Data breaches declined by 24% globally in the first 6 months of 2021, although breaches in the United States increased by 1.5% in that period according to the 2021 Mid-Year Data Breach QuickView Report from Risk-Based Security.

Risk Based Security identified 1,767 publicly reported breaches between January 1, 2021 and June 30, 2021. Across those breaches, 18.8 billion records were exposed, which represents a 32% decline from the first 6 months of 2020 when 27.8 billion records were exposed. 85% of the exposed records in the first half of 2021 occurred in just one breach at the Forex trading service FBS Markets.

The report confirms the healthcare industry continues to be targeted by cyber threat actors, with the industry having reported more data breaches than any other industry sector this year. Healthcare has been the most targeted industry or has been close to the top since at least 2017 and it does not appear that trend will be reversed any time soon. 238 healthcare data breaches were reported in the first 6 months of 2021, with finance & insurance the next most attacked sector with 194 reported incidents, followed by information with 180 data breaches.

The report shows there have been significant shifts in data breach trends in 2021. While data breaches have declined globally and have remained fairly constant in the United States, there has been a marked increase in ransomware attacks. Risk Based Security recorded 352 ransomware attacks in the first 6 months of 2021 and, if that pace continues, the number of attacks will be significantly higher than 2020.

Ransomware attacks are extremely costly in healthcare due to the long period of downtime, and without access to medical records patient safety is put at risk. This is of course known to ransomware gangs. The reliance on access to data and the high cost of downtime increases the probability of the ransom being paid.

In 2020, data breaches started to take longer to be reported and that trend has continued in 2021. This is in part due to the increase in ransomware attacks, which can take longer to investigate, but even taking that into account there were many cases when breach notifications took an unusually long time to be issued and that has started to attract attention from regulators.

“Ransomware attacks continue at an alarming pace, inflicting serious damage on the victim organizations that rely on their services,” said Inga Goddijn, Executive Vice President at Risk Based Security. “The slow pace of reporting brought on by lengthy incident investigations has not improved and attackers continue to find new opportunities to take advantage of changing circumstances.”

The majority of reported breaches (67.97%) were hacking incidents, with only 100 (5.66%) due to viruses, and just 45 email incidents (2.55%). There were 76 web breaches reported (4.30%); however, they resulted in the highest number of records being breached.

Data breaches that exposed access credentials such as email addresses and passwords have remained consistent with other years, with email addresses exposed in 40% of breaches and passwords in 33%. The majority of reported breaches in 2021 were the result of external threat actors (78.66%), with 13.75% caused by insiders. Out of the confirmed insider breaches, the majority were accidental (58.85%), with 18.52% caused by malicious insiders.

Risk Based Security also notes that breach severity is increasing. Large numbers of data breaches have been reported in 2021 that involved sensitive data, which is a particularly worrying trend.

The post Healthcare Industry has Highest Number of Reported Data Breaches in 2021 appeared first on HIPAA Journal.

For the third consecutive month, the number of reported healthcare data breaches of 500 or more records increased. June saw an 11% increase in reported breaches from the previous month with 70 data breaches of 500 or more records reported to the HHS’ Office for Civil Rights – the highest monthly total since September 2020 and well above the average of 56 breaches per month over the past year.

While the number of reported breaches increased, there was a substantial fall in the number of breached healthcare records, which decreased 80.24% from the previous month to 1,290,991 breached records. That equates to more than 43,000 breached records a day in June.

More than 40 million healthcare records have been exposed or impermissibly disclosed over the past 12 months across 674 reported breaches. On average, between July 2020 and June 2021, an average of 3,343,448 healthcare records were breached each month.

Largest Healthcare Data Breaches in June 2021

There were 19 healthcare data breaches of 10,000 or more records reported in June. Ransomware continues to pose problems for healthcare organizations, with 6 of the top 10 breaches confirmed as ransomware attacks. Several healthcare organizations reported ransomware attacks in June that occurred at third-party vendors, with the number of healthcare providers confirmed as being affected by the ransomware attacks on vendors Elekta, Netgain Technologies, and CaptureRx continuing to grow.

The largest healthcare data breach to be reported in June was a phishing attack on the medical payment billing service provider MultiPlan. A threat actor gained access to an email account containing the protected health information of 214,956 individuals.

