Healthcare Data Security

100 Million+ Devices Affected by NAME:WRECK DNS Vulnerabilities

Posted by HIPAA Journal

Researchers at Forescout and JSOF have identified 9 vulnerabilities in Internet-connected devices that could be exploited in denial-of-service and remote code execution attacks. The flaws have been identified in certain implementations of the Domain Name System (DNS) protocol in TCP/IP network communication stacks.

The flaws are mostly due to how parsing of domain names occurs, which can breach DNS implementations, and problems with DNS compression, which devices use to compress data to communicate over the Internet using TCP/IP.

This class of vulnerabilities has been named NAME:WRECK. They affect common IoT and operational technology systems, including FreeBSD, IPnet, Nucleus NET, and NetX. While the use of these IoT/OP systems does not necessarily mean devices are vulnerable, many will be. The researchers suggest that around 1% of IoT devices are likely to be susceptible to the flaws, which is more than 100 million devices worldwide.

Vulnerable devices are used in a range of industry sectors, including healthcare, retail, manufacturing, and the government, with healthcare organizations and government agencies two of the top three worst affected sectors. Fortunately, the vulnerabilities are not straightforward to exploit. A malicious packet must be sent in response to a legitimate DNS request, so exploitation would require a man-in-the-middle attack or the use of an exploit for a different vulnerability between the target device and the DNS server. E.g., DNSpooq.

The 9 vulnerabilities are detailed in the table below, along with the products and TCP/IP stacks affected:

Vulnerability CVE Stack Impact CVSS Score
CVE-2016-20009 IPnet Remote Code Execution 9.8
CVE-2020-15795 Nucleus NET Remote Code Execution 8.1
CVE-2020-27009 Nucleus NET Remote Code Execution 8.1
CVE-2020-27736 Nucleus NET Denial of Service 6.5
CVE-2020-27737 Nucleus NET Denial of Service 6.5
CVE-2020-27738 Nucleus NET Denial of Service 6.5
CVE-2020-25677 Nucleus NET DNS Cache Poisoning 5.3
CVE-2020-7461 FreeBSD Remote Code Execution 7.7
Awaiting CVE NetX Denial of Service 6.5

The flaws range in severity, with the most serious vulnerabilities rated critical. The vulnerabilities can also be chained. For example, with CVE-2020-27009, an attacker can craft a DNS response packet and write arbitrary data in sensitive parts of the memory. CVE-2020-15795 allows the attacker to craft meaningful code to be injected, and CVE-2021-25667 allows a bypass of DNS query-response matching to deliver the malicious packet to the target.

FreeBSD is also used in pfSense firewalls and network appliances such as Check Point IPSO and McAfee SecurOS. NetX is used in wearable patient monitors such as those manufactured by Welch Allyn. Nucleus NET is used extensively in healthcare devices, including ZOLD defibrillators and ZONARE ultrasound machines. The flaw in FreeBSD is of particular concern as the network stack is used in many embedded devices and millions of higher performance IT servers, including those used by major websites such as Yahoo and Netflix.

The flaws could be used for extortion in denial-of-service attacks on mission-critical systems, to steal sensitive data, or could allow modifications to devices to alter functions and could cause significant damage. Since vulnerable devices are used in heating, ventilation, lighting, and security systems, critical building functions could also be tampered with.

While patches have now been released to correct the flaws, applying those patches may be problematic. Many of the vulnerable affected internet-enabled devices are used to control mission-critical applications that are always running and cannot easily be shut down.

Mitigating NAME:WRECK Vulnerabilities

The first stage is to identify all vulnerable devices. Forescout is developing an open-source script that can be used to fingerprint all vulnerable devices. Devices will not be protected until the patches are applied, so after identifying all vulnerable devices, mitigations should be implemented until the patches can be applied. Those measures should include device and network segmentation, restricting external communication with vulnerable devices, and configuring the devices to run internal DNS servers. Network traffic should also be monitored for malicious packets attempting to exploit the vulnerabilities and other flaws in DNS, mDNS, and DCHP clients.

Patches have been released for FreeBSD, Nucleus NET, and NetX and device manufacturers, including Siemens, have already started releasing patches to correct the flaws in their products.

The post 100 Million+ Devices Affected by NAME:WRECK DNS Vulnerabilities appeared first on HIPAA Journal.

