HIPAA Breach News

Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall

2020 was certainly not a typical year. The pandemic placed huge pressures on IT security teams and businesses were forced to rapidly accelerate their digital transformation plans and massively expand their remote working capabilities. Cyber actors seized the opportunities created by the pandemic and exploited vulnerabilities in security defenses to gain access to business networks and sensitive data.

In 2020, phishing and ransomware attacks increased, as did web application attacks, according to the recently published Verizon 2021 Data Breach Investigations Report. The report provides insights into the tactics, techniques and procedures used by nation state actors and cybercriminal groups and how these changed during the pandemic.

To compile the Verizon 2021 Data Breach Investigations Report, the researchers analyzed 79,635 incidents, of which 29,207 met the required quality standards and included 5,258 confirmed data breaches in 88 countries – one third more data breaches than the previous year’s DBIR.

2020 saw an 11% increase in phishing attacks, with cases of misrepresentation such as email impersonation attacks at 15 times the level of 2019. There was a 6% increase in ransomware attacks, with 10% of all data breaches in 2020 involving the use of ransomware – twice the level of the previous year.

Across all industry sectors, phishing was the main cause of data breaches and was involved in 36% of incidents. The researchers attributed the increase in phishing attacks to the pandemic, with COVID-19 and other related pandemic lures extensively used in targeted attacks on at-home workers. While phishing attacks and the use of stolen credentials are linked, the researchers found attacks involving stolen credentials were similar to the level of the previous year and were involved in 25% of breaches. Exploitation of vulnerabilities was also common, but in most cases it was not new vulnerabilities being exploited but vulnerabilities for which patches have been available for several months or years.

The increase in remote working forced businesses to move many of their business functions to the cloud and securing those cloud resources proved to be a challenge. Attacks on web applications accounted for 39% of all data breaches, far higher than the previous year. Attacks on external cloud assets were much more common than attacks on on-premises assets.

61% of data breaches involved credential theft, which is consistent with previous data breach investigation reports, and 85% of data breaches involved a human element. In the majority of cases (80%), data breaches were discovered by a third party rather than the breached entity.

There were considerable variations in attacks and data breaches across the 12 different industry verticals represented in the report. In healthcare, human error continued to be the main cause of data breaches, as has been the case for the past several years. The most common cause of data breaches was misdelivery of paper and electronic documents (36%), but this was far higher in the financial sector (55%). In public administration, the main cause of data breaches was social engineering, such as phishing attacks to obtain credentials.

Healthcare Data Breaches in 2020. Source: Verizon 2021 Data Breach Investigations Report

Verizon analyzed 655 healthcare security incidents, which included 472 data breaches. 221 incidents involved malware, 178 hacking, 137 human error, and 106 social attacks. For the second consecutive year, incidents involving malicious insiders have fallen out of the top three attack types. While it is certainly good news that the number of malicious insider incidents is falling, that does not mean that these incidents are no longer occurring. It could indicate malicious insiders are able to cover their tracks much better. Attacks by external threat actors significantly increased, with healthcare industry cyberattacks commonly involving the use of ransomware. 61% of incidents were the work of external threat actors and 39% were internal data breaches.

Interestingly, considering the value of medical data on the black market, medical data was not the most commonly breached data type. Medical data was breached in 55% of data breaches, with personal data breached in 66% of incidents. 32% of breaches involved the theft of credentials. Verizon suggests that could be due to the opportunistic nature of attacks by external threat actors. “With the increase of External actor breaches, it may simply be that the data taken is more opportunistic in nature. If controls, for instance, are more stringent on Medical data, an attacker may only be able to access Personal data, which is still useful for financial fraud. Simply put, they may take what they can get and run.”

Breach detection has been steadily improving since 2016, when the majority of data breaches took months or more to identify. The majority of data breaches are now being discovered in days or less, although most commonly not by the breached entity. 80% of data breaches were identified by a third party.

The cost of a data breach is now estimated to be $21,659 on average, with 95% of data breaches having a financial impact of between $826 and $653,587.

The post Verizon: Healthcare Phishing and Ransomware Attacks Increase while Insider Breaches Fall appeared first on HIPAA Journal.

Records of 200,000 Military Veterans Exposed Online

A database containing the personal and protected health information of almost 200,000 U.S. military veterans has been discovered to be accessible online by security researcher Jeremiah Fowler.

