent from a number of IP addresses. Since the destination phishing URL is the same in each email, the emails are most likely part of a single campaign run by one attacker.

Data Breaches at Geisinger Wyoming Valley Medical Center and District Medical Group

District Medical Group (DMG), an integrated medical group in Arizona, has begun notifying 10,190 patients that their protected health information (PHI) may have been compromised. On March 11, 2020, DMG discovered that an unauthorized person had gained access to the email accounts of several employees who had responded to phishing emails.

DMG immediately reset the passwords to block the unauthorized individual from logging into the accounts, and a leading cybersecurity firm was engaged to investigate the breach. The investigation showed that the accounts were compromised between February 4, 2020 and February 10, 2020.

A review of the emails and attachments in the compromised accounts showed that they contained patient information such as names, medical information, medical record numbers, and health insurance information. The Social Security numbers of some patients were also potentially exposed. No evidence was found to indicate that the attackers opened or copied any of the emails.

DMG has advised the affected patients to remain vigilant and to monitor their accounts and statements for any sign of fraudulent transactions. As a precaution, the medical group is offering complimentary credit monitoring and identity theft protection services to individuals whose Social Security numbers were included in the accounts.

DMG has enhanced its employee training and has taken steps to strengthen email security to prevent further breaches.

Geisinger Wyoming Valley Medical Center Employee Terminated for Unauthorized Health Record Access

Geisinger Wyoming Valley Medical Center (GWVMC) in Wilkes-Barre, PA discovered that an employee had been accessing patient health records without a legitimate work reason.

GWVMC was alerted to the potential HIPAA breach on March 20, 2020 and launched an internal investigation. The employee was authorized to access patient records to perform daily job duties, but the investigation found that the employee had accessed the health records of 805 patients beyond what those duties required. The unauthorized access began in July 2017 and continued until March 2020.

The investigation found no evidence that the information was accessed with malicious intent. As a precaution, GWVMC offered the affected patients complimentary credit monitoring and identity theft protection services.

The employee accessed the following types of data: names, telephone numbers, postal addresses, email addresses, dates of birth, Social Security numbers, health conditions, diagnoses, prescription medications, consultation notes, dates of service, test results, and appointment information.

GWVMC took appropriate disciplinary action against the employee for violating HIPAA Rules and hospital policies. The employee no longer works at GWVMC.

BJC HealthCare Phishing Attack Impacts Patients at 19 Hospitals

BJC HealthCare has reported that the email accounts of three employees were accessed without authorization after the employees responded to phishing emails.

On March 6, 2020, BJC HealthCare detected suspicious activity in the email accounts and immediately secured them. A leading computer forensics firm was engaged to investigate and determined that the attackers had access to the three accounts only for a limited period on March 6. The investigators could not determine whether the attacker viewed or obtained any patient data.

A review of the accounts revealed that they contained information on patients of 19 BJC HealthCare and affiliated hospitals. The emails and attachments contained varying protected health information (PHI), which may have included the following data elements: patients' names, dates of birth, patient account numbers, medical record numbers, and limited treatment and/or clinical information such as provider names, visit dates, prescribed medications, diagnoses, and test results. The health insurance details, Social Security numbers, and driver's license numbers of some patients were also potentially compromised.

BJC HealthCare will notify all affected patients by mail once the review of the email accounts is complete. Patients whose driver's license or Social Security number was potentially compromised will be offered complimentary credit monitoring and identity theft protection services.

BJC HealthCare said additional security measures will be implemented to prevent similar incidents in the future, and employees will receive further training to help them identify and avoid suspicious emails.

The BJC HealthCare and affiliated hospitals affected by the breach are:

  • Alton Memorial Hospital
  • Barnes-Jewish St. Peters Hospital
  • Barnes-Jewish Hospital
  • Barnes-Jewish West County Hospital
  • BJC Behavioral Health
  • BJC Home Care
  • BJC Medical Group
  • BJC Corporate Health Services
  • Boone Hospital Center
  • Christian Hospital
  • St. Louis Children's Hospital
  • Memorial Hospital East
  • Memorial Hospital Belleville
  • Missouri Baptist Medical Center
  • Missouri Baptist Physician Services, LLC
  • Missouri Baptist Sullivan Hospital
  • Progress West Hospital
  • Parkland Health Center Bonne Terre
  • Parkland Health Center Farmington