The Chattanooga Heart Institute in Texas has confirmed the protected health information of 411,383 individuals was compromised in a cyberattack that was discovered on April 17, 2023. On July 28, 2023, the Chattanooga Heart Institute notified the HHS’ Office for Civil Rights and the Maine attorney general about the cyberattack, which was thought to have involved the protected health information of 170,450 individuals. A supplemental breach notification has now been sent to the Maine Attorney General confirming the data breach was more extensive than the initial investigation suggested.

The investigation into the attack is ongoing, but it has now been confirmed that an unauthorized third party had access to its network between March 8 and March 16, 2023, and exfiltrated files containing patients’ protected health information. While its electronic medical record system remained secure, files were accessed and exfiltrated that contained information such as names, addresses, email addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, diagnoses, lab results, conditions, medications, account information, and other clinical, demographic and financial information.

The affected individuals have been offered complimentary credit monitoring services for 12 months and steps have been taken to improve security to prevent further attacks. While the notification letters do not mention the group behind the attack, the Karakurt threat group claimed responsibility.

NoEscape Ransomware Group Leaks Data from Attack on Mulkay Cardiology Consultants

The NoEscape ransomware group has leaked data allegedly stolen from Mulkay Cardiology Consultants in New Jersey. According to the listing, more than 60 GB of confidential and personal data was stolen in the attack, which includes the protected health information of 30,000 patients. The leaked data includes names, dates of birth, addresses, phone numbers, health insurance policy numbers, medical cards, medical records, access cards, driver’s licenses, Covid certificates, diagnostic data, and other confidential information. The listing includes sample images and 2.43 GB of downloadable data.

NoEscape is a relatively new ransomware group that first appeared in May 2023. The Health Sector Cybersecurity Coordination Center recently issued a NoEscape Analyst Note about the group that includes details of its tactics, techniques, and procedures, and best practices for hardening security. Mulkay Cardiology Consultants currently has no breach notice on its website and the attack is not yet showing on the HHS’ Office for Civil Rights breach portal.

The post The Chattanooga Heart Institute Doubles April 2023 Cyberattack Victim Count appeared first on HIPAA Journal.

U.S. plastic surgery offices are being targeted by cybercriminal groups that gain access to their networks, steal data, and attempt to extort the practices and their patients, according to a recent public service announcement from the U.S. Federal Bureau of Investigation (FBI).

There have been several attacks on plastic surgery providers in recent months. While ransomware may be used in these attacks, the primary purpose of the attacks is to steal sensitive patient data, which can include medical records and sensitive pre- and post-surgery photographs. Plastic surgery centers are issued with a ransom demand, payment of which is required to prevent the release of the stolen data. In some cases, sensitive patient data and images have been released online, and the threat actors have attempted to extort the patients directly. One attack on the Hollywood, CA-based plastic surgeon, Gary Motykie, M.D. in May 2023, required payment of a $2.5 million ransom to prevent the release of the stolen data. Some of the practice’s patients were contacted directly and told to pay to have their sensitive information unpublished.

According to the FBI, the threat actors use technology to hide their true phone numbers and email addresses and use phishing emails to distribute malware. The malware provides access to internal protected computers, allowing them to harvest sensitive data, including photographs. The threat actors have been observed enhancing the stolen data with information gathered from social media platforms, and have also used social engineering techniques to enhance the harvested ePHI data of plastic surgery patients. The enhanced data is used as leverage for extortion and for other fraud schemes. The threat actors contact plastic surgery surgeons and their patients via the telephone, email, SMS messages, and social media platforms. Sensitive ePHI is also shared with the patients’ friends, family, colleagues, and contacts, and public-facing websites are created to share the stolen data.

The FBI has shared tips on how to improve security and reduce the risk of falling victim to these attacks. These measures include reviewing the privacy settings of social media accounts and ideally making accounts private to limit what others can see and what can be posted by others on profiles. Care should be taken accepting friend requests, and audits should be conducted of friends to ensure they are all known individuals. Accounts should be configured to make friend lists visible only to known individuals. Strong, unique passwords and MFA should also be used for all accounts, especially email, financial, and social media accounts. A password manager is recommended for generating strong, unique passwords for accounts and storing them securely. Bank accounts and credit reports should also be routinely checked for suspicious activity.

While not mentioned in the announcement, plastic surgery offices should ensure that they follow cybersecurity best practices such as setting strong passwords and enabling multifactor authentication, and they should deploy endpoint detection solutions and robust anti-phishing controls.

The post FBI: Plastic Surgery Offices Targeted by Extortion Groups appeared first on HIPAA Journal.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an update on AvosLocker ransomware, which includes known indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods associated with the AvosLocker ransomware variant.

