HIPAA Breach News

Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause

Network intrusion incidents have overtaken phishing, which had been the main cause of data breaches for the past 5 years, as the leading cause of healthcare data security incidents.

In 2020, 58% of the security incidents dealt with by BakerHostetler’s Digital Assets and Data Management (DADM) Practice Group were network intrusions, most commonly involving the use of ransomware.

The BakerHostetler 2021 Data Security Incident Response (DSIR) Report is the 7th consecutive annual edition of the report. It provides insights into the current threat landscape and offers risk mitigation and compromise response intelligence to help organizations better defend against attacks and improve their incident response. The report is based on the findings of more than 1,250 data security incidents managed by the firm in 2020, including a wide variety of attacks on healthcare organizations and their vendors.

Ransomware attacks are now the attack method of choice for many cybercriminal organizations and have proven to be very profitable. By exfiltrating data prior to encryption, victims not only have to pay to recover their files, but also to prevent the exposure or sale of sensitive data. This new double extortion tactic has been very effective and data exfiltration prior to file encryption is now the norm. Throughout 2020, ransomware attacks continued to grow in frequency and severity.

BakerHostetler reports that the ransoms demanded and the number being paid increased dramatically in 2020, as did the number of threat groups/ransomware variants involved in the attacks. In 2019, there were just 15. In 2020, the number had grown to 75.

Out of the incidents investigated and managed by BakerHostetler in 2020, the largest ransom demand was for more than $65 million. The largest ransom demand in 2019 was ‘just’ $18 million. Payments are often made to speed up recovery, ensure data are recovered, and to prevent the sale or exposure of data. In 2020, the largest ransom paid was more than $15 million – up from just over $5 million in 2019 – and the average ransom payment more than doubled from $303,539 in 2019 to $797,620 in 2020.

In healthcare, the average initial ransom demand was $4,583,090 with a median ransom demand of $1.6 million. The average payment was $910,335 (median $332,330), and the average number of individuals affected was 39,180 (median 1,270). The average time to acceptable restoration of data was 4.1 days and the average forensic investigation cost was $58,963 (median $25,000).

Across all industry sectors, 70% of ransom notes claimed sensitive data had been stolen and 90% of investigations found some evidence of data exfiltration. 25% of incidents resulted in theft of data that required notifications to be issued to individuals. 20% of victims made a payment to the attackers even though they were able to recover their data from backups.

When ransoms were paid, in 99% of cases the payment was made by a third party on behalf of the affected organization, and in 98% of cases a working decryption key was provided that allowed data to be recovered. It took an average of 13 days from encryption to restoration of data.

Phishing accounted for 24% of all security incidents. Phishing attacks often led to network intrusion (33%), ransomware attacks (26%), data theft (24%), and Office 365 account takeovers (21%).

“In 2020 we saw a continued surge in ransomware as well as an increase in large supply chain matters, further stretching the capacity of the incident response industry,” said Theodore J. Kobus III, chair of BakerHostetler’s DADM Practice Group. “Organizations worked to quickly contain incidents – despite challenges in simply getting passwords changed and endpoint, detection and response tools deployed to remote workers.”

It is now more common for breach victims to take legal action. Lawsuits are increasingly being filed even when breaches affect fewer than 100,000 individuals, a trend that continued in 2020 and is driving up the cost of data breaches. HIPAA enforcement activity also continued at elevated levels, although in 2020 the majority of the financial penalties were for HIPAA Right of Access failures rather than for security breaches.

The post Network Intrusions and Ransomware Attacks Overtake Phishing as Main Breach Cause appeared first on HIPAA Journal.

Lawmakers Call for Investigation into Breach of the Contact Tracing Data of 72,000 Pennsylvanians

Lawmakers in the Commonwealth of Pennsylvania are calling for an investigation into a data breach involving the contact tracing information of 72,000 Pennsylvanians after it was discovered that sensitive information was being shared via unauthorized channels without the necessary security protections.

Insight Global is an Atlanta-based firm that has been assisting the Commonwealth of Pennsylvania with COVID-19 contact tracing during the pandemic. Several individuals employed by Insight Global were discovered to have created and shared unauthorized copies of documents with each other in the course of conducting their contact tracing duties. Documents and spreadsheets were shared via non-secure channels such as personal Google accounts, which meant sensitive data were sent to servers outside the control of the state or Insight Global.