Northwestern Memorial HealthCare and Renown Health were affected by the ransomware attack on the Swedish radiation therapy and radiosurgery solution provider Elekta Inc., That attack is known to have affected a total of 42 healthcare providers in the United States.

Causes of June 2021 Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports in June 2021, with ransomware attacks accounting for a large percentage of those breaches. There were 58 reported hacking/IT incidents, in which the protected health information of 1,190,867 individuals was exposed or compromised – 92.24% of all breached records in June. The mean breach size was 20,532 records and the median breach size was 2,938 records.

There were 9 unauthorized access/disclosure incidents reported that involved the impermissible disclosure of the PHI of 81,764 individuals. The mean breach size was 9,085 records and the median breach size was 5,509 records.

There was one incident reported involving the loss of paperwork containing the PHI of 14,532 individuals, one portable electronic device theft affecting 1,166 patients, and 1 incident involving the improper disposal of 2,662 physical records.

42 hacking incidents involved PHI stored on network servers, most of which were data access and exfiltration incidents involving ransomware. There were 19 email security breaches involving PHI stored in email accounts, most of which were phishing incidents.

Covered Entities Reporting Data Breaches in June

The breach reports show healthcare providers were the worst affected covered entity type with 53 data breaches. 9 breaches were reported by health plans, and 8 by business associates of HIPAA covered entities. HIPAA-covered entities often report breaches at third party vendors, which can mask the extent to which business associates are being targeted by hackers. Adjusted figures taking this into account show the extent to which business associates are suffering data breaches. There were 36 data breaches reported that involved business associates, as shown in the pie chart below.

June 2021 Healthcare Data Breaches by State

There were large healthcare data breaches reported by HIPAA covered entities and business associates based in 32 states. California was the worst affected state with 8 reported breaches, followed by New York with 6.

HIPAA Enforcement Activity in June 2021

The HHS’ Office for Civil Rights announced one HIPAA enforcement action in June under its HIPAA Right of Access enforcement initiative. The Diabetes, Endocrinology & Lipidology Center, Inc. in Martinsburg, West Virginia was ordered to pay a financial penalty of $5,000 to resolve its HIPAA Right of Access case and agreed to adopt a robust corrective action plan to ensure that patients will be provided with timely access to their medical records. There were no confirmed HIPAA enforcement actions by state Attorneys General in June.

The post June 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

A Kaseya KSA supply chain attack has affected dozens of its managed service provider (MSP) clients and saw REvil ransomware pushed out to MSPs and their customers. Kaseya is an American software company that develops software for managing networks, systems, and information technology infrastructure. The software is used to provide services to more than 40,000 organizations worldwide.

The REvil ransomware gang gained access to Kaseya’s systems, compromised the Kaseya’s VSA remote monitoring and management tool, and used the software update feature to install ransomware. The Kaseya VSA tool is used by MSPs to monitor and manage their infrastructure.

It is not clear when the ransomware gang gained access to Kaseya’s systems, but ransomware was pushed out to customers when the software updated on Friday July 2. The attack was timed to coincide with the July 4th holiday weekend in the United States, when staffing levels were much lower and there was less chance of the attack being detected and blocked before the ransomware payload was deployed.

Fast Response Limited Extent of the Attack

The fast response of Kaseya limited the extent of the attack. Over the weekend, Kaseya’s chief executive, Fred Voccola, said the software update was pushed out to around 40 customers and only affected on-premise customers who were running their own data centers and that its cloud-based services were not affected. The number of affected customers is now thought to be closer to 60.

Many of the victims were MSPs. In addition to their systems being encrypted, ransomware code was pushed out to their clients. More than 1,000 MSP clients are known to have been affected and had REvil ransomware installed. Sophos has reported that it is aware of 70 MSPs that have been affected, along with around 350 companies that use their services.

Kaseya has been issuing regular updates since the attack. In a Sunday morning update, Kaseya said there had been no further compromises since the Saturday evening report which suggests the measures implemented following the discovery of the attack have been successful. While no further ransomware attacks are believed to be occurring, the victim count will undoubtedly grow over the coming days.

When the attack was detected, Kaseya shut down its hosted and SaaS VSA servers and told all customers to switch off their own VSA servers while the attack was mitigated. Customers have been told to keep the servers switched off until further notice. Kaseya is working closely with CISA, the FBI, and cybersecurity forensics firms to investigate the incident and to determine the extent of the attack.

