Healthcare Data Privacy

April 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

April was another particularly bad month for healthcare data breaches with 62 reported breaches of 500 or – the same number as March 2021. That is more than 2 reported healthcare data breaches every day, and well over the 12-month average of 51 breaches per month.

Healthcare data breaches in the past 12 months

High numbers of healthcare records continue to be exposed each month. Across the 62 breaches, 2,583,117 healthcare records were exposed or compromised; however, it is below the 12-month average of 2,867,243 breached records per month. 34.4 million healthcare records have now been breached in the past 12 months, 11.2 million of which were breached in 2021.

Healthcare records breached in the past 12 months

Largest Healthcare Data Breaches Reported in April 2021

There were 19 reported data breaches in April that involved more than 10,000 records, including 7 that involved more than 100,000 records with all but one of the top 10 data breaches due to hacking incidents.

Ransomware attacks continue to occur at high levels, with many of the reported attacks affecting business associates of HPAA-covered entities. These incidents, which include attacks on Netgain Technologies, Accellion, and CaptureRX, have affected multiple healthcare provider clients.

The majority of ransomware attacks now involve data theft prior to file encryption, with the stolen data used as leverage to get breach victims to pay. Large quantities of data are stolen in the attacks. The top three data breaches of the month all involved the use of ransomware and involved 1.3 million healthcare records.

There has been some positive news this month. In the wake of the ransomware attack on Colonial Pipeline, multiple ransomware gangs appear to have ceased operations and at least two have now taken the decision not to attack healthcare organizations. This news should naturally be taken with a large pinch of salt, as similar promises were made by certain ransomware gangs at the start of the pandemic and attacks continued at high levels.

Name of Covered Entity Covered Entity Type Business Associate Involvement Individuals Affected Type of Breach Reported Cause of Breach
Trinity Health Business Associate Yes 586,869 Hacking/IT Incident Ransomware (Accellion)
Bricker & Eckler LLP Business Associate Yes 420,532 Hacking/IT Incident Ransomware
Health Center Partners of Southern California Business Associate Yes 293,516 Hacking/IT Incident Ransomware (Netgain Technologies)
Total Health Care Inc. Health Plan No 221,454 Hacking/IT Incident Phishing
Wyoming Department of Health Health Plan No 164,010 Unauthorized Access/Disclosure Exposure of PHI over Internet
Home Medical Equipment Holdco, LLC Healthcare Provider No 153,013 Hacking/IT Incident Phishing
Health Aid of Ohio, Inc. Healthcare Provider No 141,149 Hacking/IT Incident Unspecified hacking and data exfiltration attack
Woodholme Gastroenterology Healthcare Provider No 50,000 Hacking/IT Incident Unspecified hacking and data exfiltration attack
Neighborhood Healthcare Healthcare Provider Yes 45,200 Hacking/IT Incident Ransomware (Netgain Technologies)
Crystal Lake Clinic PC Healthcare Provider No 37,331 Hacking/IT Incident Not confirmed
RiverSpring Health Plans Health Plan No 31,195 Hacking/IT Incident Phishing
Middletown Medical Imaging Healthcare Provider No 29,945 Hacking/IT Incident Exposure of PHI over Internet
St. John’s Well Child and Family Center, Inc. Healthcare Provider No 29,030 Hacking/IT Incident Unspecified hacking and data exfiltration attack
MailMyPrescriptions.com Pharmacy Corporation Healthcare Provider No 24,037 Hacking/IT Incident Phishing
Squirrel Hill Health Center Healthcare Provider No 23,869 Hacking/IT Incident Malware
Eastern Shore Rural Health System Inc. Healthcare Provider Yes 23,282 Unauthorized Access/Disclosure Not confirmed
Faxton St. Luke’s Healthcare Healthcare Provider Yes 17,656 Hacking/IT Incident Ransomware (CaptureRX)
Midwest Transplant Network, Inc. Healthcare Provider No 17,580 Hacking/IT Incident Ransomware
Baptist Health Arkansas Healthcare Provider Yes 16,765 Hacking/IT Incident Hacking of business associate (Foley & Lardner, LLP)

Causes of April 2021 Healthcare Data Breaches

Hacking/IT incidents, which include malware and ransomware attacks, dominated the breach reports in April 2021 and accounted for 67.74% of all reported breaches (42 incidents). These incidents involved 85.93% of all breached records in April. The mean breach size was 52,851 records and the median breach size was 6,563 records.

There were 17 incidents classed as unauthorized access/disclosures involving 358,870 records – 13.89% of all records breached in April. The mean breach size was 21,110 records and the median breach size was 2,704 records.

Loss and theft incidents continue but only at very low levels. There were just two reported cases of theft of devices containing PHI and one loss incident reported. 4,500 records were breached in these 3 incidents.