Insight Global announced the breach on April 29, 2021 and said in its substitute breach notice that the data related to contact tracing of individuals between September 2020 and April 21, 2021. An investigation into the breach has been launched and third-party security experts have been assisting to determine the extent of the security issues and their impact. So far, no evidence has been found to suggest any personal or health information has been misused. The investigation into the security issues is ongoing.

Insight Global reports that the exposed information included names of individuals potentially exposed to COVID-19, positive/negative test status, whether symptoms were experienced, information on the names of household members, and email addresses, telephone numbers and other data necessary for specific social support services.

Insight Global said it became aware of the security issue on April 21, 2021 and took immediate steps to resolve the issues, and those steps were completed by April 23. Insight Global has been working closely with the Pennsylvania Department of Health since the discovery of the security issues and will be notifying affected individuals by mail once address information has been verified. Insight Global said no Social Security numbers or financial information have been exposed and, out of an abundance of caution, affected individuals are being provided with complimentary credit monitoring and identity protection services.

An investigation conducted by Target 11 found employees had been recording contact tracing information in the free version of Google Sheets and were sharing those spreadsheets and other documents with colleagues via personal email accounts for contact tracing purposes. Google does not enter into a business associate agreement for its free consumer services, so they cannot be used for protected health information under HIPAA and should not have been used for this data.

Insight Global had security protocols in place to ensure contact tracing data could be recorded and shared securely. It is currently unclear whether this was simply a case of isolated employees circumventing security protocols and creating unauthorized documents and spreadsheets to make their work easier. However, regardless of the cause, sensitive data has been exposed.

The Commonwealth of Pennsylvania has decided not to renew its contract with Insight Global over the security breach. The contract is set to expire on July 31, 2021. A spokesperson for the Pennsylvania Department of Health said, “We are extremely dismayed that employees from Insight Global acted in a way that may have compromised this type of information and sincerely apologize to all impacted individuals.”

State Representative Jason Ortitay (R- Allegheny, Washington) claims to have learned about the breach weeks ago and raised the alarm with the state Governor’s office on April 1, 2021. Republican lawmakers are now calling for an investigation into the security breach by the state Attorney General’s office, House Government Oversight Committee, and federal law enforcement agencies.


Ransomware Attack on Scripps Health Disrupts Patient Care

The San Diego-based healthcare provider Scripps Health suffered a cyberattack on May 1, 2021 which forced it to take its information technology systems offline. Scripps Health operates four hospitals in the San Diego area and has been able to continue to provide care to patients; however, stroke, heart attack, and trauma patients seeking emergency treatment at all four of its hospitals in Encinitas, La Jolla, San Diego, and Chula Vista were diverted to alternative facilities as a precautionary measure.

Scripps Health issued a statement confirming its outpatient urgent care centers, Scripps HealthExpress locations, and emergency departments do remain open, and staff are continuing to care for patients. While information technology systems are down, including its online portal, Scripps Health is operating on established backup processes and is using offline documentation methods. Patient safety has not been put at risk.

It is unclear when it will be possible to bring systems back online, so the decision has been taken to postpone some patient appointments for Monday and later this week.

Scripps Health has not disclosed full details about the nature of the attack, but local media outlets are reporting this as a ransomware attack. Scripps Health and its technical teams are working around the clock to restore systems and resolve all issues resulting from the attack.

Midwest Transplant Network Suffers Suspected Ransomware Attack

The Midwest Transplant Network has also announced it was the victim of a cyberattack. On April 30, 2021, the Westwood, KS-based healthcare provider confirmed that its IT department and third-party security experts have been working round the clock to stop and remove the threat and determine the extent to which patient data has been compromised.

While it is possible that patient information was accessed, the investigation into the breach has not uncovered any evidence to suggest any patient information was exfiltrated by the attackers. Patients are being notified by mail if they have potentially been affected.

Midwest Transplant Network said that throughout the incident it was able to continue its mission through organ, eye, and tissue donation. Up to 17,600 individuals are understood to have potentially had their protected health information exposed.


