Healthcare Cybersecurity

FDA Appoints Kevin Fu as its First Director of Medical Device Security

The U.S. Food and Drug Administration (FDA) has announced the appointment of University of Michigan associate professor Kevin Fu as its first director of medical device security.

Fu will serve a one-year term as acting director of medical device security at the FDA’s Center for Devices and Radiological Health (CDRH) and its recently created Digital Health Center of Excellence, starting on January 1, 2021. He has been tasked with helping “to bridge the gap between medicine and computer science and help manufacturers protect medical devices from digital security threats.”

Fu will help to develop the CDRH cybersecurity programs, public-private partnerships, and premarket vulnerability assessments to ensure the safety of medical devices including insulin pumps, pacemakers, imaging machines, and healthcare IoT devices and protect them against digital security threats.

Fu has considerable experience in the field of medical device cybersecurity. He is chief scientist of the University of Michigan’s Archimedes Center for Medical Device Security, which he founded; he co-founded the healthcare cybersecurity startup Virta Labs with his doctoral students; and he previously served on the National Institute of Standards and Technology’s (NIST) Information Security and Privacy Advisory Board. His research includes software radio attacks on implantable medical devices such as pacemakers and cardiac defibrillators, in which he demonstrated that off-the-shelf radio software could be used to access the devices and intercept their communications. Fu is currently associate professor of electrical engineering and computer science and the Dwight E. Harken Memorial Lecturer, and will retain those University of Michigan roles.

Securing medical devices is a major challenge. Huge numbers of medical devices are now used by hospitals in complex interconnected networks. Many hospitals do not have complete inventories of their devices, and since many run on legacy systems, vulnerabilities can easily go unaddressed. Those vulnerabilities could be exploited by cyber threat actors to cause harm to patients or to gain a foothold in healthcare computer networks.

As Fu explained in an interview recently published on Michigan News, the threat landscape has changed dramatically over the past decade. “Today, there are many more adversaries that are mounting attacks. A decade ago, it was very theoretical. But now you have hundreds of hospitals literally shut down because of ransomware. And new security vulnerabilities are identified in medical device software almost every day,” said Fu. “We need to be vigilant in making sure that all of our medical devices have a basic level of security built in. Medical devices must remain safe and effective despite cybersecurity risks.”

Medical devices need to have privacy and security measures incorporated early in the design process, rather than being bolted on after the devices have been developed. By that time, security flaws have been baked into the devices and they are much harder to address.

Unfortunately, all too often, medical device manufacturers do not seek input from security experts during the design of medical devices and fail to design the devices based on established computer security engineering principles. That is something that needs to change. “You can’t simply sprinkle magic security pixie dust after designing a device,” said Fu.

“Right now, though, I’m focused on medical device safety,” explained Fu. “I’m really looking forward to working at FDA to help build public trust in the safety and effectiveness of medical devices despite the inherent cybersecurity risks.”

The post FDA Appoints Kevin Fu as its First Director of Medical Device Security appeared first on HIPAA Journal.

Global Law Enforcement Action Disrupts NetWalker Ransomware Operation

The U.S. Department of Justice (DOJ) has announced that a dark web website used by the NetWalker ransomware gang has been seized as part of a global action to disrupt the operation and bring the individuals responsible for the file-encrypting extortion attacks to justice.

The action was coordinated by the United States Attorney’s Office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice, with substantial assistance from the Bulgarian National Investigation Service and General Directorate Combating Organized Crime. The announcement came just a few hours after Europol announced an international operation that resulted in the takedown of the Emotet botnet.

The NetWalker ransomware gang is one of around 20 ransomware-as-a-service (RaaS) operations that recruit affiliates to distribute ransomware in return for a cut of the ransom payments they generate. NetWalker started operating in late 2019 and has since proven popular with affiliates, with many attacks conducted. In the first 5 months of the operation the gang is estimated to have generated around $25 million in ransom payments, including the $1.14 million paid by the University of California San Francisco to recover data encrypted in a June 2020 attack. Total ransom payments are believed to exceed $46 million.

The gang has attacked businesses and organizations in a range of different sectors, with the healthcare industry targeted throughout the pandemic. Attacks have also been conducted on schools, colleges, universities, companies, municipalities, and the emergency services.

The investigation into the NetWalker ransomware operation was led by the FBI’s Tampa Field Office and has so far resulted in one arrest. Sebastien Vachon-Desjardins of Gatineau, a Canadian national, has been indicted for his involvement in extortion attacks as an affiliate of the operation. The DOJ alleges Vachon-Desjardins obtained more than $27.6 million in ransom payments since at least April 2020. Vachon-Desjardins is believed to have been responsible, as an affiliate, for hacking networks and deploying ransomware, for which he received 80% of the ransom payments he generated. He is believed to have conducted at least 91 attacks in 8 months. According to a report from Chainalysis, Vachon-Desjardins is also suspected of working with other RaaS operations.

The DOJ said $454,530 in cryptocurrency, paid by three victims of the ransomware attacks, has been seized and Bulgarian law enforcement officials have taken control of a dark web website used by NetWalker ransomware affiliates to communicate with victims and provide instructions for paying ransoms. The website now has a notice explaining the resource is under the control of law enforcement.

The developers of the ransomware are still at large and only one affiliate has been arrested out of more than a dozen, but the action will have caused some disruption to the operation and further arrests may follow.

“We are striking back against the growing threat of ransomware by not only bringing criminal charges against the responsible actors, but also disrupting criminal online infrastructure and, wherever possible, recovering ransom payments extorted from victims,” said Acting Assistant Attorney General Nicholas L. McQuaid of the Justice Department’s Criminal Division.  “Ransomware victims should know that coming forward to law enforcement as soon as possible after an attack can lead to significant results like those achieved in today’s multi-faceted operation.”

Multinational Law Enforcement Operation Takes Down the Emotet Botnet

Europol has announced the notorious Emotet Botnet has been taken down as part of a multinational law enforcement operation. Law enforcement agencies in Europe, the United States, and Canada took control of the Emotet infrastructure, which is comprised of hundreds of servers around the world.

The Emotet botnet was one of the most prolific malware botnets of the last decade, and the Emotet Trojan was arguably the most dangerous malware variant to emerge in recent years. Its operators ran one of the most professional and long-lasting cybercrime services and were among the biggest players in the cybercrime world. Around 30% of all malware attacks involved the Emotet botnet.

The Emotet Trojan was first identified in 2014 and was initially a banking Trojan, but the malware evolved into a much more dangerous threat and became the go-to solution for many cybercriminal operations. The Emotet Trojan acted as a backdoor into computer networks and access was sold to other cybercriminal gangs for data theft, malware distribution, and extortion, which is what made the malware so dangerous. Emotet was used to deliver TrickBot and QakBot, which in turn were used to deliver ransomware variants such as Ryuk, Conti, Egregor, and ProLock.

Once a device was infected with the Emotet Trojan it would be added to the botnet and used to infect other devices. Emotet could spread laterally across networks and hijacked email accounts to send copies of itself to contacts. The Emotet gang took phishing to the next level and their campaigns were highly successful. A wide range of lures were used to maximize the chance of the emails being opened and the malware installed. Emotet also hijacked message threads and inserted itself into email conversations to increase the chance of malicious attachments being opened.
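The thread-hijacking trick described above leaves detectable traces: the “reply” arrives without the threading headers a real mail client would add, the display name belongs to a known contact but the sending address does not, and an Office document rides along. The following is an added example of that check, not Europol’s or HIPAA Journal’s code. Both messages are constructed, and KNOWN_CORRESPONDENTS stands in for the address book or prior-mail index a mail gateway would consult.

```python
"""Heuristic check for a hijacked email thread of the kind the Emotet
campaigns used: a "reply" that quotes a genuine conversation but does not
arrive from the address that conversation was with, and carries an Office
document. Added example; the messages and the known-contact list are constructed."""
from email import message_from_string
from email.utils import parseaddr

OFFICE_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm")

# Assumption: display name -> address pairs the recipient has really exchanged mail with.
KNOWN_CORRESPONDENTS = {"maria lopez": "maria.lopez@clinic-partner.example"}

GENUINE_REPLY = """\
From: Maria Lopez <maria.lopez@clinic-partner.example>
To: billing@hospital.example
Subject: RE: Invoice 4471
In-Reply-To: <20201112.4471@hospital.example>
References: <20201112.4471@hospital.example>
Content-Type: text/plain

Thanks, received.

> Please find invoice 4471 attached.
"""

HIJACKED_REPLY = """\
From: Maria Lopez <office@unrelated-shop.example>
To: billing@hospital.example
Subject: RE: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached document and confirm.

> Thanks, received.
>
> > Please find invoice 4471 attached.
--b1
Content-Type: application/msword; name="Invoice_4471.doc"
Content-Disposition: attachment; filename="Invoice_4471.doc"
Content-Transfer-Encoding: base64

ZmFrZSBkb2N1bWVudA==
--b1--
"""


def _text_lines(msg):
    """Yield the decoded lines of every text/plain part."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            yield from payload.decode("utf-8", "replace").splitlines()


def assess(raw: str, known=KNOWN_CORRESPONDENTS):
    """Return the indicators found and a verdict (two or more indicators = suspicious)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    indicators = []

    # 1. Looks like part of a thread (Re:/Fwd: subject or quoted text) but carries no
    #    threading headers. A client replying to the real thread adds them; a bot
    #    re-sending stolen thread content usually does not.
    is_reply = subject.lower().startswith(("re:", "fw:", "fwd:"))
    has_quote = any(line.startswith(">") for line in _text_lines(msg))
    if (is_reply or has_quote) and not (msg.get("In-Reply-To") or msg.get("References")):
        indicators.append("thread content without In-Reply-To/References headers")

    # 2. Display name of a known contact on an address that is not that contact's.
    expected = known.get(name.strip().lower())
    if expected and addr.lower() != expected:
        indicators.append(f"display name {name!r} belongs to {expected}, message is from {addr}")

    # 3. Office document attachment, the usual carrier of the Emotet loader.
    for part in msg.walk():
        filename = part.get_filename() or ""
        if filename.lower().endswith(OFFICE_EXTENSIONS):
            indicators.append(f"Office document attachment {filename}")

    return {"from": addr, "indicators": indicators, "suspicious": len(indicators) >= 2}


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_REPLY), ("hijacked", HIJACKED_REPLY)):
        print(label, assess(raw))
```

None of the three signals is conclusive on its own (mailing-list software strips threading headers too, and people do send .doc files), which is why the verdict requires two of them; a gateway would normally add the result to a score rather than block outright.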

The law enforcement operation was planned for around 2 years and was a collaborative effort between authorities in the Netherlands, Germany, France, Lithuania, Canada, Ukraine, the United States, and the United Kingdom, with the operation coordinated by Europol and Eurojust.

The infrastructure used to control the botnet was spread across hundreds of servers, each with a different function: managing infected computers, distributing copies of the Emotet Trojan, exfiltrating data, and providing services to other cybercrime groups. The Emotet gang had also built resiliency into its infrastructure to withstand takedown attempts.

To take down the infrastructure and prevent any attempt to restore it, law enforcement agencies took control of the servers simultaneously, from the inside. The servers are now under the control of law enforcement, and a module that uninstalls the malware is already being distributed to infected machines. Europol says the malware will be uninstalled from infected devices on March 25, 2021 at 12:00.

In addition to severely disabling the operation, several members of the Emotet gang in Ukraine suspected of running the botnet have been arrested and other arrests are expected to follow.

Ransomware Attacks Account for Almost Half of Healthcare Data Breaches

A new report published by Tenable has revealed almost half of all healthcare data breaches are the result of ransomware attacks, and in the majority of cases the attacks were preventable.

According to the Tenable Research 2020 Threat Landscape Retrospective Report, 730 data breaches were reported across all industry sectors in the first 10 months of 2020 and more than 22 billion records were exposed. 8 million of those records were exposed in healthcare data breaches.

Healthcare registered the highest number of data breaches of any industry sector between January and October 2020, accounting for almost a quarter (24.5%) of all reported data breaches, ahead of technology (15.5%), education (13%), and government (12.5%).

Due to the high number of healthcare data breaches, Tenable researchers analyzed those breaches to identify the main causes and found that ransomware attacks accounted for 46.4% of all reported data breaches, followed by email compromise attacks (24.6%), insider threats (7.3%), app misconfigurations (5.6%) and unsecured databases (5%). Across all industry sectors, ransomware attacks accounted for 35% of data breaches and 14.4% of breaches were due to email compromises, which shows the healthcare industry is particularly vulnerable to these types of attacks.

While no healthcare organization is immune to ransomware attacks, for the most part these attacks can be prevented. One of the most common ways for ransomware gangs to gain access to healthcare networks is the exploitation of vulnerabilities in Virtual Private Network (VPN) solutions. The two vulnerabilities most commonly exploited by ransomware gangs are CVE-2019-19781, a path traversal flaw in Citrix Application Delivery Controller (ADC) and Citrix Gateway, and CVE-2019-11510, an unauthenticated arbitrary file read in Pulse Connect Secure.

Pulse Secure released its fix in April 2019 and Citrix released patches in January 2020, yet many organizations were slow to apply them, which gave threat actors an easy way to gain a foothold in networks, access and exfiltrate sensitive data, and deploy ransomware.
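Both flaws are exploited with a single unauthenticated HTTP request, so the attempts, and whether they worked, are visible in the appliance’s or a front-end proxy’s access log. The script below is an added example of that hunt, not Tenable’s or HIPAA Journal’s code. The log lines are constructed; the path signatures are the ones published in the public advisories on the two CVEs, and treating a 200 response to the traversal request as evidence that the host was unpatched follows those same advisories (an assumption about the environment, since a proxy in front of the appliance could answer differently).

```python
"""Flag requests in a web-server access log that match the publicly
documented exploitation paths for CVE-2019-19781 (Citrix ADC / Gateway) and
CVE-2019-11510 (Pulse Connect Secure). Added example; log lines are constructed."""
import re
from urllib.parse import unquote

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

SIGNATURES = {
    # Traversal from the unauthenticated /vpn/ tree into /vpns/: smb.conf reads are
    # the scanner probe, newbm.pl the write primitive used to get code execution.
    "CVE-2019-19781": re.compile(r"/vpn/\.\./vpns/"),
    # Pre-auth arbitrary file read through the HTML5 access endpoint.
    "CVE-2019-11510": re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/"),
}

# Constructed sample: two attackers, four attempts, one blocked by the mitigation.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2020:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1234
203.0.113.5 - - [12/Jan/2020:03:14:09 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
198.51.100.9 - - [12/Jan/2020:03:20:11 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 2048
198.51.100.9 - - [12/Jan/2020:03:20:12 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0
192.0.2.77 - - [12/Jan/2020:03:21:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120
"""


def normalise(path: str) -> str:
    """Percent-decode twice (catches %252e double encoding) and lower-case, so an
    encoded traversal such as /vpn/%2e%2e/vpns/ is compared in plain form."""
    return unquote(unquote(path)).lower()


def scan_line(line: str):
    """Return a hit dict for an exploitation attempt, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalise(m.group("path"))
    for cve, pattern in SIGNATURES.items():
        if pattern.search(path):
            status = int(m.group("status"))
            return {
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "cve": cve,
                "path": m.group("path"),
                "status": status,
                # A 200 to the traversal request means the appliance served the file:
                # unpatched, and quite possibly already compromised. 403/404 means the
                # mitigation or patch blocked it. (Assumption: no proxy rewrote the status.)
                "likely_success": status == 200,
            }
    return None


def scan(lines):
    """All hits, in log order."""
    return [hit for hit in map(scan_line, lines) if hit]


def sources(hits):
    """Attacking addresses and the CVEs each one tried, for blocking and hunting."""
    out = {}
    for h in hits:
        out.setdefault(h["ip"], set()).add(h["cve"])
    return out


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["time"]} {h["ip"]} {h["cve"]} status={h["status"]} '
              f'success={h["likely_success"]} {h["path"]}')
    print(sources(found))
```

A successful hit against a Citrix host should be followed by a look for the web shells and cron entries the public advisories describe; a successful Pulse Secure hit means every credential that was in the appliance’s cache should be treated as stolen and rotated, which patching alone does not fix.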

“As the attack surface expands, vulnerability management has a central role to play in modern cybersecurity strategies. Unpatched vulnerabilities leave sensitive data and critical business systems exposed, and represent lucrative opportunities for ransomware actors,” said Renaud Deraison, co-founder and chief technology officer at Tenable.

Many organizations continue to use server software that is no longer supported, and ransomware gangs often target vulnerabilities in outdated server software. Ransomware gangs also exploit vulnerabilities in RDP and use brute force tactics to guess weak passwords.

It can be difficult for healthcare organizations to change software solutions and operating systems that are approaching end of life, but it is vital to upgrade to solutions that have active support or ensure that any software that is no longer supported is isolated and those systems cannot be accessed remotely. Locking down RDP and enforcing the use of strong passwords will also help to prevent ransomware attacks.
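Where RDP cannot be taken off the network immediately, the password guessing the paragraph describes is loud in the Windows Security log: a burst of failed logons (event 4625) from one source address, and, when a weak password falls, a successful logon (event 4624) from that same address. The script below is an added example of that detection, not Emsisoft’s, Tenable’s or HIPAA Journal’s code. The events are constructed in the shape of 4625/4624 records as a log shipper would deliver them, one JSON object per line; the field names are an assumption about that shipper’s output.

```python
"""Detect password guessing against RDP from Windows Security events and flag
the case where the guessing was followed by a successful logon from the same
source. Added example; the events are constructed."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 10                 # failures from one source inside WINDOW
# 10 = RemoteInteractive (an RDP session). 3 = Network: with Network Level
# Authentication on, a rejected password is logged as a type-3 failure because
# no session has been created yet, so both must be counted.
RDP_LOGON_TYPES = {10, 3}


def build_sample() -> str:
    """Constructed sample: 12 failures in two minutes from one address, then a
    success from it; three slow failures from an internal address (a user
    mistyping, which must not alert)."""
    base = datetime(2020, 9, 20, 2, 0, 0)
    events = []
    for i in range(12):
        events.append({"time": (base + timedelta(seconds=10 * i)).isoformat(),
                       "event_id": 4625, "logon_type": 3, "source_ip": "203.0.113.45",
                       "user": f"user{i % 4}", "status": "0xC000006D"})
    events.append({"time": (base + timedelta(seconds=130)).isoformat(),
                   "event_id": 4624, "logon_type": 10, "source_ip": "203.0.113.45",
                   "user": "jsmith"})
    for i in range(3):
        events.append({"time": (base + timedelta(minutes=i)).isoformat(),
                       "event_id": 4625, "logon_type": 10, "source_ip": "10.0.0.8",
                       "user": "nurse1", "status": "0xC000006D"})
    return "\n".join(json.dumps(e) for e in events)


SAMPLE_EVENTS = build_sample()


def detect(jsonl: str, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of 4625s per source address. Emits one 'brute_force'
    alert when a source crosses the threshold and a 'brute_force_success' for
    any later 4624 from a source that was flagged."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    events.sort(key=lambda e: e["time"])          # ISO-8601 strings sort chronologically
    recent = defaultdict(deque)                   # source_ip -> failure timestamps in window
    flagged = set()
    alerts = []
    for e in events:
        if e.get("logon_type") not in RDP_LOGON_TYPES:
            continue
        ts = datetime.fromisoformat(e["time"])
        ip = e["source_ip"]
        if e["event_id"] == 4625:
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:       # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "source_ip": ip,
                               "failures": len(q), "first": q[0].isoformat(),
                               "last": ts.isoformat()})
        elif e["event_id"] == 4624 and ip in flagged:
            alerts.append({"type": "brute_force_success", "source_ip": ip,
                           "user": e["user"], "time": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The second alert type is the one that matters: a burst of failures is background noise on any RDP host reachable from the internet, but a success from the same address after the burst is the moment the ransomware operator gets a foothold, and the account it names is the one to disable first.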

It is also important to address the second highest cause of healthcare data breaches. Email security solutions will prevent the majority of email attacks, but security awareness training for employees should also be provided regularly. One of the most important steps to take is to implement multi-factor authentication on all email accounts. It is often only after experiencing a phishing attack that healthcare organizations implement multi-factor authentication, but by being proactive, email account breaches can be prevented.

In a summer 2020 blog post, Microsoft explained that multi-factor authentication is the most important security solution to apply to block phishing attacks and will prevent 99.9% of attacks on email accounts.

FBI Issues Warning Following Spike in Vishing Attacks

Many data breaches start with a phishing email, but credential phishing can also occur via other communication channels such as instant messaging platforms or SMS messages. One often overlooked way for credentials to be obtained is phishing over the telephone. These phishing attacks, termed vishing, can give attackers the credentials they need to gain access to email accounts and cloud services and escalate privileges.

Recently, the Federal Bureau of Investigation (FBI) issued an alert after a spike in vishing incidents to steal credentials to corporate accounts, including credentials for network access and privilege escalation. The change to remote working in 2020 due to COVID-19 has made it harder for IT teams to monitor access to their networks and privilege escalation, which could allow these attacks to go undetected.

The FBI warned that it has observed a change in tactics by threat actors. Rather than only targeting credentials of individuals likely to have elevated privileges, cybercriminals are now trying to obtain all credentials. While the credentials of low-ranking employees may not give them the access to systems, networks, or data they seek, those credentials give them a foothold that can be used to get greater network access, including the ability to escalate privileges.

Threat actors are using VoIP platforms to call corporate employees and obtain their credentials. One method is to persuade the employee to log in to a phishing webpage that harvests the credentials: for instance, the caller impersonates a member of the IT team and tells the employee to visit a webpage to update their software or for security reasons.

In one recent attack, the cybercriminals identified an employee of the targeted company in its chatroom, made contact, and convinced the employee to log in to a fake VPN page. They stole the employee’s credentials, logged in to the VPN remotely, and performed reconnaissance to find an employee with higher privileges, specifically one with permission to change usernames and email credentials. Once such an individual was identified, contact was made and the scam was repeated over a chatroom messaging service to phish that employee’s credentials.

This is the second FBI warning to have been issued on vishing in the past year, and the tactic has been used in attacks since at least December 2019. To improve defenses against these attacks the FBI made the following recommendations:

  • Implement multi-factor authentication for access to employee accounts.
  • Grant network access to new employees on a least-privilege basis.
  • Regularly review network access for all employees to identify weak spots.
  • Scan for and monitor unauthorized network access and changes to permissions.
  • Adopt network segmentation to control the flow of network traffic.
  • Give administrators two accounts: one with admin privileges for making system changes, and a second for email, deploying updates, and generating reports.
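The fourth and sixth recommendations reinforce each other: once administrative work is confined to dedicated accounts, any privileged-group change made from an ordinary account is by definition suspect, which is exactly the step the attack above needed (an employee with permission to change other accounts). The script below is an added example of that monitoring, not the FBI’s or HIPAA Journal’s code. The records are constructed in the shape of Windows Security events 4728, 4732 and 4756 (member added to a security-enabled global, local or universal group); the “adm-” naming convention for admin accounts and the PRIVILEGED_GROUPS list are assumptions about the environment.

```python
"""Alert on additions to privileged groups that were not made from a dedicated
administrative account. Added example; the events, the "adm-" prefix and the
group list are constructed assumptions."""
GROUP_ADD_EVENTS = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {
    "domain admins", "enterprise admins", "schema admins", "administrators",
    "account operators", "backup operators", "remote desktop users",
}
ADMIN_ACCOUNT_PREFIX = "adm-"   # assumption: admin identities are named adm-<user>

SAMPLE_EVENTS = [
    # Routine: an admin account adds another admin account.
    {"time": "2020-12-01T14:02:11", "event_id": 4728, "subject": "CORP\\adm-jdoe",
     "member": "CORP\\adm-asmith", "group": "Domain Admins"},
    # A regular user account makes itself a local administrator.
    {"time": "2020-12-01T14:05:40", "event_id": 4732, "subject": "CORP\\rlee",
     "member": "CORP\\rlee", "group": "Administrators"},
    # The same account then promotes a service account to Domain Admins.
    {"time": "2020-12-01T14:06:02", "event_id": 4728, "subject": "CORP\\rlee",
     "member": "CORP\\svc-backup", "group": "Domain Admins"},
    # Not a privileged group: ignored.
    {"time": "2020-12-01T14:10:00", "event_id": 4728, "subject": "CORP\\adm-jdoe",
     "member": "CORP\\tkim", "group": "Marketing"},
    # Not a group change: ignored.
    {"time": "2020-12-01T14:11:00", "event_id": 4624, "subject": "CORP\\rlee"},
]


def _account(sam: str) -> str:
    """'DOMAIN\\user' -> 'user', lower-cased."""
    return sam.split("\\")[-1].lower()


def classify(event):
    """Return a finding for a privileged-group addition, or None for anything else."""
    if event.get("event_id") not in GROUP_ADD_EVENTS:
        return None
    if event["group"].lower() not in PRIVILEGED_GROUPS:
        return None
    subject, member = _account(event["subject"]), _account(event["member"])
    reasons = []
    if not subject.startswith(ADMIN_ACCOUNT_PREFIX):
        reasons.append("change made from a non-admin account")
    if not member.startswith(ADMIN_ACCOUNT_PREFIX):
        reasons.append("member is not a dedicated admin account")
    if subject == member:
        reasons.append("account added itself")
    return {
        "time": event["time"],
        "group": event["group"],
        "subject": event["subject"],
        "member": event["member"],
        "severity": "high" if reasons else "info",
        "reasons": reasons,
    }


def audit(events):
    """Findings in event order; the high-severity ones are what a SOC should page on."""
    return [f for f in map(classify, events) if f]


def repeat_offenders(findings):
    """Subjects behind more than one high-severity change: the pattern in the FBI's
    case, where one phished account is used to reach further accounts."""
    counts = {}
    for f in findings:
        if f["severity"] == "high":
            counts[f["subject"]] = counts.get(f["subject"], 0) + 1
    return sorted(s for s, n in counts.items() if n > 1)


if __name__ == "__main__":
    results = audit(SAMPLE_EVENTS)
    for f in results:
        print(f["severity"], f["time"], f["subject"], "->", f["member"], "in", f["group"], f["reasons"])
    print("repeat offenders:", repeat_offenders(results))
```

Even the “info” finding is worth keeping: a complete, reviewable trail of who granted what is the second recommendation’s “regularly review network access” in practice, and a group that quietly grows is the weak spot that review is meant to catch.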

At Least 560 U.S. Healthcare Facilities Were Impacted by Ransomware Attacks in 2020

Ransomware attacks have had a massive impact on businesses and organizations in the United States, and 2020 was a particularly bad year. The healthcare industry, education sector, and federal, state, and municipal governments and agencies have been targeted by ransomware gangs and there were at least 2,354 attacks on these sectors in 2020, according to the latest State of Ransomware report from the New Zealand-based cybersecurity firm Emsisoft.

The number of ransomware attacks increased sharply toward the end of 2019, and while the attacks slowed in the first half of 2020, a major coordinated campaign was launched in September when attacks dramatically increased and continued to occur in large numbers throughout the rest of the year.

In 2020 there were at least 113 ransomware attacks on federal, state, and municipal governments and agencies, 560 attacks on healthcare facilities in 80 separate incidents, and 1,681 attacks on schools, colleges, and universities.

These attacks have caused significant financial harm and in some cases the disruption has had life-threatening consequences. Healthcare services have had to be suspended, ambulances have been redirected to alternative facilities, 911 services have been interrupted, medical appointments have been postponed and test results have been delayed. “The fact that there were no ransomware-related deaths in the US last year was simply due to good luck. Security needs to be bolstered across the public sector before that luck runs out and lives are lost,” said Fabian Wosar, CTO, Emsisoft.

One of the most damaging attacks was on Universal Health Services, a health system that operates more than 400 hospitals and healthcare facilities in the United States. The attack affected all its locations and caused considerable disruption. An attack on the University of Vermont Health Network forced systems offline, including its EHR system. Several hospital systems remained out of action for several weeks after the attack. The ransomware attack cost the health system around $1.5 million a day in additional expenses and lost revenue while it recovered. “Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover,” said Gus Genter, CIO, Winnebago County, who was quoted in the report.

It has become increasingly common for ransomware threat actors to steal sensitive data prior to file encryption and for threats to be issued to publish or sell the stolen data if the ransom is not paid. This tactic was first adopted by the Maze ransomware gang, but many other threat groups have now adopted the same tactic. Emsisoft said only the Maze ransomware gang was exfiltrating data prior to file encryption at the start of 2020, but now at least 17 other threat groups are stealing data and publishing it on leak sites if the ransom is not paid.

In some cases, even payment of the ransom does not guarantee the stolen data will be deleted. Several ransomware gangs, including Sodinokibi (REvil), Netwalker, and Mespinoza are known to have leaked stolen data even after the ransom was paid.

Emsisoft notes that in the first half of 2020, only one of the 60 ransomware attacks on federal, state, county, and municipal governments and agencies resulted in stolen data being leaked; however, in the second half of the year, 23 out of the 53 attacks saw stolen data released on leak sites. At least 12 healthcare organizations that were attacked with ransomware had sensitive data stolen and leaked online.

2020 was clearly a bad year, but there is little to suggest 2021 will be any better. Ransomware attacks are likely to continue at pace and may even increase. “Unless significant action is taken, we anticipate 2021 being another banner year for cybercriminals,” explained Emsisoft in the report.

2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020

More large healthcare data breaches were reported in 2020 than in any other year since the HITECH Act called for the U.S. Department of Health and Human Services’ Office for Civil Rights to start publishing healthcare data breach figures on its website.

In 2020, healthcare data breaches of 500 or more records were reported at a rate of more than 1.76 per day. 2020 saw 642 large data breaches reported by healthcare providers, health plans, healthcare clearing houses and business associates of those entities – 25% more than 2019, which was also a record-breaking year.

More than twice the number of data breaches are now being reported than 6 years ago and three times the number of data breaches that occurred in 2010.

Key Takeaways

  • 25% year-over-year increase in healthcare data breaches.
  • Healthcare data breaches have doubled since 2014.
  • 642 healthcare data breaches of 500 or more records were reported in 2020.
  • 1.76 data breaches of 500 or more healthcare records were reported each day, on average, in 2020.
  • 2020 saw more than 29 million healthcare records breached.
  • One breach involved more than 10 million records and 63 saw more than 100K records breached.
  • Hacking/IT incidents accounted for 67% of data breaches and 92% of breached records.
  • 3,705 data breaches of 500 or more records have been reported since October 2009.
  • 266.78 million healthcare records have been breached since October 2009.

U.S. Healthcare Data Breaches 2009 to 2020

2020 was the third worst year in terms of the number of breached healthcare records, with 29,298,012 records reported as having been exposed or impermissibly disclosed in 2020. While that is an alarming number of records, it is 29.71% fewer than in 2019. 266.78 million healthcare records have been breached since October 2009 across 3,705 reported data breaches of 500 or more records.

U.S. Healthcare data breaches - exposed records 2009-2020

The Largest Healthcare Data Breaches in 2020

The largest healthcare data breach of 2020 was a ransomware attack on the cloud service provider Blackbaud Inc. The actual number of records exposed and obtained by the hackers has not been made public, but more than 100 of Blackbaud’s healthcare clients were affected and more than 10 million records are known to have been compromised. The breach does not appear on the OCR breach portal, as each entity affected has reported the breach separately.

Prior to deploying ransomware, the hackers stole the fundraising and donor databases of many of its clients which included information such as names, contact information, dates of birth, and some clinical information. Victims included Trinity Health (3.3 million records), Inova Health System (1 million records), and Northern Light Health Foundation (657,392 records).

The Florida-based business associate MEDNAX Services Inc., a provider of revenue cycle management and other administrative services to its affiliated physician practice groups, experienced the largest phishing attack of the year. Hackers gained access to its Office 365 environment and potentially obtained the ePHI of 1,290,670 individuals, including Social Security numbers, driver’s license numbers, and health insurance and financial information.

Magellan Health’s million-record data breach also started with a phishing email and ended with ransomware being deployed. The breach affected several of its affiliated entities and potentially saw patient information stolen.

Dental Care Alliance, a dental support organization with more than 320 affiliated dental practices across 20 states, had its systems hacked and the dental records of more than 1 million individuals were potentially stolen.

63 security incidents involving 100,000 or more healthcare records were reported in 2020 by HIPAA-covered entities and business associates; the 20 largest are listed below.

Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach
Trinity Health | Business Associate | 3,320,726 | Hacking/IT Incident
MEDNAX Services, Inc. | Business Associate | 1,290,670 | Hacking/IT Incident
Inova Health System | Healthcare Provider | 1,045,270 | Hacking/IT Incident
Magellan Health Inc. | Health Plan | 1,013,956 | Hacking/IT Incident
Dental Care Alliance, LLC | Business Associate | 1,004,304 | Hacking/IT Incident
Luxottica of America Inc. | Business Associate | 829,454 | Hacking/IT Incident
Northern Light Health | Business Associate | 657,392 | Hacking/IT Incident
Health Share of Oregon | Health Plan | 654,362 | Theft
Florida Orthopaedic Institute | Healthcare Provider | 640,000 | Hacking/IT Incident
Elkhart Emergency Physicians, Inc. | Healthcare Provider | 550,000 | Improper Disposal
Aetna ACE | Health Plan | 484,157 | Hacking/IT Incident
Saint Luke’s Foundation | Healthcare Provider | 360,212 | Hacking/IT Incident
NorthShore University HealthSystem | Healthcare Provider | 348,746 | Hacking/IT Incident
SCL Health – Colorado | Healthcare Provider | 343,493 | Hacking/IT Incident
AdventHealth | Healthcare Provider | 315,811 | Hacking/IT Incident
Nuvance Health | Healthcare Provider | 314,829 | Hacking/IT Incident
Magellan Rx Management | Business Associate | 314,704 | Hacking/IT Incident
The Baton Rouge Clinic | Healthcare Provider | 308,169 | Hacking/IT Incident
Allegheny Health Network | Healthcare Provider | 299,507 | Hacking/IT Incident
Northeast Radiology | Healthcare Provider | 298,532 | Hacking/IT Incident

Main Causes of 2020 Healthcare Data Breaches

Hacking and other IT incidents dominated the healthcare data breach reports in 2020. 429 hacking/IT-related data breaches were reported in 2020, which account for 66.82% of all reported breaches and 91.99% of all breached records. These incidents include exploitation of vulnerabilities and phishing, malware, and ransomware attacks, with the latter having increased considerably in recent months.

causes of 2020 healthcare data breaches

A recent report from Check Point revealed there was a 71% increase in ransomware attacks on healthcare providers in October, and a further 45% increase in healthcare cyberattacks in the last two months of 2020. Some of the year’s largest and most damaging breaches to affect the healthcare industry in 2020 involved ransomware. In many cases, systems were taken out of action for weeks and patient services were affected. Ryuk, Sodinokibi (REvil), Conti, and Egregor ransomware have been the main culprits, with the healthcare industry heavily targeted during the pandemic.

Unauthorized access/disclosure incidents accounted for 22.27% of the year’s breaches and 2.69% of breached records. These incidents include the accessing of healthcare records by malicious insiders, snooping on medical records by healthcare workers, accidental disclosures of PHI to unauthorized individuals, and human error that exposes patient data.

Breach Type | Number of Breaches | Records Breached | Mean Records Breached | Median Records Breached
Hacking/IT Incident | 429 | 26,949,956 | 62,820 | 8,000
Unauthorized Access/Disclosure | 143 | 787,015 | 5,504 | 1,713
Theft | 39 | 806,552 | 20,681 | 1,319
Improper Disposal | 16 | 584,980 | 36,561 | 1,038
Loss | 15 | 169,509 | 11,301 | 2,298

Location of Breached Protected Health Information

The increased use of encryption and cloud services for storing data have helped to reduce the number of loss/theft incidents, which used to account for the majority of reported breaches. Phishing attacks are still a leading cause of data breaches in healthcare and are often the first step in a multi-stage attack that sees malware or ransomware deployed.

Email account breaches were reported at a rate of more than 1 every two days in 2020, but email-related breaches took second spot this year behind breaches of network servers. Network servers often store large amounts of patient data and are a prime target for hackers and ransomware gangs.

While the majority of healthcare data breaches have involved electronic protected health information, a significant percentage of breaches in 2020 involved paper/film copies of protected health information which were obtained by unauthorized individuals, lost, or disposed of in an insecure manner.

Location of compromised data in healthcare data breaches 2020

Which Entities Suffered the Most Data Breaches in 2020?

The pie chart below shows the breakdown of HIPAA covered entities affected by data breaches of 500 or more records in 2020. Healthcare providers suffered the most breaches with 497 reported incidents. Business associates reported 73 data breaches, but it should be noted that in many cases a breach was experienced at the business associate, but the incident was reported by the covered entities affected. In total, 258 of the year’s breaches had some business associate involvement, which is 40.19% of all breaches. There were 70 breaches reported by health plans, and 2 breaches reported by healthcare clearinghouses.

2020 healthcare data breaches in the United States by Entity type

2020 Healthcare Data Breaches by State

South Dakota, Vermont, and Wyoming residents got through 2020 without any reported healthcare data breaches, but breaches were reported by entities based in every other state and the District of Columbia.

California was the worst affected state with 51 breaches, followed by Florida and Texas with 44, New York with 43, and Pennsylvania with 39.

State | No. Breaches | State | No. Breaches | State | No. Breaches | State | No. Breaches
California | 51 | Virginia | 18 | New Jersey | 9 | Kansas | 3
Florida | 44 | Indiana | 17 | South Carolina | 9 | Nebraska | 3
Texas | 44 | Massachusetts | 17 | Washington | 9 | West Virginia | 3
New York | 43 | Maryland | 16 | Delaware | 8 | District of Columbia | 2
Pennsylvania | 39 | North Carolina | 16 | Utah | 8 | Idaho | 2
Ohio | 27 | Colorado | 14 | Louisiana | 6 | Nevada | 2
Iowa | 26 | Missouri | 14 | Maine | 6 | Oklahoma | 2
Michigan | 21 | Arizona | 12 | New Mexico | 6 | Mississippi | 1
Georgia | 20 | Arkansas | 12 | Oregon | 5 | Montana | 1
Illinois | 20 | Kentucky | 12 | Hawaii | 4 | New Hampshire | 1
Minnesota | 20 | Wisconsin | 12 | Alabama | 3 | North Dakota | 1
Connecticut | 19 | Tennessee | 10 | Alaska | 3 | Rhode Island | 1

HHS HIPAA Enforcement in 2020

2020 was a busy year in terms of HIPAA enforcement. The HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance, conducted 19 HIPAA compliance investigations that resulted in financial penalties. More penalties were agreed with HIPAA covered entities and business associates in 2020 than in any other year since OCR started enforcing HIPAA compliance. $13,554,900 was paid in penalties across the 19 cases.

It can take several years from the start of an investigation before a financial penalty is levied. Some of the largest settlements of the year date back to breaches that were experienced in 2015 or earlier; however, the large increase in financial penalties in 2020 is largely due to a HIPAA enforcement drive launched by OCR in late 2019 to tackle noncompliance with the HIPAA Right of Access. There were 11 settlements reached with healthcare providers in 2020 to resolve cases where individuals were not provided with timely access to their medical records.

You can view a summary of OCR’s 2020 HIPAA enforcement actions in this post.

State AG HIPAA Enforcement in 2020

OCR is not the only enforcer of HIPAA compliance. State attorneys general also have the authority to take action against entities found not to be in compliance with the HIPAA Rules. There has been a trend for state attorneys general to work together and pool resources in their legal actions for noncompliance with the HIPAA Rules. In 2020, two multi-state actions were settled with HIPAA covered entities/business associates to resolve violations of the HIPAA Rules.

The health insurer Anthem Inc. settled a case that stemmed from its 78.8 million-record data breach in 2015 and paid financial penalties totalling $48.2 million to resolve multiple potential violations of HIPAA and state laws.

CHSPSC LLC, a Tennessee-based management company that provides services to subsidiary hospital operator companies and other affiliates of Community Health Systems, also settled a multi-state action and paid a financial penalty of $5 million to resolve alleged HIPAA violations. The case stemmed from a 2014 data breach that saw the ePHI of 6,121,158 individuals stolen by hackers.

About This Report

The Health Insurance Portability and Accountability Act (HIPAA) requires all healthcare data breaches to be reported to the HHS’ Office for Civil Rights. A summary of breaches of 500 or more records is published by the HHS Office for Civil Rights. This report was compiled using data on the HHS website on 01/19/21 and includes data breaches currently under investigation and archived cases.

The post 2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020 appeared first on HIPAA Journal.

December 2020 Healthcare Data Breach Report

2020 ended with healthcare data breaches being reported at a rate of 2 per day, which is twice the rate of breaches in January 2020. Healthcare data breaches increased 31.9% month over month and were also 31.9% more than the 2020 monthly average.

There may still be a handful more breaches to be added to the OCR breach portal for 2020 but, as it stands, 565 healthcare data breaches of 500 or more records have been reported to OCR in 2020. That is more than any other year since the HITECH Act required OCR to start publishing data breach summaries on its website.

2020 Healthcare Data Breaches

December was the second worst month of 2020 in terms of the number of breached records. 4,241,603 healthcare records were exposed, compromised, or impermissibly disclosed across the month’s 62 reported data breaches. That represents a 272.35% increase in breached records from November and 92.25% more than the monthly average in 2020. For comparison purposes, there were 41 reported breaches in December 2019 and 397,862 healthcare records were breached.

healthcare records breached in 2020

Largest Healthcare Data Breaches Reported in December 2020

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach | Cause |
|---|---|---|---|---|---|
| MEDNAX Services, Inc. | FL | Business Associate | 1,290,670 | Hacking/IT Incident | Phishing attack |
| Dental Care Alliance, LLC | FL | Business Associate | 1,004,304 | Hacking/IT Incident | Unspecified hacking incident |
| Aetna ACE | CT | Health Plan | 484,157 | Hacking/IT Incident | Phishing attack (business associate) |
| Allegheny Health Network | PA | Healthcare Provider | 299,507 | Hacking/IT Incident | Ransomware attack (Blackbaud) |
| AMITA Health | IL | Healthcare Provider | 261,054 | Hacking/IT Incident | Ransomware attack (Blackbaud) |
| Community Eye Care, LLC | NC | Health Plan | 149,804 | Hacking/IT Incident | Email account breach |
| GenRx Pharmacy | AZ | Healthcare Provider | 137,110 | Hacking/IT Incident | Ransomware attack |
| Wilmington Surgical Associates, P.A. | NC | Healthcare Provider | 114,834 | Hacking/IT Incident | Ransomware attack |
| Agency for Community Treatment Services, Inc. | FL | Healthcare Provider | 73,825 | Hacking/IT Incident | Ransomware attack |
| Sonoma Valley Healthcare District | CA | Healthcare Provider | 69,000 | Hacking/IT Incident | Ransomware attack |

There were two healthcare data breaches reported in December that each impacted more than 1 million individuals. The largest breach was a phishing attack on the Florida-based business associate, MEDNAX Services, Inc. MEDNAX provides revenue cycle management and other administrative services to its affiliated physician practice groups. Hackers gained access to its Microsoft Office 365-hosted email system after employees responded to phishing emails. The compromised accounts contained the protected health information of 1,290,670 patients of its clients.

Dental Care Alliance is a Sarasota, FL-based dental support organization with more than 320 affiliated dental practices in 20 U.S. states. Little information has been released about the exact nature of the cyberattack, other than hackers gaining access to its systems and viewing files containing patient information.

Causes of December 2020 Healthcare Data Breaches

Ransomware gangs continue to target healthcare organizations, and attacks have increased considerably in recent months. Five of the worst data breaches reported in December involved ransomware, as did many of the smaller breaches. Several healthcare providers have only just reported being affected by the ransomware attack on Blackbaud Inc., which the cloud service provider discovered in May 2020.

Phishing continues to be a major cause of healthcare data breaches. There were 13 data breaches involving unauthorized access to email accounts, the majority of which used credentials stolen in phishing attacks. While most of the month’s breaches involved unauthorized access to electronic protected health information, 17.75% of the month’s breaches involved paper records and films, highlighting the importance of also protecting physical records.

Causes of December 2020 healthcare data breaches

33 hacking/IT incidents were reported to OCR in December 2020. Those incidents accounted for 98.39% of the month’s breached records (4,173,519 records). An average of 126,470 records were breached per incident with a median breach size of 8,000 records per incident.

There were 21 unauthorized access/disclosure incidents reported to OCR which involved a total of 57,837 records. The average breach size was 2,754 records and the median breach size was 1,020 records.

There were 7 theft and loss incidents reported (5 theft/2 loss). The average breach size was 1,392 records and the median breach size was 856 records. There was also one incident involving the improper disposal of 501 records.

Location of PHI in December 2020 healthcare data breaches

Entities Reporting Data Breaches in December 2020

Healthcare providers were the worst affected covered entity in December 2020 with 39 breaches reported, but there was a major increase in data breaches reported by health plans. 17 health plans reported breaches of 500 or more records in December, which is a 183% increase from November.

There were 6 data breaches reported by business associates of HIPAA covered entities, but 40% of the month’s breaches (25) had some business associate involvement. In many cases, the breach was experienced by the business associate but was reported by the covered entity.

December 2020 healthcare data breaches by covered entity type

December 2020 Healthcare Data Breaches by State

HIPAA covered entities and business associates in 58% of U.S. states reported data breaches in December. Florida was the worst affected of the 29 states with 9 reported data breaches. Pennsylvania also had a particularly bad month with 7 reported breaches, followed by Missouri and Texas with 4, and Illinois, North Carolina, and Tennessee with 3.

There were two breaches reported in each of Arizona, Connecticut, Georgia, Massachusetts, Minnesota, Ohio, and Wisconsin, and one breach reported in each of Arkansas, California, Colorado, Delaware, Indiana, Iowa, Kentucky, Louisiana, Maine, Mississippi, Nebraska, Oregon, Utah, Virginia, and West Virginia.

HIPAA Enforcement in December 2020

2020 has been a busy year in terms of HIPAA enforcement. More financial penalties were imposed on HIPAA covered entities and their business associates to resolve potential HIPAA violations in 2020 than in any other year since the HHS was given the authority to enforce HIPAA compliance. 19 settlements were reached to resolve cases where HIPAA Rules appeared to have been violated.

OCR announced one further financial penalty in December, the 13th financial penalty under its HIPAA Right of Access initiative. Peter Wrobel, M.D., P.C., dba Elite Primary Care, agreed to pay OCR $36,000 to resolve a case involving the failure to provide two patients with timely access to their medical records.

You can read more about 2020 HIPAA enforcement in our end-of-year summary.

The post December 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

CISA Warns of Hackers Exploiting Poor Cyber Hygiene to Access Cloud Environments

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that threat actors are exploiting poor cyber hygiene to gain access to enterprise cloud environments. The alert was issued after CISA observed a surge in attacks on organizations that have transitioned to a largely remote workforce in response to the pandemic.

While some of the tactics outlined in the report may have been used by the hackers behind the SolarWinds Orion supply chain attack, these tactics have not been tied to any specific threat group and are being used by multiple threat actors to gain access to cloud environments and obtain sensitive data.

According to the alert, threat actors are using a variety of tactics, techniques, and procedures to attack cloud environments, including brute force attacks to guess weak passwords, phishing attacks, and the exploitation of unpatched vulnerabilities and weaknesses in cloud security practices.

Phishing is commonly used to obtain credentials to remotely access cloud resources and applications. The phishing emails typically include hyperlinks to malicious websites where credentials are harvested. If multi-factor authentication has not been implemented, the credentials can be used by the attackers to access cloud resources. The phishing emails often appear to be secure messages and link to seemingly legitimate file hosting account logins. The compromised email accounts are then used to send further phishing emails internally to other employees. These internally sent phishing emails often link to documents within what appears to be the organization’s file hosting service.

There have been cases where auto-forwarding rules were set up in the compromised email accounts to collect sensitive emails, or search rules were created to locate and collect sensitive data. “In addition to modifying existing user email rules, the threat actors created new mailbox rules that forwarded certain messages received by the users (specifically, messages with certain phishing-related keywords) to the legitimate users’ Really Simple Syndication (RSS) Feeds or RSS Subscriptions folder in an effort to prevent warnings from being seen by the legitimate users,” explained CISA.

In addition to using phishing emails to steal login credentials, brute force tactics are used to guess weak passwords. In many cases, brute force and phishing attacks succeeded in obtaining credentials but were thwarted by multi-factor authentication, which prevented the stolen credentials from being used; however, CISA identified one attack where multi-factor authentication was bypassed to gain access to cloud resources using ‘pass-the-cookie’ tactics. A pass-the-cookie attack involves the use of a stolen cookie from an already authenticated session to log into online services or web apps. These attacks can succeed even if an organization has correctly implemented multi-factor authentication.

Threat actors have been targeting employees who work remotely using personally owned or company provided devices to access their organization’s cloud resources from home. While organizations have implemented security solutions to block these attacks, many have succeeded as a result of poor cyber hygiene practices.

In the alert, CISA details best practices that can be adopted to improve cyber hygiene and strengthen cloud security configurations to block attacks on cloud services. These include implementing conditional access, reviewing Active Directory sign-in logs and unified audit logs for suspicious activity, enforcing MFA for all users, reviewing email forwarding rules regularly, following guidance on securing privileged access, resolving client site requests internal to the network, and adopting a zero-trust mindset. Specific recommendations have also been provided to help enterprise organizations secure their M365 environments.
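The mailbox-rule abuse CISA describes (external forwarding, and warning messages shunted into the RSS Feeds/RSS Subscriptions folder) is something a regular review of forwarding rules can catch. The following is an added example, not CISA's or HIPAA Journal's code: it assumes the rules have been exported as dicts whose keys mirror Exchange Online inbox-rule properties, uses a placeholder organisation domain, and runs over constructed sample rules.

```python
# Added example (not CISA's or HIPAA Journal's code): flag mailbox rules that match
# the abuse patterns described in the alert. It assumes rules were exported as dicts
# whose keys mirror Exchange Online inbox-rule properties (Name, ForwardTo, RedirectTo,
# ForwardAsAttachmentTo, MoveToFolder, DeleteMessage, SubjectOrBodyContainsWords).

INTERNAL_DOMAIN = "example-health.org"  # assumed organisation domain (placeholder)
# Folders users rarely open, used to park warning messages where nobody reads them
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "archive"}
# Words an IT desk or colleague would use when warning someone about a compromise
WARNING_WORDS = {"phish", "phishing", "hacked", "compromised", "suspicious",
                 "password", "fraud", "security alert"}

def external_recipients(addresses, domain=INTERNAL_DOMAIN):
    """Return the addresses that do not belong to the organisation's domain."""
    return [a for a in addresses if not a.lower().endswith("@" + domain)]

def review_rule(rule, domain=INTERNAL_DOMAIN):
    """Return the reasons one inbox rule looks suspicious (empty list if none)."""
    reasons = []
    # 1. Any forward/redirect action that sends mail outside the organisation
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        ext = external_recipients(rule.get(field, []), domain)
        if ext:
            reasons.append(f"{field} sends mail outside {domain}: {', '.join(ext)}")
    # 2. Messages containing warning keywords moved to an unread folder or deleted
    folder = (rule.get("MoveToFolder") or "").lower()
    hits = {w.lower() for w in rule.get("SubjectOrBodyContainsWords", [])} & WARNING_WORDS
    if hits and (folder in HIDING_FOLDERS or rule.get("DeleteMessage", False)):
        reasons.append(f"hides messages matching warning keywords {sorted(hits)}")
    elif folder.startswith("rss "):
        reasons.append(f"moves mail into '{rule['MoveToFolder']}', a folder users rarely check")
    return reasons

def review_rules(rules, domain=INTERNAL_DOMAIN):
    """Map rule name -> reasons for every rule that trips at least one check."""
    findings = {r["Name"]: review_rule(r, domain) for r in rules}
    return {name: why for name, why in findings.items() if why}

# Constructed sample export: one benign rule and two shaped like the alert's description
SAMPLE_RULES = [
    {"Name": "Newsletters", "MoveToFolder": "Reading", "SubjectOrBodyContainsWords": ["newsletter"]},
    {"Name": "Sync", "ForwardTo": ["drop@mail-collector.example.net"],
     "SubjectOrBodyContainsWords": ["invoice", "claim"]},
    {"Name": "RSS", "MoveToFolder": "RSS Subscriptions",
     "SubjectOrBodyContainsWords": ["phishing", "hacked"], "MarkAsRead": True},
]

if __name__ == "__main__":
    for name, reasons in review_rules(SAMPLE_RULES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Findings are returned per rule name so the same checks can be run across every mailbox export and fed to a ticketing or SIEM pipeline.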

Enterprise organizations have been advised to read the Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services Analysis Report and implement the recommendations.

The post CISA Warns of Hackers Exploiting Poor Cyber Hygiene to Access Cloud Environments appeared first on HIPAA Journal.