Author Archives: Steve Alder

Data Breaches Reported by Mystic Valley Elder Services & St. Anthony Regional Hospital

Posted by Steve Alder

Mystic Valley Elder Services, a Malden, Massachusetts-based non-profit agency providing home and community-based care to elders and adults living with disabilities, has started issuing individual notifications about a cyberattack and data breach that was identified on April 5, 2024.

A digital forensics company was engaged to investigate the unauthorized activity and confirmed that there had been unauthorized access to its internal systems on April 5, 2024, during which time files may have been acquired. A review was conducted of all affected files which confirmed on July 11, 2024, that protected health information had been exposed. The data involved varied from individual to individual and may have included names, dates of birth, passport numbers, financial account numbers, payment card numbers, online credentials, taxpayer identification numbers, Social Security numbers, driver’s license numbers, health insurance information, and medical information.

Notification letters are now being mailed to the affected individuals and complimentary credit monitoring and identity theft protection services have been made available. Mystic Valley Elder Services said it is enhancing its technical safeguards to prevent similar breaches in the future. The HHS’ Office for Civil Rights shows two listings about this incident, one involving the records of 85,133 individuals in its capacity as a healthcare provider and a breach involving the protected health information of 2,402 individuals in its capacity as a business associate.

St. Anthony Regional Hospital, Iowa

St. Anthony Regional Hospital in Carroll, Iowa, has recently announced it fell victim to a cyberattack in August. Suspicious activity was identified within its network on August 26, 2024, and the forensic investigation confirmed there had been unauthorized access to a subset of its network between August 14, 2024, and August 28, 2024. During that time, the threat actor accessed or downloaded files on the network that contained patients’ protected health information.

St. Anthony Regional Hospital said it is still reviewing the affected files to determine the patients and data involved but has confirmed that the breached information is likely to include names, addresses, dates of birth, Social Security numbers, financial information, and medical information such as diagnosis and treatment information. Notification letters will be mailed to the affected individuals when the investigation is concluded. St. Anthony Regional Hospital is unaware of any misuse of the affected information; however, patients have been advised to remain vigilant against incidents of identity theft and fraud by reviewing their account statements, credit reports, and explanation of benefits statements.

The breach has been reported to the HHS’ Office for Civil Rights using a placeholder figure of 501 affected individuals. The total will be updated when the file review has been completed.

The post Data Breaches Reported by Mystic Valley Elder Services & St. Anthony Regional Hospital appeared first on The HIPAA Journal.

HPH Sector Warned About Exploitation of Miracle Exploit Vulnerabilities in Oracle Systems

Posted by Steve Alder

A critical vulnerability affecting multiple Oracle products is being exploited in the wild. The vulnerability was dubbed The Miracle Exploit by the security researchers who discovered it, due to its severity and the number of products they affected – all products based on Oracle Fusion Middleware and Oracle online systems. The vulnerability is one of a pair of related vulnerabilities that were discovered two years apart. The vulnerabilities can be chained, and both can lead to remote code execution.

The Oracle Fusion Middleware products are used to build web interfaces for Java EE applications and any website developed by ADF Faces framework is affected. The vulnerabilities also affect Oracle Business Intelligence, Enterprise Manager, Identity Management, SOA Suite, WebCenter Portal, Application Testing Suite, and Transportation Management. The vulnerabilities are tracked as CVE-2022-21445 (CVSS 9.8) and CVE-2022-21497 (CVSS 8.1) and can be exploited easily by an unauthenticated attacker with network access via HTTP for an application takeover. Successful exploitation can lead to a full system compromise and lateral movement within a network. The vulnerabilities could be exploited to steal sensitive data and could be leveraged by ransomware groups in the future.