The database was identified on April 18, 2021 and a review identified references to a company called United Valor Solutions. Jacksonville, NC-based United Valor Solutions is a contractor of the Department of Veterans Affairs (VA) that provides disability evaluation services for the VA and other government agencies. The database – which contained veterans’ names, dates of birth, contact information, medical information, appointment information, unencrypted passwords, and billing information – could be accessed without a password. The database could have been viewed and downloaded by anyone and information in the database altered or deleted.

Fowler notified United Valor Solutions about the exposed database. The company replied the following day confirming the exposed database had been reported to its contractors and public access had been shut down. It is unclear for how long the database was exposed; however, United Valor Solutions said the database only appeared to have been accessed by internal IP addresses and Fowler’s.

Fowler said he found evidence of a ransomware attack. Within the dataset was a message titled “Read_me” which claimed that records had been downloaded and would be exposed if a 0.15 Bitcoin ransom was not paid.

According to Threatpost, which first reported the story, the VA has been investigating the incident and it appears to have been related to penetration testing. Reginald Humphries, director of IT strategic communication at the Office of Information and Technology at the VA, provided a statement: “It appears that a researcher was attempting to find security deficiencies and flaws in United Valor Solutions systems. At this time, we do not believe there was a data breach but rather this was done for research purposes, at the request of the contractor, United Valor Solutions.” The VA investigation into the incident is ongoing.

Additional Individuals Impacted by Insider Atascadero State Hospital Breach

A breach previously reported by the California Department of State Hospitals (DSH) has affected more individuals than previously thought. The breach, which was identified on February 25, 2021, involved improper medical record access by a former employee.

The breach was initially thought to have involved the records of 1,415 patients and former patients, 617 employee names, the personal and protected health information of 1,735 employees, and information about 1,217 job applicants who had not been successful in gaining employment.

Further investigations into the improper access revealed the personal information of a further 80 individuals was accessed, including addresses, phone numbers, email addresses, social security numbers, dates of birth, and driver’s license numbers. The immigration information of 38 individuals, employment-related health information of 81 individuals who had applied for work, had been employed, or were former employees, and 20 individuals’ dates of birth and the last four digits of their Social Security numbers were also accessed.

The employee concerned has been placed on administrative leave while the case is investigated. The California Highway Patrol is assisting the DSH with the investigation.


University of Florida Health Shands Employee Accessed PHI Without Authorization for 2 Years

University of Florida Health Shands has discovered that a former employee had accessed the medical records of 1,562 patients without authorization.

The HIPAA violations were discovered on April 7, 2021 and the employee’s access to medical records was immediately terminated pending an investigation. The investigation confirmed the employee had been accessing patient medical records without a work reason for doing so from March 30, 2019 to April 6, 2021.

The types of information that could have been viewed included names, addresses, phone numbers, birth dates, and lab test results, but no Social Security numbers, financial information, or health insurance information was compromised.

University of Florida Health Shands does not believe any PHI has been stolen or further disclosed; however, out of an abundance of caution, affected individuals have been offered one year of complimentary credit monitoring services.

Third Party Breach Affects St. Paul’s PACE Patients

Community Eldercare of San Diego, dba St. Paul’s PACE, has been affected by a breach at one of its vendors. PeakTPA is a health plan management company that provides billing and other administrative services to St. Paul’s PACE. PeakTPA suffered a cyberattack on December 31, 2020 in which the records of certain St. Paul’s PACE patients were compromised.

While the cybercriminal organization behind the attack was not disclosed in its breach notice, PeakTPA said the gang was broken up by the FBI on January 27, 2021 and was informed that all documents stolen in the attack were recovered. The timing suggests the attack may have been conducted by the Netwalker ransomware gang.

PeakTPA said information accessed by the attackers included names, addresses, dates of birth, medication information and Social Security numbers. Affected individuals have been offered complimentary credit monitoring, fraud consultation, and identity theft restoration services through Kroll for 3 years. PeakTPA said additional security measures have now been implemented to prevent similar breaches in the future.

Cyberattack Impacts 29,000 St. John’s Well Child and Family Center Patients

St. John’s Well Child and Family Center, Inc. in West Sacramento, CA is notifying 29,030 individuals that some of their protected health information was potentially viewed or acquired in a cyberattack on February 3, 2021.

Upon discovery of the attack, steps were immediately taken to secure its systems and third-party cybersecurity experts were engaged to assist with the investigation. The investigation confirmed that the attackers potentially viewed or acquired protected health information such as names, Social Security numbers, and other personal or health information.

Individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring and identity theft protection services for 12 months.


Ransomware Attack on New York Medical Group Impacts 330K Patients

The New York medical group practice, Orthopedic Associates of Dutchess County, has announced the protected health information of certain patients was potentially stolen in a recent cyberattack.

The security incident was detected on March 5, 2021 when suspicious activity was identified in its systems. An investigation into the incident confirmed its systems had been accessed by unauthorized individuals on or around March 1, 2021. The attackers gained access to certain systems and encrypted files and issued a ransom demand for the keys to unlock the encrypted files.

The attackers claimed they had stolen sensitive data prior to the encryption of files, although it was not possible to determine which files had been stolen. A review of the systems accessed by the attackers revealed they contained files that included protected health information such as names, addresses, contact telephone numbers, email addresses, emergency contact information, diagnoses, treatment information, medical record numbers, health insurance information, payment details, dates of birth, and Social Security numbers.

Individuals potentially affected by the breach have been notified by mail and have been offered a 12-month complimentary membership to credit monitoring and identity theft protection services. To date, there have been no reports of attempted or actual misuse of any patient data.

The protected health information of 331,376 individuals was potentially compromised in the attack.

PHI of 5,426 Individuals Compromised in Entrust Medical Billing Ransomware Attack

Entrust Medical Billing, a Canton, OH-based medical billing company, has suffered a ransomware attack in which the protected health information of 5,426 individuals may have been compromised.

Third-party cybersecurity professionals were engaged to assist with the investigation and determine the extent of the breach. On or around March 1, 2021, the investigation confirmed some of the files exfiltrated by the attackers contained protected health information such as names, addresses, dates of birth, medical diagnosis/clinical information/treatment type or location, medical procedure information, patient account number, and health insurance information.

While data theft was confirmed, no evidence has been found to indicate actual or attempted misuse of any of the stolen data. Affected individuals have now been notified and those whose Social Security number has been compromised have been offered complimentary credit monitoring services. New technical safeguards have now been implemented and monitoring across its network environment has been increased.


CaptureRx Ransomware Attack Affects Multiple Healthcare Provider Clients

CaptureRx, a San Antonio, TX-based provider of 340B administrative services to healthcare providers, has suffered a ransomware attack in which files containing the protected health information of customers’ patients were stolen.

The security breach was detected on February 19, 2021, with the investigation confirming unauthorized individuals had accessed and acquired files containing sensitive data on February 6, 2021. A review of those files was completed on March 19, 2021 and affected healthcare provider clients were notified between March 30 and April 7, 2021.

CaptureRx has since been working with the affected healthcare providers to notify all individuals affected. The types of data exposed and acquired by the attackers were limited to names, dates of birth, prescription information and, for a limited number of patients, medical record numbers.

CaptureRx had security systems in place to ensure the privacy and security of healthcare data, but the attackers had managed to bypass those protections. Following the attack, policies and procedures were reviewed and enhanced and additional training has been provided to the workforce to reduce the risk of any further security breaches.

It is currently unclear how many of its healthcare provider clients have been affected, or the total number of individuals impacted by the breach. Breach victims include:

  • The Mohawk Valley Health System affiliate, Faxton St. Luke’s Healthcare in New York – 17,655 patients.
  • Randolph, VT-based Gifford Health Care – 6,777 patients.
  • Thrifty Drug Stores (Thrifty White) – Currently unknown number of patients.

CaptureRx said the investigation into the breach has not uncovered evidence to suggest any actual or attempted misuse of data stolen in the attack; however, affected individuals have been advised to monitor their account and explanation of benefits statements for signs of fraudulent activity.


Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause

Network intrusion incidents have overtaken phishing, which had been the main cause of data breaches for the past 5 years, as the leading cause of healthcare data security incidents.

In 2020, 58% of the security incidents dealt with by BakerHostetler’s Digital Assets and Data Management (DADM) Practice Group were network intrusions, most commonly involving the use of ransomware.

This is the 7th consecutive year that the BakerHostetler 2021 Data Security Incident Response (DSIR) Report has been published. The report provides insights into the current threat landscape and offers risk mitigation and compromise response intelligence to help organizations better defend against attacks and improve their incident response. The report is based on the findings of more than 1,250 data security incidents managed by the company in 2020, which included a wide variety of attacks on healthcare organizations and their vendors.

