Healthcare Cybersecurity

Citrix Patches 2 Actively Exploited NetScaler ADC and Gateway Zero Days

Posted by Steve Alder

Two zero-day vulnerabilities have been identified in customer-managed Citrix NetScaler Application Delivery Controller and NetScaler Gateway devices that are being exploited in the wild. The vulnerabilities are present in the NetScaler management interface can be exploited in unpatched devices that are exposed to the Internet.

The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog, and while attacks have been limited, CISA warns that the vulnerabilities are frequent attack vectors for malicious cyber actors and exploitation is likely to increase in the coming days. In December, Citrix released an advisory about a vulnerability dubbed CitrixBleed (CVS-2023-4966) which has been extensively exploited by ransomware groups. As such, CISA has advised all federal agencies to ensure the patches are applied as soon as possible and at most within a week.

The two recently disclosed zero-day bugs are unrelated to CitrixBleed.  CVE-2023-6549 is a high-severity buffer overflow vulnerability with a CVSS base score of 8.2. The flaw can be exploited in a denial-of-service attack. CVE-2023-6548 is a medium-severity code injection vulnerability with a CVSS base score of 5.5, which can be exploited to achieve remote code execution. In order to exploit the latter, an attacker would need to be authenticated but only requires low-level privileges.

The vulnerabilities are far less severe than CitrixBleed, nonetheless, customers have been advised to promptly apply the patches as the vulnerabilities are under active exploitation. Proof-of-concept exploit code is not believed to have been publicly released but that is likely to happen soon and exploitation will increase considerably.

The vulnerabilities are present in the following NetScaler ADC and NetScaler Gateway versions:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302

Citrix has released patches to fix both vulnerabilities and has suggested a workaround if that is not possible.

The post Citrix Patches 2 Actively Exploited NetScaler ADC and Gateway Zero Days appeared first on HIPAA Journal.

December 2023 Healthcare Data Breach Report

Posted by Steve Alder

There was no letup in healthcare data breaches as the year drew to a close, with December seeing the second-highest number of data breaches of the year. The Department of Health and Human Services (HHS) Office for Civil Rights received 74 reports of healthcare data breaches of 500 or more records in December, which helped make 2023 a record-breaking year for healthcare data breaches. While there may still be some late additions to the list, as of January 18, 2023, 725 data breaches of 500 or more healthcare records have been reported to OCR in 2023 – The highest number since OCR started publishing records of data breaches on its “Wall of Shame.” To add some perspective, that is more than twice the number of data breaches that were reported in 2017.

It is not just the number of data breaches that is concerning. Healthcare data breaches have been increasing in severity and there have been ransomware attacks that have seen patients contacted and threatened directly with the exposure of their sensitive health data. Many of the data breaches reported in 2023 have been on a colossal scale, with December no exception with two multi-million-record data breaches reported.

Since 2009, when OCR created its Wall of Shame, the number of breached records has been trending upwards, but even the most pessimistic of security professionals would not have predicted at the start of 2023 that there would be such a massive rise in breached records. 2021 was a bad year with 45.9 million records breached, and 2022 was worse with 51.9 million breached records, but in 2023, an astonishing 133 million records were exposed or stolen. On January 18, 2023, the OCR breach portal showed 133,068,542 individuals had their protected health information exposed or stolen in 2023.

We will explore the year’s data breaches in greater detail and make predictions for the coming year in posts over the next few days but first, let’s take a dive into December’s data breaches to see where and how 11,306,411 healthcare records were breached.

The Biggest Healthcare Data Breaches in December 2023

Two of the largest data breaches of 2023 were reported in December, the largest of which occurred at the New Jersey-based analytics software vendor, HealthEC. Hackers gained access to a system used by more than 1 million healthcare professionals to improve patient outcomes. The platform contained the protected health information of 4,452,782 individuals. The data breach was the second in as many months to result in the exposure of the health data of more than 1 million Michigan residents, prompting the Michigan Attorney General to call for new legislation to hold companies accountable for breaches of healthcare data.

A 2.7 million-record data breach was reported by another business associate, ESO Solutions. ESO Solutions is a provider of software solutions for hospitals, health systems, EMS agencies, and fire departments, and had its network breached and files encrypted with ransomware. At least 12 health systems and hospitals are known to have been affected.

More than 900,000 records were obtained by hackers who gained access to an archive of data from the now defunct Fallon Ambulance Services, which was being stored to meet data retention requirements by Transformative Healthcare, and a cyberattack on Electrostim Medical Services exposed the data of almost 543,000 patients.