Immediate Patching Required for 4 New Critical Microsoft Exchange Server Vulnerabilities

Posted by HIPAA Journal

The U.S. National Security Agency (NSA) has identified four zero-day vulnerabilities in Microsoft Exchange Server versions 2013, 2016, and 2019 which are used for on-premises Microsoft Exchange Servers. Immediate patching is required as the flaws are likely to be targeted by threat actors.

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to patch all vulnerable on-premises Exchange Servers by 12.01 AM on Friday April 16, 2021 due to the high risk of exploitation of the flaws. At the time of issuing the patches there have been no known cases of exploitation of the flaws in the wild, but it is likely that now the flaws have been publicly disclosed, the patches could be reverse engineered and working exploits developed.

All four of the vulnerabilities could lead to remote execution of arbitrary code and would allow threat actors to take full control of vulnerable Exchange Servers as well as persistent access and control of enterprise networks.

Two of the vulnerabilities can be exploited remotely by unauthenticated attackers with no user interaction required. Both of those flaws, tracked as CVE-2021-28480 and CVE-2021-28481, have been assigned a CVSS v3.1 rating of 9.8 out of 10. The third flaw, CVE-2021-28483 has a CVSS rating of 9.0 out of 10, and the fourth, CVE-2021-28482, a rating of 8.8 out of 10.

If any vulnerable Microsoft Exchange Servers cannot be updated before the Friday deadline, CISA has instructed federal agencies to remove those servers from federal networks until the updates can be applied. Technical and/or management controls must be implemented to ensure newly provisioned and previously disconnected endpoints are updated prior to connecting them to agency networks. CIOs or equivalents are required to submit a report to CISA by Noon ET on Friday confirming that all vulnerable Exchange Servers have been updated or disconnected, and should any cyber incidents be detected, Indicators of Compromise must be submitted to CISA.

Patches to correct all four flaws were released by Microsoft on April 2021 Patch Tuesday, along with patches for a further 15 critical flaws across its product suite and 88 flaws that were rated important. One zero-day vulnerability has been patched – a Win32K elevation of privilege vulnerability: CVE-2021-28310 – which Kaspersky believes is being actively exploited in the wild by at least one threat group. In combination with browser exploits, attackers can escape sandboxes and gain system privileges for further access. Exploitation would allow the remote execution of arbitrary code, the creation of new accounts with full privileges, information disclosure and destruction, and the ability to install new programs.

The post Immediate Patching Required for 4 New Critical Microsoft Exchange Server Vulnerabilities appeared first on HIPAA Journal.

HHS OIG: HHS Information Security Program Rated ‘Not Effective’

Posted by HIPAA Journal

The Department of Health and Human Services Office of Inspector General has published the findings of its annual evaluation of the HHS information security programs and practices, as required by the Federal Information Security Modernization Act of 2014 (FISMA). It was determined that the HHS information security program has not yet reached the level of maturity to be considered effective.

The independent audit was conducted on behalf of the HHS’ OIG by Ernst & Young (EY) to determine compliance with FISMA reporting metrics and to assess whether the overall security program of the HHS met the required information security standards.

The HHS was assessed against the Identify, Protect, Detect, Respond, and Recover functional areas of the Cybersecurity Framework across the FISMA domains: Risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring (ISCM), incident response, and contingency planning.

The levels of maturity for information security are Level 1 (Ad hoc policies); Level 2 (Defined); Level 3 (Consistently Implemented); Level 4 (Managed and Measurable); and Level 5 (Optimized policies). It is necessary to achieve Level 4 for an information security policy to be considered effective.

As of September 30, 2020 the HHS had made progress since the previous audit and had implemented several changes to strengthen the maturity of its enterprise-wise cybersecurity program. There were improvements across all FISMA domains, including increased maturation of data protection and privacy and continuous monitoring of information systems.

However, the HHS was given a “not effective” rating due to the failure to achieve the Level 4 maturity level in any of the 5 functional areas – Identify, Protect, Detect, Respond, and Recover function. The audit revealed there were deficiencies within the Identify, Protect, and Respond functional areas and the maturity level was below Consistently Implemented for some FISMA metric questions, both at the HHS overall and at selected operating divisions (OpDivs), in Contingency Planning.