April 2021 Healthcare Data Breach causes

Network server incidents, most of which involved ransomware or malware, have overtaken phishing as the main cause of healthcare data breaches, although it should be noted that phishing emails are often the root cause of many ransomware attacks. There were 19 reported incidents involving PHI in email accounts, the majority of which were due to phishing or other forms of credential theft. One of the largest reported breaches in April was due to phishing and resulted in the exposure and potential theft of the PHI of 221,454 individuals.

April 2021 Healthcare Data Breaches - location of PHI

According to the Verizon 2021 Data Breach Investigations Report, phishing attacks increased globally by 11% in 2020 and ransomware attacks increased by 6%. The report shows insider breaches in healthcare have continued to fall and are now not even in the top three breach causes. In 2020, 61% of healthcare data breaches were due to external threat actors and 39% were caused by insiders.

April 2021 Healthcare Data Breaches by Covered Entity Type

Healthcare providers were the worst affected covered entity with 30 data breaches of 500 or more records reported by the provider and a further 13 reported by a vendor. Business associate data breaches continue to be reported at high levels. There were 24 breaches involving business associates, with 10 of those breaches reported by the covered entity. 9 branches were reported by health plans in April, with one breach affecting a health plan reported by its business associate.

States Affected by Healthcare Data Breaches

HIPAA-covered entities and business associates based in 28 states reported breaches of protected health information in April. California was the worst affected state with 7 breaches reported followed by Michigan and Texas with 5 breaches. Florida, New York, and Wisconsin had 4 breaches, and there were 3 reported breaches in Massachusetts and Ohio.

Wyoming, the least populated U.S. state, only had one reported breach, but it affected a quarter of state residents.

State No. Reported Data Breaches
California 7
Michigan and Texas 5
Florida, New York, & Wisconsin 4
Massachusetts & Ohio 3
Georgia, Illinois, Minnesota, Missouri, New Mexico, Pennsylvania, and Vermont 2
Alabama, Arkansas, Colorado, Kansas, Maryland, Montana, North Carolina, New Hampshire, New Jersey, Oregon, Tennessee, Virginia, & Wyoming 1

HIPAA Enforcement Activity in April 2021

It has been a busy year of HIPAA enforcement by the HHS’ Office for Civil Rights with 6 financial penalties imposed to resolve violations of the HIPAA Rules; however, there were no new settlements or civil monetary penalties announced in April, nor any enforcement actions by state Attorneys General.

 

The post April 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall

Posted by HIPAA Journal

2020 was certainly not a typical year. The pandemic placed huge pressures on IT security teams and businesses were forced to rapidly accelerate their digital transformation plans and massively expand their remote working capabilities. Cyber actors seized the opportunities created by the pandemic and exploited vulnerabilities in security defenses to gain access to business networks and sensitive data.

In 2020, phishing and ransomware attacks increased, as did web application attacks, according to the recently published Verizon 2021 Data Breach Investigations Report. The report provides insights into the tactics, techniques and procedures used by nation state actors and cybercriminal groups and how these changed during the pandemic.

To compile the Verizon 2021 Data Breach Investigations Report, the researchers analyzed 79,635 incidents, of which 29,207 met the required quality standards and included 5,258 confirmed data breaches in 88 countries – one third more data breaches than the previous year’s DBIR.

2020 saw an 11% increase in phishing attacks, with cases of misrepresentation such as email impersonation attacks at 15 times the level of 2019. There was a 6% increase in ransomware attacks, with 10% of all data breaches in 2020 involving the use of ransomware – Twice the level of the previous year.

Across all industry sectors, phishing was the main cause of data breaches and was involved in 36% of incidents. The researchers attributed the increase in phishing attacks to the pandemic, with COVID-19 and other related pandemic lures extensively used in targeted attacks on at-home workers. While phishing attacks and the use of stolen credentials are linked, the researchers found attacks involving stolen credentials were similar to the level of the previous year and were involved in 25% of breaches. Exploitation of vulnerabilities was also common, but in most cases it was not new vulnerabilities being exploited but vulnerabilities for which patches have been available for several months or years.

The increase in remote working forced businesses to move many of their business functions to the cloud and securing those cloud resources proved to be a challenge. Attacks on web applications accounted for 39% of all data breaches, far higher than the previous year. Attacks on external cloud assets were much more common than attacks on on-premises assets.

61% of data breaches involved credential theft, which is consistent with previous data breach investigation reports and 85% of data breaches involved a human element. In the majority of cases (80%), data breaches were discovered by a third party rather than the breached entity.

There were considerable variations in attacks and data breaches across the 12 different industry verticals represented in the report. In healthcare, human error continued to be the main cause of data breaches, as has been the case for the past several years. The most common cause of data breaches in misdelivery of paper and electronic documents (36%), but this was far higher in the financial sector (55%). In public administration, the main cause of data breaches was social engineering, such as phishing attacks to obtain credentials.