It has now been 7 months since the Clop hacking group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution and data breach reports continue to be issued. More than 2,600 organizations worldwide had data stolen in the attacks, with the healthcare industry among the worst affected.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Data Breach
HealthEC LLC NJ Business Associate 4,452,782 Hacking incident (Data theft confirmed)
ESO Solutions, Inc. TX Business Associate 2,700,000 Ransomware attack
Transformative Healthcare (Fallon Ambulance Services) MA Healthcare Provider 911,757 Hacking incident (Data theft confirmed)
Electrostim Medical Services, Inc. dba EMSI FL Healthcare Provider 542,990 Hacking incident
Cardiovascular Consultants Ltd. AZ Healthcare Provider 484,000 Ransomware attack (Data theft confirmed)
Retina Group of Washington, PLLC MD Healthcare Provider 455,935 Ransomware attack
CompleteCare Health Network NJ Healthcare Provider 313,973 Ransomware attack (Data theft confirmed)
Health Alliance Hospital Mary’s Avenue Campus NY Healthcare Provider 264,197 Hacking incident (Data theft confirmed)
Independent Living Systems, LLC FL Business Associate 123,651 Hacking incident (MOVEit)
Pan-American Life Insurance Group, Inc. LA Health Plan 105,387 Hacking incident (MOVEit)
Meridian Behavioral Healthcare, Inc. FL Healthcare Provider 98,808 Hacking incident
Mercy Medical Center IA Healthcare Provider 97,132 Hacking incident at business associate (PJ&A)
Pan-American Life Insurance Group, Inc. LA Business Associate 94,807 Hacking incident (MOVEit)
Regional Family Medicine AR Healthcare Provider 80,166 Hacking incident
HMG Healthcare, LLC TX Healthcare Provider 80,000 Hacking Incident (Data theft confirmed)
Heart of Texas Behavioral Health Network TX Healthcare Provider 63,776 Hacking incident
Kent County Community Mental Health Authority d/b/a Network180 MI Healthcare Provider 59,334 Unauthorized email account access
Highlands Oncology Group PA AR Healthcare Provider 55,297 Ransomware attack
Southeastern Orthopaedic Specialists, PA NC Healthcare Provider 35,533 Ransomware attack (Data theft confirmed)
Eye Physicians of Central Florida, PLLC, a division of Florida Pediatric Associates, LLC FL Healthcare Provider 31,189 Hacking incident (Data theft confirmed)
Clay County Social Services MN Business Associate 22,005 Ransomware attack (Data theft confirmed)
Bellin Health WI Healthcare Provider 20,790 Hacking incident
Neuromusculoskeletal Center of the Cascades, PC OR Healthcare Provider 19,373 Unauthorized email account access
Independent Living Systems, LLC FL Healthcare Provider 19,303 Hacking incident (MOVEit)
Community Memorial Healthcare, Inc. KS Healthcare Provider 14,798 Hacking incident
VNS Choice dba VNS Health Health Plans NY Health Plan 13,584 Unauthorized email account access
Hi-School Pharmacy WA Healthcare Provider 12,779 Ransomware attack

Many HIPAA-regulated entities keep information to the bare minimum in their breach reports, which allows them to meet legal requirements for breach reporting while minimizing the risk of disclosing information that could be used against them in class action lawsuits. The problem with this minimalistic breach reporting is the victims of the breach are not given enough information to accurately assess the risk they face, and the lack of transparency in data breach reporting makes it difficult to accurately assess how hackers are gaining access to healthcare networks and the nature of the attacks.

This is especially true for ransomware attacks and data theft/extortion attacks. Several breaches have been reported as hacking incidents where a possibility of unauthorized access to or theft of patient data, when the threat actors behind the attacks have claimed responsibility and have added the breached entity to their data leak sites. This trend has grown throughout the year.

December 2023 Data Breach Causes and Data Locations

All of December’s data breaches of 10,000 or more records were hacking incidents, which accounted for 83.78% of the month’s 74 data breaches (62 incidents) and 99.79% of the month’s breached healthcare records (11,283,128 records). The average breach size was 181,986 records and the median breach size was 6,728 records. In 2009, hacking incidents accounted for 49% of all data breaches of 500 or more records. In 2023, hacking incidents accounted for 79.72% of all large data breaches. Something clearly needs to be done to improve resiliency to hacking and there are signs of action being taken at the state and federal level.

In December 2023, OCR published its Healthcare Sector Cybersecurity Strategy which details several steps that OCR plans to take to improve cyber resiliency in the healthcare sector and patient safety. The extent to which these plans will be made a reality will depend on Congress making the necessary funding available. OCR is planning a much-needed update to the HIPAA Security Rule in 2024 and has stated that it will establish voluntary cybersecurity goals for the healthcare sector. OCR will be working with Congress to provide financial assistance for domestic investments in cybersecurity to help cover the initial cost. The New York Attorney General has also announced that there will be new cybersecurity requirements for hospitals in the state after a significant increase in cyberattacks, and that funds have been made available to help low-resource hospitals make the necessary improvements.

There were 8 data breaches classified as unauthorized access/disclosure incidents, involving 14,998 healthcare records. The average breach size was 1,875 records and the median breach size was 1,427 records. There were four loss/theft incidents reported in December, two of which involved stolen paperwork and two involved the loss of electronic devices, with the latter preventable if encryption had been used. 8,285 records were lost across these incidents.

The most common location of breached healthcare data was network services, which is unsurprising given the large number of hacking incidents. 14 data breaches involved protected health information stored in email accounts, three of which resulted in the exposure of more than 10,000 records.

Where did the Data Breaches Occur?