AvosLocker is a relatively new ransomware-as-a-service operation that was first identified in July 2021. While the group is not as prominent as LockBit Clop, and ALPHV (BlackCat), AvosLocker ransomware affiliates have compromised organizations across multiple critical infrastructure sectors. The group engages in exfiltration-based extortion, requiring the payment of a ransom to prevent the release of stolen data and for the keys to decrypt files.

AvosLocker affiliates use legitimate software and open source tools during their ransomware operations. The group has been observed using Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent as backdoor access vectors, the open source networking tunneling tools Ligolo and Chisel, Cobalt Strike for command and control, PowerShell and batch (.bat) scripts for lateral movement, Lazagne and Mimikatz for credential harvesting, and FileZilla and Rclone for data exfiltration. The FBI has also observed affiliates using custom webshells to enable network access.

The cybersecurity advisory updates the joint advisory issued the FBI, CISA, and the Treasury’s Financial Crimes Enforcement Network (FinCEN) in March 2023 and includes a YARA rule that was created by the FBI for detecting a signature for a file identified as enabling malware – NetMonitor.exe. NetMonitor.exe masquerades as a legitimate process but functions like a reverse proxy to allow affiliates to connect to the tool from outside the victim’s network. Indicators of Compromise (IoCs) have also been shared that were obtained from investigations of attacks from January 2023 to March 2023, along with recommended mitigations to reduce the risk of compromise by AvosLocker ransomware.

The post CISA and FBI Update AvosLocker Ransomware Cybersecurity Advisory appeared first on HIPAA Journal.

Microsoft has issued a security alert warning that a Chinese Advanced Persistent Threat (APT) Group has been exploiting a zero-day vulnerability in Atlassian Confluence Data Center and Server products.

The vulnerability, CVE-2023-22515, is a critical privilege escalation vulnerability caused by broken access controls. The vulnerability has a maximum CVSS severity score of 10 and can be exploited by any device with a network connection to a vulnerable application. Successful exploitation of the vulnerability allows unauthorized individuals to create Confluence administrator accounts and access Confluence instances.

Atlassian issued a security advisory about the vulnerability on October 4, 2023, and released patches to fix the flaw. Fixed versions are 8.3.3 or later, 8.4.3 or later, and 8.5.2 or later. The vulnerability does not affect Atlassian Cloud sites. Microsoft said it has observed the Chinese APT group Storm-0062 (aka DarkShadow/Oro0lxy) exploiting the flaw since September 14, 2023, and identified four malicious IP addresses sending exploit traffic: 192.69.90[.]31 104.128.89[.]92 23.105.208[.]154 199.193.127[.]231. The extent to which the vulnerability has been exploited has not been disclosed, although Atlassian said earlier this month that a handful of customers had been targeted.

Atlassian and Microsoft say urgent action is required to prevent the vulnerability from being exploited and warn that publicly accessible Confluence Data Center and Server instances are at critical risk. Customers should ensure they upgrade their instances to a fixed version and should conduct comprehensive threat detection. After updating their instances, customers should search for unexpected members of the confluence-administrators group, unexpected newly created user accounts, requests to /setup/*.action in network access logs, and look for the presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory.

The post Atlassian Confluence Data Center and Server Vulnerability Actively Exploited by Chinese APT Actor appeared first on HIPAA Journal.

More than 700 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights in 2021 and 2022, and 2023 is on track to become the third successive year with 700+ large healthcare data breaches. Malicious actors continue to target healthcare organizations as they store large amounts of easily monetized data, which can be held to ransom or sold. Cyberattacks on healthcare organizations have financial and human costs. Healthcare organizations are having to pay millions in breach costs and the attacks often cause disruption to patient care, which increases the risk of complications, affects patient outcomes, and causes an increase in patient mortality rates.

A recent survey of 653 healthcare IT and security professionals has confirmed the impact of these attacks on healthcare organizations. The survey was conducted by the Ponemon Institute on behalf of the cybersecurity firm Proofpoint for its Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care 2023 report. The survey confirmed the extent to which healthcare organizations are being attacked. 88% of the surveyed organizations experienced an average of 40 attacks in the past 12 months, with the attacks costing an average of $4.99 million per incident, which is a 13% increase from the previous year.

The four most common types of attacks were cloud compromise, ransomware, supply chain, and business email compromise (BEC), all of which were found to result in disruption to patient care. Two-thirds (66%) of organizations that experienced one or more of these common attacks said they disrupted patient care, 50% reported an increase in medical procedure complications, and 23% said the attacks increased patient mortality rates. The findings are similar to the previous year, indicating healthcare organizations have not made much progress in improving patient safety and well-being following cyberattacks.