Healthcare Data Breaches in 2020. Source: Verizon 2021 Data Breach Investigations Report

Verizon analyzed 655 healthcare security incidents, which included 472 data breaches. 221 incidents involved malware, 178 hacking, 137 human error, and 106 social attacks. For the second consecutive year, incidents involving malicious insiders have fallen out of the top three attack types. While it is certainly good news that the number of malicious insider incidents is falling, that does not mean that these incidents are no longer occurring. It could indicate malicious insiders are able to cover their tracks much better. Attacks by external threat actors significantly increased, with healthcare industry cyberattacks commonly involving the use of ransomware. 61% of incidents were the work of external threat actors and 39% were internal data breaches.

Interestingly, considering the value of medical data on the black market, medical data was not the most commonly breached data type. Medical data was breached in 55% of data breaches, with personal data breached in 66% of incidents.  32% of breached involved the theft of credentials. Verizon suggests that could be due to the opportunistic nature of attacks by external threat actors. “With the increase of External actor breaches, it may simply be that the data taken is more opportunistic in nature. If controls, for instance, are more stringent on Medical data, an attacker may only be able to access Personal data, which is still useful for financial fraud. Simply put, they may take what they can get and run.

Breach detection has been steadily improving since 2016, when the majority of data breaches took months or more to identify. The majority of data breaches are now being discovered in days or less, although most commonly not by the breached entity.  80% of data breaches were identified by a third party.

The cost of a data breach is now estimated to be $21,659 on average, with 95% of data breaches having a financial impact of between $826 and $653,587.

The post Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall appeared first on HIPAA Journal.

Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes

Posted by HIPAA Journal

Several healthcare groups have expressed concern about the HIPAA Privacy Rule changes proposed by the Department of Health and Human Services (HHS) in December 2020 and published in the Federal Register in January. The HHS has received comments from more than 1,400 individuals and organizations and will now review all feedback before issuing a final rule or releasing a new proposed rule.

There have been calls for changes to the HIPAA Privacy Rule to be made to align it more closely with other regulations, such as the 21st Century Cures Act, the 42 CFR Part 2 regulations covering federally assisted substance use disorder (SUD) treatment programs, and for there to be greater alignment with state health data privacy laws. Some of the proposed HIPAA Privacy Rule changes are intended to remove barriers to data sharing for care coordination, but the changes may still conflict with state laws, especially in relation to SUD treatment. There is concern that poor alignment with other regulations could be a major cause of confusion and could create new privacy and security risks.

Another area of concern relates to personal health applications (PHA). The HHS has defined PHAs, but many groups and organizations have voiced concern about the privacy and security risks associated with sending protected health information (PHI) to these unregulated apps. PHAs fall outside the scope of HIPAA, so any PHI that a covered entity sends to a PHA at the request of a patient could result in a patient’s PHI being used in ways not intended by the patient. A patient’s PHI could also easily be accessed and used by third parties.

PHAs may not have robust privacy and security controls since compliance with the HIPAA Security Rule would not be required. There is no requirement for covered entities to enter into business associate agreements with PHA vendors, and secondary disclosures of PHI would not be restricted by the HIPAA Privacy Rule.

“Personal health applications should be limited to applications that do not permit third-party access to the information, include appropriate privacy protections and adequate security and are developed to correctly present health information that is received from electronic health records,” suggested the American Hospital Association in its feedback to the HHS.

The College of Healthcare Information Management Executives (CHIME) has voiced concerns about the proposal for covered entities to require PHAs to register before providing patient data, and how covered entities would be required to respond when a patient requested their health information to be sent to a PHA that does not have appropriate privacy and security protections. For instance, if a patient requested their PHI be sent to a PHA developed by nation state actor, whether providers would still be required to send PHI at the request of a patient. Concern has also been raised about the growing number of platforms that exchange PHI that fall outside the scope of HIPAA.

One of the proposed changes relates to improving patients’ access to their health data and shortening the time to provide that information from 30 to 15 days. The Association for Behavioral Health and Wellness (ABHW) and CHIME have both voiced concerns about the shortening of the timeframe for honoring patient requests for their healthcare data, as this will place a further administrative burden on healthcare providers, especially during the pandemic. CHIME said it may not be possible to provide PHI within this shortened time frame and doing so may well add costs to the healthcare system. CHIME has requested the HHS document when exceptions are allowed, such as in cases of legal disputes and custody cases. ABHW believes the time frame should not be changed and should remain as 30 days.

It is likely that if the final rule is issued this year, it will be necessary for organizations to ensure compliance during the pandemic, which could prove to be extremely challenging. ABHW has recommended delaying the proposed rule for an additional year to ease the burden on covered entities. CHIME has suggested the HHS should not issue a final rule based on the feedback received, but instead reissue the questions raised in the proposed rule as a request for information and to host a listening session to obtain more granular feedback and then enter into a dialogue about the proposed changes.

The post Healthcare Groups Raise Concern About the Proposed HIPAA Privacy Rule Changes appeared first on HIPAA Journal.

Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause

Posted by HIPAA Journal

Network intrusion incidents have overtaken phishing as the leading cause of healthcare data security incidents, which has been the main cause of data breaches for the past 5 years.

