HIPAA Breach News

Kaseya KSA Supply Chain Attack Sees REvil Ransomware Sent to 1,000+ Companies

A Kaseya VSA supply chain attack has affected dozens of its managed service provider (MSP) clients and saw REvil ransomware pushed out to MSPs and their customers. Kaseya is an American software company that develops software for managing networks, systems, and information technology infrastructure. The software is used to provide services to more than 40,000 organizations worldwide.

The REvil ransomware gang gained access to Kaseya’s systems, compromised Kaseya’s VSA remote monitoring and management tool, and used its software update feature to install ransomware. The Kaseya VSA tool is used by MSPs to monitor and manage their infrastructure.

It is not clear when the ransomware gang gained access to Kaseya’s systems, but ransomware was pushed out to customers when the software updated on Friday July 2. The attack was timed to coincide with the July 4th holiday weekend in the United States, when staffing levels were much lower and there was less chance of the attack being detected and blocked before the ransomware payload was deployed.

Fast Response Limited Extent of the Attack

The fast response of Kaseya limited the extent of the attack. Over the weekend, Kaseya’s chief executive, Fred Voccola, said the software update was pushed out to around 40 customers, that only on-premises customers running their own data centers were affected, and that its cloud-based services were not affected. The number of affected customers is now thought to be closer to 60.

Many of the victims were MSPs. In addition to their systems being encrypted, ransomware code was pushed out to their clients. More than 1,000 MSP clients are known to have been affected and had REvil ransomware installed. Sophos has reported that it is aware of 70 MSPs that have been affected, along with around 350 companies that use their services.

Kaseya has been issuing regular updates since the attack. In a Sunday morning update, Kaseya said there had been no further compromises since the Saturday evening report, which suggests the measures implemented following the discovery of the attack have been successful. While no further ransomware attacks are believed to be occurring, the victim count will undoubtedly grow over the coming days.

When the attack was detected, Kaseya shut down its hosted and SaaS VSA servers and told all customers to switch off their own VSA servers while the attack was mitigated. Customers have been told to keep the servers switched off until further notice. Kaseya is working closely with CISA, the FBI, and cybersecurity forensics firms to investigate the incident and to determine the extent of the attack.

“Our security, support R&D, communications, and customer teams continue to work around the clock in all geographies through the weekend to resolve the issue and restore our customers to service,” said Kaseya in a July 4, 2021, statement about the attack. “We are in the process of formulating a staged return to service of our SaaS server farms with restricted functionality and a higher security posture (estimated in the next 24–48 hours but that is subject to change) on a geographic basis. More details on both the limitations, security posture changes, and time frame will be in the next communique later today.”

Supply chain attacks such as this can have a huge impact globally. Attackers compromise one company, then gain access to the networks of thousands of others, as was the case with the SolarWinds Orion supply chain attack in 2020. In that attack, malware was distributed through the software update mechanism which gave the attackers access to the systems of around 18,000 companies that received the update.

Kaseya Was Developing Patches for the Exploited Vulnerabilities

The REvil ransomware gang gained access to Kaseya’s systems by exploiting recently discovered vulnerabilities that had been reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD). Those vulnerabilities had not been publicly disclosed and Kaseya was in the process of developing patches to correct the vulnerabilities when the REvil gang struck.

“Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch,” said Victor Gevers, chairman of DIVD.

Kaseya said patches are being developed to correct the flaws and will be released as soon as possible.

One of the Largest Ransomware Attacks to Date

The REvil gang is believed to operate out of Eastern Europe or Russia and is one of the most prolific ransomware-as-a-service operations. Recent attacks conducted by the gang include JBS Foods, computer giant Acer, Pan-Asian retail giant Dairy Farm, UK clothing company French Connection (FCUK), French pharmaceutical company Pierre Fabre, and Brazilian healthcare company Grupo Fleury to name but a few. The latest attack is one of the largest ransomware attacks ever seen.

The gang is known to exfiltrate data prior to file encryption and demands payment of a ransom for the keys to decrypt encrypted files and to prevent the exposure or sale of data stolen in the attack. It is currently unclear if these attacks involved data theft.

Businesses and organizations affected by the latest attack have been issued with ransom demands ranging from $50,000 to $5 million according to Sophos malware analyst Mark Loman and Emsisoft CTO Fabian Wosar. The REvil gang has asked for a payment of $70 million to supply a universal decryptor that will unlock all systems that have been encrypted in the attack.

“On Friday (02.07.2021) we launched an attack on MSP providers. More than a million systems were infected. If anyone wants to negotiate about universal decryptor – our price is 70,000,000$ in BTC and we will publish publicly decryptor that decrypts files of all victims, so everyone will be able to recover from attack in less than an hour,” wrote the gang on its data leak site.

“We have been advised by our outside experts, that customers who experienced ransomware and receive a communication from the attackers should not click on any links - they may be weaponized,” said Kaseya.

President Biden Orders Federal Investigation

After learning of the attack, U.S. President Joe Biden ordered federal intelligence agencies to investigate the incident, stating on Saturday that it was unclear who was responsible for the attack. President Biden spoke with Vladimir Putin at the June 16 Geneva summit and urged him to crack down on cybercriminal gangs operating out of Russia and warned of consequences should the ransomware attacks continue. “The initial thinking was it was not the Russian government but we’re not sure yet,” President Biden told reporters on a Saturday visit to Michigan. He also confirmed the U.S. would respond if it is determined Russia was to blame for the attack.

CISA Issues Guidance for MSPs and MSP Customers Affected by the Kaseya VSA Supply Chain Attack

Kaseya issued a Compromise Detection Tool on July 3, 2021, which was rolled out to around 900 customers. The tool can be used to quickly determine if a customer’s VSA server has been compromised in the attack. The U.S. Cybersecurity and Infrastructure Security Agency is urging all Kaseya MSP customers to download and run the Compromise Detection Tool as soon as possible.

Kaseya MSP customers have also been advised to enable and enforce multi-factor authentication on every single account and, as far as is possible, to enable and enforce MFA for customer-facing services.

CISA also says MSPs should “implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.”

MSP customers affected by the attack have been advised to implement cybersecurity best practices, especially MSP customers who do not currently have their RMM service running due to the Kaseya attack. CISA recommends the following measures:

  • Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;
  • Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;
  • Implement:
    • Multi-factor authentication; and
    • Principle of least privilege on key network resource admin accounts.
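The CISA guidance quoted above asks MSPs to restrict communication with RMM capabilities to known IP address pairs. The script below is an added example, not Kaseya's tooling or CISA's, of how a defender can audit connection records against such a pair-based allowlist: a connection to the RMM administrative interface is acceptable only when some allowlist entry matches both the source network and the destination server. All addresses, the administrative port, and the log lines are constructed for the example and are not values from the incident.

```python
"""Audit RMM admin-interface connections against an allowlist of (source, server) pairs."""
import ipaddress
import re
from typing import List, NamedTuple, Tuple

# Constructed allowlist: each entry is a (source network, RMM server address) pair.
# Only these pairs may talk to the RMM administrative interface.
ALLOWED_PAIRS: List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]] = [
    (ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_address("198.51.100.10")),
    (ipaddress.ip_network("192.0.2.5/32"), ipaddress.ip_address("198.51.100.10")),
]

# Assumed port of the RMM administrative interface (placeholder, not a vendor value).
ADMIN_PORT = 443

# Constructed record format: "<timestamp> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


class Connection(NamedTuple):
    timestamp: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_line(line: str) -> Connection:
    """Parse one connection record in the constructed format above."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable record: {line!r}")
    return Connection(
        m["ts"],
        ipaddress.ip_address(m["src"]),
        ipaddress.ip_address(m["dst"]),
        int(m["dport"]),
    )


def is_allowed(conn: Connection) -> bool:
    """True only if some allowlist pair matches both the source and the server."""
    return any(conn.src in net and conn.dst == server for net, server in ALLOWED_PAIRS)


def audit(lines: List[str]) -> List[Connection]:
    """Return every admin-interface connection that is not covered by the allowlist."""
    flagged = []
    for line in lines:
        conn = parse_line(line)
        if conn.dport != ADMIN_PORT:
            continue  # not the administrative interface; out of scope for this check
        if not is_allowed(conn):
            flagged.append(conn)
    return flagged


# Constructed sample records: two allowed; one from an unknown source; one from a
# known source but to a server not paired with it; one on a non-admin port (ignored).
SAMPLE_LOG = [
    "2021-07-02T14:03:11Z src=203.0.113.7 dst=198.51.100.10 dport=443",
    "2021-07-02T14:05:42Z src=192.0.2.5 dst=198.51.100.10 dport=443",
    "2021-07-02T14:07:09Z src=198.18.0.44 dst=198.51.100.10 dport=443",
    "2021-07-02T14:09:30Z src=203.0.113.7 dst=198.51.100.11 dport=443",
    "2021-07-02T14:11:15Z src=198.18.0.44 dst=198.51.100.10 dport=80",
]

if __name__ == "__main__":
    for conn in audit(SAMPLE_LOG):
        print(f"{conn.timestamp} {conn.src} -> {conn.dst}:{conn.dport} NOT in allowlist")
```

Matching on the pair rather than on the source address alone is the point of the guidance: a source that is trusted to reach one RMM server is not thereby trusted to reach every RMM server, so the fourth sample record is flagged even though its source appears in the allowlist.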

The post Kaseya KSA Supply Chain Attack Sees REvil Ransomware Sent to 1,000+ Companies appeared first on HIPAA Journal.

Dominion National Proposes $2 Million Settlement to Resolve Class Action Data Breach Lawsuit

Dominion National, a Virginia-based insurer, health plan administrator, and administrator of dental and vision benefits, has agreed to settle a class action lawsuit filed by victims of a 2.96 million-record data breach discovered in 2019.

The investigation into the data breach was completed on April 24, 2019. Dominion National determined unauthorized individuals gained access to its servers which contained the personal and protected health information of health plan customers.

Initially, the breach was thought to have affected 122,000 health plan members, but further investigations showed the protected health information of 2,964,778 individuals had potentially been compromised. The investigation revealed the breach had started as early as August 25, 2010, with the types of data accessible including names, dates of birth, email addresses, member ID numbers, group numbers, subscriber numbers, and Social Security numbers. Individuals who enrolled online through the Dominion National website may also have had their bank account and routing number exposed.

Providers were also affected by the breach and had names, dates of birth, Social Security numbers, and/or taxpayer identification numbers exposed. Dominion National did not find evidence that the individuals behind the cyberattack had acquired or misused the data of members. Affected individuals were offered complimentary credit monitoring and identity theft protection services for 2 years.

Shortly after announcing the data breach and issuing notification letters to affected individuals, a class action lawsuit – Abubaker v. Dominion Dental USA, Inc. et al. – was filed in the United States District Court, Eastern District of Virginia against Dominion National (Dominion Dental USA, Inc., Dominion Dental Services USA, Inc., Dominion National Insurance Company, Dominion Dental Services of New Jersey, Inc., and Dominion Dental Services, Inc.) and Avalon Insurance Company, Capital Advantage Insurance, Capital BlueCross, and Providence Health Plan.

The plaintiffs alleged the defendants were negligent for failing to adequately protect servers and databases and for not detecting the presence of the hackers in systems for 9 years. As a result of those failures, individuals have been placed at a significant risk of identity theft and fraud.

Under the terms of the proposed settlement, class members will be entitled to submit a claim for losses and out-of-pocket expenses incurred in relation to the data breach. Claims can be submitted for ordinary losses up to $300 to cover out-of-pocket expenses and fees for credit reports and credit monitoring between August 14, 2019, and July 19, 2021. Up to $100 can also be claimed for time lost responding to the security incident.

Dominion National will also be accepting claims for extraordinary losses up to $7,500 per person for actual, documented, and unreimbursed monetary losses that are fairly and reasonably traceable to the data breach.

A cap of $2 million has been placed on claims for ordinary and extraordinary losses. If the claims total exceeds $2 million, claims will be paid pro rata. The exclusion deadline is October 2, 2021, the objection deadline is October 2, 2021, and the deadline for submitting claims is January 15, 2022. A fairness hearing has been scheduled for November 19, 2021.

Dominion National will also be covering the costs of settlement administration, court-approved attorneys’ fees and expenses, and service awards for named plaintiffs. Additional security measures have also been implemented to improve security, which have cost Dominion National approximately $2,679,500.

The post Dominion National Proposes $2 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

Northwestern Memorial HealthCare and Renown Health Affected by Elekta Cyberattack

Chicago, IL-based Northwestern Memorial HealthCare and Reno, NV-based Renown Health have been affected by a cyberattack on one of their business associates.

The data breach was discovered by Stockholm-based Elekta, which provides a software platform used for clinical radiotherapy treatment for cancer and brain disorders. Elekta issued a statement confirming its first-generation cloud-based storage system was accessed by unauthorized individuals, which affected a subset of customers in North America.

Elekta has been working with law enforcement and third-party cybersecurity experts to determine exactly how the breach occurred and the nature and scope of the attack. Elekta started notifying affected healthcare providers in April 2021.

Elekta’s investigation revealed its systems were compromised between April 2, 2021 and April 20, 2021. During that time the attackers accessed and exfiltrated a copy of a database that contained the information of oncology patients. The breach was confined to Elekta’s systems. The systems of its healthcare provider clients were not accessed at any point.

Northwestern Memorial HealthCare said the database included information such as patient names, dates of birth, Social Security numbers, health insurance information, medical record numbers, and clinical information related to cancer treatment, such as medical histories, physician names, dates of service, treatment plans, diagnoses, and/or prescription information.

Renown Health has reported the breach as affecting 65,181 patients with the data involved including names, Social Security numbers, addresses, dates of birth, diagnoses, medical treatment information, appointment confirmations and other patient metrics such as height and weight.

Northwestern Memorial HealthCare said the database contained the protected health information of 201,197 oncology patients who had received treatment at one of the following hospitals:

  • Northwestern Medicine Central DuPage Hospital
  • Northwestern Medicine Delnor Community Hospital
  • Northwestern Medicine Huntley Hospital
  • Northwestern Medicine Kishwaukee Hospital
  • Northwestern Medicine Lake Forest Hospital
  • Northwestern Medicine McHenry Hospital
  • Northwestern Memorial Hospital
  • Northwestern Medicine Valley West Hospital

While data theft was confirmed, Elekta said it has no reason to believe that any patient information has been or will be misused or made public.

Northwestern Memorial HealthCare said individuals whose Social Security number was compromised will be provided with complimentary credit monitoring and identity theft protection services. Renown Health said Elekta is providing complimentary identity monitoring, fraud consultation, and identity theft restoration services.

In total, 42 healthcare systems are believed to have been affected by the breach. In some cases, affected facilities had to temporarily halt cancer procedures and arrange for patients to continue their treatment at alternative healthcare facilities.

Other victims include:

The post Northwestern Memorial HealthCare and Renown Health Affected by Elekta Cyberattack appeared first on HIPAA Journal.

University Medical Center of Southern Nevada Suffers REvil Ransomware Attack

University Medical Center of Southern Nevada (UMC) has suffered a ransomware attack in which patient data was stolen. The medical center confirmed it identified suspicious activity within the hospital network in mid-June and took immediate action to contain the threat and restrict access to its servers.

The investigation into the cyberattack is continuing and law enforcement has been notified. At this stage it appears that the attackers targeted a server that was used to store patient data. The investigation is still in the early stages, but UMC said it appears that clinical systems were not affected.

UMC said it is working with the Las Vegas Metropolitan Police Department, the FBI, and third-party cybersecurity experts to determine the exact origin and scope of the breach.

Any cyberattack that causes disruption to hospital operations has potential to result in considerable harm to patients. This is especially true for an attack on UMC, which runs the only Level 1 trauma center in Nevada.

UMC said the fast action of its IT department helped to contain the breach, but that response “resulted in minor, intermittent computer login issues for some UMC team members. While these login issues were certainly inconvenient, there have been no disruptions to patient care or UMC’s clinical systems.”

While clinical systems are not believed to have been accessed, out of an abundance of caution, UMC said it is issuing notifications to patients and affected employees and will be providing complimentary identity protection and credit monitoring services.

It has been confirmed that the attack was conducted by the REvil (Sodinokibi) ransomware gang. Data allegedly stolen prior to the encryption of files has been uploaded to the group’s data leak site. That dataset includes the names, Social Security numbers, passport numbers, and scans of driver’s licenses of 6 UMC patients, which the group said is a small sample of data stolen from UMC prior to the use of ransomware to encrypt files. It is unclear exactly how much data the attackers stole.

The REvil ransomware gang has been one of the most active ransomware operations over the past year, having conducted many attacks on businesses in the United States. The gang was behind the attack on JBS Foods in May 2021 which resulted in the temporary closure of food production facilities in the United States. JBS reportedly paid the gang $11 million in Bitcoin following the attack.

Following the attack on Colonial Pipeline by the DarkSide ransomware gang and its own attack on JBS Foods, the REvil ransomware gang issued a joint statement with the Avaddon ransomware operation stating they were limiting attacks by their affiliates and would not be targeting certain industries, including healthcare. That decision appears to have been reversed.

The post University Medical Center of Southern Nevada Suffers REvil Ransomware Attack appeared first on HIPAA Journal.

Email Data Breaches Reported by UofL Health and Jawonio

UofL Health has started notifying 42,465 patients that some of their protected health information (PHI) was sent to an incorrect external email address.

The Louisville, KY healthcare system sent notification letters to affected patients on June 7, 2021 advising them about the exposure of some of their PHI. UofL Health was contacted the following day by the owner of the external domain and was provided with technical evidence that showed the emails had not been viewed by anyone and had been permanently deleted.

Some patients whose PHI was exposed were offered complimentary identity theft protection services. While it has now been confirmed that PHI had not been viewed and is no longer accessible, UofL Health said any patient who was offered identity theft protection services will still be able to sign up for them free of charge.

“We are relieved that our patients’ information is not at risk as a result of this incident, though we wish that information would have come to us sooner,” said UofL Health in a website notice to its patients. UofL Health did not state in its breach notice what information was in the emails.

Jawonio Notifies 13,313 Patients About Email Account Breach

Jawonio, a provider of lifespan services for individuals with developmental disabilities, behavioral health challenges, and chronic medical conditions in the Mid-Hudson Region of New York, has discovered its email environment has been accessed by an unauthorized individual.

Suspicious activity was detected in its email environment on April 20, 2020. Steps were immediately taken to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the security breach. Assisted by third-party cybersecurity experts, Jawonio learned on November 24, 2020 that the personal and protected health information of 13,313 individuals had potentially been compromised.

The affected email accounts were reviewed and discovered to include names, dates of birth, medical record numbers, Social Security numbers, medical condition information, treatment information, government issued identification numbers, health insurance information, and financial account information.

While PHI was potentially viewed, no evidence was found to indicate that information has been misused. Individuals affected by the security breach have been provided with complimentary credit monitoring and identity protection services. The delay in issuing breach notification letters was due to the lengthy process of identifying current mailing addresses for affected individuals.

The post Email Data Breaches Reported by UofL Health and Jawonio appeared first on HIPAA Journal.

Ohio Hospital Worker Snooped on 7,300 Patient Records over 12 Years

A former employee of Aultman Health Foundation accessed 7,300 patient records without authorization for almost 12 years before the HIPAA violation was discovered.

The employee was provided with access to patient records to fulfil duties related to coordinating patient care but was discovered to have accessed patient records when there was no legitimate work reason for doing so. The types of information accessed included patient names, addresses, dates of birth, health insurance information, diagnosis and treatment information, and Social Security numbers.

Aultman said it suspended the employee’s access to patient records as soon as the privacy violation was uncovered, and an investigation was immediately launched to determine the nature and scope of the HIPAA violation. The investigation revealed the employee accessed patient records without authorization from September 14, 2009 until April 26, 2021. The employee was terminated for violating HIPAA and hospital policies.

Aultman has started notifying patients whose records were viewed. Patients whose Social Security number was potentially compromised have been offered complimentary credit monitoring and identity theft protection services. Aultman said its employees were aware that they were only permitted to access patient records for work purposes. “To help prevent something like this from happening again, Aultman has provided additional training to its system users and is implementing additional measures to protect the information of its patients,” said an Aultman spokesperson.

The incident appears to be a case of snooping. The former employee is not facing criminal charges and, so far, there is no indication that patient information has been or will be misused.

The Canton, OH-based health system operates Aultman Hospital, Aultman Orrville Hospital, Aultman Alliance Community Hospital, and several urgent care community health centers and physical therapy facilities in Stark County.

The post Ohio Hospital Worker Snooped on 7,300 Patient Records over 12 Years appeared first on HIPAA Journal.

Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation

A former Cedar Rapids Hospital employee has been sentenced to 5 years’ probation for wrongfully accessing and distributing the protected health information of her ex-boyfriend.

Jennifer Lynne Bacor, 41, of Las Vegas, NV, was employed as a patient care technician at a Cedar Rapids hospital. The position gave her access to systems containing the individually identifiable information of patients. While she was authorized to access that information, she was only permitted to view the information of patients in order to complete her work duties.

Bacor’s ex-boyfriend had visited the hospital on multiple occasions in 2017 to receive treatment. Bacor used her login credentials to access his medical records, which spanned October 2013 to September 2017, on multiple occasions between April and October 2017, when there was no legitimate work reason for doing so.

Accessing the protected health information of an individual when there is no legitimate work purpose for doing so is a violation of the Health Insurance Portability and Accountability Act (HIPAA), for which criminal charges can be filed.

Bacor took a photograph of a medical image that showed injuries sustained by her ex-boyfriend and sent the photo to a third party. The third party subsequently sent the image to other individuals via Facebook Messenger, including taunting language and emojis with the image. Bacor was also found to have stated in social media chats with another person that she was attempting to get primary custody of the two children she had with her ex-boyfriend.

After learning about the privacy breach, the ex-boyfriend filed a complaint with the hospital on October 4, 2017 alleging Bacor had accessed his medical records without authorization and provided the photo to the hospital. The hospital conducted an investigation into the privacy breach and confirmed Bacor had accessed his medical records on 10 occasions. Bacor was initially suspended, then fired for the HIPAA violation.

In August 2020, Bacor admitted to law enforcement officers that she had violated federal privacy laws in an attempt to protect her children. Bacor entered into a plea arrangement and pleaded guilty to one count of wrongfully obtaining individually identifiable information under false pretenses.

U.S. District Judge C.J. Williams said Bacor had “weaponized” her ex-boyfriend’s private medical information by sending it to others and sentenced her to 5 months’ probation and fined her $1,000. Bacor has also been prohibited from working in any job that requires her to have access to the private medical records of others.

The post Former Cedar Rapids Hospital Employee Who Weaponized Ex-Boyfriend’s PHI Sentenced to Probation appeared first on HIPAA Journal.

Maximus Reports Breach Affecting 334,000 Medicaid Healthcare Providers

Ohio Medicaid has announced that its data manager, Maximus Corp, has experienced a data breach in which the personal information of Medicaid healthcare providers has been compromised.

Maximus is a global provider of government health data services. Through the provision of those services the company had been provided with the personal information of Medicaid healthcare providers. On May 19, 2021, Maximus discovered a server that contained personal information provided to the Ohio Department of Medicaid (ODM) or to a Managed Care Plan had been accessed by unauthorized individuals between May 17 and May 19, 2021.

Upon discovery of the breach, Maximus took the server offline to prevent any further unauthorized access and a leading third-party cybersecurity firm was engaged to assist with the investigation. The cybersecurity firm confirmed that the breach was confined to an application on the server and no other servers, applications, or systems were affected.

No evidence was found to indicate any information within the application has been misused, although data theft could not be ruled out. The application was used for the purposes of credentialing or tax identification related to the role of each individual as a healthcare provider.

The types of sensitive data contained within the application were limited to names, dates of birth, Social Security numbers, and Drug Enforcement Agency numbers. Maximus said individuals covered by Medicaid were not affected by the breach.

Maximus said the rapid detection of the breach limited potentially adverse impacts; however, since there is a possibility of data theft, all individuals affected were notified on June 18, 2021, and have been offered complimentary credit monitoring services for 24 months.

The breach has been reported to the Maine Attorney General as affecting 334,690 individuals. Those individuals are located in multiple U.S. states.

The post Maximus Reports Breach Affecting 334,000 Medicaid Healthcare Providers appeared first on HIPAA Journal.

PHI of Up to 500,000 Individuals Potentially Stolen in Wolfe Eye Clinic Ransomware Attack

Wolfe Eye Clinic, the operator of a network of eye health clinics throughout Iowa, has announced it was the victim of a ransomware attack on February 8, 2021. Hackers gained access to its systems and used ransomware to encrypt files. A ransom demand was issued for the keys to decrypt files, but the clinic refused to pay and opted to recover files from backups. As is now common in ransomware attacks, prior to file encryption the attackers exfiltrated data from Wolfe Eye Clinic systems.

Wolfe Eye Clinic explained in its substitute breach notification letter that immediate action was taken to secure its network environment and independent IT security and forensic investigators were engaged to determine the scope and extent of the security breach. Due to the scale and complexity of the attack, it took until May 28, 2021 for the full scope of the security breach to be determined and to identify the information compromised in the attack.

The forensic investigation concluded on June 8, 2021, when it was confirmed the attackers accessed and exfiltrated the data of current and former patients. The stolen protected health information included names, addresses, birth dates, Social Security numbers and, for some individuals, medical and health information.

Notification letters have started to be mailed to affected individuals and complimentary identity theft protection and credit monitoring services are being offered for 12 months through IDX. Wolfe Eye Clinic said it is implementing additional safeguards to prevent further attacks.

The attackers appear to have exfiltrated a large amount of data. KCCI Des Moines has reported the incident as affecting approximately 500,000 individuals, making this one of the most extensive ransomware attacks on a single healthcare provider to have been reported this year.

The post PHI of Up to 500,000 Individuals Potentially Stolen in Wolfe Eye Clinic Ransomware Attack appeared first on HIPAA Journal.