Out of the four most common types of attacks, supply chain attacks were the most likely to negatively affect patient care. Supply chain attacks were experienced by 64% of surveyed organizations in the past 2 years and 77% of those organizations said the attacks caused disruption to patient care, up from 70% in 2022. All 653 surveyed organizations said they had experienced at least one incident that involved the loss or exfiltration of sensitive data in the past 2 years, and on average, 19 such incidents occurred at each organization. 43% of respondents said these incidents impacted patient care, 46% of those organizations experienced an increase in patient mortality rates, and 38% saw increased complications from medical procedures.

BEC attacks were most likely to result in poor outcomes due to delayed procedures (71%). BEC attacks also resulted in an increase in medical procedure complications (56%) and longer lengths of stay (55%). 59% of organizations that suffered a ransomware attack said it resulted in poorer outcomes due to delayed procedures, and 68% said a ransomware attack caused disruption to patient care.

Ransomware attacks have increased in 2023.  54% of surveyed organizations said they experienced an attack in the past 12 months, up from 41% in 2022; however, fewer healthcare organizations are paying ransoms to obtain the keys to decrypt files and/or prevent the release of stolen data. 40% of organizations that suffered a ransomware attack paid the ransom, compared to 51% in 2022. Threat actors have responded to the falling ransom payments by increasing their ransom demands. The average total cost for the highest ransom payment spiked 29% to $995,450 in 2023.

When healthcare IT professionals were asked about their biggest concerns about cyberattacks, cloud compromise (74%) was the biggest worry followed by supply chain attacks (63%), BEC (62%), and ransomware (48%). The two biggest cybersecurity challenges were both related to staffing. 58% of respondents said a lack of in-house cybersecurity expertise was keeping their organization’s cybersecurity posture from being fully effective, and 50% said insufficient staffing was a major challenge.

“While the healthcare sector remains highly vulnerable to cybersecurity attacks, I’m encouraged that industry executives understand how a cyber event can adversely impact patient care. I’m also more optimistic that significant progress can be made to protect patients from the physical harm that such attacks may cause,” said Ryan Witt, chair, Healthcare Customer Advisory Board at Proofpoint. “Our survey shows that healthcare organizations are already aware of the cyber risks they face. Now they must work together with their industry peers and embrace governmental support to build a stronger cybersecurity posture—and consequently, deliver the best patient care possible.”

The post 66% of Healthcare Organizations Say Patient Care was Disrupted by a Cyberattack appeared first on HIPAA Journal.

The HHS’ Health Sector Cybersecurity Coordination Center (HC3) has issued a health and public health (HPH) sector alert about a new ransomware group called Akira, which has been in operation since March 2023. Akira is a ransomware-as-a-service (RaaS) group that recruits affiliates to conduct attacks in exchange for a percentage of the profits they generate. The group mostly attacks small- to medium-sized businesses, although sets substantial ransom payments, which are typically between $200,000 and $4 million. The group has claimed at least 60 victims in a little over 5 months of operation, including organizations in the HPH sector.

The group engages in double extortion tactics, where valuable data are identified and exfiltrated before files are encrypted. The group issues a ransom demand, payment of which is required for the keys to decrypt files and to prevent the release of stolen data. Victims are required to contact the group via their TOR site to negotiate the ransom payment. Victims who pay the ransom are offered a security report that explains the vulnerabilities the group exploited to access their network.

The group uses a variety of methods for initial access including compromised credentials and the exploitation of vulnerabilities in virtual private networks (VPNs), especially where multi-factor authentication has not been implemented. The group has a Windows and Linux ransomware variant and targets both Windows and VMware ESXi servers and incident response data show the group uses a variety of tools in its attacks, including the PCHunter toolkit, the MASSCAN port scanner, Mimikatz for credential harvesting, WinSCP, and PsExec.

The group is thought to have links to the disbanded Conti ransomware group due to Akira and Conti ransomware using similar code, cryptocurrency wallets, and the directory exclusions. HC3 has shared Indicators of Compromise (IoCs) in the Akira ransomware sector alert and provides several recommended mitigations to help network defenders improve resilience to attacks and detect attacks in progress.

The post Akira Ransomware Group Targeting the Healthcare and Public Health Sector appeared first on HIPAA Journal.

A recent survey of healthcare professionals indicates 78% of healthcare organizations have experienced at least one cybersecurity incident in the past 12 months. 60% of those incidents had a moderate or significant impact on the delivery of care, 15% had a severe impact, and 30% involved sensitive data. Protected Health Information (PHI) was exposed or stolen in 34% of incidents in North America.