In 2020, 58% of the security incidents dealt with by BakerHostetler’s Digitial Assets and Data Management (DADM) Practice Group were network intrusions, most commonly involving the use of ransomware.

This is the 7th consecutive year that the BakerHostetler 2021 Data Security Incident Response (DSIR) Report has been published. The report provides insights into the current threat landscape and offers risk mitigation and compromise response intelligence to help organizations better defend against attacks and improve their incident response. The report is based on the findings of more than 1,250 data security incidents managed by the company in 2020, which included a wide variety of attacks on healthcare organizations and their vendors.

Ransomware attacks are now the attack method of choice for many cybercriminal organizations and have proven to be very profitable. By exfiltrating data prior to encryption, victims not only have to pay to recover their files, but also to prevent the exposure or sale of sensitive data. This new double extortion tactic has been very effective and data exfiltration prior to file encryption is now the norm. Throughout 2020, ransomware attacks continued to grow in frequency and severity.

BakerHostetler reports that the ransoms demanded and the number being paid increased dramatically in 2020, as did the number of threat groups/ransomware variants involved in the attacks. In 2019, there were just 15. In 2020, the number had grown to 75.

Out of the incidents investigated and managed by BakerHostetler in 2020, the largest ransom demand was for more than $65 million. The largest ransom demand in 2019 was ‘just’ $18 million. Payments are often made to speed up recovery, ensure data are recovered, and to prevent the sale or exposure of data. In 2020, the largest ransom paid was more than $15 million – up from just over $5 million in 2019 – and the average ransom payment more than doubled from $303,539 in 2019 to $797,620 in 2020.

In healthcare, the average initial ransom demand was $4,583,090 with a median ransom demand of $1.6 million. The average payment was $910,335 (median $332,330), and the average number of individuals affected was 39,180 (median 1,270). The average time to acceptable restoration of data was 4.1 days and the average forensic investigation cost was $58,963 (median $25,000).

Across all industry sectors, 70% of ransom notes claimed sensitive data had been stolen and 90% of investigations found some evidence of data exfiltration. 25% of incidents resulted in theft of data that required notifications to be issued to individuals. 20% of victims made a payment to the attackers even though they were able to recover their data from backups.

When ransoms are paid, in 99% of cases the payment was made by a third party for the affected organization and in 98% of cases a valid encryption key was provided to allow data to be recovered. It took an average of 13 days from encryption to restoration of data.

Phishing accounted for 24% of all security incidents. Phishing attacks often led to network intrusion (33%), ransomware attacks (26%), data theft (24%), and Office 365 account takeovers (21%).

“In 2020 we saw a continued surge in ransomware as well as an increase in large supply chain matters, further stretching the capacity of the incident response industry,” said Theodore J. Kobus III, chair of BakerHostetler’s DADM Practice Group “Organizations worked to quickly contain incidents – despite challenges in simply getting passwords changed and endpoint, detection and response tools deployed to remote workers.”

It is more common now for legal action to be taken by breach victims. The trend for lawsuits being filed when breaches impact fewer than 100,000 individuals continued to increase in 2020, which is driving up the data breach cost. HIPAA enforcement activity also continued at elevated levels, although in 2020 the majority of the financial penalties issued were for HIPAA Right of Access failures, rather than fines related to security breaches.

The post Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause appeared first on HIPAA Journal.

March 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

There was a 38.8% increase in reported healthcare data breaches in March. 62 breaches of 500 or more records reported to the HHS’ Office for Civil Rights, with hacking incidents dominating the breach reports. The high number of reported breaches is largely due to an increase in data breaches at business associates.

Healthcare data breaches in the past 12 months

The number of breached records also increased sharply with 2,913,084 healthcare records exposed or impermissibly disclosed across those 62 incidents; an increase of 135.89% from February.