The raw data from the OCR data breach portal shows healthcare providers were the worst affected entity in December with 49 reported breaches of 500 or more records, followed by business associates with 13 breaches, health pans with 11, and a single breach at a healthcare clearinghouse. While healthcare providers suffered the most breaches, it was data breaches at business associates that exposed the most records. Across the 13 business associate-reported breaches, 7,416,567 records were breached, compared to 3,730,791 records in the 49 breaches at healthcare providers. The health plan breaches exposed 156,479 records and 2,574 records were exposed in the healthcare clearinghouse data breach.

These figures do not tell the full story, as the reporting entity may not be the entity that suffered the data breach. Many data breaches occur at business associates of HIPAA-covered entities but are reported to OCR by the covered entity rather than the business associate. A deeper dive into the data to determine where the breach actually occurred reveals there were 24 data breaches at business associates (7,544,504 records), 43 data breaches at healthcare providers (3,616,078 records), 6 data breaches at health plans (143,255 records), and one breach at a healthcare clearinghouse (2,574 records).

The average size of a business associate data breach was 314,354 records (median: 2,749 records), the average size of a healthcare provider data breach was 84,095 records (median: 5,809 records), and the average health plan data breach was 23,876 records (median: 7,695 records). The chart below shows where the data breaches occurred rather than the reporting entity.

Geographical Distribution of Healthcare Data Breaches

HIPAA-regulated entities in 32 states reported data breaches of 500 or more records in December. California was the worst affected state with 85 large data breaches followed by New York and Texas with 7 reported breaches.

State Number of Breaches
California 8
New York & Texas 7
Florida 6
Massachusetts 4
New Jersey, Tennessee & Wisconsin 3
Arkansas, Connecticut, Illinois, Kansas, Kentucky, Louisiana, Maryland, North Carolina & Washington 2
Alaska, Arizona, Colorado, Iowa, Michigan, Minnesota, Mississippi, Missouri, Montana, New Mexico, North Dakota, Oregon, South Carolina, Virginia & West Virginia 1

HIPAA Enforcement in December 2023

OCR announced two enforcement actions against healthcare providers in December to resolve alleged violations of the HIPAA Rules. OCR continued its enforcement initiative targeting noncompliance with the HIPAA Right of Access with its 46th enforcement action over the failure to provide individuals with timely access to their medical records. Optum Medical Care of New Jersey settled its investigation and agreed to pay a financial penalty of $160,000 to resolve allegations that patients had to wait between 84 days and 231 days to receive their requested records when they should have been provided within 30 days.

OCR also announced its first-ever settlement resulting from an investigation of a phishing attack. Lafourche Medical Group in Louisiana suffered a phishing attack that resulted in the exposure of the protected health information of almost 35,000 individuals. While phishing attacks are not HIPAA violations, OCR’s investigation uncovered multiple violations of the HIPAA Security Rule, including no risk analyses prior to the 2021 phishing attack, and no procedures to regularly review logs of system activity before the attack. Lafourche Medical Group chose to settle the investigation and paid a $480,000 penalty.

These two enforcement actions bring the total number of OCR enforcement actions involving financial penalties up to 13, the lowest annual total since 2019, although there was a slight increase in funds raised from these enforcement actions with $4,176,500 collected in fines. OCR is pushing Congress to increase the penalties for HIPAA violations to make penalties more of a deterrent and also to provide much-needed funding to allow OCR to clear the backlog of HIPAA compliance investigations, in particular investigations of hacking incidents. Currently, OCR’s hands are tied, as the department’s budget has remained the same for years, aside from annual increases for inflation, yet its caseload of breach investigations has soared.

HIPAA Enforcement by State Attorneys General

State attorneys general have the authority to enforce HIPAA compliance and 2023 saw an increase in enforcement actions. The HIPAA Journal has tracked 16 enforcement actions by state attorneys general in 2023 that resolved violations of HIPAA or equivalent state consumer protection and data breach notification laws. In December, three enforcement actions were announced, two by New York Attorney General Letitia James and one by Indiana Attorney General Todd Rokita. New York has been particularly active this year having announced 4 settlements to resolve HIPAA violations in 2023 and the state also participated in two multi-state actions.

In December, AG James announced a settlement had been reached with Healthplex to resolve alleged violations of New York’s data security and consumer protection laws with respect to data retention, logging, MFA, and data security assessments which contributed to a cyberattack and data breach that affected 89,955 individuals. The case was settled for $400,000. AG James also investigated New York Presbyterian Hospital over a reported breach of the health information of 54,396 individuals related to its use of tracking technologies on its website, which sent patient data to third parties such as Meta and Google in violation of the HIPAA Privacy Rule and New York Executive Law. The case was settled for $300,000.

The Indiana Attorney General investigated CarePointe ENT over a breach of the health information of 48,742 individuals. AG Rokita alleged that CarePointe ENT was aware of security issues several months before they were exploited by cybercriminals but did not address them in a timely manner. There was also no business associate agreement with its IT services provider. The investigation was settled for $125,000.

The data for this report was obtained from the U.S. Department of Health and Human Services’ Office for Civil Rights on January 18, 2023.

The post December 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

Multiple Threat Groups Exploiting Ivanti VPN/NAS Zero-Days

Posted by Steve Alder

Urgent action is required to fix two zero day flaws in Ivanti Connect Secure VPN and Policy Secure NAS appliances. The vulnerabilities were discovered by researchers at Volexity and were disclosed by Avanti last week. While they have been exploited in the wild since December 2023 by an Advanced Persistent Threat group, the attacks have been highly targeted and at the time of the disclosure, fewer than 20 customers had been attacked but the situation has now changed. On January 11, 2023, multiple threat actors started mass exploiting the flaws in indiscriminate attacks on businesses of all sizes across multiple sectors.