The HHS achieved Defined (Level 2) for 17 FISMA metrics and Consistently Implemented (Level 3) for 42 FISMA metrics but had yet to achieve Managed and Measurable (level 4) in any of the IG FISMA metrics. There was no change in any of the FISMA metrics from the audit in FY19, although the audit revealed progress had been made in several individual IG FISMA metrics, such as consistent implementation of data exfiltration systems, ongoing Authorization to Operate (ATO) monitoring, and configuration management controls. Progress had not been achieved in other areas due to the lack of information security continuous monitoring across the different HHS operating divisions, which is essential for providing reliable data for informing risk management decisions.

Several recommendations were made to strengthen the HHS’ enterprise-wide cybersecurity program. The HHS concurred with 11 of the recommendations and did not concur with 2.

The post HHS OIG: HHS Information Security Program Rated ‘Not Effective’ appeared first on HIPAA Journal.

FBI Issues Warning About Mamba Ransomware

Posted by HIPAA Journal

An increase in cyberattacks involving Mamba ransomware has prompted the Federal Bureau of Investigation and the Department of Homeland Security to issue a flash alert warning organizations and companies in multiple sectors about the dangers of the ransomware.

In contrast to many ransomware variants that have their own encryption routines, Mamba ransomware has weaponized the open source full disk encryption software DiskCryptor. DiskCryptor is a legitimate encryption tool that is not malicious and is therefore unlikely to be detected as such by security software.

The FBI has not provided any details of the extent to which the ransomware has been used in attacks, which have so far mostly targeted government agencies and transportation, legal services, technology, industrial, commercial, manufacturing, construction companies.

Several methods are used to gain access to systems to deploy the ransomware, including exploitation of vulnerabilities in Remote Desktop Protocol (RDP) and other unsecured methods of remote access.

Rather than searching for certain file extensions to encrypt, Mamba ransomware used DiskCryptor to encrypt entire drives, rendering all infected devices inoperable. After encryption, a ransom note is displayed that alerts the victim that their drive has been infected and an email address is provided for contact, the victim’s ID and Hostname, and a place to enter the decryption key to restore the drive.

The Mamba ransomware package includes DiskCryptor, which is unpacked and installed. The system is rebooted after around two minutes to complete the installation, and the encryption routine is started. A second restart will take place around two hours later which completes the encryption routine and displays the ransom note.

It is possible to stop an attack in progress up until the second restart. The encryption key and the shutdown time variable are saved to the configuration file – myConfig.txt – which remains readable until the second restart. The myConfig.txt cannot be accessed after the second restart and the decryption key will then be required to decrypt files. This gives network defenders a short window of opportunity to stop an attack and recover without having to pay the ransom. A list of DiskCryptor files is included in the alert to help network defenders identify attacks in progress. These files should be blacklisted if DiskCryptor is not used.

The FBI TLP: White Alert also details mitigations that will make it harder for an attack to succeed, to limit the impact of a successful attack, and ensure that systems can be recovered without paying the ransom.

Suggested mitigations include:

  • Backing up data and storing the backups on an air-gapped device.
  • Segmenting networks.
  • Configuring systems to only allow software to be installed by administrators.
  • Patching operating systems, software, and firmware promptly.
  • Implementing multifactor authentication.
  • Maintaining good password hygiene.
  • Disabling unused remote access/RDP ports and monitoring access logs.
  • Only using secure networks and implementing a VPN for remote access.

The post FBI Issues Warning About Mamba Ransomware appeared first on HIPAA Journal.

February 2021 Healthcare Data Breach Report

Posted by HIPAA Journal

The was a 40.63% increase in reported data breaches of 500 or more healthcare records in February 2021. 45 data breaches were reported to the Department of Health and Human Services’ Office for Civil Rights by healthcare providers, health plans and their business associates in February, the majority of which were hacking incidents.

Healthcare Data Breaches Past 12 Months

After two consecutive months where more than 4 million records were breached each month there was a 72.35% fall in the number of breached records. 1,234,943 records were exposed, impermissibly disclosed, or stolen across the 45 breaches.