Breached healthcare records in the past 12 months

Largest Healthcare Data Breaches Reported in March 2021

The table below shows the 25 largest healthcare data breaches to be reported in March, all of which were hacking/IT incidents. 76% involved compromised network servers with the remaining 24% involving breaches of email accounts. 60% of these breaches involved business associates.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached Information
Health Net Community Solutions Health Plan 686,556 Hacking/IT Incident Network Server
Health Net of California Health Plan 523,709 Hacking/IT Incident Network Server
Woodcreek Provider Services LLC Business Associate 207,000 Hacking/IT Incident Network Server
Trusted Health Plans, Inc. Health Plan 200,665 Hacking/IT Incident Network Server
Apple Valley Clinic Healthcare Provider 157,939 Hacking/IT Incident Network Server
Saint Alphonsus Health System Healthcare Provider 134,906 Hacking/IT Incident Email
The Centers for Advanced Orthopaedics Healthcare Provider 125,291 Hacking/IT Incident Email
Cancer Treatment Centers of America at Midwestern Regional Medical Center Healthcare Provider 104,808 Hacking/IT Incident Email
SalusCare Healthcare Provider 85,000 Hacking/IT Incident Email
California Health & Wellness Health Plan 80,138 Hacking/IT Incident Network Server
Mobile Anesthesiologists Healthcare Provider 65,403 Hacking/IT Incident Network Server
Trillium Community Health Plan Health Plan 50,000 Hacking/IT Incident Network Server
PeakTPA Business Associate 50,000 Hacking/IT Incident Network Server
Sandhills Medical Foundation, Inc. Healthcare Provider 39,602 Hacking/IT Incident Network Server
ProPath Services, LLC Healthcare Provider 39,213 Hacking/IT Incident Email
BioTel Heart Healthcare Provider 38,575 Hacking/IT Incident Network Server
Healthgrades Operating Company, Inc. Business Associate 35,485 Hacking/IT Incident Network Server
The New London Hospital Association, Inc. Healthcare Provider 34,878 Hacking/IT Incident Network Server
La Clinica de La Raza, Inc. (La Clinica) Healthcare Provider 31,132 Hacking/IT Incident Network Server
Arizona Complete Health Health Plan 27,390 Hacking/IT Incident Network Server
Health Net Life Insurance Company Health Plan 26,637 Hacking/IT Incident Network Server
Colorado Retina Associates, P.C. Healthcare Provider 26,609 Hacking/IT Incident Email
Haven Behavioral Healthcare Business Associate 21,714 Hacking/IT Incident Network Server
Health Prime International Business Associate 17,562 Hacking/IT Incident Network Server
CalViva Health Health Plan 15,287 Hacking/IT Incident Network Server

 

Causes of March 2021 Healthcare Data Breaches

43 breaches – 69.35% of the month’s total – were the result of hacking/IT incidents such as compromised network servers and email accounts. Hacking incidents accounted for 98.43% of all records breached in March – 2,867,472 records. The average breach size was 66,685 records and the median breach size was 26,609 records.  17 unauthorized access/disclosure incidents were reported in March (27.42% of breaches) and 44,395 records were breached in those incidents – 1.52% of the month’s total. The average breach size was 2,611 records and the median breach size was 1,594 records. There was one theft incident reported involving 500 healthcare records and one loss incident that affected 717 individuals.

causes of March 2021 healthcare data breaches

Many of the reported breaches occurred at business associates of HIPAA covered entities, with those breaches impacting multiple healthcare clients. Notable business associate data breaches include a cyberattack on Accellion that affected its file transfer appliance. Hackers exploited vulnerabilities in the appliance and stole client files. A ransom was demanded by the attackers and threats were issued to publish the stolen data if payment was not made. The two largest data breaches of the month were due to this incident.

Several healthcare organizations were affected by a ransomware attack on business associate Netgain Technology LLC, including the 3rd and 5th largest breaches reported in March. Med-Data suffered a breach that affected at least 5 covered entities. This incident involved an employee uploading files containing healthcare data to a public facing website (GitHub).

 

The most common location of breached protected health information was network servers, many of which were due to ransomware attacks or other malware infections. Email accounts were the second most common location of breached PHI, which were mostly accessed following responses to phishing emails.

March 2021 healthcare data breaches - location PHI

Covered Entities Reporting Data Breaches in March 2021

Healthcare providers were the worst affected covered entity with 40 reported breaches and 15 breaches were reported by health plans, with the latter increasing 200% from the previous month. While only 5 data breaches were reported by business associates of covered entities, 30 of the month’s breaches – 48.39% – involved business associates but were reported by the covered entity. That represents a 200% increase from February.

March 2021 healthcare data breaches - breached entity

Distribution of March 2021 Healthcare Data Breaches

There was a large geographical spread of data breaches, with covered entities and business associates in 30 states affected. California was the worst affected state with 11 data breaches reported. There were 5 breaches reported in Texas, 4 in Florida and Massachusetts, 3 in Illinois and Maryland, 2 in each of Arkansas, Arizona, Michigan, Minnesota, Missouri, Ohio, and Pennsylvania, and one breach was reported in each of Alabama, Colorado, Connecticut, Georgia, Idaho, Kansas, Louisiana, Montana, New Hampshire, Nevada, Oregon, South Carolina, Tennessee, Utah, Washington, Wisconsin, and West Virginia.

HIPAA Enforcement Activity in March 2021

The HHS’ Office for Civil Rights announced two further settlements to resolve HIPAA violations in March, both of which involved violations of the HIPAA Right of Access. These two settlements bring the total number of financial penalties under OCR’s HIPAA Right of Access enforcement initiative to 18.

Arbour Hospital settled its case with OCR and paid a $65,000 financial penalty and Village Plastic Surgery settled its case and paid OCR $30,000. Both cases arose from complaints from patients who had not been provided with timely access to their medical records.