Ivanti will be releasing patches to fix the flaws starting in the week of January 22, 2024, and final patches will be released in the week of February 19, 2024; however, there is a workaround that can prevent exploitation of the flaws until the patches are released Any HIPAA-regulated entity that uses one of the vulnerable products should ensure that the workaround is implemented immediately given the extent to which the flaws are being exploited.

The vulnerabilities are CVE-2023-46805, an authentication bypass flaw (CVSS 8.2) that is present in of Ivanti ICS 9.x, 22.x and Ivanti Policy Secure, and CVE-2024-21887, a command injection vulnerability (CVSS 9.1) in Ivanti Connect Secure 9.x, 22.x and Ivanti Policy Secure. The authentication bypass flaw allows an unauthenticated remote attacker to bypass security controls and access restricted resources, and the command injection flaw allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.

The initial attacks were conducted by an unknown APT group that downloaded malware tool kits for espionage purposes. The latter attacks have been conducted by multiple threat actors. One actor has already attacked hundreds of appliances and backdoored targets’ systems using a GIFTEDVISITOR webshell variant. According to Volexity, as of January 14, 2023, more than 1,700 ICS VPN appliances had been compromised with the webshell.

In addition to applying the mitigation measures, customers have been advised to run the Ivanti Integrity Checker Tool to identify signs of compromise.

The post Multiple Threat Groups Exploiting Ivanti VPN/NAS Zero-Days appeared first on HIPAA Journal.

At Least 141 Were Hospitals Directly Affected by Ransomware Attacks in 2023

Posted by Steve Alder

Last year was a particularly bad year for ransomware attacks. According to an analysis by the cybersecurity firm Emsisoft, 46 hospital systems suffered ransomware attacks in 2023, up from 25 in 2022 and 27 in 2021. Across those 46 attacks, at least 141 hospitals were directly affected and experienced disruption due to the lack of access to IT systems and patient data.

It is difficult to accurately report on ransomware attacks in the healthcare sector, as many victims fail to disclose whether ransomware was used. Breach notification letters to the affected individuals and state Attorneys General often describe ransomware attacks as cyberattacks, unauthorized access, hacking incidents, security incidents, or encryption events, and as such, the number of attacks experienced in the sector is likely to be significantly understated. Emsisoft’s State of Ransomware in the U.S.: Report and Statistics 2023 reveals 2,207 U.S. hospitals, schools, and governments were directly impacted by ransomware in 2023 and many others were indirectly impacted via attacks on their supply chains.

Without access to patient records and essential IT systems, hospitals are often forced to put their emergency departments on redirect, with ambulances sent to neighboring healthcare facilities. Other hospitals in the region are placed under an increased strain due to the sharp increase in the number of patients, and the resource constraints caused by the increase in patients has a negative impact on time-sensitive conditions such as acute stroke.

The outages caused by these attacks mean scheduled appointments often need to be canceled and rescheduled and bottlenecks occur with lab testing and radiology, resulting in delays to diagnosis and treatment, longer patient stays, a slowing of patient throughput, and the disruption inevitably results in poorer patient outcomes. While there have been no reported deaths in the United States as a direct result of ransomware attacks, studies have shown that following a ransomware attack, there is an increase in medical complications and mortality rates. One study, conducted by McGlave, Neprash, and Nikpay of the University of Minnesota School of Public Health, found that in-hospital mortality for patients already admitted at the time of a ransomware attack increased. The attacks also caused a 17%-25% reduction in hospital volume during the initial attack week, and they estimated that between 2016 and 2021, ransomware attacks killed between 42 and 67 Medicare patients.

These attacks naturally have a significant financial impact. According to the Verizon Cost of a Data Breach Report, the average cost of a healthcare data breach increased to its highest ever level in 2023, costing an average of $11 million, a 53% increase since 2020. Emsisoft said 32 of the 46 attacks on health systems resulted in sensitive data, including protected health information, being stolen.

The average ransom payment in 2028 was $5,000, but by 2023 the average payment increased by 29,900% to around $1.5 million. The increased profits from ransomware attacks allow ransomware groups to scale their operations, pay initial access brokers, and purchase zero-days, which means even more attacks can be conducted. Fewer victims are now paying ransoms which means ransom demands need to increase to make up for the shortfall. Some ransomware groups have also started engaging in more aggressive tactics, such as contacting patients and demanding payment. Some attacks on plastic surgery centers have resulted in intimate images being publicly posted and patients being told they needed to pay to have those images removed from the Internet. One group contacted individual patients and threatened them with the release of their sensitive data and demanded $50 per patient to delete their data.

Many ransomware groups operate out of countries that turn a blind eye to the attacks, and some nation states are thought to use ransomware groups as proxies. While international law enforcement operations have successfully disrupted some ransomware groups, the individuals involved are rarely brought to justice. With so much money involved and a low risk of being caught, attacks are unlikely to reduce and may even continue to increase. The solution suggested by Emsisoft and many other experts is simple. Since ransomware attacks are conducted by financially motivated threat actors, making attacks unprofitable is the easiest way of tackling the problem. Governments should therefore ban ransom payments and cut off this very lucrative income stream.