The survey was conducted by Pollfish on behalf of the cybersecurity firm Claroty on 1,100 individuals in North and South America, APAC, and Europe. Respondents worked full-time in the health sector in cybersecurity, engineering, IT, or networking. The survey indicates 26% of organizations that experienced a cyberattack paid a ransom to either prevent the release of stolen data or to decrypt encrypted files. The costs of these attacks typically fell in the range of $100,000 to $1 million; however, more than one-third of respondents who experienced a cyberattack said the recovery costs were greater than $1 million. The biggest cost from the attacks in all but the APAC region was operational downtime.

61% of respondents in North America said they were very or moderately concerned about cyberattacks on their systems. The biggest concerns in this region were insider threats (47%), followed by supply chain and privilege escalation attacks (41%), denial of service (DoS) attacks (39%), and ransomware attacks (38%). A majority of organizations (78%) said they have clear leadership in place for medical device security, which is most commonly the responsibility of IT security teams, and cybersecurity programs typically covered sensitive data such as PHI, EHRs, IT systems, endpoints, medical devices, and BMS such as elevators and HVAC equipment. When asked about the security standards, regulations, and guidelines, the NIST and HITRUST Cybersecurity Frameworks were seen as the most important in North America followed by HIPAA and 405(d).

The survey indicates that healthcare organizations have a clear understanding of the aspects of security that need to be improved. The biggest gaps in defenses were cited as medical device vulnerability patching, asset inventory management, and medical device network segmentation. 60% of respondents said their organization’s security posture has improved over the past 12 months and 51% said their security budgets had been increased in the past year; however, efforts to improve cybersecurity were being hampered by the global shortage of cybersecurity professionals. More than 70% of respondents said they were looking to hire additional cybersecurity staff members and 80% said finding qualified candidates was difficult.

“Security challenges in the healthcare sector continue to mount as the number and types of connected assets grow and the attack surface expands. Beyond the financial ramifications organizations in any sector can face in the wake of a successful attack, in healthcare the stakes are raised due to the patient outcomes at risk,” explained Claroty in the report. “With strong security leadership in place, well-rounded security programs implemented, and the adherence to guidelines and frameworks from regulatory bodies, healthcare organizations are on the right track to ensuring cyber and operational resilience. Recognizing there is more work to be done, they are also prioritizing investments in people, processes, and technologies to build resilience further and ensure compliance while delivering uninterrupted, quality care to their patients.”

The post 78% of Healthcare Organizations Suffered a Cyberattack in the Past Year appeared first on HIPAA Journal.

CyCognito has published its latest State of External Exposure Management Report, which highlights the extent to which vulnerabilities affect organizations and how easy it is for hackers to exploit those vulnerabilities.

For the report, CyCognito’s researchers aggregated and analyzed 3.5 million digital assets across its customer base between June 2022 and May 2023, which includes small, medium, and large enterprises, including Fortune 500 companies.

The study found that 70% of web applications had severe security gaps, such as lacking web application firewall (WAF) protection and not using encrypted connections such as HTTPS, with 25% of web applications lacking both protections. A typical enterprise has more than 12,000 web apps such as APIs, SaaS applications, databases, and servers. The researchers found at least 30% of those web apps have more than 3,000 assets and had at least one exploitable or high-risk vulnerability.

The study confirmed the extent to which personally identifiable information (PII) is put at risk. 74% of assets containing PII were found to be exposed to at least one major exploit, and one in ten assets had at least one easily exploitable issue. While critical severity vulnerabilities are a major concern, for every easily exploitable critical vulnerability identified, there were 133 easily exploitable high, medium, or low severity issues.

As CyCognito explains in the report, the attack surface is constantly changing and its research suggests the attack surface fluctuates by as much as 10% each month. That means that over the course of a year, thousands of new assets may have been added to the network and any one of those assets could contain an exploitable vulnerability. Because the attack surface is dynamic, organizations cannot make do with mapping it just once as the map created will be out of data almost immediately.

Naturally, there is a balance to be struck, so many organizations have a biannual or quarterly mapping cadence, although such infrequent mapping could result in serious gaps in awareness and coverage. “To stay aware of risks as soon as they appear, use frequent mapping and scanning of all assets to maintain an up-to-date, comprehensive understanding of your external attack surface,” suggests CyCognito.

Attention needs to be paid to web apps, which typically account for around 22% of the attack surface. They are easy to deploy, provide access to valuable data, connect businesses with employees and customers, and can have dozens of components, each of which can be affected by security issues. Organizations should ensure that web apps are properly protected with WAF and encrypted connections, especially those that provide access to PII or e-commerce platforms.

Addressing security issues is a never-ending process. It is important to ensure that the most serious issues are prioritized and addressed first. CyCognito recommends using context about affected assets and threat actor activity to identify the most serious threats to prioritize and not to rely on CVSS scores, as there may be a far greater risk from less severe flaws, which threat actors can easily exploit.

The post Study Reveals State of External Exposure Management appeared first on HIPAA Journal.