The U.S. Agency for International Development (USAID) was impersonated in phishing campaign that has resulted in the exposure of the protected health information of approximately 12,000 patients of the Utah healthcare provider Revere Health. The phishing attack was rapidly detected by the revere Health IT team, which quickly secured the mailbox to block unauthorized access. According to a breach notice published by Revere Health, the mailbox was only compromised for around 45 minutes on June 21, 2021.

An investigation was launched into the breach to determine whether any information in the email account was viewed or downloaded. While it was not possible to tell whether emails in the account were accessed or exfiltrated, Revere Health said it has monitored the Internet and has found no instances of patient data being shred online.

A review of emails and email attachments confirmed they contained the protected health information of patients of the Heart of Dixie Cardiology Department in St. George, which included medical record numbers, dates of birth, provider names, procedures, and insurance provider names, but no financial information or highly sensitive data.

Revere Health believes the aim of the attacker was not to gain access to patient data, but to use the email account for a more sophisticated phishing attack on Revere health employees. Given the short window of opportunity and the limited nature of the data contained in the account, the risk to patients is perceived to be low. Patients have been advised to be vigilant against any attempted misuse of their data.

The US Agency for International Development has recently been impersonated in a phishing campaign conducted by the Russian threat group Nobelium, which was behind the SolarWinds supply chain attack. The campaign has been ongoing since early 2021. The hackers gained control of the Constant Contact email marketing account used by USAID, and the account was used to send convincing phishing emails to more than 350 organizations. In that campaign the goal was to deliver malware by impersonating genuine USAID email communications. In late May, the U.S. Department of Justice seized two domains being used in the spear phishing campaign.

The post Revere Health Phishing Attack Impacts 12,000 Patients appeared first on HIPAA Journal.

In early August, a hacker made contact with Dissent of DataBreaches.net and claimed to have hacked into the systems of a HVAC vendor. Through that vendor the hacker claimed to have gained access to the networks of its clients, one of which was Boston Children’s Hospital.

The company in question is Canton, MA-based ENE Systems. DataBreaches.net reported in a recent blog post that the hacker had attempted to extort money from the HVAC vendor but the ransom was not paid. The hacker still claimed to have access to the network of ENE Systems and those of its clients and told Dissent that he/she was not interested in causing harm to the hospital. DataBreaches.net was asked to reach out to the hospital and make it clear that its network had been breached through the HVAC vendor, in case the vendor had not communicated the breach to the hospital. DataBreaches.net was provided with screenshots as proof of the hack.

While it was not confirmed whether the networks of other hospitals had been breached, ENE systems lists Brigham & Women’s Hospital and Mass General Hospital as its clients on its website.

Mass General Hospital issued a statement about the incident saying, “The hospital was made aware of potential cyber security issues involving one of its vendors. Once notified, immediate action was taken to follow appropriate guidance to mitigate the risk. Hospital systems and operations remain unaffected by this incident.” Boston Children’s Hospital also confirmed that its vendor had experienced a breach and stated there is no risk to hospital operations nor its business environment, and no patient data were affected in the security incident. Brigham & Women’s Hospital said it had not been notified about any issues with its HVAC vendor.

Supply chain attacks can see the systems of many organizations compromised, as the recent attacks on SolarWinds and Kaseya demonstrated. Attacks can occur at any point in the supply chain, and HVAC vendors have been targeted in the past as they are a potential security weak point.

One notable attack involving an HVAC vendor was the 2013 cyberattack on Target. Hackers gained access to the network of its HVAC vendor, Fazio Mechanical Services. The company was contracted to monitor Target’s refrigerated units and was provided with access to Target’s network to perform the contracted duties.

The hackers exploited that access, compromised Target’s network, then moved laterally and accessed its POS system and stole the credit card data of 41 million individuals and the contact information of 60 million customers. Target’s 2016 financial report put the total breach cost at $292 million.

The post HVAC Vendor Allegedly Hacked: Access Gained to Hospital Systems appeared first on HIPAA Journal.

The personal information of 750,000 Hoosiers collected as part of a COVID-19 contact tracing survey conducted by the Indiana Department of Health has been exposed online and downloaded by a company not authorized to access the data. The survey included information such as names, addresses, dates of birth, emails, and information on gender, ethnicity and race.

The Indiana Department of Health was notified about the unauthorized access on July 2, 2021 and immediately took steps to secure the data to prevent further unauthorized access. According to Tracy Barnes, the Chief Information Officer of the state of Indiana, the company that accessed and downloaded the data was a firm “that intentionally looks for software vulnerabilities, then reaches out to seek business.”

Last week, the Indiana Department of Health obtained a signed “certificate of destruction” from the company confirming the downloaded data had been permanently destroyed and that no further copies of the data had been retained. The company also confirmed the downloaded data had not been disclosed to any other company or individual.  The Indiana Department of Health said the data were returned on August 4, 2021.

State Health Commissioner Kris Box believes the risk to state residents is minimal, especially considering the compromised data did not include highly sensitive information such as health data, health insurance information, Social Security numbers, or financial information.

An investigation was launched into the incident, and it was determined that the reason the data had been exposed was due to a software configuration issue, which left the data exposed to the Internet. Currently it is unclear if any individuals other than those at the cybersecurity company downloaded the records while they were exposed over the Internet.