“Current counter-ransomware strategies amount to little more than building speed bumps and whacking moles. The reality is that we’re not going to defend our way out of this situation, and we’re not going to police our way out of it either. For as long as ransomware payments remain lawful, cybercriminals will do whatever it takes to collect them,” said Emsisoft Threat Analyst, Brett Callow. “The only solution is to financially disincentivize attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work.”

The post At Least 141 Were Hospitals Directly Affected by Ransomware Attacks in 2023 appeared first on HIPAA Journal.

November 2023 Healthcare Data Breach Report

Posted by Steve Alder

After two months of declining healthcare data breaches, there was a 45% increase in reported breaches of 500 or more healthcare records. In November, 61 large data breaches were reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) – three more than the monthly average for 2023. From January 1, 2023, through November 30, 2023, 640 large data breaches have been reported.

In addition to an increase in data breaches, there was a massive increase in the number of breached records. 22,077,489 healthcare records were exposed or compromised across those 61 incidents – a 508% increase from October. November was the second-worst month of the year in terms of breached records behind July, when 24 million healthcare records were reported as breached. There is still a month of reporting left but 2023 is already the worst-ever year for breached healthcare records. From January 1, 2023, through November 30, 2023, 115,705,433 healthcare records have been exposed or compromised – more than the combined total for 2021 and 2022.

Largest Healthcare Data Breaches in November 2023

November was a particularly bad month for large data breaches, with 28 breaches of 10,000 or more records, including two breaches of more than 8 million records. Two of the breaches reported in November rank in the top ten breaches of all time and both occurred at business associates of HIPAA-covered entities. The largest breach occurred at Perry Johnson & Associates, Inc. (PJ&A) a provider of medical transcription services. The PJ&A data breach was reported to OCR as affecting 8,952,212 individuals, although the total is higher, as some of its clients have chosen to report the breach themselves. Hackers had access to the PJ&A network for more than a month between March and May 2023.

The second-largest breach was reported by Welltok, Inc. as affecting 8,493,379 individuals. Welltok works with health plans and manages communications with their subscribers. The Welltok data breach is one of many 2023 data breaches involving the exploitation of a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution by the Clop hacking group. Globally, more than 2,615 organizations had the vulnerability exploited and data stolen.

A further three data breaches were reported that involved the protected health information of more than 500,000 individuals. Sutter Health was also one of the victims of the mass hacking of the MOVEit vulnerability and had the data of 845,441 individuals stolen, as did Blue Shield of California (636,848 records). In both cases, the MOVEit tool was used by business associates of those entities. East River Medical Imaging in New York experienced a cyberattack that saw its network breached for three weeks between October and September 2023, during which time the hackers exfiltrated files containing the PHI of 605,809 individuals. All 28 of these large data breaches were hacking incidents that saw unauthorized access to network servers.

Name of Covered Entity State Covered Entity Type Individuals Affected Cause of Breach
Perry Johnson & Associates, Inc., which does business as PJ&A NV Business Associate 8,952,212 Hacking and data theft incident
Welltok, Inc. CO Business Associate 8,493,379 Hacking incident (MOVEit Transfer)
Sutter Health CA Healthcare Provider 845,441 Hacking incident at business associate (MOVEit Transfer)
California Physicians’ Service d/b/a Blue Shield of California CA Health Plan 636,848 Hacking incident at business associate (MOVEit Transfer)
East River Medical Imaging, PC NY Healthcare Provider 605,809 Hacking and data theft incident
State of Maine ME Health Plan 453,894 Hacking incident (MOVEit Transfer)
Proliance Surgeons WA Healthcare Provider 437,392 Ransomware attack
Medical Eye Services, Inc. NY Business Associate 377,931 Hacking incident (MOVEit Transfer)
Medical College of Wisconsin WI Healthcare Provider 240,667 Hacking incident (MOVEit Transfer)
Warren General Hospital PA Healthcare Provider 168,921 Hacking and data theft incident
Financial Asset Management Systems (“FAMS”) GA Business Associate 164,796 Ransomware attack
Morrison Community Hospital District IL Healthcare Provider 122,488 Ransomware attack (BlackCat)
South Austin Health Imaging LLC dba Longhorn Imaging Center TX Healthcare Provider 100,643 Hacking and data theft incident (SiegedSec threat group)
Mulkay Cardiology Consultants at Holy Name Medical Center, P.C. NJ Healthcare Provider 79,582 Ransomware attack (NoEscape)
International Paper Company Group Health and Welfare Plan (the “IP Plan”) TN Health Plan 78,692 Hacking incident at business associate (MOVEit Transfer)
CBIZ KA Consulting Services, LLC NJ Business Associate 30,806 Hacking incident (MOVEit Transfer)
Endocrine and Psychiatry Center TX Healthcare Provider 28,531 Hacking and data theft incident
Blue Shield of California OR Blue Shield of California Promise Health Plan CA Business Associate 26,523 Hacking incident at business associate (MOVEit Transfer)
Wyoming County Community Health System NY Healthcare Provider 26,000 Hacking and data theft incident
Westat, Inc. MD Business Associate 20,045 Hacking incident (MOVEit Transfer)
Psychiatry Associates of Kansas City KS Healthcare Provider 18,255 Hacking and data theft incident
Southwest Behavioral Health Center UT Healthcare Provider 17,147 Hacking and data theft incident
TGI Direct, Inc. MI Business Associate 16,113 Hacking incident (MOVEit Transfer)
Pharmacy Group of Mississippi, LLC MS Healthcare Provider 13,129 Hacking and data theft incident
U.S. Drug Mart, Inc. TX Healthcare Provider 13,016 Hacking and data theft incident at business associate
Catholic Charities of the Diocese of Rockville Centre d/b/a Catholic Charities of Long Island NY Healthcare Provider 13,000 Hacking and data theft incident
Foursquare Healthcare, Ltd. TX Healthcare Provider 10,890 Ransomware attack
Saisystems International, Inc. CT Business Associate 10,063 Hacking and data theft incident