The post March 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

Iranian APT Group Linked to Spear Phishing Campaign Targeting Senior Staffers at Medical Research Firms

Posted by HIPAA Journal

The Advanced Persistent Threat (APT) group Charming Kitten has been linked to a spear phishing campaign conducted in late 2020 targeting senior professionals at medical research organizations in the United States and Israel by security firm Proofpoint.

Charming Kitting, aka Phosphorus, Ajax, and TA453, is an APT group with links to the Islamic Revolutionary Guard Corps (IRCG) in Iran. Charming Kitting has been active since at least 2014 and is primarily involved in espionage campaigns involving spear phishing attacks and custom malware. The attacks previously linked to the APT group have been on dissidents, academics, and journalists, so the latest spear phishing campaign targeting medical research organizations is a departure from the group’s usual targets.

The phishing campaign, dubbed BadBlood, attempted to steal Microsoft Office credentials and coincided with growing tensions between Iran, the United States, and Israel. It is unclear at this stage whether the targeting of very senior professionals in medical research firms is part of a wider campaign or was simply an outlier event. The researchers suspect the latter to be the case and the groups was attempting to obtain specific types of intelligence.

The campaign was detected in December 2020, around a month after the U.S Department of Justice seized 27 website domains operated by IRCG that were being used for covert campaigns that attempted to influence events in the United States and other countries.

The spear phishing campaign involved emails from a Gmail account that impersonated a prominent Israeli physicist, Daniel Zajfman. The emails had the subject line “Nuclear weapons at a glance: Israel” and social engineering methods were used to convince the recipients to click a link in the emails and visit a Charming Kitten domain that spoofed Microsoft OneDrive. An image of a PDF file was hosted on the landing page stating that the file could not be opened. Clicking the image directed the individual to web page with a fake Microsoft Office login prompt that harvested credentials. After credentials were stolen, the victim was redirected to a page containing a document with the same title as the email with content related to that topic.

Proofpoint researchers were unable to determine what Charming Kitten did with the stolen credentials, but they point out that previous phishing campaigns conducted by the group have resulted in the contents of compromised email accounts being exfiltrated by the APT group and the accounts used in further phishing campaigns.

The researchers suggest the attackers appear to have a mission to gain access to information related to genetics, oncology, and neurology, that they were also seeking access to patient data, and they wanted to obtain credentials for use in further phishing campaigns. This was a highly targeted campaign that attempted to obtain the credentials of fewer than 25 senior-level staffers at medical research organizations.

“While targeting medical experts in genetics, neurology and oncology may not be a lasting shift in TA453 targeting, it does indicate at least a temporary change in TA453 collection priorities. BadBlood is aligned with an escalating trend globally of medical research being increasingly targeted by espionage motivated focused threat actors,” said Proofpoint’s Joshua Miller.

The post Iranian APT Group Linked to Spear Phishing Campaign Targeting Senior Staffers at Medical Research Firms appeared first on HIPAA Journal.

February 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

The was a 40.63% increase in reported data breaches of 500 or more healthcare records in February 2021. 45 data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights by healthcare providers, health plans and their business associates in February, the majority of which were hacking incidents.

Healthcare Data Breaches Past 12 Months

After two consecutive months where more than 4 million records were breached each month there was a 72.35% fall in the number of breached records. 1,234,943 records were exposed, impermissibly disclosed, or stolen across the 45 breaches.

Healthcare Records Breached Past 12 Months

Largest Healthcare Data Breaches Reported in February 2021

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach
The Kroger Co. OH Healthcare Provider 368,100 Hacking/IT Incident Ransomware
BW Homecare Holdings, LLC (Elara Caring single affiliated covered entity) TX Healthcare Provider 100,487 Hacking/IT Incident Phishing
RF EYE PC dba Cochise Eye and Laser AZ Healthcare Provider 100,000 Hacking/IT Incident Ransomware
Gore Medical Management, LLC GA Healthcare Provider 79,100 Hacking/IT Incident Hacking incident
Summit Behavioral Healthcare TN Healthcare Provider 70,822 Unauthorized Access/Disclosure Phishing
Humana Inc KY Health Plan 62,950 Unauthorized Access/Disclosure Subcontractor shared PHI without consent
Nevada Orthopedic & Spine Center NV Healthcare Provider 50,000 Hacking/IT Incident Unconfirmed
Fisher Titus Health, Inc. OH Health Plan 49,636 Hacking/IT Incident Phishing
Covenant HealthCare MI Healthcare Provider 47,178 Hacking/IT Incident Phishing
UPMC PA Healthcare Provider 36,086 Hacking/IT Incident Phishing attack on BA
Grand River Medical Group IA Healthcare Provider 34,000 Hacking/IT Incident Phishing
AllyAlign Health, Inc. VA Health Plan 33,932 Hacking/IT Incident Ransomware
Harvard Eye Associates CA Business Associate 29,982 Hacking/IT Incident Ransomware attack on BA
Texas Spine Consultants, LLP TX Healthcare Provider 25,728 Unauthorized Access/Disclosure Unconfirmed
UPMC Health Plan PA Health Plan 19,000 Hacking/IT Incident Phishing attack on BA

Causes of February 2021 Healthcare Data Breaches

Three breaches of more than 100,000 record were reported in February. The largest healthcare data breach of the month was reported by Kroger, an Ohio-based chain of supermarkets and pharmacies. The breach was due to a CLOP ransomware attack on a vendor – Accellion – that resulted in the theft of the protected health information of 368,100 of its customers. Kroger was one of several HIPAA-covered entities to be affected by the breach.