Health Aid of Ohio Security Incident Affects up to 141,000 Individuals

Health Aid of Ohio, a Parma, OH-based full-service home medical equipment provider, has discovered that unauthorized individuals gained access to its systems and exfiltrated some files from its network. The breach was detected on February 19, 2021, when suspicious network activity was identified. Action was quickly taken to eject the attackers from the network and secure patient data.

An investigation into the breach confirmed that files were accessed and exfiltrated from Health Aid’s systems, but it was not possible to determine exactly which files had been removed from its systems. It is possible that some of the exfiltrated files contained the protected health information of VA plan members.

That information potentially included names, addresses, telephone numbers, and details of the type of equipment delivered to, or repaired in, individuals’ homes. The protected health information of individuals who received services through their insurance carrier or healthcare provider included names, telephone numbers, dates of birth, Social Security numbers, insurance information, diagnosis information, and equipment type.

While the above information may have been stolen, no reports have been received to suggest there has been any fraudulent misuse of any of the above information to date.

Health Aid of Ohio has not disclosed how the attackers gained access to its systems and whether malware or ransomware was involved. The Federal Bureau of Investigation has been notified and appropriate authorities informed. The breach report submitted to the HHS’ Office for Civil Rights indicates up to 141,149 individuals have potentially been affected.


Californian Healthcare Provider Discovers Patient Data was Exposed on the Internet for Over a Year

Doctors Medical Center of Modesto (DCM) in California has discovered a contractor used by a former vendor accidentally exposed patient data over the Internet.

DCM had contracted with the SaaS platform provider Medifies to provide virtual waiting room services. On April 2, 2021, DCM discovered the data of some of its patients was accessible over the Internet. DCM contacted Medifies about the exposed data and the issue was corrected the same day and the data was secured.

The investigation into the breach confirmed an error had been made when performing a software update which allowed the data to be accessed via the Internet. The error was made by a Medifies software development contractor.

The software update that made the information accessible occurred in December 2019, which meant patient data had been exposed online for more than a year. During that time the data may have been found and viewed by unauthorized individuals, although no evidence was found to suggest that it was.

The exposed data varied from patient to patient and may have included name, address, email address, date of birth, general procedure information, procedure date, and physician name. The names, addresses, email addresses, and cell phone numbers of significant others who may have subscribed to receive updates regarding a patient’s procedure may also have been exposed.

DCM had previously terminated its business relationship with Medifies but has been working closely with the company to investigate the breach. The types of information exposed should not put people at risk of identity theft; however, out of an abundance of caution, affected individuals have been offered complimentary credit monitoring services for one year and have until April 23, 2022 to activate those services.


Einstein Healthcare Network Facing Class Action Lawsuit over 2020 Phishing Attack

The Philadelphia-based health system, Einstein Healthcare Network, is facing a class action lawsuit over an August 2020 phishing attack that resulted in multiple employee email accounts being accessed by an unauthorized individual.

Einstein Healthcare is a non-profit health system that operates four hospitals – Einstein Medical Center Philadelphia, Elkins Park Hospital, MossRehab in Elkins Park, and Einstein Medical Center Montgomery – and multiple outpatient and primary care clinics throughout the greater Philadelphia area.

The investigation into the breach determined the email accounts were subjected to unauthorized access for 12 days between August 5 and August 17, 2020. A review of the compromised email accounts revealed they contained the protected health information of 353,616 patients, including names, dates of birth, account/medical record numbers, medical information such as diagnosis and treatment information and, for some individuals, Social Security numbers and health insurance information.

Patients affected by the breach were notified by mail starting October 9, 2020 while the incident was still being investigated, then further notifications were sent to patients between January 21 and February 8, 2021 when it became clear that more individuals had been affected.

Following the breach, the health system implemented additional security measures to prevent further breaches and retrained the workforce on how to identify suspicious emails. Individuals whose Social Security number was exposed were offered complimentary credit monitoring and identity theft protection services for 12 months.