Healthcare Records Breached Past 12 Months

Largest Healthcare Data Breaches Reported in February 2021

Name of Covered Entity State Covered Entity Type Individuals Affected Type of Breach Cause of Breach
The Kroger Co. OH Healthcare Provider 368,100 Hacking/IT Incident Ransomware
BW Homecare Holdings, LLC (Elara Caring single affiliated covered entity) TX Healthcare Provider 100,487 Hacking/IT Incident Phishing
RF EYE PC dba Cochise Eye and Laser AZ Healthcare Provider 100,000 Hacking/IT Incident Ransomware
Gore Medical Management, LLC GA Healthcare Provider 79,100 Hacking/IT Incident Hacking incident
Summit Behavioral Healthcare TN Healthcare Provider 70,822 Unauthorized Access/Disclosure Phishing
Humana Inc KY Health Plan 62,950 Unauthorized Access/Disclosure Subcontractor shared PHI without consent
Nevada Orthopedic & Spine Center NV Healthcare Provider 50,000 Hacking/IT Incident Unconfirmed
Fisher Titus Health, Inc. OH Health Plan 49,636 Hacking/IT Incident Phishing
Covenant HealthCare MI Healthcare Provider 47,178 Hacking/IT Incident Phishing
UPMC PA Healthcare Provider 36,086 Hacking/IT Incident Phishing attack on BA
Grand River Medical Group IA Healthcare Provider 34,000 Hacking/IT Incident Phishing
AllyAlign Health, Inc. VA Health Plan 33,932 Hacking/IT Incident Ransomware
Harvard Eye Associates CA Business Associate 29,982 Hacking/IT Incident Ransomware attack on BA
Texas Spine Consultants, LLP TX Healthcare Provider 25,728 Unauthorized Access/Disclosure Unconfirmed
UPMC Health Plan PA Health Plan 19,000 Hacking/IT Incident Phishing attack on BA

Causes of February 2021 Healthcare Data Breaches

Three breaches of more than 100,000 record were reported in February. The largest healthcare data breach of the month was reported by Kroger, an Ohio-based chain of supermarkets and pharmacies. The breach was due to a CLOP ransomware attack on a vendor – Accellion – that resulted in the theft of the protected health information of 368,100 of its customers. Kroger was one of several HIPAA-covered entities to be affected by the breach.

Elara Caring, one of the nation’s largest providers of home-based care, announced that several employee email accounts containing protected health information had been accessed by unauthorized individuals as a result of responses to phishing emails. Cochise Eye and Laser was also the victim of a ransomware attack in which the protected health information of 100,000 individuals was potentially stolen.

February 2021 Healthcare Data Breaches - Causes

Phishing attacks were the most common cause of data breaches in February, with network server incidents in close second. These mostly involved hacking and the deployment of malware or ransomware. Hacking incidents accounted for 71.1% of the month’s breaches and 85.7% of all records breached in the month. The average size of a hacking breach was 30,239 records and the median breach size was 8,849 records.

There were 10 unauthorized access/disclosure incidents reported in February involving 172,799 records. The average breach size was 17,280 records and the median breach size was 2,497 records. There were 2 theft incidents and 1 reported loss incident reported involving a total of 3,773 records, all three of which involved paper records.

February 2021 Healthcare Data Breaches - Location of breached PHI

Entities Reporting Healthcare Data Breaches in February 2021

Healthcare providers were the worst affected covered entity type in February, with 35 breaches reported. There were 5 breaches reported by health plans and 5 reported by business associates of HIPAA-covered entities. A further 5 breaches were reported by the covered entity but had some business associate involvement.

Entities affected by February 2021 healthcare data breaches

Healthcare Data Breaches by State

Healthcare data breaches of 500 or more records were reported in 20 states in February 2021. The worst affected states were California and Texas with six breaches reported in each state. 5 entities in Pennsylvania reported breaches, there were 4 breaches reported in Florida and Michigan, 2 in each of North Carolina, Nevada, Ohio, Tennessee, and Virginia, and 1 in each of Arizona, Colorado, Georgia, Iowa, Kentucky, Louisiana, Minnesota, North Dakota, Utah, and Wyoming.

HIPAA Enforcement Activity in February 2021

In February, the HHS’ Office for Civil Rights announced two settlements had been reached with HIPAA-covered entities to resolve potential violations of the HIPAA Rules. Both enforcement actions were in response to complaints from patients who had not been provided with timely access to their medical records.

OCR launched a new enforcement initiative in late 2019 targeting healthcare providers who were not complying with the HIPAA Right of Access provision of the HIPAA Privacy Rule. Three Right of Access enforcement actions have resulted in settlements so far in 2021, and the latest two bringing the total number of settlements under this enforcement initiative to 16.

Sharpe Healthcare settled its case with OCR and paid a $70,000 penalty and Renown Health settled its case for $75,000.