CVE-2022-21445 is a deserialization of untrusted data vulnerability and CVE-2022-21497 is a server-side request vulnerability. The first vulnerability allows remote code execution, and the second one could be exploited for lateral movement to other Oracle systems and can also lead to remote code execution. Oracle released patches to fix the vulnerabilities in April 2022, 6 months after the CVE-2022-21445 vulnerability was discovered. In September, the Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2022-21445 Miracle Exploit vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. No information was released about the extent to which the vulnerability has been exploited, and there have been no public reports of exploitation, although CISA does receive some reports privately.

Due to the severity of the vulnerabilities and their impact, the Health Sector Cybersecurity Coordination Center has recently released an analyst note warning the healthcare and public health sector about the risk of exploitation. Healthcare organizations could be vulnerable if they use Oracle Fusion products that rely on the ADF Faces framework. HC3 warns that if the vulnerable Oracle middleware components are integrated into their software for managing electronic medical records or other critical systems, exploitation of the vulnerabilities could result in data breaches, operational disruptions, and potentially regulatory penalties.

HC3 recommends applying the latest patch for Oracle JDeveloper, segmenting networks and ensuring environments that use JDeveloper are isolated from production systems, and limiting access to JDeveloper environments to trusted users only and enforcing strong authentication mechanisms.

The post HPH Sector Warned About Exploitation of Miracle Exploit Vulnerabilities in Oracle Systems appeared first on The HIPAA Journal.

Albany ENT & Allergy Services Pays $500K Penalty and Commits to $2.25M Cybersecurity Investment

Posted by Steve Alder

The New York multi-site medical practice, Albany ENT & Allergy Services, has agreed to pay a $500,000 financial penalty to the state of New York and will invest $2.25 million to strengthen its information security practices after suffering two ransomware attacks that saw threat actors gain access to the medical records of more than 213,000 New York patients. Under the agreement, a further $500,000 in penalties must be paid if Albany ENT & Allergy Services fails to invest the required $2.25 million in upgrades and maintenance of its information security program over the next 5 years.

An investigation was launched by the Office of the New York Attorney General (OAG) following an intrusion of Albany ENT & Allergy Services’ network by two different threat actors between March 23, 2023, and April 4, 2023. The first intrusion involved ransomware and was discovered on March 27, 2023, when files were encrypted. Systems and data were restored by the healthcare provider’s IT vendor; however, the source of the intrusion was not identified before the restoration of external network access.

A different threat actor conducted a second ransomware attack 10 days later on April 2, 2023. A digital forensics firm was engaged to conduct a thorough investigation and remediate any vulnerabilities before the restoration process began. The compromised systems contained the records of 213. 935 patients, including names, addresses, birth dates, driver’s license numbers, Social Security numbers, diagnoses, test results, and treatment information.  Both threat actors provided evidence of data exfiltration when attempting to extort Albany ENT & Allergy Services; however, ransoms were not paid. The file review was completed in May 2023 and the affected individuals were notified and offered complimentary credit monitoring services.

The failure to identify the initial access vector was due to insufficient server logs. While server logs were created, they were not retained for a reasonable period, and there were no security programs in place to monitor and analyze server traffic. The company that conducted the forensic investigation after the second attack concluded that the initial access vector was likely the exploitation of an unpatched vulnerability in a Cisco VPN firewall.

The OAG investigation revealed the breach involved the protected health information of around 80,000 individuals more than the 120,000 individuals stated in the initial breach report. The additional affected individuals had their driver’s license numbers posted online by the threat actors when the ransom was not paid. OAG also determined that the threat actors gained access to six devices that hosted unencrypted personal information and some of those devices continued to store unencrypted personal information for months after the ransomware attacks. While an encryption policy had been implemented for laptop computers, it did not apply to personal information stored on other systems. Multi-factor authentication (MFA) had been implemented, but not consistently, with some remote access systems not protected by MFA.