November 2023 Data Breach Causes and Data Locations

Many of the month’s breaches involved the mass hacking of a vulnerability in the MOVEit Transfer solution by the Clop threat group. MOVEit data breaches continue to be reported, despite the attacks occurring in late May. According to the cybersecurity firm Emsisoft, at least 2,620 organizations were affected by these breaches, and 77.2 million records were stolen. 78.1% of the affected organizations are based in the United States.  Progress Software is currently being investigated by the U.S. Securities and Exchange Commission over the breach. Hacking/ransomware attacks accounted for 88.52% of the month’s data breaches (54 incidents) and 99.94% of the breached records (22,064,623 records). The average data breach size was 408,604 records and the median breach size was 10,477 records.

Ransomware gangs continue to target the healthcare industry, and in November several ransomware groups listed stolen healthcare data on their leak sites including NoEscape and BlackCat. Many hacking groups choose not to use ransomware and instead just steal data and threaten to sell or publish the data if the ransom is not paid, such as Hunter’s International and SiegedSec. Since there is little risk of ransomware actors being apprehended and brought to justice, the attacks are likely to continue. OCR is planning to make it harder for cyber actors to succeed by introducing new cybersecurity requirements for healthcare organizations. These new cybersecurity requirements will be voluntary initially but will later be enforced. New York has also announced that stricter cybersecurity requirements for hospitals will be introduced in the state, and financial assistance will be offered.

There were 6 data breaches classified as unauthorized access/disclosure incidents, across which 10,371 records were impermissibly accessed by or disclosed to unauthorized individuals. The average data breach size was 1,481 records and the median breach size was 1,481 records. There was one reported incident involving the theft of paperwork that contained the protected health information of 2,495 individuals. For the second consecutive month, there were no reported loss or improper disposal incidents. The most common location of breached PHI was network servers, which accounted for 77% of all incidents. 10 incidents involved PHI stored in email accounts.

Where did the Data Breaches Occur?

The OCR data breach portal shows healthcare providers were the worst affected HIPAA-regulated entity in November, with 42 reported data breaches. There were 13 data breaches reported by business associates and 6 data breaches reported by health plans. The problem with these figures is they do not accurately reflect where the data breaches occurred. When a business associate experiences a data breach, they may report it to OCR, the affected covered entities may report the breach or a combination of the two. As such, the raw data often does not accurately reflect the number of data breaches occurring at business associates of HIPAA-covered entities. The data used to compile the charts below has been adjusted to show where the data breach occurred rather than the entity that reported the breach.

Geographical Distribution of Healthcare Data Breaches

Data breaches were reported by HIPAA-regulated entities in 28 states. California was the worst affected state with 8 reported breaches, followed by New York with 6.

State Number of Breaches
California 8
New York 6
Illinois & Texas 5
Connecticut, Florida, Georgia, Indiana, Iowa, Kansas, Maine, Michigan, Minnesota, New Jersey, Oregon, South Carolina & Washington 2
Arizona, Colorado, Maryland, Massachusetts, Mississippi, Nevada, Ohio, Pennsylvania, Tennessee, Utah & Wisconsin 1

HIPAA Enforcement Activity in November 2023

OCR announced one enforcement action in November. A settlement was agreed with St. Joseph’s Medical Center to resolve allegations of an impermissible disclosure of patient information to a reporter. OCR launched an investigation following the publication of an article by an Associated Press reporter who had been allowed to observe three patients who were being treated for COVID-19. The article included photographs and information about the patients and was circulated nationally. OCR determined that the patients had not provided their consent through HIPAA authorizations, therefore the disclosures violated the HIPAA Privacy Rule. St. Joseph Medical Center settled the alleged violations and paid an $80,000 financial penalty.

HIPAA is primarily enforced by OCR although State Attorneys General may also investigate HIPAA-regulated entities and they also have the authority to issue fines for HIPAA violations. In November, one settlement was announced by the New York Attorney General to resolve alleged violations of HIPAA and state laws. U.S. Radiology Specialists Inc. was investigated over a breach of the personal and protected health information of 198,260 individuals, including 95,540 New York Residents. The New York Attorney General’s investigation determined that U.S. Radiology Specialists was aware that vulnerabilities existed but failed to address those vulnerabilities in a timely manner. Some of those vulnerabilities were exploited by cyber actors in a ransomware attack. U.S. Radiology Specialists agreed to pay a $450,000 financial penalty and ensure full compliance with HIPAA and state laws.