“We take the security and integrity of our data very seriously,” said Barnes. “We have corrected the software configuration and will aggressively follow up to ensure no records were transferred.” Indiana’s Office of Technology will conduct scans regularly to ensure that the downloaded data is not transferred to third parties.

Notification letters are being sent to affected individuals to make them aware of the privacy breach, and the state said it will be offering a 12-month membership to a credit monitoring service provided by Experian to individuals affected by the breach.

The Indiana Department of Health did not name the company concerned, but HIPAA Journal has learned the company is UpGuard, a firm that regularly scans the Internet for misconfigured cloud services to identify sensitive exposed data. The company is proactive in searching for security vulnerabilities and exposed data and has identified many cases where sensitive data have been left unprotected. In all cases, the company alerts the entities concerned to ensure data are secured to prevent sensitive information falling into the hands of cybercriminals.

“Our team sent a note to the state of Indiana to notify them that they had an API that was configured for public access. Upon looking at the data, we determined that the information was sensitive and that it should not be public,” said UpGuard spokeswoman, Kelly Rethmeyer.

The post Contact Tracing Survey Data of 750,000 Hoosiers Exposed Online appeared first on HIPAA Journal.

Marietta, OH-based Memorial Health System has been forced to divert emergency care due to a suspected ransomware attack.

The cyberattack occurred in the early hours of Sunday morning, with the health system forced to shut down IT systems to contain the attack. Emergency protocols were implemented due to the lack of access to essential IT systems, and the staff has been working with paper charts.

Memorial Health System operates three hospitals in Ohio and West Virginia, all of which have been affected by the attack. Since electronic health records were not accessible, patient safety was potentially put at risk, so the decision was taken to divert emergency patents.

“We will continue to accept: STEMI, STROKE and TRAUMA patients at Marietta Memorial Hospital. Belpre and Selby are on diversion for all patients due to radiology availability. It is in the best interest of all other patients to be taken to the nearest accepting facility,” according to an August 15 press release. “If all area hospitals on are diversion, patients will be transported to the emergency department closest to where the emergency occurred. This diversion will be ongoing until IT systems are restored.”

All urgent surgical appointments and radiology examinations on Monday were cancelled; however, all primary care appointments are going ahead as scheduled, although patients with appointments have been advised to call in advance to confirm.

“Maintaining the safety and security of our patients and their care is our top priority and we are doing everything possible to minimize disruption,” said Memorial Health System President and CEO Scott Cantley. “Staff at our hospitals – Marietta Memorial, Selby, and Sistersville General Hospital—are working with paper charts while systems are restored, and data recovered.”

An investigation into the breach has been launched, but it is too early to tell how much data, if any, have been compromised in the attack. Memorial Health System officials said they have not yet found evidence indicating the attackers obtained employee or patient data. IT experts are currently methodically investigating the breach to understand precisely how hackers gained access to its systems, the actions they took once access was gained, and which systems and files they viewed or downloaded.

The cyberattack has been reported to the FBI and the Department of Homeland Security, and the health system is working closely with its information technology partners to restore its systems and data as quickly as possible.

Bleeping Computer has reportedly seen evidence suggesting the Hive ransomware threat group was responsible for the attack. Like many other ransomware operations, the Hive ransomware gang is known for stealing data prior to using ransomware and has a leak site which is used to pressure victims into paying the ransom.

Bleeping Computer says evidence has been obtained suggesting databases containing the protected health information of around 200,000 patients were stolen in the attack, with the databases including names, dates of birth, and Social Security numbers.

The post Cyberattack Forces Memorial Health System to Divert Patients to Alternate Hospitals appeared first on HIPAA Journal.

Electromed Inc., a New Prague, MN-based developer and manufacturer of airway clearance devices, has announced it suffered a security breach in June 2021 in which unauthorized individuals gained access to certain IT systems.

Electromed said unauthorized activity was detected in its IT systems on June 16, 2021 and steps were immediately taken to prevent further unauthorized access. An investigation was launched to determine the source and scope of the breach and third-party cybersecurity experts were engaged to assist with the investigation.

Electromed determined the unauthorized third party accessed certain files that contained the personal and protected health information of its customers, as well as information of its employees and certain third-party contractors.  A comprehensive review was conducted of all files on the affected systems, which revealed they contained customers’ first and last names, mailing addresses, medical information, health insurance information and, for associates, Social Security numbers, driver’s license numbers, and financial account information.

While it is possible that the above types of information were obtained by the attackers, no evidence has been found to indicate misuse of the above information and no reports have been received of any cases of identity theft related to the security breach.

As a precaution against identity theft and fraud, complementary credit monitoring and identity theft protection services have been offered to affected individuals, who have been advised to check their credit reports, financial accounts, and explanation of benefits statements for any sign of fraudulent activity.

“Protecting the privacy of customers’ personal information is important to us, and we regret any inconvenience this incident may cause its customers,” said Electromed in its substitute breach notice. “To help prevent a similar incident from occurring in the future, we have taken steps to enhance the security of its systems, and continues to review its security protocols and processes, and enhancing employee training and education.”

The security breach has ben reported to the HHS’ Office for Civil Rights as affecting 47,200 individuals.

The post PHI of 47,000 Individuals Potentially Compromised in Electromed Inc. Data Breach appeared first on HIPAA Journal.