Albany ENT & Allergy Services did not have an in-house information technology team and outsourced those functions to two third-party vendors. Outsourcing IT functions is acceptable under state law; however, a single Albany ENT & Allergy Services employee was responsible for liaising with those vendors and ensuring appropriate policies and procedures were followed and recommended practices were implemented. That employee did not have any IT or InfoSec experience or training. The lack of effective oversight meant critical security updates were not implemented in a timely manner, logs of activity in information systems were not retained for sufficiently long, MFA was not consistently implemented, and a reasonable information security program was not maintained. The security failures were determined to violate New York Business and Executive Law.

Under the agreement, Albany ENT & Allergy Services is required to implement a range of security measures including establishing a comprehensive information security program and ensuring effective oversight of its information security vendors. “Health care facilities need to take protecting patients’ private information seriously, and that means investing to protect data and responding quickly if breaches occur. Today’s agreement with AENT will strengthen its cybersecurity and protect the private information of New Yorkers who rely on this Capital Region medical provider,” said Attorney General Letitia James. “I urge all health care facilities and general companies to follow guidance from my office on how to have more secure systems to protect New Yorkers’ data.”

The post Albany ENT & Allergy Services Pays $500K Penalty and Commits to $2.25M Cybersecurity Investment appeared first on The HIPAA Journal.

HC3 Issues Warning About Scattered Spider Threat Actor

Posted by Steve Alder

A warning has been issued by the HHS’ Health Sector Cybersecurity Coordination Center (HC3) about a financially motivated group known as Scattered Spider. Many cybercriminal groups are Russian-speaking and are based in Russia or the Commonwealth of Independent States; however, Scattered Spider is a native English-speaking group and its members are believed to be mostly located in the United States and the United Kingdom. There have been four arrests in those countries but the group remains active. Intelligence gathered on the group suggests the members are mostly in the 19-22 age group.

Rather than develop their own malware payloads and attack tools, Scattered Spider uses publicly available tools and malware developed by other threat actors. Legitimate tools known to have been leveraged by the group include remote monitoring and management solutions such as AnyDesk, Connectwise Control, ASG Remote Desktop, Screenconnect, and Splashtop; Mimikatz and LaZagne for credential theft; and Ngrok to create secure tunnels to remote web servers.

The group has previously used multiple malware variants in its operations including Atomic, Racoon Stealer, VIDAR Stealer, and Meduza Stealer, as well as phishing kits such as EIGHTBAIT and Oktapus, and the BlackCat and Ransomhub ransomware variants. The group has also collaborated with the Qilin threat group.

Information stealers are commonly used to obtain credentials for initial access, and then living-off-the-land techniques are used to evade security solutions while the group moves laterally within networks, disabling security solutions and stealing sensitive data. Attacks often end with the deployment of ransomware.

Scattered Spider uses advanced social engineering tactics, with its members well-versed in spear phishing, smishing, and voice phishing. One campaign attributed to Scattered Spider involves spear phishing voice techniques, where members of the IT Help Desk are targeted over the phone with the group posing as employees, sometimes aided by artificial intelligence to impersonate voices.

The aim is to trick the IT Help Desk into performing password resets and registering their own devices to receive multifactor authentication codes. The Help Desk is provided with personal information about the person they are impersonating and usernames and employee IDs obtained in previous stages of its attacks. HC3 has previously issued a warning about this campaign as healthcare organizations were among the group’s victims.

Scattered Spider has been active since at least 2022 and was initially focused on customer relationship management (CRM), business process outsourcing (BPO), telecommunications, and technology companies; however, the group has since expanded its targeting and has been attacking a broader range of sectors. While the healthcare industry has not been extensively targeted by the group, healthcare organizations have been attacked. The Scattered Spider threat actor profile shares indicators of compromise and recommended mitigations to improve defenses.

The post HC3 Issues Warning About Scattered Spider Threat Actor appeared first on The HIPAA Journal.

Wichita County and Parkland Health Suffer Data Breaches

Posted by Steve Alder

Wichita County in Texas experienced a cyberattack in May 2024 that exposed the sensitive data of 47,784 individuals, the majority of which are residents of Wichita County. According to County officials, the incident was detected on May 7, 2024, when network disruption was experienced. Immediate action was taken to secure its network and prevent further unauthorized access and independent forensics experts were engaged to investigate the security breach.

