Healthcare Cybersecurity

Highmark BCBS of Delaware Investigates Data Breach Affecting 19,000 Individuals

Highmark BlueCross BlueShield of Delaware is investigating a breach of 19,000 beneficiaries of employer-paid health plans. The data breach involves two subcontractors of Highmark BCBS – Summit Reinsurance Services and BCS Financial Corporation.

Karen Kane, Highmark BCBS director of privacy and information management, issued a statement saying 16 current and former Highmark self-insured customers have been impacted.

Affected individuals have now been notified of the breach by mail. The breach notification letters were sent by Summit Reinsurance Services (SummitRe). In the letters, consumers were informed that some of their highly sensitive protected health information had potentially been accessed by unauthorized individuals.

A ransomware infection was discovered by SummitRe on August 5, 2016, although a forensic analysis of the cyberattack revealed that access to Summit’s systems was first gained on March 12, 2016. SummitRe stated in the letters that the forensic investigation into the breach is ongoing, although no direct evidence has been uncovered to suggest that any ePHI stored on the affected server has been used inappropriately.

The types of data that could potentially have been accessed include names, Social Security numbers, details of health insurance, providers’ names, medical records relating to insurance claims – including medical diagnoses, and some clinical information.

Patients affected by the breach have been offered a year of credit monitoring and identity restoration services to protect them against identity theft and fraud.

Details of the nature of the cyberattack are being kept under wraps for the time being while the investigation continues. One of the questions that is likely to be asked is what happened during the five months between the initial intrusion and the ransomware infection.

Hackers are known to install ransomware once they no longer require access to infiltrated systems, often after all valuable information has been obtained. In this case, it is unclear whether any data were exfiltrated during those five months.

SummitRe has been criticized for the letter sent to affected individuals, as it was not abundantly clear who the company was. Affected individuals would have been unlikely to have any dealings with the company in the past as insurance plans were provided through their employers.

Trinidad Navarro, Insurance Commissioner for the State of Delaware, said the letter “appears as if it is A) an Ad, or B) a scam.” Navarro also said, “Unfortunately, we fear that many may have misinterpreted or inadvertently discarded the letter.”

One of the data breach notification letters was provided to NBC 10 reporters by an affected patient. The letter was dated January 4, 2016. It is unclear why it took five months for patients to be notified of the breach – almost 10 months after the server was inappropriately accessed.

HIPAA Breach Notification Rule Requirements for Notifying Individuals of Data Breaches

The HIPAA Breach Notification Rule requires covered entities to notify individuals of a suspected ePHI breach within 60 days of discovery of the breach. Last week, the Department of Health and Human Services’ Office for Civil Rights sent a strong message to covered entities about the importance of issuing timely breach notifications. Presence Health of Illinois agreed to settle potential violations of the HIPAA Breach Notification Rule after OCR investigators became aware that it had delayed breach notifications for 3 months following a 2013 security incident affecting 836 individuals. Presence Health will pay OCR $475,000 as part of the settlement deal.

The post Highmark BCBS of Delaware Investigates Data Breach Affecting 19,000 Individuals appeared first on HIPAA Journal.

Warning for Healthcare Organizations that use MongoDB Databases

Over the course of the past two weeks, the number of organizations that have had their MongoDB databases accessed, copied, and deleted has been steadily growing.

Ethical hacker Victor Gevers discovered in late December that many MongoDB databases had been left unprotected and were freely accessible over the Internet by unauthorized individuals. By January 6, he reported that 13 organizations had had their databases copied and deleted. In their place was a new database containing nothing but a ransom demand. The hacker responsible offered to return the data once a ransom payment had been made – in this case 0.2 Bitcoin ($175).

The number of affected organizations has rapidly increased over the past few days. Today, more than 32,000 organizations have been issued with ransom demands and have had their databases deleted, including Emory Healthcare.

Emory Healthcare is not the only U.S. healthcare organization to have left databases exposed. MacKeeper security researcher Chris Vickery has identified another potential healthcare victim. A database used by WAMC Sleep Clinic – which operates the website militarysleep.org – has also been left exposed.

The database, which contains 2GB of information, includes details of 1,200 veterans who suffer from sleep disorders and have registered with the Sleep Clinic. The database contains sensitive information such as veterans’ names, email addresses, home addresses, former rank in the military, and their history of use of the site. The database also contains chat logs of conversations between doctors and veterans. Those logs contain highly sensitive details of patients’ medical conditions.

As with other organizations that have left their MongoDB databases in the default configuration, the information can be accessed by anyone who knows where to look. No login credentials are required: the databases can be read without a username, a password, or any other form of authentication.

The problem affects organizations that are using older versions of MongoDB. In previous versions, MongoDB shipped with unrestricted remote access turned on by default. While later versions of the database platform changed this so that remote access is off in the default configuration, many organizations are still using older versions and have not changed the configuration settings to prevent unrestricted data access.

Unfortunately, many individuals have started to access unprotected MongoDB databases and have deleted data and issued ransom demands. One well-known organized ransomware gang has also become involved and is attempting to extort money from 21,000+ organizations.

While some of these ‘hackers’ have exfiltrated data prior to deleting databases, others have not. Ransom demands are being issued nonetheless, although in those cases, since no copy of the data has been taken, recovery will be impossible even if a ransom payment is made.

Healthcare organizations that use MongoDB databases should ensure that their security settings are updated to prevent remote access by unauthorized individuals. Given the number of organizations already attacked, failure to do so is likely to result in data being hijacked, or worse, permanently deleted. Gevers suggests there are more than 99,000 organizations that have misconfigured MongoDB databases and are therefore at risk.

The post Warning for Healthcare Organizations that use MongoDB Databases appeared first on HIPAA Journal.

FDA Confirms Muddy Waters’ Claims that St. Jude Medical Devices Can be Hacked

The U.S. Food and Drug Administration (FDA) issued a safety communication Tuesday about cybersecurity flaws in certain St. Jude Medical cardiac devices and the Merlin@home transmitter after it was confirmed the devices could potentially be remotely accessed by unauthorized individuals.

The FDA confirmed that unauthorized users could “remotely access a patient’s RF-enabled implanted cardiac device by altering the Merlin@home Transmitter,” potentially causing patients to be harmed. The flaws would allow an attacker to deplete the battery on implanted devices, alter pacing, or trigger shocks.

The FDA confirmed that there have been no reported instances of the cybersecurity flaws being exploited to cause harm to patients to date and patients have been advised to continue using the devices as instructed by their healthcare providers.

A patch to address the flaws has been developed and will be automatically applied this week. However, in order for the Merlin@home device to receive the update it must be left plugged in and connected to the Merlin Network.

The cybersecurity vulnerabilities were discovered by researchers at MedSec as part of a study into cybersecurity measures used to protect implantable medical devices. MedSec passed on details of the research to Muddy Waters last summer. In August 2016, Muddy Waters published a report criticizing St. Jude Medical for allowing ‘stunning cybersecurity flaws’ to remain unaddressed in its Merlin@home system and its associated defibrillators and pacemakers. St. Jude Medical denied the claims and sued Muddy Waters for disseminating ‘false and misleading’ information.

However, since the revelations were made in August, Abbott Laboratories, which recently acquired St. Jude Medical in a $25 billion deal, has been conducting its own investigations into device security. Abbott Laboratories has worked closely with both the FDA and the Department of Homeland Security to ensure that its pacemakers, defibrillator devices, and their associated systems are adequately protected and access by unauthorized individuals is blocked. The FDA has reviewed the software patch and has confirmed that it addresses the “greatest risks” and reduces the potential for exploitation and patient harm.

Carson Block, founder of Muddy Waters, issued a statement about the FDA announcement saying it “reaffirms our belief that had we not gone public, St. Jude would not have remediated the vulnerabilities.” However, while critical security vulnerabilities have been addressed, Block said “the announced fixes do not appear to address many of the larger problems, including the existence of a universal code that could allow hackers to control the implants.”

In the safety communication, the FDA reminded consumers that “any medical device connected to a communications network (e.g. wi-fi, public or home Internet) may have cybersecurity vulnerabilities that could be exploited by unauthorized users.” The FDA went on to say “the increased use of wireless technology and software in medical devices, however, can also often offer safer, more efficient, convenient and timely health care delivery.”

Cybersecurity Guidance for Medical Device Manufacturers

In December 2016, the FDA published its final cybersecurity guidance for medical device manufacturers. The document details measures that medical device manufacturers should adopt to ensure post-market devices are routinely assessed for vulnerabilities that could be exploited by hackers. The FDA released guidance in 2014 covering pre-market submissions for the management of cybersecurity in medical devices.

The post FDA Confirms Muddy Waters’ Claims that St. Jude Medical Devices Can be Hacked appeared first on HIPAA Journal.

Cosmetic Surgery Center Reports Ransomware Infection: 11,400 Patients Impacted

Another healthcare provider has announced that a ransomware infection has resulted in patients’ protected health information being encrypted, and potentially accessed, by cybercriminals.

The Susan M. Hughes Center, a provider of aesthetic medicine and cosmetic surgery services in New Jersey and Philadelphia, discovered ransomware had been installed on its computer system on August 30, 2016.

A computer server was attacked and infected which resulted in files containing patients’ names, telephone numbers, dates of service, payment amounts, and details of services provided being encrypted. The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 11,400 patients have been impacted.

Upon discovery of the incident, passwords were reset and action was taken to isolate the affected server. Fortunately, the center was able to switch to a backup system while the infection was resolved. According to the substitute breach notice posted on the company website, an investigation into the attack was immediately launched and an external cybersecurity firm was hired to conduct a forensic investigation.

While PHI may have been accessed by the attackers, the cosmetic surgery center has not received any reports to suggest any PHI has been used inappropriately.

Ransomware attacks are reportable breaches under HIPAA Rules. Covered entities are required to notify patients of a ransomware attack that potentially results in their PHI being compromised, and OCR must be notified. If the potential breach impacts more than 500 individuals, a notice must be issued to the media and a substitute breach notice placed on the company’s website.

As with other breaches of PHI, the HIPAA Breach Notification Rule allows covered entities up to 60 days to issue a notification to OCR and to inform patients of a ransomware attack if PHI has been compromised.

Yet in this instance, patients were not notified of the attack until December 27, 2016, almost four months after the attack was discovered. The Office for Civil Rights was notified of the incident on the same day. It is unclear why notifications were delayed for so long.

The Office for Civil Rights has not previously taken action against healthcare organizations solely for delaying breach notifications, although yesterday OCR announced a settlement had been reached with Presence Health of Illinois for the failure to issue breach notifications within the 60-day Breach Notification Rule reporting period. In the case of Presence Health, breach notifications were issued around 100 days after the breach was discovered. Presence Health agreed to settle potential HIPAA violations for $475,000.

The post Cosmetic Surgery Center Reports Ransomware Infection: 11,400 Patients Impacted appeared first on HIPAA Journal.

Emory Healthcare Joins 28,000 Other Victims of MongoDB Ransom Attacks

A hacker by the name of Harak1r1 has taken advantage of a misconfigured MongoDB healthcare database containing 200,000 records of Emory Healthcare patients. The hacker stole the database and issued a 0.2 Bitcoin ransom demand for its safe return.

Emory Healthcare is the largest healthcare provider in Georgia, with headquarters in Atlanta. The database contained the protected health information of patients of the Emory Brain Health Center. Information in the database includes patients’ names, addresses, email addresses, dates of birth, medical ID numbers, and phone numbers.

However, while the attack involves a ransom demand, Harak1r1 is not using ransomware. The Emory Healthcare database was accessed, the database was stolen, and the data tables were wiped. Emory Healthcare is far from the only victim. More than 4,000 companies have been attacked by Harak1r1.

The attacks on misconfigured MongoDB databases were discovered by the ethical hacker Victor Gevers of GDI Foundation on December 27, 2016.

Gevers found a MongoDB database that had been left unsecured. When the database was accessed, instead of data in the tables, the database appeared to have been wiped clean and replaced with a ransom demand asking for 0.2 Bitcoin to be paid to recover the database. Gevers reports that the attacker gained access to the healthcare provider’s MongoDB database, exfiltrated it, and replaced the data with a new table called Warning, which contained the ransom demand.

Gevers investigated and discovered numerous organizations had also been attacked. The victim count has been steadily rising over the past couple of weeks, from tens to hundreds to thousands.

Reports this morning indicate the total victim count has now surpassed 28,000. Norway-based security researcher Niall Merrigan is tracking the attacks along with Gevers. At the time of writing, the victim count has reached 28,321.

However, not all of the attacks have been conducted by Harak1r1. There now appears to be at least 13 individuals involved. One attacker from India has attacked and wiped the data of more than 16,000 organizations. Unfortunately, not all of the attackers are exfiltrating data. Organizations are being issued with ransom demands, but their databases are simply being wiped. Payment of the ransom may not result in data being recovered.

The good news is that the problem appears to only affect older installations of MongoDB that have been left in the default configuration. The bad news is that there are 99,000 or more of these unprotected databases according to Gevers.

In the default configuration, databases can be accessed over the Internet without the need for any hacking tools. Not even a username and password are required to gain access to the unprotected databases.

MongoDB, Inc., the company behind MongoDB, fixed the issue in the latest MongoDB version. Unfortunately, if MongoDB admins have not upgraded to the latest version or have not otherwise secured their MongoDB installations, their databases may be stolen or simply deleted.

Any organization that uses MongoDB should take immediate action to ensure its installation is up to date and its data secured and backed up. The 0.2 Bitcoin ransom may not break the bank, but there is a high probability that data will simply be wiped. Should that happen, and a viable backup not exist, the data will be permanently lost.
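The two MongoDB articles above describe the same root cause: a mongod instance listening on every network interface with access control left off. As an added illustration, not code from the HIPAA Journal articles or from MongoDB, Inc., the following mongod.conf fragments show that exposed configuration beside a hardened one. The option names (net.bindIp, net.port, security.authorization) are real mongod settings in the YAML configuration format used since MongoDB 2.6; the interface address 10.0.0.5 is an assumed placeholder for a private application-tier interface.

```yaml
# Added illustration (not from the article): two mongod.conf documents,
# separated by "---". Key names are real mongod options; 10.0.0.5 is a
# constructed placeholder address.

# --- Exposed: the pattern behind the ransom attacks described above ---
# Binding to 0.0.0.0 with no security section means anyone who can reach
# TCP/27017 can list, copy and drop every collection without logging in.
net:
  bindIp: 0.0.0.0
  port: 27017
# (no "security" block: authorization is disabled unless switched on)
---
# --- Hardened ---
net:
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private app-tier interface only
  port: 27017
security:
  authorization: enabled       # every client must authenticate; roles limit what it may do
```

After restarting mongod with authorization enabled, create the first administrative user from a local shell with db.createUser() and give application accounts only the roles they need; in the older INI-style configuration the equivalent settings were bind_ip and auth = true. An existing configuration file that explicitly binds to 0.0.0.0 keeps doing so after a version upgrade, so the file itself and any host firewall rules for port 27017 should both be checked, and a tested, offline backup is the only recovery path when an attacker wipes rather than copies the data.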

The post Emory Healthcare Joins 28,000 Other Victims of MongoDB Ransom Attacks appeared first on HIPAA Journal.

Patients Holding Back Health Information Over Fears of Data Privacy

A fully interoperable health system is becoming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers.

However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial medical histories, the usefulness of health data will be limited.

Unfortunately, many patients are reluctant to provide their full medical histories to their healthcare providers, and even when information is provided, many patients do not want that information shared with anyone other than their primary healthcare provider.

Privacy and security issues are a major concern, and the problem is growing. As healthcare data breaches continue to increase year on year, consumer confidence is decreasing. This has a direct impact on the willingness of patients to share their health data.

Important Medical Information is Being Withheld by Patients

The extent to which patients are withholding information has recently been highlighted by a Black Book survey. Between September and December 2016, Black Book conducted a national poll of 12,090 adult consumers to assess patients’ confidence in health IT and the extent to which they have been willing to share their health information.

The results of the survey clearly show that patients are extremely concerned about the privacy of their data and believe that sensitive health information is being shared without their knowledge. There are also serious concerns about healthcare organizations’ abilities to protect health information and ensure that it remains private.

For the Black Book survey, consumers were asked about the contact they had had with technology used by their physician, hospital, and other healthcare organizations over the past 12 months, including mobile apps, patient portals, and electronic health records.

57% of respondents who had experience of these health technologies said they were concerned about the privacy protections put in place and whether their data could be kept private.

87% of Patients Unwilling to Share their Full Medical Histories

Consumer confidence in the privacy and security measures put in place by healthcare providers appears to be at an all-time low. Black Book reports that in the last quarter of 2016, 87% of patients were unwilling to comprehensively share all of their health information with their providers. 89% of consumers who had visited a healthcare provider in 2016 said they had withheld some information during their visits.

While certain types of information are openly shared, healthcare patients are particularly concerned about sharing highly sensitive data. Many feel that those data are being shared without their knowledge.

90% of respondents said they were concerned about details of their pharmacy prescriptions being shared beyond their chosen provider and payer, and that information was being shared with the government, retailers, and employers. 81% were concerned that information about chronic conditions was being shared without their knowledge, and 99% were concerned about the sharing of mental health notes. 93% of respondents said they were concerned about their personal financial information being shared.

According to Black Book Managing Partner Doug Brown, “Incomplete medical histories and undisclosed conditions, treatment or medications raises obvious concerns on the reliability and usefulness of patient health data in application of risk based analytics, care plans, modeling, payment reforms, and population health programming.” In a statement issued about the findings of the survey he said, “This revelation should force cybersecurity solutions to the top of the technology priorities in 2017 to achieve tangible trust in big data dependability.”

Providers’ Expertise with Technology Inspires Trust

Providers can do more to improve patients’ confidence in technology by demonstrating that they know how to use it. Patients do not appear to have an issue with the technology itself. Only 5% of respondents said they mistrusted the technology. However, 69% of respondents said their current primary care physician did not display enough technology prowess for them to be able to trust that individual with all of their data. 84% of respondents said their level of trust in their provider was influenced by how that provider used technology.

Patients are also having trouble using technology. 96% of consumers said they had left physicians’ offices “with poorly communicated or miscommunicated instructions on patient portal use,” and 83% reported having difficulty using the portal at home. Only 40% of patients said they had tried to use the portal in their physician’s office.

The survey also revealed that patients believe the data they are collecting via personal wearable devices is important. 91% of consumers said their physician practice’s medical record system should store any health-related data they request. However, most physicians do not want access to so much information. 94% of physicians that responded to this section of the survey said much of the personally collected health information is redundant and would be unlikely to make a clinical difference. Furthermore, so much information is now being collected that they are becoming overwhelmed by data.

The post Patients Holding Back Health Information Over Fears of Data Privacy appeared first on HIPAA Journal.

Largest Healthcare Data Breaches of 2016


2016 was a particularly bad year for healthcare data breaches. While the number of records exposed was nowhere near the level of 2015 – 15,936,849 records compared to 113,267,174 in 2015 – more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan members’ records that have been exposed in a single year.

As 2017 begins, there have been 313 reported breaches of more than 500 records that have been uploaded to the OCR breach portal.

2016 Healthcare Data Breaches of 500 or More Records

| Year | Number of Breaches | Number of Records Exposed |
|---|---|---|
| 2016 | 313 | 15,936,849 |
| 2015 | 270 | 113,267,174 |
| 2014 | 307 | 12,737,973 |
| 2013 | 274 | 6,950,118 |
| 2012 | 209 | 2,808,042 |
| 2011 | 196 | 13,150,298 |
| 2010 | 198 | 5,534,276 |
| 2009 | 18 | 134,773 |
| Total | 1785 | 170,519,503 |


While the above figures appear to suggest a significant reduction in large healthcare data breaches year on year, the figures are somewhat misleading.

In 2015 there were three massive data breaches reported by covered entities: Anthem Inc., Premera Blue Cross, and Excellus Health Plan. Those three cyberattacks resulted in the theft of 78.8 million records, 11 million, and 10 million records respectively.

More records may have been exposed in 2015 as a result of those major cyberattacks, although in each size category, 2016 ranked worse than 2015. Many healthcare organizations will be happy to put 2016 behind them.

2016 Healthcare Data Breaches by Size (compared with 2015)

| Year | 500 to 1,000 Records | 1,000 to 10,000 Records | 10,000 to 100,000 Records | 100,001+ Records |
|---|---|---|---|---|
| 2016 | 13 | 62 | 151 | 86 |
| 2015 | 12 | 37 | 142 | 76 |


Aside from one major breach at a business associate, all of the largest healthcare data breaches of 2016 – those that resulted in the exposure or theft of more than 100,000 healthcare records – affected healthcare providers. The largest data breach experienced by a health plan was the 91,187-record breach reported by Washington State Health Care Authority in September.

Largest Healthcare Data Breaches of 2016

| Rank | Covered Entity | Entity Type | Cause of Breach | Records Exposed |
|---|---|---|---|---|
| 1 | Banner Health | Healthcare Provider | Hacking/IT Incident | 3,620,000 |
| 2 | Newkirk Products, Inc. | Business Associate | Hacking/IT Incident | 3,466,120 |
| 3 | 21st Century Oncology | Healthcare Provider | Hacking/IT Incident | 2,213,597 |
| 4 | Valley Anesthesiology Consultants | Healthcare Provider | Hacking/IT Incident | 882,590 |
| 5 | County of Los Angeles Departments of Health and Mental Health | Healthcare Provider | Hacking/IT Incident | 749,017 |
| 6 | Bon Secours Health System Incorporated | Healthcare Provider | Unauthorized Access/Disclosure | 651,971 |
| 7 | Peachtree Orthopaedic Clinic | Healthcare Provider | Hacking/IT Incident | 531,000 |
| 8 | Radiology Regional Center, PA | Healthcare Provider | Loss | 483,063 |
| 9 | California Correctional Health Care Services | Healthcare Provider | Theft | 400,000 |
| 10 | Central Ohio Urology Group, Inc. | Healthcare Provider | Hacking/IT Incident | 300,000 |
| 11 | Premier Healthcare, LLC | Healthcare Provider | Theft | 205,748 |
| 12 | Athens Orthopedic Clinic, P.A. | Healthcare Provider | Unauthorized Access/Disclosure | 201,000 |
| 13 | Community Mercy Health Partners | Healthcare Provider | Improper Disposal | 113,528 |


Main Causes of Healthcare Data Breaches in 2016

Insider breaches continue to plague the healthcare industry in the United States. As in 2015, the main cause of healthcare data breaches in 2016 was unauthorized access/disclosure. Hacking incidents on the scale of those at Anthem, Premera, and Excellus were not repeated in 2016, but 2016 saw a major increase in healthcare hacks.

The loss and theft of unencrypted devices used to store PHI fell considerably year on year, although the use of data encryption technology could have prevented all 76 of those data breaches and the exposure of 1,459,816 healthcare records.

| Main Cause of Breach | 2016 | 2015 |
|---|---|---|
| Unauthorized Access/Disclosure | 127 | 102 |
| Hacking/IT Incident | 102 | 57 |
| Theft | 60 | 81 |
| Loss | 16 | 23 |
| Improper Disposal | 7 | 6 |


2016 Healthcare Data Breaches by Covered Entity

Healthcare data breaches in 2016 followed a similar pattern to 2015, with healthcare providers the main entities breached, although the percentage of breaches affecting health plans was significantly lower in 2015. Data breaches at business associates remained at the same level year on year.

| Breached Entity | 2016 | 2015 |
|---|---|---|
| Healthcare Provider | 247 | 196 |
| Health Plan | 46 | 62 |
| Business Associate | 19 | 19 |

Data Source: Department of Health and Human Services’ Office for Civil Rights

The post Largest Healthcare Data Breaches of 2016 appeared first on HIPAA Journal.

108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted

It has taken some time for the County of Los Angeles to announce it was the victim of a major phishing attack, especially considering the attack was discovered within 24 hours of the May 2016 breach. However, notification had to be delayed so as not to interfere with an “extensive” criminal investigation.

The investigation into the phishing attack was conducted by county district attorney Jackie Lacey’s cyber investigation response team. In many cases, cybercriminals are able to effectively mask their identities and it is relatively rare for the individuals responsible for phishing attacks to be identified. Bringing individuals to justice is harder still. All too often the perpetrators are based overseas.

In this case, the investigation has resulted in the identification of a suspect: Austin Kelvin Onaghinor, 37, of Nigeria. On December 15, 2016, a criminal arrest warrant for Onaghinor was issued. Onaghinor faces nine charges related to the phishing attack, including theft and misuse of L.A. County confidential information, unauthorized computer access, and identity theft.

At the time of writing, Onaghinor has yet to be arrested and his whereabouts are unknown. He is considered a fugitive, and Lacey said “My office will work aggressively to bring this criminal hacker and others to Los Angeles County where they will be prosecuted to the fullest extent of the law.”

The phishing attack occurred on May 13, 2016. A large number of expertly crafted phishing emails were sent to Los Angeles County employees. The emails appeared to be legitimate; however, responding to the emails resulted in employees disclosing their usernames and passwords to the attacker. In total, 108 L.A. County employees responded, and by doing so, compromised their email accounts.

The email accounts contained a wide range of sensitive data including financial and health information. Investigators were required to individually check each email in the 108 compromised accounts to determine which individuals had been impacted and what information had been exposed.

The extensive investigation determined that 756,000 individuals had been impacted by the breach. Those individuals had previously had contact via email with the following Los Angeles County departments: Assessor, Chief Executive Office, Children and Family Services, Child Support Services, Health Services, Human Resources, Internal Services, Mental Health, Probation, Public Health, Public Library, Public Social Services and Public Works.

According to the breach notice recently uploaded to the Department of Health and Human Services’ Office for Civil Rights breach portal, 749,017 patients of the County of Los Angeles Departments of Health and Mental Health were impacted.

The information contained in the email accounts included full names, home addresses, phone numbers, birth dates, Social Security numbers, state ID numbers, driver’s license numbers, Medi-Cal and insurance carrier IDs, medical record numbers, payment card numbers, bank account information, and medical information, including diagnoses and treatment information.

Although the information was potentially accessed seven months ago, Los Angeles County has uncovered no evidence to suggest that any of it has been misused. As a precaution against identity theft and fraud, all individuals impacted by the breach have been offered a year of credit monitoring, identity consultation, and identity restoration services free of charge.

Phishing emails are regularly sent to government employees and many make it past spam filters to employees’ inboxes. However, for the emails to result in the disclosure of 108 email account credentials is concerning.

Preventing employees from responding to phishing emails is a challenge, but a successful attack of this scale suggests a serious failure of both technical controls and training. The attack was at least detected the following day, and L.A. County “immediately implemented strict security measures” to reduce the impact of the breach.

Phishing emails are a difficult threat to mitigate, although there are proven technologies and tactics that can be employed to reduce risk and at least limit the harm caused. Anti-phishing training has been demonstrated to greatly improve employees’ phishing email identification skills, in particular when anti-phishing exercises are conducted.

A study of 40 million phishing simulation emails by PhishMe (between January 2015 and July 2016) showed that susceptibility to phishing attacks falls to around 20% after just one failed phishing email simulation, while the implementation of a reporting tool can dramatically reduce the time to detect phishing threats. The sooner the threat is detected, the easier it is to alert employees and mitigate risk.

Solutions such as advanced spam filters can reduce the volume of phishing emails that reach end users, while web filtering gateways can block the credential-harvesting pages that the emails link to, so that a user who clicks cannot hand over a password. Blocking access to websites hosted in foreign countries offers only limited protection, since foreign-based phishers often host their phishing sites on infrastructure in the United States.

Combined with next-generation firewalls and intrusion detection systems, these controls make it possible to mount a reasonable defense against phishing attacks and to reduce the damage caused when an attack succeeds. Because this attack worked by harvesting passwords, requiring a second authentication factor for email access would also have limited what the attacker could do with the stolen credentials.
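Detection is the other half of the picture. An incident like this one leaves a characteristic trace in authentication logs: a single source address that, in the hours after the campaign, signs in as many different users from a location none of them has used before. The following Python script is an added example, not code from the original article or from L.A. County. It assumes a simple whitespace-separated log format (UTC timestamp, user, source IP, success/fail), treats everything before a chosen cutoff as known-good history, and runs over a constructed sample log; the addresses, user names and timestamps in it are made up for illustration.

```python
"""Flag the replay of phished credentials in authentication logs.

Added example (not from the original article). After a credential-harvesting
campaign the attacker signs in to the harvested accounts from infrastructure the
victims never used, so one source IP suddenly authenticates as many distinct
users whose (user, IP) pair has never been seen before. The log format is an
assumption: "<ISO-8601 UTC timestamp> <user> <source IP> <success|fail>".
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Set, Tuple


class AuthEvent(NamedTuple):
    ts: datetime
    user: str
    ip: str
    success: bool


# Constructed sample log: one day of normal logins, then the campaign day on
# which five accounts are used from a single external address (a TEST-NET-3
# documentation address, not a real attacker).
SAMPLE_LOG = """\
2016-05-12T08:30:00Z alice 10.1.4.22 success
2016-05-12T08:45:10Z bob 10.1.4.31 success
2016-05-12T09:10:00Z carol 10.1.7.90 success
2016-05-12T09:12:00Z frank 10.1.4.22 success
2016-05-13T09:02:11Z alice 10.1.4.22 success
2016-05-13T09:05:40Z bob 10.1.4.31 success
2016-05-13T11:20:13Z alice 203.0.113.45 success
2016-05-13T11:21:55Z bob 203.0.113.45 success
2016-05-13T11:22:30Z carol 203.0.113.45 success
2016-05-13T11:23:01Z dave 203.0.113.45 success
2016-05-13T11:23:40Z erin 203.0.113.45 fail
2016-05-13T11:24:02Z erin 203.0.113.45 success
2016-05-13T12:00:00Z grace 198.51.100.7 success
2016-05-13T14:00:00Z frank 10.1.4.31 success
"""

# Everything before the campaign day is treated as known-good history (assumed).
CUTOFF = datetime(2016, 5, 13, tzinfo=timezone.utc)


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the assumed log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(when, user, ip, result == "success"))
    return events


def build_baseline(events: List[AuthEvent], cutoff: datetime) -> Set[Tuple[str, str]]:
    """(user, ip) pairs that succeeded before the cutoff: the 'normal' set."""
    return {(e.user, e.ip) for e in events if e.success and e.ts < cutoff}


def detect_mass_login(events: List[AuthEvent], baseline: Set[Tuple[str, str]],
                      window: timedelta = timedelta(minutes=30),
                      min_users: int = 3) -> List[Dict]:
    """Alert on any source IP that newly succeeds as >= min_users distinct users
    inside a sliding time window. Single-user new pairs (a staff member on a
    new workstation) never reach the threshold, which keeps the rule quiet."""
    by_ip: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.success and (e.user, e.ip) not in baseline:
            by_ip[e.ip].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        best_users: List[str] = []
        best_start = 0
        start = 0
        for end, e in enumerate(evs):
            while e.ts - evs[start].ts > window:  # slide the window forward
                start += 1
            users = sorted({x.user for x in evs[start:end + 1]})
            if len(users) > len(best_users):
                best_users, best_start = users, start
        if len(best_users) >= min_users:
            alerts.append({"ip": ip, "first_seen": evs[best_start].ts, "users": best_users})
    return alerts


def run_example() -> List[Dict]:
    """Run the detector over the constructed sample log."""
    events = parse_log(SAMPLE_LOG)
    return detect_mass_login(events, build_baseline(events, CUTOFF))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['ip']} first seen {a['first_seen'].isoformat()} as {', '.join(a['users'])}")
```

On the sample data the rule fires once, for 203.0.113.45, listing the five accounts used from it within four minutes, and stays silent for the two staff members who simply logged in from a new internal address. In production the baseline would come from weeks of history rather than a single day, and the window and user threshold should be tuned against the organization's own traffic so that shared proxies and VPN egress addresses do not trigger it.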

The attack should serve as a reminder of how serious the threat of phishing is, and how important it is for organizations – government and private sector – to enhance the controls they have in place to mitigate the threat.

The post 108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted appeared first on HIPAA Journal.