Elara Caring, one of the nation’s largest providers of home-based care, announced that several employee email accounts containing protected health information had been accessed by unauthorized individuals as a result of responses to phishing emails. Cochise Eye and Laser was also the victim of a ransomware attack in which the protected health information of 100,000 individuals was potentially stolen.

February 2021 Healthcare Data Breaches - Causes

Phishing attacks were the most common cause of data breaches in February, with network server incidents in close second. These mostly involved hacking and the deployment of malware or ransomware. Hacking incidents accounted for 71.1% of the month’s breaches and 85.7% of all records breached in the month. The average size of a hacking breach was 30,239 records and the median breach size was 8,849 records.

There were 10 unauthorized access/disclosure incidents reported in February involving 172,799 records. The average breach size was 17,280 records and the median breach size was 2,497 records. There were 2 theft incidents and 1 reported loss incident reported involving a total of 3,773 records, all three of which involved paper records.

February 2021 Healthcare Data Breaches - Location of breached PHI

Entities Reporting Healthcare Data Breaches in February 2021

Healthcare providers were the worst affected covered entity type in February, with 35 breaches reported. There were 5 breaches reported by health plans and 5 reported by business associates of HIPAA-covered entities. A further 5 breaches were reported by the covered entity but had some business associate involvement.

Entities affected by February 2021 healthcare data breaches

Healthcare Data Breaches by State

Healthcare data breaches of 500 or more records were reported in 20 states in February 2021. The worst affected states were California and Texas with six breaches reported in each state. 5 entities in Pennsylvania reported breaches, there were 4 breaches reported in Florida and Michigan, 2 in each of North Carolina, Nevada, Ohio, Tennessee, and Virginia, and 1 in each of Arizona, Colorado, Georgia, Iowa, Kentucky, Louisiana, Minnesota, North Dakota, Utah, and Wyoming.

HIPAA Enforcement Activity in February 2021

In February, the HHS’ Office for Civil Rights announced two settlements had been reached with HIPAA-covered entities to resolve potential violations of the HIPAA Rules. Both enforcement actions were in response to complaints from patients who had not been provided with timely access to their medical records.

OCR launched a new enforcement initiative in late 2019 targeting healthcare providers who were not complying with the HIPAA Right of Access provision of the HIPAA Privacy Rule. Three Right of Access enforcement actions have resulted in settlements so far in 2021, and the latest two bringing the total number of settlements under this enforcement initiative to 16.

Sharpe Healthcare settled its case with OCR and paid a $70,000 penalty and Renown Health settled its case for $75,000.

The post February 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches

Posted by HIPAA Journal

2021 was a challenging year for healthcare organizations. Not only was the industry on the frontline in the fight against COVID-19, hackers who took advantage of overrun hospitals to steal data and conduct ransomware attacks.

The 2021 Breach Barometer Report from Protenus shows the extent to which the healthcare industry suffered from cyberattacks and other breaches in 2020. The report is based on 758 healthcare data breaches that were reported to the HHS’ Office for Civil Rights or announced via the media and other sources in 2020, with the data for the report provided by databreaches.net.

The number of data breaches has continued to rise every year since 2016 when Protenus started publishing its annual healthcare breach report. 2020 saw the largest annual increase in breaches with 30% more breaches occurring than 2019. Data was obtained on 609 of those incidents, across which 40,735,428 patient and health plan members were affected. 2020 was the second consecutive year that saw more than 40 million healthcare records exposed or compromised.

Healthcare Hacking Incidents Increased by 42% in 2020

Healthcare hacking incidents increased by 42% in 2020, continuing a 5-year trend that has seen hacking incidents increase each year. 470 incidents were classed as hacking-related breaches, which accounted for 62% of all breaches in the year. 31,080,823 healthcare records were compromised in the 277 incidents where the number of affected individuals is known. Many of the 2020 hacking incidents involved the use of ransomware. Ransomware attacks increased considerably in 2020, with more than double the number of ransomware attacks on healthcare organizations than in 2019.

Surge in Insider Data Breaches in 2020

There has been a four-year decline in insider breaches, but the Protenus report shows insider data breaches increased in 2020. More than 8.5 million records were exposed or compromised in those incidents – more than double the number of breached records by insiders as 2019. In fact, more records were breached by insiders in 2020 than in 2017, 2018, and 2019 combined. In 2020, 1 in 5 data breaches was an insider incident.