Experts were engaged to conduct a data review to determine the types of data that may have been acquired in the incident, and the review was completed on September 3, 2024. Contact information was then verified contact information to allow the notification letters to be sent. That process was completed on October 2, 2024, and notifications were mailed to the affected individuals on October 22, 2024.

The types of data involved varied from individual to individual and may have included name along with one or more of the following: date of birth, Social Security number, driver’s license number, other government ID, passport number, financial account information, health insurance information and medical information related to the treatment of mental or physical health conditions.

Complimentary credit monitoring and identity theft protection services have been made available to the affected individuals for 2 years. The Medusa ransomware group appears to have been responsible for the attack, although that has not been confirmed by Wichita County officials.

Parkland Health Investigating Cyberattack and Data Breach

Parkland Health, the community public health system for Dallas County in Texas which includes Parkland Memorial Hospital in Dallas, has experienced a cyberattack involving unauthorized access to the protected health information of 6,523 patients. In an October 22 notice to the Texas Attorney General, Parkland Health confirmed that the breach included names, dates of birth, and medical information.

No other details about the breach are known at this stage. Parkland Health said it is still investigating the cyberattack and will release further information when the investigation is concluded. Individual notifications have been mailed to the affected individuals.

The post Wichita County and Parkland Health Suffer Data Breaches appeared first on The HIPAA Journal.

HHS-OIG Identifies Potential Misuse of HRAs and Chart Reviews by MA Companies

Posted by Steve Alder

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has identified potential misuse of health risk assessments (HRAs) and HRA-linked chart reviews by Medicare Advantage (MA) companies, which may have resulted in millions of dollars in overpayments.

The Centers for Medicare and Medicaid Services (CMS) pays MA companies higher risk-adjusted payments for sicker enrollees to cover costlier care and each year, MA companies receive millions in overpayments based on unsupported diagnoses for MA enrollees. When diagnoses are reported only using enrollees’ HRAs and HRA-linked chart reviews and there are no follow-up visits, procedures, or tests, HHS-OIG is concerned that the diagnoses may be inaccurate and therefore the payments made by the CMS may be improper. Alternatively, the lack of follow-up visits and tests suggests that if the diagnoses are accurate, enrollees have not received the necessary care for serious health conditions.

HHS-OIG’s analysis of MA encounter data identified 1.7 million MA enrollees whose diagnoses were only reported using HRAs and HRA-linked chart reviews and did not include any follow-ups. Out of the 17 million MA enrollees, 19,028 enrollees had no other service records at all in 2022 apart from a single HRA. HHS-OIG estimates that around $7.5 billion in MA risk-adjusted payments were made for 2023 and that 80% of those payments were made to just 20 MA companies.

Almost two-thirds of those payments were based only on In-home HRAs and HRA-linked chart reviews, which have a higher risk of misuse as they are usually administered by MA companies and their third-party vendors rather than enrollees’ own providers. In fiscal year 2023, the CMS identified $12.7 billion in net overpayments due to plan-submitted diagnoses that were not supported by documentation in enrollees’ medical records and concerns have been raised by oversight entities that MA companies are using HRA and HRA-type assessments to maximize their risk-adjusted payments rather than to improve the care provided to enrollees. HHS-OIG says the risk-adjustment payment policy creates a financial incentive for MA companies to misrepresent health statuses and submit unsupported diagnoses to inflate their risk-adjusted payments.

HHS-OIG recommended the CMS take steps to identify and prevent misuse of HRAs and HRA-linked chart reviews. HHS-OIG suggested the CMS impose additional restrictions on the use of diagnoses reported only on in-home HRAs or chart reviews linked to in-home HRAs for risk-adjusted payments, conduct audits to validate diagnoses reported using only HRAs and HRA-linked chart reviews, and determine whether certain health conditions such as diabetes and congestive heart failure that drove payments on in-home HRAs and chart reviews are more vulnerable to misuse by MA companies. The CMS only concurred with the last recommendation.