The post February 2021 Healthcare Data Breach Report appeared first on HIPAA Journal.

2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches

Posted by HIPAA Journal

2021 was a challenging year for healthcare organizations. Not only was the industry on the frontline in the fight against COVID-19, hackers who took advantage of overrun hospitals to steal data and conduct ransomware attacks.

The 2021 Breach Barometer Report from Protenus shows the extent to which the healthcare industry suffered from cyberattacks and other breaches in 2020. The report is based on 758 healthcare data breaches that were reported to the HHS’ Office for Civil Rights or announced via the media and other sources in 2020, with the data for the report provided by databreaches.net.

The number of data breaches has continued to rise every year since 2016 when Protenus started publishing its annual healthcare breach report. 2020 saw the largest annual increase in breaches with 30% more breaches occurring than 2019. Data was obtained on 609 of those incidents, across which 40,735,428 patient and health plan members were affected. 2020 was the second consecutive year that saw more than 40 million healthcare records exposed or compromised.

Healthcare Hacking Incidents Increased by 42% in 2020

Healthcare hacking incidents increased by 42% in 2020, continuing a 5-year trend that has seen hacking incidents increase each year. 470 incidents were classed as hacking-related breaches, which accounted for 62% of all breaches in the year. 31,080,823 healthcare records were compromised in the 277 incidents where the number of affected individuals is known. Many of the 2020 hacking incidents involved the use of ransomware. Ransomware attacks increased considerably in 2020, with more than double the number of ransomware attacks on healthcare organizations than in 2019.

Surge in Insider Data Breaches in 2020

There has been a four-year decline in insider breaches, but the Protenus report shows insider data breaches increased in 2020. More than 8.5 million records were exposed or compromised in those incidents – more than double the number of breached records by insiders as 2019. In fact, more records were breached by insiders in 2020 than in 2017, 2018, and 2019 combined. In 2020, 1 in 5 data breaches was an insider incident.

Insider breaches include insider errors and insider wrongdoing. 96 breaches involved insider error in 2020, of which data was obtained for 74 of the incidents. There were 45 cases of insider wrongdoing, with data obtained for 30 of the incidents. Errors by employees resulted in the exposure of the protected health information of at least 7,673,363 individuals and insider wrongdoing incidents resulted in the exposure/theft of at least 241,128 records.

Business Associates Often Involved

The number of data breaches involving business associates increased in 2020, with 12% of all breaches having at least some business associate involvement. Business associate breaches resulted in the exposure or theft of more than 24 million patient records, with 55% of all hacking incidents having some business associate involvement along with 25% of insider error incidents. The number of breaches involving business associates could be considerably higher as the researchers were unable to accurately determine if business associates were involved in many of the breaches.

Data Breaches Discovered Faster but Breach Reporting Slower

In 2020 it took an average of 187 days from the breach occurring to discovery by the breached entity, which is a considerable improvement on the 224-day average discovery time in 2019. In 2020, the median discovery time was just 15 days. However, there was considerable variation in discovery times, from almost immediately in some cases to several years after the breach in others.

Reporting on data breaches was slower than in 2019, with the average time for reporting a breach increasing from 80 days in 2019 to 85 days in 2020, with a median time of 60 days – the maximum time allowed for reporting a breach by the HIPAA Breach Notification Rule. The figures were based on just 339 out of the 758 breaches due to a lack of data.

“The current climate has increased risk for health systems as a new trend emerged of at least two data breaches per day, a troubling sign of the continuing vulnerability of patient information, heightened by the pandemic,” explained Protenus in the report. “Healthcare organizations need to leverage technology that allows organizations to maintain compliance priorities in a resource-constrained environment. Hospitals can’t afford the costs often associated with these incidents, as more than three dozen hospitals have filed bankruptcy over the last several months. Non-compliance is not an option.”

The post 2020 Saw Major Increase in Healthcare Hacking Incidents and Insider Breaches appeared first on HIPAA Journal.

Hackers Access Live Feeds and Archived Footage from 150,000 Verkada Security Cameras

Posted by HIPAA Journal

A hacking collective has gained access to the systems of the Californian security camera startup Verkada Inc. and the live feeds and archived footage from almost 150,000 cloud-connected surveillance cameras used by large corporations, schools, police departments, jails, and hospitals.

