Author Archives: HIPAA Journal

LuxSci Demonstrates Commitment to Privacy and Security by Achieving HITRUST Certification

LuxSci, the Massachusetts-based provider of HIPAA-compliant email communications services, has announced it has achieved HITRUST CSF Certification.

The HITRUST Common Security Framework (CSF) is a comprehensive, certifiable framework for organizations that create, access, store, or transmit sensitive and regulated data. The HITRUST CSF consists of a prescriptive set of scalable controls that conform to multiple regulations and standards, including those of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and the ISO/IEC 27000-series.

Through the incorporation of federal and state regulations, standards, and frameworks, and using a risk-based approach, the HITRUST CSF helps organizations address compliance challenges and implement safeguards to ensure the confidentiality, integrity, and availability of sensitive data. HITRUST CSF Certification is the gold standard for security and the most widely adopted cybersecurity framework in the healthcare industry.

LuxSci adopted the HITRUST CSF and applied its principles and controls to its entire fleet of servers that are used to deliver email, marketing, forms, texting and web hosting services. LuxSci recently underwent a comprehensive third-party audit against the HITRUST CSF controls and was confirmed as having achieved HITRUST CSF certified status for information security.

Customers of service providers such as LuxSci need unequivocal evidence that their service providers are HIPAA compliant and are taking all the necessary steps to ensure privacy and security. HITRUST CSF certification provides that evidence.

“Achieving HITRUST CSF certification validates the security-first posture we have been espousing for years,” said LuxSci CEO and Founder, Erik Kangas. “Security is a process: you are never done being secure. The HITRUST CSF model evolves with the security landscape and we are proud to be able to use it as a benchmark for measuring and managing our security and compliance.”

LuxSci is committed to ensuring its servers remain secure and customer data is always protected. By adopting security best practices, the company will ensure that it continuously maintains its HITRUST CSF Certification status and will help its customers maintain the highest standard of security and compliance, while helping them solve their particular business problems.

The post LuxSci Demonstrates Commitment to Privacy and Security by Achieving HITRUST Certification appeared first on HIPAA Journal.

Webinar: Confronting Critical Communication and Safety Gaps in Healthcare

Earlier this year, HIPAA Journal readers were invited to take part in the 2020 Healthcare Emergency Preparedness and Security Trends Survey conducted by Rave Mobile Safety. On November 12, 2020, Rave Mobile Safety will be hosting a webinar in which the findings of the survey will be revealed.

The survey was conducted on 295 healthcare professionals and explored the top critical communication and safety challenges healthcare providers are facing today.

This year, the 2019 Novel Coronavirus – SARS-CoV-2 – has had a major impact on healthcare providers and continues to create challenges for hospitals, clinics, and doctor’s offices. Healthcare providers have been forced to adopt new protocols to ensure the health and safety of patients and staff, but the survey showed that there were many communication and safety challenges in healthcare even before the pandemic, and those challenges could be affecting the emergency response.

During the webinar Rave Mobile Safety will discuss the key findings from the survey and will explore the new protocols that now need to be adopted by healthcare providers to keep patients and staff healthy in the coronavirus era, and how healthcare providers can stay prepared for other potential threats.

Webinar attendees will have the opportunity to learn about new and ongoing safety obstacles that have been uncovered by the survey and why steps must be taken to remove those obstacles. Proven best practices will be shared to help healthcare providers bridge the main communication gaps that exist across the healthcare industry, and information will be provided about solutions that can be adopted to help healthcare organizations address those challenges during the pandemic and beyond.

The webinar will be taking place on:

Thursday, November 12 from 2:00 PM – 2:30 PM ET.

Register for the Webinar Here

FDA Approves Tool for Scoring Medical Device Vulnerabilities

The FDA has approved a new rubric designed by the MITRE Corporation for assigning Common Vulnerability Scoring System (CVSS) scores to medical device vulnerabilities.

The CVSS was designed for assigning scores to vulnerabilities in IT systems according to their severity, and while the system works well for many IT systems, it is less well suited to scoring vulnerabilities in medical devices.

When vulnerabilities are discovered in medical devices, device manufacturers use the CVSS as a consistent and standardized way of communicating the severity of a vulnerability to the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and other agencies. The scores are used by IT teams in hospitals and clinics for prioritizing patching and software updates. If a vulnerability has a score of 9.0, it naturally takes priority over a vulnerability with a CVSS score of 3.0, for instance. However, CVSS base scores do not adequately reflect the clinical environment and potential patient safety impacts.

To address this issue, the FDA contracted the MITRE Corporation to develop a new rubric specifically for medical devices to allow vulnerabilities to be accurately scored. This week, the FDA announced that the new rubric has been qualified as a Medical Device Development Tool (MDDT) and has now been approved for use. To qualify as an MDDT, a tool must produce scientifically plausible measurements and must work as intended within the specified context of use.

The new rubric for applying the CVSS to medical devices, in combination with CVSS v3, creates a common framework for risk evaluation and communication between all parties involved in security vulnerability disclosure, especially for communicating the severity of vulnerabilities and conveying urgency so that responses can be prioritized.

Part of the problem with the CVSS is that the base score assigned to a vulnerability is intended to give a general impression of the risk associated with that vulnerability, but the base metric group does not take into consideration the environment in which the device or IT system is used. It is important to adjust the score for the specific setting in which a device or IT system is used, as that setting can greatly increase the risk posed by a vulnerability.

This is especially important in healthcare, where the base score may be relatively low even though the risk is actually high, such as when patient safety is affected. There have been several cases where vulnerabilities in medical devices have been assigned a relatively low severity score using CVSS v3, even though exploitation of the flaws poses a direct and serious risk to patients.

The new rubric provides detailed instructions for assigning CVSS scores to medical device vulnerabilities. It explains the base metric group, but also the importance of the temporal metric group and the environmental metric group; around half of the rubric is dedicated to the latter and its role in adjusting scores so that they accurately reflect risk as part of a risk assessment for a medical device.

Vulnerabilities Identified in B. Braun OnlineSuite and SpaceCom

Several vulnerabilities have recently been identified in B. Braun products used by healthcare organizations in the United States.

B. Braun OnlineSuite

Three vulnerabilities have been identified in B. Braun OnlineSuite, a clinical IT solution for creating and sending drug libraries and managing infusion devices and other medical equipment. If exploited, an attacker could escalate privileges, upload and download arbitrary files, and remotely execute code.

The most serious flaws are a relative path traversal vulnerability – CVE-2020-25172 – which allows uploads and downloads of files by unauthenticated individuals, and a remote code execution vulnerability – CVE-2020-25174 – which allows a local attacker to execute code as a highly privileged user. The flaws have been assigned CVSS v3 base scores of 8.6 and 8.4 out of 10.

An Excel macro vulnerability – CVE-2020-25170 – has also been identified in the export feature, caused by the mishandling of multiple input fields, which has been assigned a CVSS v3 base score of 6.9.

The flaws are present in OnlineSuite AP 3.0 and earlier. B. Braun has addressed the flaws in the update OnlineSuite Field Service Information AIS06/20, which users are advised to apply as soon as possible.

SpaceCom and Battery Pack SP with Wi-Fi

11 vulnerabilities have been identified in SpaceCom, which is used to connect external devices for data documentation (a Patient Data Management System, PC, or USB memory stick), and in the Battery Pack SP with Wi-Fi.

The flaws affect SpaceCom software versions U61 and earlier and Battery Pack SP with Wi-Fi software versions U61 and earlier.

If exploited, an attacker could compromise the security of SpaceCom devices and escalate privileges, view sensitive information, upload arbitrary files, and remotely execute arbitrary code.

  • CVE-2020-25158 (CVSS 7.6) – Reflected cross-site scripting (XSS) vulnerability allowing injection of arbitrary web script or HTML into various locations.
  • CVE-2020-25150 (CVSS 7.6) – Relative path traversal vulnerability allowing an attacker with service user privileges to upload arbitrary files and execute arbitrary commands.
  • CVE-2020-25162 (CVSS 7.5) – Path injection vulnerability allowing unauthenticated individuals to access sensitive information and escalate privileges.
  • CVE-2020-25156 (CVSS 7.2) – Active debug code that enables attackers in possession of cryptographic material to access the device as root.
  • CVE-2020-25160 (CVSS 6.8) – Improper access controls that allow extraction of, and tampering with, the device’s network configuration.
  • CVE-2020-25166 (CVSS 6.8) – Improper verification of the cryptographic signature of firmware updates, which allows an attacker to generate valid firmware updates with arbitrary content that can be used to tamper with devices.
  • CVE-2020-16238 (CVSS 6.7) – Improper privilege management that gives attackers command line access to the underlying Linux system and allows privileges to be escalated to root.
  • CVE-2020-25152 (CVSS 6.5) – Session fixation vulnerability allowing hijacking of web sessions and escalation of privileges.
  • CVE-2020-25154 (CVSS 5.4) – Open redirect vulnerability allowing redirection to malicious websites.
  • CVE-2020-25164 (CVSS 5.1) – Use of a one-way hash that allows the recovery of user credentials for the administrative interface.
  • CVE-2020-25168 (CVSS 3.3) – Use of hard-coded credentials that would allow command line access to the device’s Wi-Fi module.

B. Braun has released updates to correct the flaws. Users should update to SpaceCom version U62 or later and Battery Pack SP with Wi-Fi version U62 or later.

B. Braun also recommends that devices should not be directly accessible from the internet, that a firewall be used, and that medical devices be isolated from the business network.

The vulnerabilities were identified by Julian Suleder, Nils Emmerich, and Birk Kauer of ERNW Research GmbH; Dr. Oliver Matula of ERNW Enno Rey Netzwerke GmbH.

September 2020 Healthcare Data Breach Report: 9.7 Million Records Compromised

September has been a bad month for data breaches. 95 data breaches of 500 or more records were reported by HIPAA-covered entities and business associates in September – a 156.75% increase compared to August 2020.

[Figure: September 2020 healthcare data breach report – breaches reported per month]

Not only did September see a massive increase in reported data breaches, the number of records exposed also increased significantly. 9,710,520 healthcare records were exposed in those breaches – 348.07% more than August – with 18 entities suffering breaches of more than 100,000 records. The mean breach size was 102,216 records and the median breach size was 16,038 records.

[Figure: September 2020 healthcare data breach report – records breached per month]

Causes of September 2020 Healthcare Data Breaches

The massive increase in reported data breaches is due to the ransomware attack on the cloud software company Blackbaud. In May 2020, Blackbaud suffered a ransomware attack in which hackers gained access to servers housing some of its customers’ fundraising databases. Those customers included many higher education and third sector organizations, and a significant number of healthcare providers.

Blackbaud was able to contain the breach; however, prior to the deployment of the ransomware, the attackers exfiltrated some customer data. The breach was initially thought to only include limited data about donors and prospective donors, but further investigations revealed Social Security numbers and financial information were also exfiltrated by the hackers.

Blackbaud negotiated a ransom payment and paid to prevent the publication or sale of the stolen data. Blackbaud has reported it has received assurances that all stolen data were deleted. Blackbaud has engaged a company to monitor dark web sites but no data appears to have been offered for sale.

Blackbaud announced the ransomware attack in July 2020 and notified all affected customers. HIPAA-covered entities affected by the breach started to report the data breach in August, with most reporting in September.

It is currently unclear exactly how many U.S. healthcare organizations were affected by the breach, and the final total may never be known. Tracking of the Blackbaud breach reports shows that, at the last count, at least 80 healthcare organizations are known to have been affected. The records of more than 10 million patients are thought to have been compromised as a result of the ransomware attack.

[Figure: September 2020 healthcare data breach report – causes of breaches]

Unsurprisingly, given the number of healthcare providers affected by the Blackbaud breach, hacking/IT incidents dominated the breach reports. 83 breaches were attributed to hacking/IT incidents and 9,662,820 records were exposed in those breaches – 99.50% of all records reported as breached in September. The mean breach size was 116,420 records and the median breach size was 27,410 records.

There were 7 unauthorized access/disclosure incidents reported in September involving a total of 34,995 records. The mean breach size was 4,942 records and the median breach size was 1,818 records. There were 4 loss/theft incidents reported involving 12,029 records, with a mean breach size of 3,007 records and a median size of 2,978 records. There was 1 improper disposal incident reported involving 1,076 records.

Most of the compromised records were stored on network servers, although there were a sizable number of breaches involving PHI stored in email accounts.

[Figure: September 2020 healthcare data breach report – location of breached PHI]

Largest Healthcare Data Breaches Reported in September 2020

| Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Breach Cause |
|---|---|---|---|---|
| Trinity Health | Business Associate | 3,320,726 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Inova Health System | Healthcare Provider | 1,045,270 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| NorthShore University HealthSystem | Healthcare Provider | 348,746 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| SCL Health – Colorado (affiliated covered entity) | Healthcare Provider | 343,493 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Nuvance Health (on behalf of its covered entities) | Healthcare Provider | 314,829 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| The Baton Rouge Clinic, A Medical Corporation | Healthcare Provider | 308,169 | Hacking/IT Incident | Ransomware Attack |
| Virginia Mason Medical Center | Healthcare Provider | 244,761 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| University of Tennessee Medical Center | Healthcare Provider | 234,954 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Legacy Community Health Services, Inc. | Healthcare Provider | 228,009 | Hacking/IT Incident | Phishing Attack |
| Allina Health | Healthcare Provider | 199,389 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| University of Missouri Health Care | Healthcare Provider | 189,736 | Hacking/IT Incident | Phishing Attack |
| The Christ Hospital Health Network | Healthcare Provider | 183,265 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Stony Brook University Hospital | Healthcare Provider | 175,803 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Atrium Health | Healthcare Provider | 165,000 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| University of Kentucky HealthCare | Healthcare Provider | 163,774 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Children’s Minnesota | Healthcare Provider | 160,268 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Roswell Park Comprehensive Cancer Center | Healthcare Provider | 141,669 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Piedmont Healthcare, Inc. | Healthcare Provider | 111,588 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| SCL Health – Montana (affiliated covered entity) | Healthcare Provider | 93,642 | Hacking/IT Incident | Blackbaud Ransomware Attack |
| Roper St. Francis Healthcare | Healthcare Provider | 92,963 | Hacking/IT Incident | Blackbaud Ransomware Attack |

September 2020 Data Breaches by Covered Entity Type

88 healthcare providers reported data breaches of 500 or more records in September and 2 breaches were reported by health plans. 5 breaches were reported by business associates of HIPAA-covered entities, but a further 53 breaches involved a business associate, with the breach reported by the covered entity. Virtually all of those 53 breaches were due to the ransomware attack on Blackbaud.

[Figure: September 2020 healthcare data breach report – breaches by covered entity type]

September 2020 Data Breaches by State

Covered entities and business associates in 30 states and the District of Columbia reported data breaches of 500 or more records in September.

New York was the worst affected state with 10 breaches, 6 breaches were reported in each of California, Minnesota, and Pennsylvania, 5 in each of Colorado, South Carolina, and Texas, 4 in Florida, Georgia, Massachusetts, Ohio, and Virginia, 3 in each of Iowa, Kentucky, Louisiana, and Michigan, and 2 in each of Connecticut, Maryland, North Carolina, Tennessee, and Wisconsin.

One breach was reported in each of Alabama, Delaware, Illinois, Indiana, Missouri, New Hampshire, New Jersey, Oklahoma, Washington, and the District of Columbia.

HIPAA Enforcement Activity in September 2020

Prior to September, the HHS’ Office for Civil Rights had only imposed three financial penalties on covered entities and business associates to resolve HIPAA violations, but there was a flurry of announcements about HIPAA settlements in September with 8 financial penalties announced.

The largest settlement was agreed with Premera Blue Cross to resolve HIPAA violations discovered during the investigation of its 2014 data breach that affected 10.4 million of its members. OCR found compliance issues related to risk analyses, risk management, and hardware and software controls. Premera agreed to pay a financial penalty of $6,850,000 to resolve the case. This was the second largest HIPAA fine ever imposed on a covered entity.

CHSPSC LLC, a business associate of Community Health Systems, agreed to pay OCR $2,300,000 to resolve its HIPAA violation case which stemmed from a breach of the PHI of 6 million individuals in 2014. OCR found compliance issues related to risk analyses, information system activity reviews, security incident procedures, and access controls.

Athens Orthopedic Clinic PA agreed to pay a $1,500,000 penalty to resolve its case with OCR which stemmed from the hacking of its systems by TheDarkOverlord hacking group. The PHI of 208,557 patients was compromised in the attack. OCR’s investigation uncovered compliance issues related to risk analyses, risk management, audit controls, HIPAA policies and procedures, business associate agreements, and HIPAA Privacy Rule training for the workforce.

Five of the September settlements resulted from OCR’s HIPAA Right of Access enforcement initiative and were due to the failure to provide patients with timely access to their medical records.

| Entity | Settlement |
|---|---|
| Beth Israel Lahey Health Behavioral Services | $70,000 |
| Housing Works, Inc. | $38,000 |
| All Inclusive Medical Services, Inc. | $15,000 |
| Wise Psychiatry, PC | $10,000 |
| King MD | $3,500 |

There was one settlement to resolve a multistate investigation by state attorneys general, with Anthem Inc. agreeing to pay a financial penalty of $48.2 million to resolve multiple violations of HIPAA and state laws in relation to its 78.8 million record data breach in 2015, which is on top of the $16 million financial penalty imposed by OCR in October 2018.

6 Russian Hackers Indicted for Offensive Cyber Campaigns Including 2017 NotPetya Wiper Attacks

The U.S. Department of Justice has announced 6 Russian hackers have been indicted for their role in the 2017 NotPetya malware attacks and a long list of offensive cyber campaigns on multiple targets in the United States and other countries.

The six individuals are suspected members of the GRU, Russia’s Main Intelligence Directorate, and specifically of GRU Unit 74455, which is also known as Sandworm. The Sandworm unit is believed to be behind a long list of offensive cyber campaigns spanning several years.

Sandworm is suspected of being instrumental in attempts to influence foreign elections, including the 2016 U.S. presidential election and the 2017 French Presidential election. One of the most destructive offensive campaigns involved the use of NotPetya malware in 2017. NotPetya was a wiper malware used in destructive attacks worldwide that leveraged the Microsoft Windows Server Message Block (SMBv1) vulnerability.

Several hospitals and medical clinics were affected by NotPetya and had data wiped and computer systems taken out of action. NotPetya hit the pharmaceutical giant Merck, Danish shipping firm Maersk, and FedEx subsidiary TNT Express. The attack on Merck has been estimated to have cost $1.3 billion. In total, the malware caused more than $10 billion in damages and affected more than 300 companies worldwide.

Sandworm was also behind attempts to disrupt the 2018 Winter Olympics using Olympic Destroyer malware, and the hackers attempted to disrupt the investigation of the Novichok poisonings of former Russian spy Sergei Skripal and his daughter by the Organization for the Prohibition of Chemical Weapons and the U.K.’s Defense Science and Technology Laboratory.

Sandworm was also behind destructive attacks on Ukraine’s energy grid between December 2015 and December 2016 and other government targets using KillDisk, BlackEnergy, and Industroyer malware, along with attacks on government entities and companies in Georgia in 2018.

“The crimes committed by these defendants and Unit 74455 are truly breathtaking in their scope, scale and impact,” said U.S. Attorney for the Western District of Pennsylvania, Scott Brady. “These are not acts of traditional spying against governments. Instead, these are crimes committed by Russian government officials against real victims who suffered real harm.”

The alleged Russian operatives are Yuriy Sergeyevich Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko and Petr Nikolayevich Pliskin. Each has been charged with 7 counts – one count of conspiracy to commit computer fraud and abuse, one count of conspiracy to commit wire fraud, one count of intentional damage to a protected computer, two counts of wire fraud, and two counts of aggravated identity theft – with the indictment also alleging false registration of domain names. In total, the maximum possible sentence if found guilty on all counts is 71 years in prison. The indictment also includes details of the specific roles each defendant played in the attacks, which confirms the detailed nature of the intelligence collected on each individual by intelligence agencies, law enforcement, foreign governments, and private companies.

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said Assistant Attorney General for National Security John C. Demers.  “Today the department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware.  No nation will recapture greatness while behaving in this way.”

Russia has responded by denying any involvement in the cyberattacks attributed to the hackers. A spokesperson for the Russian embassy in Washington said, “Russia does not and did not have intentions to engage in any kind of destabilizing operations around the world. This does not correspond to our foreign policy, national interests or our understanding of how relations between states are built. Russia respects the sovereignty of other countries and does not interfere in their affairs.”

It is unlikely that the indicted hackers will ever face a trial, as there is no extradition treaty between Russia and the United States.

Dickinson County Health Suffers Ransomware Attack

Michigan-based Dickinson County Health has suffered a malware attack that has taken its EHR system offline. The attack has forced the health system to adopt EHR downtime procedures and record patient data using pen and paper. The attack commenced on October 17, 2020 and disrupted computer systems at all its clinics and hospitals in Michigan and Wisconsin.

Systems were shut down to contain the malware and third-party security experts have been retained to investigate the breach and restore its systems and data. While the attack caused considerable disruption, virtually all patient services remained fully operational. It is currently unclear whether patient data were accessed or stolen by the attackers.

“We are treating this matter with the highest priority and are responding by using industry best practices while implementing aggressive protection measures,” said Chuck Nelson, DCHS CEO. “While we investigate, our top priority is maintaining our high standards for patient care throughout our system.”

25,000 Individuals Potentially Impacted by Passavant Memorial Homes Security Breach

Passavant Memorial Homes Family of Services (PMHFOS), a Pennsylvania-based provider of support services for individuals with intellectual disabilities, autism, and behavioral health needs, has experienced a security breach in which the protected health information of its clients may have been compromised.

The incident occurred on August 15, 2020. An unauthorized individual used the contact form on its website to send a message to an authorized user confirming a username and password had been obtained that gave access to its systems. The message alerted PMHFOS to the vulnerability and the individual claimed no malicious actions were taken.

The breach was investigated by third-party computer forensics experts who determined that malware had not been installed and no files had been encrypted; however, it was not possible to determine whether any individually identifiable information had been accessed or exfiltrated. Scans were conducted on the dark web to determine whether any client information had been released, but no information was found. A review of the systems that were accessible revealed they contained the PHI of 25,000 individuals.

In response to the breach PMHFOS disabled the compromised account, performed a system-wide password reset, provided further security awareness training to employees, and updated its network security measures. Two-factor authentication has also been implemented. The breach was reported to law enforcement and PMHFOS’ cyber insurance carrier.

Email Error Exposed Email Addresses of Michigan Medicine Patients

Ann Arbor, MI-based Michigan Medicine has started notifying 1,062 patients that their names, email addresses, and limited health information may have been accessed by unauthorized individuals.

Michigan Medicine sent an email communication in late September to patients advising them about an inflammatory bowel disease event; however, the email addresses of patients were not added to the blind carbon copy (BCC) field and could therefore be viewed by all other individuals on the mailing list.

The email did not contain highly sensitive information, although it may have been possible to determine the names of patients from their email addresses and the email identified individuals as suffering from inflammatory bowel disease.

When the error was discovered, separate emails were sent to all individuals on the mailing list informing them about the error and instructing them to delete the first email. Letters were also sent to affected patients on October 16. Michigan Medicine has now changed its procedures for emailing patients to prevent similar errors in the future.
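
The failure mode in this notice is a recipient-field mistake, and it is one a sending process can check for before a message leaves. The Python below is an added example written for this page, not Michigan Medicine's code or procedure: it builds a bulk message both ways (members in To, which is the error, and members in Bcc, which is the fix) and a pre-send guard that refuses any list mailing whose visible To/Cc fields contain a list member. The addresses and list are constructed sample data.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample mailing list and sender (not real patient addresses).
PATIENT_LIST = ["pat1@example.org", "pat2@example.org", "pat3@example.org"]
SENDER = "ibd-program@clinic.example"


def build_list_message(sender, members, subject, body, use_bcc=True):
    """Build a bulk message to a mailing list.

    use_bcc=True : every member goes in Bcc; only the sender's own address is in To,
                   so no member can see who else received the message.
    use_bcc=False: members land in To, which is the error the notice describes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    if use_bcc:
        msg["To"] = sender
        msg["Bcc"] = ", ".join(members)
    else:
        msg["To"] = ", ".join(members)
    msg.set_content(body)
    return msg


def visible_recipients(msg):
    """Addresses every recipient will be able to read: everything in To and Cc."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields)}


def exposed_members(msg, members):
    """Mailing-list members whose address the message would disclose to all other recipients."""
    return sorted(visible_recipients(msg) & {m.lower() for m in members})


def safe_to_send(msg, members):
    """Pre-send guard: a list mailing may go out only if it exposes no member address."""
    return not exposed_members(msg, members)


if __name__ == "__main__":
    wrong = build_list_message(SENDER, PATIENT_LIST, "Event reminder", "Details", use_bcc=False)
    right = build_list_message(SENDER, PATIENT_LIST, "Event reminder", "Details")
    print("members in To  -> exposed:", exposed_members(wrong, PATIENT_LIST))
    print("members in Bcc -> exposed:", exposed_members(right, PATIENT_LIST))
```

The guard keys on the list membership rather than on a recipient count, so it also catches a single patient address pasted into Cc. When the message is handed to smtplib via send_message, the Bcc header is removed from the transmitted copy and used only as envelope recipients, which is what keeps the addresses out of what each patient receives.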

Active Threat Warning Issued About SharePoint RCE Vulnerability

The UK National Cyber Security Centre (NCSC) has recently issued a security alert advising organizations to patch a serious remote code execution vulnerability in Microsoft SharePoint. The DHS Cybersecurity and Infrastructure Security Agency (CISA) is also urging organizations to patch the flaw promptly to prevent exploitation.

The vulnerability, tracked as CVE-2020-16952, is due to the failure of SharePoint to check the source markup of an application package. If exploited, an attacker could run arbitrary code in the context of the SharePoint application pool and SharePoint server farm account, potentially with administrator privileges.

To exploit the vulnerability an attacker would need to convince a user to upload a specially crafted SharePoint application package to a vulnerable version of SharePoint. This could be achieved in a phishing campaign using social engineering techniques.

The vulnerability has been assigned a CVSS v3 base score of 8.6 out of 10 and affects the following SharePoint releases:

  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019

SharePoint Online is not affected by the vulnerability.

SharePoint vulnerabilities are attractive to hackers as SharePoint is commonly used by enterprise organizations. Previous SharePoint vulnerabilities have been extensively exploited, two of which were listed in CISA’s list of the top 10 most exploited vulnerabilities between 2016 and 2019.

Microsoft issued an out-of-band patch to correct the flaw this week. The patch needs to be applied to correct the vulnerability as there are no mitigations to prevent exploitation of the flaw. The patch changes the way SharePoint checks the source markup of application packages.

A proof of concept exploit for the vulnerability has been publicly released on GitHub by security researcher Steven Seeley, who discovered the flaw and reported it to Microsoft. The PoC could easily be weaponized so there is a high risk of exploits being developed and used in attacks on organizations. At the time of the release of the patch, Microsoft was unaware of any cases of exploitation of the flaw in the wild.

According to NCSC, “This PoC can be detected by identifying HTTP headers containing the string runat=’server’ – as well as auditing SharePoint page creations.”
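Detection logic for the indicator NCSC describes, as an added example that is not code from NCSC, Microsoft or HIPAA Journal: it scans constructed HTTP request log lines (the log format, header names and addresses are assumptions for this example, not a real SharePoint or IIS log layout) for the `runat='server'` marker in header values, tolerating the quote, spacing and case variations a naive string match would miss.

```python
import re
from typing import Dict, List

# Indicator from the NCSC alert: the string runat='server' in HTTP headers.
# The regex also tolerates curly quotes, no quotes, spaces around "=" and any
# casing so that trivial re-formatting of the same payload does not evade it.
RUNAT_RE = re.compile(r"runat\s*=\s*[\"'\u2018\u2019\u201c\u201d]?\s*server", re.IGNORECASE)

def parse_log_line(line: str) -> Dict[str, object]:
    """Parse one line of the constructed format used in this example:
    '<timestamp> <client> <method> <path> | Header: value; Header: value'
    (an assumed format for illustration, not a real SharePoint/IIS log layout)."""
    meta, _, header_part = line.partition(" | ")
    ts, client, method, path = meta.split(maxsplit=3)
    headers: Dict[str, str] = {}
    for item in header_part.split("; "):
        name, _, value = item.partition(": ")
        if name:
            headers[name.strip()] = value.strip()
    return {"ts": ts, "client": client, "method": method, "path": path, "headers": headers}

def find_runat_headers(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per request whose headers carry the runat=server marker."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, start=1):
        rec = parse_log_line(line)
        for name, value in rec["headers"].items():
            if RUNAT_RE.search(value):
                findings.append({"line": n, "client": rec["client"], "path": rec["path"], "header": name})
                break  # one finding per request is enough for triage
    return findings

# Constructed sample traffic: two benign requests and two that carry the marker
# (the second one with mixed case, spaces and curly quotes).
SAMPLE_LOG = [
    "2020-10-16T09:00:01Z 10.0.0.7 GET /sites/hr/SitePages/Home.aspx | User-Agent: Mozilla/5.0; Accept: text/html",
    "2020-10-16T09:00:09Z 10.0.0.7 POST /sites/hr/_layouts/15/upload.aspx | User-Agent: Mozilla/5.0; Content-Type: multipart/form-data",
    "2020-10-16T09:01:13Z 198.51.100.4 POST /sites/hr/SitePages/new.aspx | User-Agent: python-requests/2.24; X-Payload: <asp:Label runat='server' />",
    "2020-10-16T09:01:20Z 198.51.100.4 POST /sites/hr/SitePages/new2.aspx | User-Agent: curl/7.72; Referer: <script RUNAT = \u201cServer\u201d>",
]

if __name__ == "__main__":
    for f in find_runat_headers(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} -> {f['path']} (header {f['header']})")
```

Pair the header match with the page-creation audit NCSC also recommends, since the marker alone says nothing about whether the request succeeded.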

Rapid7 researchers have warned that the vulnerability is of very high value to hackers because of the ease with which it can be exploited to gain privileged access.

“The bug is exploitable by an authenticated user with page creation privileges, which is a standard permission in SharePoint, and allows the leaking of an arbitrary file, notably the application’s web.config file, which can be used to trigger remote code execution (RCE) via .NET deserialization,” explained Rapid7. The patch should be applied as soon as possible to prevent exploitation.

The post Active Threat Warning Issued About SharePoint RCE Vulnerability appeared first on HIPAA Journal.

Exposed Broadvoice Databases Contained 350 Million Records, Including Health Data

Comparitech security researcher Bob Diachenko has discovered an exposed cluster of databases belonging to the Voice over IP (VoIP) telecommunications vendor Broadvoice that contained the records of more than 350 million customers.

The exposed Elasticsearch cluster was discovered on October 1, 2020, the day the database cluster was indexed by the search engine. The Elasticsearch cluster was found to contain 10 collections of data, the largest of which consisted of 275 million records and included information such as caller names, phone numbers, and caller locations, along with other sensitive data. One database in the cluster was found to contain transcribed voicemail messages which included a range of sensitive data such as information about financial loans and medical prescriptions. More than 2 million voicemail records were included in that subset of data, 200,000 of which had been transcribed.

The voicemails included caller names, phone numbers, voicemail box identifiers, and internal identifiers, and the transcripts included personal information such as full names, phone numbers, dates of birth, and other data. Voicemails left at medical clinics included details of prescriptions and medical procedures. Information about loan inquiries was also exposed, along with some insurance policy numbers.

Diachenko reported the exposed Elasticsearch cluster to Broadvoice, which took prompt action to prevent any unauthorized access. According to Broadvoice CEO Jim Murphy, “We learned that on October 1st, a security researcher was able to access a subset of b-hive data. The data had been stored in an inadvertently unsecured storage service Sept. 28th and was secured Oct. 2nd.” Diachenko confirmed on October 4, 2020 that the Elasticsearch cluster had been secured.

“At this point, we have no reason to believe that there has been any misuse of the data. We are currently engaging a third-party forensics firm to analyze this data and will provide more information and updates to our customers and partners. We cannot speculate further about this issue at this time,” said Murphy.

Broadvoice reported the breach to law enforcement and is investigating the breach. It is currently unclear if anyone other than Diachenko found and accessed the databases.

While most of the databases contained only limited information, that information would still be of value to cybercriminals, who could easily target customers of Broadvoice in phishing scams. The information in the database could be used to convince customers that they were in contact with Broadvoice, and they could be fooled into revealing further sensitive information or making fraudulent payments.

Individuals whose information was detailed in the voicemail transcripts would be most at risk, as the additional data could be used to create convincing and persuasive phishing campaigns.

Comparitech researchers have previously demonstrated that individuals are constantly scanning for exposed databases and that such databases are often discovered within hours of being exposed. Their research showed that attempts were made to access their Elasticsearch honeypot within 9 hours of the data being exposed. Once databases are indexed by search engines such as Shodan and BinaryEdge, attacks occur within a matter of minutes.

Comparitech researchers scan the internet to identify exposed data and report breaches to the owners of the databases. “In order to help raise awareness of data exposures in general and inform affected parties of this particular incident, we publish a report,” explained Comparitech. “Our aim is to have the data secured and all relevant parties informed as quickly as possible to minimize the potential damage caused.”

The post Exposed Broadvoice Databases Contained 350 Million Records, Including Health Data appeared first on HIPAA Journal.