The post HHS-OIG Identifies Potential Misuse of HRAs and Chart Reviews by MA Companies appeared first on The HIPAA Journal.

38,000 Individuals Affected by Center for Urban Community Services Cyberattack

Posted by Steve Alder

Security breaches have been reported by the Center for Urban Community Services in New York, Riverview Health in Indiana, and Smile Design Management in Florida.

The Center for Urban Community Services, New York

The Center for Urban Community Services, a New York social services organization, has notified 38,000 individuals about a network intrusion that occurred between September 4, 2023, and September 9, 2023. The intrusion was detected on September 9, 2023, and an investigation was launched, but data acquisition was not confirmed at the time. Center for Urban Community Services has now confirmed sensitive data was exfiltrated in the incident. The types of information involved varied from individual to individual and may have included names, addresses, telephone numbers, dates of birth, Social Security numbers, benefit identification numbers, health information, and prescription information. The Center for Urban Community Services is unaware of any misuse of the affected information.

Riverview Health, Indiana

Riverview Health in Noblesville, IN has discovered unauthorized access to an employee’s email account. An unidentified third party had access to the account for less than an hour on August 23, 2024, before the intrusion was detected by its security software and access to the account was blocked. The investigation confirmed that a single email account had been compromised after an employee was tricked by a social engineering scam. The window of opportunity for viewing and copying sensitive information in the account was short but it is possible that electronic files in the account may have been compromised. The files were reviewed and confirmed to contain patients’ protected health information such as name, sex, date of birth, medical record number, admission date(s), and medical information such as diagnosis.

Since social security numbers, financial information, bank account numbers, and health insurance information were not compromised, Riverview Health believes the risk of misuse of patient data is low. Riverview Health is reviewing its policies around phishing and social engineering and is evaluating methods and procedures for improving electronic access and controls. Notification letters were mailed to the affected individuals on October 24, 2024. The HHS’ Office for Civil Rights portal indicates that 1,562 individuals were affected.

Smile Design Management, Florida

Smile Design Management, a Tampa, FL-based operator of 50 dental care facilities in Florida, has discovered unauthorized access to files on its network. The breach was detected on February 22, 2024, when unusual network activity related to a third-party software solution was detected.

Third-party cybersecurity specialists were engaged to investigate the activity and confirmed unauthorized access to its network between February 22, 2024, and February 23, 2024. The review of the affected files was completed on August 15, 2024, and after verifying contact information, notification letters were sent to the affected individuals, who have been offered complimentary credit monitoring and identity theft protection services. The substitute breach notice does not state the types of information compromised in the incident.

Smile Design Management said it has implemented additional technical safeguards to prevent similar breaches in the future. The breach was reported to the HHS’ Office for Civil Rights on October 10, 2024, as involving the protected health information of 500 individuals.

The post 38,000 Individuals Affected by Center for Urban Community Services Cyberattack appeared first on The HIPAA Journal.

Long Island Plastic Surgical Group Confirms 161K-Record Data Breach

Posted by Steve Alder

Long Island Plastic Surgical Group, a network of 13 plastic surgery practices in New York, has confirmed to the HHS’ Office for Civil Rights that the protected health information of 161,707 individuals was compromised in a hacking incident earlier this year.

According to its substitute breach notice, external cybersecurity professionals were engaged to investigate the incident and confirmed that a network intrusion occurred between January 4, 2024, and January 8, 2024, involving the exfiltration of a limited amount of patient data. The file review was completed on September 15, 2024, and confirmed that full names had been stolen in combination with some or all of the following: date of birth, Social Security number, driver’s license number/state identification number, passport number, financial account information, medical information, biometric information, health insurance policy information, and clinical photographs.