Insider breaches include insider errors and insider wrongdoing. 96 breaches involved insider error in 2020, of which data was obtained for 74 of the incidents. There were 45 cases of insider wrongdoing, with data obtained for 30 of the incidents. Errors by employees resulted in the exposure of the protected health information of at least 7,673,363 individuals and insider wrongdoing incidents resulted in the exposure/theft of at least 241,128 records.

Business Associates Often Involved

The number of data breaches involving business associates increased in 2020, with 12% of all breaches having at least some business associate involvement. Business associate breaches resulted in the exposure or theft of more than 24 million patient records, with 55% of all hacking incidents having some business associate involvement along with 25% of insider error incidents. The number of breaches involving business associates could be considerably higher as the researchers were unable to accurately determine if business associates were involved in many of the breaches.

Data Breaches Discovered Faster but Breach Reporting Slower

In 2020 it took an average of 187 days from the breach occurring to discovery by the breached entity, which is a considerable improvement on the 224-day average discovery time in 2019. In 2020, the median discovery time was just 15 days. However, there was considerable variation in discovery times, from almost immediately in some cases to several years after the breach in others.

Reporting on data breaches was slower than in 2019, with the average time for reporting a breach increasing from 80 days in 2019 to 85 days in 2020, with a median time of 60 days – the maximum time allowed for reporting a breach by the HIPAA Breach Notification Rule. The figures were based on just 339 out of the 758 breaches due to a lack of data.

“The current climate has increased risk for health systems as a new trend emerged of at least two data breaches per day, a troubling sign of the continuing vulnerability of patient information, heightened by the pandemic,” explained Protenus in the report. “Healthcare organizations need to leverage technology that allows organizations to maintain compliance priorities in a resource-constrained environment. Hospitals can’t afford the costs often associated with these incidents, as more than three dozen hospitals have filed bankruptcy over the last several months. Non-compliance is not an option.”

The post 2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches appeared first on HIPAA Journal.

Hackers Access Live Feeds and Archived Footage from 150,000 Verkada Security Cameras

Posted by HIPAA Journal

A hacking collective has gained access to the systems of the Californian security camera startup Verkada Inc. and the live feeds and archived footage from almost 150,000 cloud-connected surveillance cameras used by large corporations, schools, police departments, jails, and hospitals.

As initially reported by Bloomberg, Verkada’s systems were accessed by a white hat hacking collective named Advanced Persistent Threat 69420 using credentials they found on the Internet. Those credentials gave the group super admin level privileges, which provided root access to the security cameras and, in some cases, the internal networks of the company’s clients. The hackers also said they were able to obtain the full list of Verkada clients and view the company’s private financial information.

Verkada’s systems were not accessed with a view to conducting any malicious actions, instead the aim was to raise awareness of the ease at which the systems could be hacked. Malicious threat actors could also have easily gained access to the Verkada’s systems for a range of malicious purposes.

Till Kottmann, one of the hackers in the collective, said her collective accessed Verkada systems on March 8, 2021 and had full access for around 36 hours. Since the system was fully centralized, it was easy to access and download camera footage from its clients. Kottmann described the security on Verkada’s systems as “nonexistent and irresponsible.” Kottmann said an internal development system had inadvertently been exposed to the Internet and hard-coded credentials for a system account were stored in an unencrypted subdomain that provided full access.

The hackers were able to use the credentials to login to the web-based systems used by all customers to access their own security cameras, except the super admin privileges allowed them to access the security cameras of all customers.

Footage was obtained from corporate customers including Tesla, Equinox, Cloudflare, and Nissan, along with camera feeds from Madison County Jail in Huntsville, AL, Sandy Hook Elementary School in Newtown, CT and many others.

The security cameras of ICU departments in hospitals could also be accessed, including Halifax Health in Florida and Wadley Regional Medical Center in Texarkana, TX.

Verkada issued a statement about the hacking incident, saying “We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.” All affected customers have now been notified and an investigation into the breach has been launched.

Surveillance Cameras are a Potential Security Risk

The hacking incident should serve as a wake-up call about the dangers of surveillance cameras. While security cameras can improve security, they may also be a security weak point. This incident is certainly notable in terms of scale, buy Verkada is not the only security camera company to have suffered a breach.

In 2020, the threat group behind the Chalubo and FBot botnets – which targets poorly secured IoT devices – was discovered to be exploiting vulnerabilities in CCTV cameras manufactured by Taiwan-based LILIN and using the devices for DDoS attacks.

Also in 2020, vulnerabilities were identified in around 700,000 security cameras including those manufactured by Alptop, Besdersec, COOAU, CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT, and Tenvis which put them at risk of being hacked. The vulnerabilities could be exploited to bypass firewalls and steal passwords. The flaws were present in a P2P solution from Shenzhen Yunni Technology Company that was used by the camera manufacturers.

The post Hackers Access Live Feeds and Archived Footage from 150,000 Verkada Security Cameras appeared first on HIPAA Journal.