“Our security, support R&D, communications, and customer teams continue to work around the clock in all geographies through the weekend to resolve the issue and restore our customers to service,” said Kaseya in a July 4, 2021, statement about the attack. “We are in the process of formulating a staged return to service of our SaaS server farms with restricted functionality and a higher security posture (estimated in the next 24–48 hours but that is subject to change) on a geographic basis. More details on both the limitations, security posture changes, and time frame will be in the next communique later today.”

Supply chain attacks such as this can have a huge impact globally. Attackers compromise one company, then gain access to the networks of thousands of others, as was the case with the SolarWinds Orion supply chain attack in 2020. In that attack, malware was distributed through the software update mechanism which gave the attackers access to the systems of around 18,000 companies that received the update.

Kaseya Was Developing Patches for the Exploited Vulnerabilities

The REvil ransomware gang gained access to Kaseya’s systems by exploiting recently discovered vulnerabilities that had been reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD). Those vulnerabilities had not been publicly disclosed and Kaseya was in the process of developing patches to correct the vulnerabilities when the REvil gang struck.

“Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch,” said Victor Gevers, chairman of DIVD.

Kaseya said patches are being developed to correct the flaws and will be released as soon as possible.

One of the Largest Ransomware Attacks to Date

The REvil gang is believed to operate out of Eastern Europe or Russia and is one of the most prolific ransomware-as-a-service operations. Recent attacks conducted by the gang include JBS Foods, computer giant Acer, Pan-Asian retail giant Dairy Farm, UK clothing company French Connection (FCUK), French pharmaceutical company Pierre Fabre, and Brazilian healthcare company Grupo Fleury to name but a few. The latest attack is one of the largest ransomware attacks ever seen.

The gang is known to exfiltrate data prior to file encryption and demands payment of a ransom for the keys to decrypt encrypted files and to prevent the exposure or sale of data stolen in the attack. It is currently unclear if these attacks involved data theft.

Businesses and organizations affected by the latest attack have been issued with ransom demands ranging from $50,000 to $5 million according to Sophos malware analyst Mark Loman and Emsisoft CTO Fabian Wosar. The REvil gang has asked for a payment of $70 million to supply a universal decryptor that will unlock all systems that have been encrypted in the attack.

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour,” wrote the gang on its data leak site.

“We have been advised by our outside experts, that customers who experienced ransomware and receive a communication from the attackers should not click on any links - they may be weaponized,” said Kaseya.

President Biden Orders Federal Investigation

After learning of the attack, U.S. President Joe Biden ordered federal intelligence agencies to investigate the incident, stating on Saturday that it was unclear who was responsible for the attack. President Biden spoke with Vladamir Putin at the June 16 Geneva summit and urged him to crack down on cybercriminal gangs operating out of Russia and warned of consequences should the ransomware attacks continue. “The initial thinking was it was not the Russian government but we’re not sure yet,” President Biden told reporters on a Saturday visit to Michigan. He also confirmed the U.S. would respond if it is determined Russia was to blame for the attack.

CISA Issues Guidance for MSPs and MSP Customers Affected by the Kaseya VSA Supply Chain Attack

Kaseya issued a Compromise Detection Tool on July 3, 2021, which was rolled out to around 900 customers. The tool can be used to quickly determine if a customer’s VSA server has been compromised in the attack. The U.S. Cybersecurity and Infrastructure Security Agency is urging all Kaseya MSP customers to download and run the Compromise Detection Tool as soon as possible.

Kaseya MSP customers have also been advised to enable and enforce multi-factor authentication on every single account and, as far as is possible, to enable and enforce MFA for customer-facing services.

CISA also says MSPs should “implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.”

MSP customers affected by the attack have been advised to implement cybersecurity best practices, especially MSP customers who do not currently have their RMM service running due to the Kaseya attack. CISA recommends the following measures:

• Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
• Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
• Implement:
  • Multi-factor authentication; and
  • Principle of least privilege on key network resources admin accounts.

The post Kaseya KSA Supply Chain Attack Sees REvil Ransomware Sent to 1,000+ Companies appeared first on HIPAA Journal.