Long Island Plastic Surgical Group said it is unaware of any improper use of the affected information as a direct result of the incident; however, as a precaution, individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services. Long Island Plastic Surgical Group said it had implemented many safeguards to protect patient data and will continue to evaluate and modify its internal controls to further enhance security.

Long Island Plastic Surgical Group did not state in its notification letter whether this was a ransomware attack; however, the Radar threat group claimed responsibility. In a conversation with databreaches.net, a spokesperson for the group said the attack was conducted in conjunction with the ALPHV threat group, where ALPHV handled the intrusion and Radar handled the data exfiltration. Radar claimed that ALPHV was paid a ransom but Radar was not given its cut of the ransom payment. Radar subsequently issued its own ransom demand to prevent the publication of the stolen data; however, the ransom was not paid. The Federal Bureau of Investigation (FBI) has now seized the Radar data leak site.

Dr. Daniel J. Leeman, M.D.

Dr. Daniel J. Leeman, M.D., a Texas-based board-certified plastic surgeon and ENT specialist, has reported a hacking-related data breach to the HHS’ Office for Civil Rights that involved the protected health information of 50,000 patients. This appears to have been a cyberattack on his practice rather than through a business associate. Dr. Leeman filed a breach notice with the Texas Attorney General on September 4, 2024, confirming names, addresses, dates of birth, Social Security numbers, driver’s license numbers, government-issued ID numbers (such as passport numbers or state IDs), financial information (such as account numbers, credit/debit card numbers), medical information, and health insurance information were involved. The affected individuals have now been notified by mail.

Clay Platte Family MedicineBarry Pointe Family Medicine ClinicSummit Family and Sports Medicine ClinicCobblestone Family Medicine Clinic

The protected health information of patients of Clay Platte Family Medicine and Barry Pointe Family Medicine Clinic in Kansas City, MO; Summit Family and Sports Medicine Clinic in Summit, MO; and Cobblestone Family Medicine Clinic in Liberty, MO was compromised in a June 2024 data security incident. Suspicious network activity was detected on June 26, 2024, and immediate action was taken to secure its network. A cybersecurity firm was engaged to investigate the activity and confirmed that an unauthorized third party had access to the network and potentially viewed or acquired files containing patient information.

On September 10, 2024, the affected clinics confirmed names, addresses, Social Security numbers, dates of birth, and health insurance information were involved. Individual notifications were mailed on October 16, 2024, and complimentary credit monitoring and identity theft protection services have been made available. The breach was reported to the Maine Attorney General as involving the personal information of 53,916 individuals, including 4 Maine residents. The clinics said they are reviewing and enhancing their data security policies and procedures to prevent similar breaches in the future.

Wellfleet Group, LLC

Wellfleet Group, a Massachusetts-based third-party administrator for Wellfleet Insurance Company and Wellfleet New York Insurance Company that provides health insurance solutions and services to students at post-secondary education institutions, is notifying 22,959 individuals that some of their protected health information has been compromised.

Wellfleet Group learned on August 1, 2024, that student medical referral information could be accessed online via search engines and launched an investigation to determine the cause and extent of the data exposure. The investigation revealed a previously unknown misconfiguration on its website “allowed deep-links to the medical referral print page of users to be accessible without authentication.” Search engine web crawlers scraped the referrals and indexed them, allowing them to be found by performing Internet searches using the students’ names.

Wellfleet Group corrected the misconfiguration and worked to have the indexed referrals removed from the Internet. A review was also conducted to identify any further misconfigurations on its website, data security controls for the website were reset, and its standards for review and technical support of applications and software development processes have been updated to prevent similar incidents in the future.

The affected individuals were students participating in their educational institution’s student health plan and the compromised information included their full name, address, phone number, date of birth, insurance group/policy number, school ID number, and health/medical information such as the reason for referral and diagnosis code. The affected individuals have been offered complimentary credit monitoring services.