The post November 2023 Healthcare Data Breach Report appeared first on HIPAA Journal.

ALPHV/BlackCat Claims Healthcare Restrictions Removed for Affiliates

Posted by Steve Alder

In response to the law enforcement operation that resulted in the seizure of its websites, the ALPHV/BlackCat ransomware group has removed virtually all restrictions on affiliates and said discounts and extensions have stopped, and patient data will now be published on its leak site.

The Department of Justice (DoJ) recently announced that the Federal Bureau of Investigation was able to gain access to the infrastructure of the ALPHV/BlackCat ransomware group, which allowed it to seize the websites used for communication, data leaks, and negotiations and obtain the decryption keys to help around 500 victims recover from attacks. The decryption tool developed by the FBI has saved around $68 million in ransom payments, according to the DoJ.

According to the search warrant, the FBI engaged with a confidential human source (CHS) to sign up to become an affiliate of the group. After an interview with the operators, the CHS was provided with credentials to access the backend affiliate portal, thus giving the FBI access to the portal. The FBI was able to obtain 946 public/private key pairs for the group’s Tor sites that were used to host victim communication sites, leak sites, and affiliate panels.

Updated ALPHV/BlackCat Cybersecurity Advisory Published

A joint cybersecurity advisory has been issued by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) that updates its April 2022 advisory about ALPHV. The latest advisory includes updated information on the tactics, techniques, and procedures (TTPs) associated with the group and Indicators of Compromise (IoCs) from FBI investigations as recently as December 6, 2023. Healthcare organizations are strongly advised to implement the recommended mitigations as while the law enforcement operation was a success and caused disruption, the ALPHV group claims it is still operational. Based on its response, the group has now decided to play hardball.

ALPHV Responds by Removing Restrictions

ALPHV is also able to access its sites and responded with an update of its own, stating on its leak site that the website has been unseized. The group provided its side of the story, claiming that the FBI only gained access to the decryption keys from the previous month and a half – around 400 victims. The group said it has attacked more than 3,000 companies and that as a result of the FBI’s actions, the decryption keys for those will never be released.

In the angry message, the group said it has now removed all but one of the restrictions for affiliates. Affiliates will still not be permitted to conduct any attacks on targets in the Commonwealth of Independent States, but all other restrictions have been removed. “You can now block hospitals, nuclear power plants, anything and anywhere,” wrote the group. In the post, ALPHV said it will no longer offer discounts on ransom demands, will not provide any time extensions, and that if patient data is stolen, it will no longer be removed and will be uploaded to its data leak site. The group also claimed it will always notify the SEC and the HHS in the event of no initial contact.

A rebrand may still be on the cards, but based on the response, the group is still operational and now plans to be even more vindictive. ALPH said if victims do not make contact before they are added to its blog, stolen data will be leaked and the families of executive teams and employees will be harassed – “even your young children are not exempt,” wrote ALPHV.

The post ALPHV/BlackCat Claims Healthcare Restrictions Removed for Affiliates appeared first on HIPAA Journal.

Feds Share Threat Intelligence on Play Ransomware Operation

Posted by Steve Alder

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) about Play ransomware, aka Playcrypt. Play ransomware is believed to be a closed group rather than a ransomware-as-a-service operation and has been active since June 2022. The Play ransomware group engages in double extortion tactics, exfiltrating sensitive data before encrypting files. The stolen data is used as leverage to get victims to pay the ransom. Victims are required to contact the group via email to find out how much they must pay to prevent the release of stolen data on the group’s data leak site and to obtain the keys to decrypt data.

From June 2022 until October 2023, the Play ransomware group is known to have conducted at least 300 attacks on organizations around the world, including critical infrastructure in the United States. An analysis of the operation by Trend Micro in July 2023 found that 13.9% of victims of Play ransomware attacks were in the healthcare sector, with most attacks conducted on organizations in the United States. The group uses a variety of methods to gain initial access to victims’ networks, including abusing valid accounts and exploiting vulnerabilities in public-facing applications. The group has previously exploited vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and the ProxyNotShell vulnerabilities in Microsoft Exchange (CVE-2022-41040 and CVE-2022-41082), and in some attacks has used Remote Desktop Protocol and VPNs for initial access. Once initial access has been gained, the group uses tools such as Cobalt Strike, PsExec, and SystemBC for file execution and lateral movement, Mimikatz for credential theft, and WinSCP for data exfiltration.

The cybersecurity alert includes details of the MITRE ATT&CK tactics and techniques used by the group, Indicators of Compromise (IoCs) from attacks as recent as October 2023, and recommended mitigations for hardening defenses. These include implementing multifactor authentication, keeping software, operating systems, and firmware up to date, segmenting networks to hamper attempts at lateral movement, filtering network traffic, disabling unused ports, and regularly conducting reviews of logs of systems activity and audits of user accounts.

The post Feds Share Threat Intelligence on Play Ransomware Operation appeared first on HIPAA Journal.