As initially reported by Bloomberg, Verkada’s systems were accessed by a white hat hacking collective named Advanced Persistent Threat 69420 using credentials they found on the Internet. Those credentials gave the group super admin level privileges, which provided root access to the security cameras and, in some cases, the internal networks of the company’s clients. The hackers also said they were able to obtain the full list of Verkada clients and view the company’s private financial information.

Verkada’s systems were not accessed with a view to conducting any malicious actions, instead the aim was to raise awareness of the ease at which the systems could be hacked. Malicious threat actors could also have easily gained access to the Verkada’s systems for a range of malicious purposes.

Till Kottmann, one of the hackers in the collective, said her collective accessed Verkada systems on March 8, 2021 and had full access for around 36 hours. Since the system was fully centralized, it was easy to access and download camera footage from its clients. Kottmann described the security on Verkada’s systems as “nonexistent and irresponsible.” Kottmann said an internal development system had inadvertently been exposed to the Internet and hard-coded credentials for a system account were stored in an unencrypted subdomain that provided full access.

The hackers were able to use the credentials to login to the web-based systems used by all customers to access their own security cameras, except the super admin privileges allowed them to access the security cameras of all customers.

Footage was obtained from corporate customers including Tesla, Equinox, Cloudflare, and Nissan, along with camera feeds from Madison County Jail in Huntsville, AL, Sandy Hook Elementary School in Newtown, CT and many others.

The security cameras of ICU departments in hospitals could also be accessed, including Halifax Health in Florida and Wadley Regional Medical Center in Texarkana, TX.

Verkada issued a statement about the hacking incident, saying “We have disabled all internal administrator accounts to prevent any unauthorized access. Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.” All affected customers have now been notified and an investigation into the breach has been launched.

Surveillance Cameras are a Potential Security Risk

The hacking incident should serve as a wake-up call about the dangers of surveillance cameras. While security cameras can improve security, they may also be a security weak point. This incident is certainly notable in terms of scale, buy Verkada is not the only security camera company to have suffered a breach.

In 2020, the threat group behind the Chalubo and FBot botnets – which targets poorly secured IoT devices – was discovered to be exploiting vulnerabilities in CCTV cameras manufactured by Taiwan-based LILIN and using the devices for DDoS attacks.

Also in 2020, vulnerabilities were identified in around 700,000 security cameras including those manufactured by Alptop, Besdersec, COOAU, CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT, and Tenvis which put them at risk of being hacked. The vulnerabilities could be exploited to bypass firewalls and steal passwords. The flaws were present in a P2P solution from Shenzhen Yunni Technology Company that was used by the camera manufacturers.

The post Hackers Access Live Feeds and Archived Footage from 150,000 Verkada Security Cameras appeared first on HIPAA Journal.

Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation

Posted by HIPAA Journal

A coalition of 41 state Attorneys General has agreed to settle an investigation into Retrieval-Masters Creditors Bureau dba American Medical Collection Agency (AMCA) over a 2019 data breach that resulted in the exposure/theft of the protected health information of 21 million Americans.

Retrieval-Masters Creditors Bureau is a debt collection agency, with its AMCA arm providing small debt collection services to healthcare clients such as laboratories and medical testing facilities.

From August 1, 2018 until March 30, 2019, an unauthorized individual had access to AMCA’s systems and exfiltrated sensitive data such as names, personal information, Social Security numbers, payment card information and, for some individuals, medical test information and diagnostic codes. The AMCA data breach was the largest healthcare data breach reported in 2019.

AMCA notified states about the breach starting June 3, 2019, and individuals affected by the breach were offered two years of complimentary credit monitoring services. The high cost of remediation of the breach saw AMCA file for bankruptcy protection in June 2019.

The multi-state investigation into the breach was led by the Indiana, Texas, Connecticut, and New York Attorneys General, with the Indiana and Texas AGs also participating in the bankruptcy proceedings to ensure that the investigation continued, and the personal and protected health information of breach victims was protected. AMCA received permission from the bankruptcy court to settle the multistate action and filed for dismissal of the bankruptcy on December 9, 2020.

The multistate investigation confirmed information security deficiencies contributed to the cause of the breach and despite AMCA receiving warnings from banks that processed AMCA payments about fraudulent use of payment cards, AMCA failed to detect the intrusion.