The post Long Island Plastic Surgical Group Confirms 161K-Record Data Breach appeared first on The HIPAA Journal.

OCR Offers Advice on Recognizing, Avoiding, and Mitigating Social Engineering Attacks

Posted by Steve Alder

The majority of healthcare data breaches reported in the past few years are due to hacking incidents but many of these security incidents do not involve the exploitation of vulnerabilities in software and operating systems for initial access. Far more common is the exploitation of human vulnerabilities, where healthcare workers are tricked into providing cyber actors with access to internal systems and sensitive data. According to the Verizon 2024 Data Breach Investigations Report, more than two-thirds of breaches involve the human element rather than the exploitation of weaknesses and vulnerabilities in technology.

One of the most common methods used is phishing, where a cyber actor makes contact with a healthcare employee and convinces them to visit a malicious website where they are asked to enter their credentials or are convinced to download a malicious file, both of which give the cyber actor the access they need. With phishing, the initial contact is often via email, although an increasing number of phishing attacks are now occurring via SMS (smishing), instant messaging platforms, social media networks, and over the telephone (vishing).

Phishing usually involves deception and impersonation. A trusted individual, company, or institution is impersonated, and the targeted individual is provided with a seemingly legitimate reason for taking the requested action. This could be a request for collaboration on a report, a notification about a failed delivery, a missed payment of an invoice, or a security warning. There is often a threat of negative consequences if no action is taken, commonly a pressing matter such as impending loss of service, a significant charge that will soon be applied to an account, or unauthorized account access that warrants immediate steps to secure the account.

The techniques used in phishing are known as social engineering – manipulation, influencing, or deceiving someone into taking a certain action, which in cybersecurity terms involves gaining unauthorized access to computer systems, financial accounts, or sensitive data. While phishing is one of the best-known attack methods that uses social engineering techniques, cyber actors use social engineering in other types of attacks to achieve similar goals. There is baiting, where social engineering is used to trick someone into taking an action to obtain something of value, such as to be entered into a free prize draw or get an amazingly low purchase price on goods and services. In order to get what is promised, sensitive information must be disclosed such as credentials, a credit/debit card number, or personal information.

Advances in artificial intelligence (AI) technology have provided cyber actors with a new way of manipulating individuals – deepfakes. Deepfakes take impersonation and deception to a new level, where trusted individuals are impersonated via audio or video. Deepfakes of authority figures can be created that are incredibly realistic, using synthesized facial images and speech or manipulated videos, photos, and audio recordings to trick people into taking any number of actions. Deepfakes can even be created in real-time, such as impersonating a CEO in a call to a help desk to request credentials be reset or to add an attacker-owned device to receive multifactor authentication codes, or in Zoom meetings where the meeting participants are convinced they are conversing with the genuine person.

Social engineering is the subject of the October 2024 cybersecurity newsletter from the HHS’ Office for Civil Rights. In the newsletter, OCR explains how social engineering is used in attacks on healthcare organizations and how to identify and avoid social engineering attacks. The newsletter also explains how compliance with the HIPAA Security Rule can help HIPAA-regulated entities improve their defenses against social engineering and mitigate threats.

“Attackers have learned how to convincingly imitate our loved ones and our business partners, meaning that nothing can be assumed or taken at face value. Attackers continue to refine their manipulation through social engineering tradecraft. All of these threats have a common theme; they all attempt to convince an individual to do something they would not otherwise do normally, or to provide details such as credentials someplace other than where they should be used,” explained OCR in the newsletter. “Educating workforce members on these attacks is essential when it comes to an individual’s ability to identify and potentially halt social engineering attacks before they start. Such knowledge is powerful not only to protect individuals in their personal online activities, but also by extension an individual’s employer. This is especially important in the current environment where work is taken home on laptops, smartphones, and through remote work.”

The post OCR Offers Advice on Recognizing, Avoiding, and Mitigating Social Engineering Attacks appeared first on The HIPAA Journal.