Ransomware attacks are now the attack method of choice for many cybercriminal organizations and have proven to be very profitable. Because attackers exfiltrate data prior to encryption, victims not only have to pay to recover their files, but also to prevent the exposure or sale of sensitive data. This new double extortion tactic has been very effective and data exfiltration prior to file encryption is now the norm. Throughout 2020, ransomware attacks continued to grow in frequency and severity.

BakerHostetler reports that the ransoms demanded and the number being paid increased dramatically in 2020, as did the number of threat groups/ransomware variants involved in the attacks. In 2019, there were just 15. In 2020, the number had grown to 75.

Out of the incidents investigated and managed by BakerHostetler in 2020, the largest ransom demand was for more than $65 million. The largest ransom demand in 2019 was ‘just’ $18 million. Payments are often made to speed up recovery, ensure data are recovered, and to prevent the sale or exposure of data. In 2020, the largest ransom paid was more than $15 million – up from just over $5 million in 2019 – and the average ransom payment more than doubled from $303,539 in 2019 to $797,620 in 2020.

In healthcare, the average initial ransom demand was $4,583,090 with a median ransom demand of $1.6 million. The average payment was $910,335 (median $332,330), and the average number of individuals affected was 39,180 (median 1,270). The average time to acceptable restoration of data was 4.1 days and the average forensic investigation cost was $58,963 (median $25,000).

Across all industry sectors, 70% of ransom notes claimed sensitive data had been stolen and 90% of investigations found some evidence of data exfiltration. 25% of incidents resulted in theft of data that required notifications to be issued to individuals. 20% of victims made a payment to the attackers even though they were able to recover their data from backups.

When ransoms were paid, in 99% of cases the payment was made by a third party for the affected organization and in 98% of cases a valid encryption key was provided to allow data to be recovered. It took an average of 13 days from encryption to restoration of data.

Phishing accounted for 24% of all security incidents. Phishing attacks often led to network intrusion (33%), ransomware attacks (26%), data theft (24%), and Office 365 account takeovers (21%).

“In 2020 we saw a continued surge in ransomware as well as an increase in large supply chain matters, further stretching the capacity of the incident response industry,” said Theodore J. Kobus III, chair of BakerHostetler’s DADM Practice Group. “Organizations worked to quickly contain incidents – despite challenges in simply getting passwords changed and endpoint, detection and response tools deployed to remote workers.”

It is more common now for legal action to be taken by breach victims. The trend for lawsuits being filed when breaches impact fewer than 100,000 individuals continued to increase in 2020, which is driving up the data breach cost. HIPAA enforcement activity also continued at elevated levels, although in 2020 the majority of the financial penalties issued were for HIPAA Right of Access failures, rather than fines related to security breaches.


Lawmakers Call for Investigation into Breach of the Contact Tracing Data of 72,000 Pennsylvanians

Lawmakers in the Commonwealth of Pennsylvania are calling for an investigation into a data breach involving the contact tracing information of 72,000 Pennsylvanians after it was discovered that sensitive information was being shared via unauthorized channels without the necessary security protections.

Insight Global is an Atlanta-based firm that has been assisting the Commonwealth of Pennsylvania with COVID-19 contact tracing during the pandemic. Several individuals employed by Insight Global were discovered to have created and shared unauthorized copies of documents with each other in the course of conducting their contact tracing duties. Documents and spreadsheets were shared via non-secure channels such as personal Google accounts, which meant sensitive data were sent to servers outside the control of the state or Insight Global.

Insight Global announced the breach on April 29, 2021 and said in its substitute breach notice that the data related to contact tracing of individuals between September 2020 and April 21, 2021. An investigation into the breach has been launched and third-party security experts have been assisting to determine the extent of the security issues and their impact. So far, no evidence has been found to suggest any personal or health information has been misused. The investigation into the security issues is ongoing.

Insight Global reports that the exposed information included names of individuals potentially exposed to COVID-19, positive/negative test status, whether symptoms were experienced, information on the names of household members, and email addresses, telephone numbers and other data necessary for specific social support services.

Insight Global said it became aware of the security issue on April 21, 2021 and took immediate steps to resolve the issues, and those steps were completed by April 23. Insight Global has been working closely with the Pennsylvania Department of Health since the discovery of the security issues and will be notifying affected individuals by mail once address information has been verified. Insight Global said no Social Security numbers or financial information have been exposed and, out of an abundance of caution, affected individuals are being provided with complimentary credit monitoring and identity protection services.