Under the terms of the settlement, AMCA is required to create and implement an information security program, develop an incident response plan, employ a qualified chief information security officer (CISO), hire a third-party assessor to perform an information security assessment, and continue to assist state attorneys general with investigations into the data breach.

A financial penalty of $21 million has been imposed on AMCA which will be distributed pro rata between the affected states; however, due to the financial position of the company, the $21 million financial penalty has been suspended. That payment will only need to be made if AMCA defaults on the terms of the settlement agreement.

“AMCA is a cautionary tale: When a company does not adequately invest in information security, the costs associated with a data breach can lead to bankruptcy – destroying the business and leaving affected individuals in harm’s way,” said Connecticut Attorney General Tong. “My office will continue to work to protect personal information even where the business that had the responsibility to do so cannot.”

“AMCA’s security failures resulted in 21 million Americans having their data illegally accessed. I am committed to protecting New Yorkers’ personal data and will not hesitate to hold companies accountable when they fail to safeguard that information,” said New York Attorney General Letitia James. “Today’s agreement ensures that the company has the appropriate security and incident response plan in place so that a failure like this does not take place again.”

Indiana, Texas, Connecticut, and New York led the investigation and were assisted by Florida, Illinois, Maryland, Massachusetts, Michigan, North Carolina, and Tennessee. The Attorneys General of Arizona, Arkansas, Colorado, the District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Minnesota, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Utah, Vermont, Virginia, Washington, and West Virginia also joined the settlement.

The post Multistate Settlement Resolves 2019 American Medical Collection Agency Data Breach Investigation appeared first on HIPAA Journal.

CISA Warns of Active Exploitation of Accellion File Transfer Appliance Vulnerabilities

Posted by HIPAA Journal

The Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity authorities Australia, New Zealand, Singapore, and the United Kingdom have issued an alert for users of the Accellion File Transfer Appliance (FTA) about 4 vulnerabilities which are being actively exploited by a threat actor to gain access to sensitive data.

The Accellion FTA is a legacy file transfer appliance used to share large files. Accellion identified a zero-day vulnerability in the product in mid-December and released a patch to address the flaw, although further vulnerabilities have since been identified.

The vulnerabilities are tracked as:

  • CVE-2021-27101 – SQL injection vulnerability via a crafted HOST header
  • CVE-2021-27102 – Operating system command execution vulnerability via a local web service
  • CVE-2021-27103 – Server-side request forgery via a crafted POST request
  • CVE-2021-27104 – Operating system command execution vulnerability via a crafted POST request

The SQL injection flaw (CVE-2021-27011) allows unauthorized individual to run remote commands on targeted devices. An exploit for the vulnerability has been combined with a webshell, with the latter used receive commands sent by the attacker and exfiltrate data and clean up logs. The removal of clean up logs allows the attacker to avoid detection and hampers analysis of the attack.

Once sensitive data have been exfiltrated, the attacker attempts to extort money from the victim. Threats are issued to publicly expose the stolen data on a ransomware data leak site if the ransom is not paid. FireEye/Mandiant have linked the attacks with the FIN11 and CL0P ransomware operation, although ransomware is not being used in the attacks.

Accellion became aware of attacks exploiting the vulnerabilities in January 2021 and reports fewer than 100 clients have been affected and around 2 dozen clients are believed to have suffered significant data theft. Kroger has recently reported that some pharmacy and little Clinic customers have been affected, and Centene has similarly suffered a data breach via the exploitation of the vulnerabilities. Other victims include Transport for New South Wales in Australia, the Canadian Aircraft manufacturer Bombardier, the Reserve Bank of New Zealand, the Australian financial regulator ASIC, the Office of the Washington State Auditor, and the University of Colorado.

CISA has provided Indicators of Compromise (IoCs) in its cybersecurity alert (AA21-055A) which can be used by Accellion customers to determine if the vulnerabilities have been exploited, along with advice should malicious activity be detected.

In addition to performing an analysis to identify if the flaws have been exploited, CISA recommends isolating systems hosting the software from the Internet and updating Accellion FTA to version FTA_9_12_432 or later. It is also recommended by Accellion and CISA to migrate from this legacy product to a supported file sharing platform. The Accellion FTA reaches end-of-life on April 30, 2021. Accellion recommends upgrading to its Kiteworks file sharing platform, which has enhanced security features.

The post CISA Warns of Active Exploitation of Accellion File Transfer Appliance Vulnerabilities appeared first on HIPAA Journal.