Feds Share Threat Intelligence on Play Ransomware Operation

Posted by Steve Alder

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) about Play ransomware, aka Playcrypt. Play ransomware is believed to be a closed group rather than a ransomware-as-a-service operation and has been active since June 2022. The Play ransomware group engages in double extortion tactics, exfiltrating sensitive data before encrypting files. The stolen data is used as leverage to get victims to pay the ransom. Victims are required to contact the group via email to find out how much they must pay to prevent the release of stolen data on the group’s data leak site and to obtain the keys to decrypt data.

From June 2022 until October 2023, the Play ransomware group is known to have conducted at least 300 attacks on organizations around the world, including critical infrastructure in the United States. An analysis of the operation by Trend Micro in July 2023 found that 13.9% of victims of Play ransomware attacks were in the healthcare sector, with most attacks conducted on organizations in the United States. The group uses a variety of methods to gain initial access to victims’ networks, including abusing valid accounts and exploiting vulnerabilities in public-facing applications. The group has previously exploited vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and the ProxyNotShell vulnerabilities in Microsoft Exchange (CVE-2022-41040 and CVE-2022-41082), and in some attacks has used Remote Desktop Protocol and VPNs for initial access. Once initial access has been gained, the group uses tools such as Cobalt Strike, PsExec, and SystemBC for file execution and lateral movement, Mimikatz for credential theft, and WinSCP for data exfiltration.

The cybersecurity alert includes details of the MITRE ATT&CK tactics and techniques used by the group, Indicators of Compromise (IoCs) from attacks as recent as October 2023, and recommended mitigations for hardening defenses. These include implementing multifactor authentication, keeping software, operating systems, and firmware up to date, segmenting networks to hamper attempts at lateral movement, filtering network traffic, disabling unused ports, and regularly conducting reviews of logs of systems activity and audits of user accounts.

The post Feds Share Threat Intelligence on Play Ransomware Operation appeared first on HIPAA Journal.

ALPHV/BlackCat Ransomware Operation Disrupted by FBI

Posted by Steve Alder

The ALPHV/BlackCat ransomware group has been disrupted by the Federal Bureau of Investigation, in partnership with Europol and law enforcement agencies in Denmark, Germany, Australia, Spain, Austria, the Netherlands, and the United Kingdom, in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.

ALPHV/BlackCat ransomware group first emerged in November 2021 and became one of the most prolific ransomware groups of recent years, second only to the LockBit ransomware group. ALPHV/BlackCat is a ransomware-as-a-service operation that uses affiliates to conduct attacks for a cut of any ransoms they generate. In its 2 years of operation, the group has claimed more than 1,000 victims worldwide and has collected hundreds of millions of dollars in ransom payments.

In early December 2023, the group’s Tor negotiation and data leak sites were taken offline which led to several security researchers suggesting that the group may have been the subject of a law enforcement operation, although a spokesperson for the group refuted those claims and said the websites were down due to a hosting issue. However, the U.S. Department of Justice (DoJ) has now confirmed that the outage was due to a law enforcement operation that saw the FBI successfully gain access to ALPHV’s infrastructure.

The law enforcement operation has been ongoing for several months. After breaching the servers, the FBI silently monitored operations and was able to obtain decryption keys, which allowed the FBI to develop a decryption tool that has helped more than 500 ALPHV victims decrypt their data without paying the ransom. According to the DoJ, the decryption tool has prevented the payment of around $68 million in ransom payments. The FBI was also able to seize the ALPHV data leak site, which now displays a banner stating the domain has been seized as part of an international law enforcement operation. The FBI obtained 946 public and private key pairs for the group’s affiliate panel, communication sites, and Tor sites that supported its operations.

ALPHV/BlackCat started out under the name DarkSide in the summer of 2020 and was behind the ransomware attack on Colonial Pipeline in May 2021. The high-profile attack on a U.S. critical infrastructure organization attracted considerable attention from law enforcement, and the group promptly shut down its operation and reformed under the name BlackMatter. In June 2021, the Department of Justice announced that it had seized $2.3 million in cryptocurrency from the DarkSide affiliate responsible for the attack. The BlackMatter operation was short-lived and was shut down in November 2021 after a decryptor was developed and law enforcement seized its servers; and was immediately replaced with ALPHV/BlackCat, which has been highly active until the recent takedown.

“Today’s announcement highlights the Justice Department’s ability to take on even the most sophisticated and prolific cybercriminals,” said U.S. Attorney Markenzy Lapointe for the Southern District of Florida. “As a result of our office’s tireless efforts, alongside FBI Miami, U.S. Secret Service, and our foreign law enforcement partners, we have provided Blackcat’s victims, in the Southern District of Florida and around the world, the opportunity to get back on their feet and to fortify their digital defenses. We will continue to focus on holding the people behind the Blackcat ransomware group accountable for their crimes.”

While the law enforcement operation has been successful, the group is likely to rebrand as it has done in the past and continue its attacks under a different name. In the meantime, affiliates that have been working with ALPHV/BlackCat may choose to join other ransomware groups such as LockBit.

The post ALPHV/BlackCat Ransomware Operation Disrupted by FBI appeared first on HIPAA Journal.