An investigation conducted by Target 11 found employees had been recording contact tracing information in the free versions of Google Sheets and were sharing those spreadsheets and other documents with colleagues via personal email accounts for contact tracing purposes. The free versions of these Google services are not HIPAA compliant and should not have been used.

Insight Global had security protocols in place to ensure contact tracing data could be recorded and shared securely. It is currently unclear whether this was simply a case of isolated employees circumventing security protocols and creating unauthorized documents and spreadsheets to make their work easier. However, regardless of the cause, sensitive data has been exposed.

The Commonwealth of Pennsylvania has decided not to renew its contract with Insight Global over the security breach. The contract is set to expire on July 31, 2021. A spokesperson for the Pennsylvania Department of Health said, “We are extremely dismayed that employees from Insight Global acted in a way that may have compromised this type of information and sincerely apologize to all impacted individuals.”

State Representative Jason Ortitay (R- Allegheny, Washington) claims to have learned about the breach weeks ago and raised the alarm with the state Governor’s office on April 1, 2021. Republican lawmakers are now calling for an investigation into the security breach by the state Attorney General’s office, House Government Oversight Committee, and federal law enforcement agencies.


Ransomware Attack on Scripps Health Disrupts Patient Care

The San Diego-based healthcare provider Scripps Health suffered a cyberattack on May 1, 2021 which forced it to take its information technology systems offline. Scripps Health operates four hospitals in the San Diego area and has been able to continue to provide care to patients; however, stroke, heart attack, and trauma patients seeking emergency treatment at all four of its hospitals in Encinitas, La Jolla, San Diego, and Chula Vista were diverted to alternative facilities as a precautionary measure.

Scripps Health issued a statement confirming its outpatient urgent care centers, Scripps HealthExpress locations, and emergency departments do remain open, and staff are continuing to care for patients. While information technology systems are down, including its online portal, Scripps Health is operating on established backup processes and is using offline documentation methods. Patient safety has not been put at risk.

It is unclear when it will be possible to bring systems back online, so the decision has been taken to postpone some patient appointments for Monday and later this week.

Scripps Health has not disclosed full details about the nature of the attack, but local media outlets are reporting this as a ransomware attack. Scripps Health and its technical teams are working around the clock to restore systems and resolve all issues resulting from the attack.

Midwest Transplant Network Suffers Suspected Ransomware Attack

The Midwest Transplant Network has also announced it was the victim of a cyberattack. On April 30, 2021, the Westwood, KS-based healthcare provider confirmed that its IT department and third-party security experts have been working round the clock to stop and remove the threat and determine the extent to which patient data has been compromised.

While it is possible that patient information was accessed, the investigation into the breach has not uncovered any evidence to suggest any patient information was exfiltrated by the attackers. Patients are being notified by mail if they have potentially been affected.

Midwest Transplant Network said that throughout the incident it was able to continue its mission through organ, eye, and tissue donation. Up to 17,600 individuals are understood to have potentially had their protected health information exposed.


Health Aid of Ohio Security Incident Affects up to 141,000 Individuals

Health Aid of Ohio, a Parma, OH-based full-service home medical equipment provider, has discovered unauthorized individuals gained access to its systems and exfiltrated some files from its network. The breach was detected on February 19, 2021 when suspicious network activity was detected. Action was quickly taken to eject the attackers from the network and secure all patient data.

An investigation into the breach confirmed that files were accessed and exfiltrated from Health Aid’s systems, but it was not possible to determine exactly which files had been removed from its systems. It is possible that some of the exfiltrated files contained the protected health information of VA plan members.

That information potentially included names, addresses, telephone numbers, and details of the type of equipment delivered to or repaired in individuals’ homes. The protected health information of individuals who received services through their insurance carrier or healthcare provider included names, telephone numbers, dates of birth, Social Security numbers, insurance information, diagnosis information, and equipment type.

While the above information may have been stolen, no reports have been received to suggest there has been any fraudulent misuse of any of the above information to date.

Health Aid of Ohio has not disclosed how the attackers gained access to its systems and whether malware or ransomware was involved. The Federal Bureau of Investigation has been notified and appropriate authorities informed. The breach report submitted to the HHS’ Office for Civil Rights indicates up to 141,149 individuals have potentially been affected.