The lawsuit was filed by law firm Morgan & Morgan with Einstein Healthcare patient Nanette Katz of Blue Bell, PA named as lead plaintiff. The lawsuit alleges Einstein Healthcare failed to secure and safeguard the protected health information of patients and had not implemented or followed basic security procedures. As a result of that negligence, the lawsuit alleges sensitive patient information is now in the hands of cybercriminals and patients now face a substantial risk of identity theft. As a result of the breach, patients have had to spend, and will continue to have to spend, a significant amount of time and money protecting themselves against identity theft and fraud.

The lawsuit also alleges the healthcare provider failed to provide timely notifications to patients, with the lead plaintiff first receiving notification about the breach in January 2021, more than 6 months after the breach and alleged theft of her PHI. The lawsuit says the breach response was “untimely and woefully deficient, failing to provide basic details concerning the data breach.”

The lawsuit seeks monetary damages for the patient and class members, requests the courts order the health system to fully disclose details of the nature and extent of data compromised, and requires the health system to implement reasonably sufficient safeguards to prevent further data breaches in the future.

It is now relatively common for patients affected by data breaches to take legal action when their personal and protected health information is exposed or stolen; however, for these cases to succeed, victims of the data breach generally need to provide evidence that they have suffered harm. Many lawsuits are dismissed as the claims are deemed too speculative.

The nature of the harm and injuries suffered must also be sufficient to warrant damages. A lawsuit filed by a victim of an Envision Healthcare data breach – Pruchnicki v. Envision Healthcare Corp. – was recently dismissed, and the dismissal has been upheld by the U.S. Court of Appeals for the Ninth Circuit.

In that case, the alleged harm and injuries were for time spent dealing with the breach, stress, nuisance, and annoyance from dealing with the aftereffects of the breach, worry, anxiety, and hesitation when applying for new credit cards, imminent and impending injury of potential fraud and identity theft, and diminution in value of the plaintiff’s personal and financial information. The allegations of harm were sufficient for the District Court for standing purposes but were insufficient for compensable damages to be awarded.


PHI of 31,000 Individuals Potentially Compromised in River Springs Health Plans Phishing Attack

An unauthorized individual gained access to the email account of an employee of River Springs Health Plans and installed malware which potentially allowed the contents of the email account to be exfiltrated. The employee responded to the phishing email on September 14, 2020. The malware was detected and removed the following day and the email account was secured.

A leading forensics firm was retained to assist with the investigation and determine whether any sensitive information was accessed or obtained by the attackers. No evidence was found which suggested any member data had been exfiltrated, but data theft could not be ruled out. A comprehensive review of the affected account revealed on February 17, 2021 that the protected health information of 31,195 River Springs Health Plans members was stored in the email account.

The types of information in the account varied from individual to individual and may have included the following information: First and last names, dates of birth, member ID, Medicare ID, Medicaid ID, Social Security number, and references to medical information such as healthcare provider information. No financial information was compromised.

River Springs Health Plans has taken steps to improve email security and has reeducated the workforce on phishing email identification and reporting suspicious emails. Affected individuals have now been notified and complimentary credit monitoring services have been offered.

Health Center Partners of Southern California Impacted by Netgain Ransomware Attack

Health Center Partners of Southern California (HCP) has confirmed it has been affected by a ransomware attack on its IT service provider, Netgain Technology LLC.

HCP provides support to community health centers in Southern California which requires access to patient information, some of which was stored on systems that were affected by the September 2020 ransomware attack. Netgain’s investigation confirmed that between October 22, 2020 and December 3, 2020, files containing protected health information were obtained by the attacker, including files containing HCP data.

Netgain paid the ransom to prevent further disclosure of the stolen data and received assurances that the attackers had deleted it. The dark web is being scanned and hacking forums monitored to identify any exposure of the data. HCP said in its breach notice that there is no reason to believe any data stolen in the attack will be misused but, as a precaution, affected individuals have been offered complimentary identity protection services through IDX.


Wyoming Department of Health Announces GitHub Data Breach Affecting 164,000 Individuals

The Wyoming Department of Health (WDH) has discovered the protected health information of 164,021 individuals has been accidentally exposed online due to an error by a member of its workforce.

On March 10, 2021, WDH discovered that an employee had uploaded files containing medical test result data to repositories, some private and some public, on the software development platform GitHub. GitHub’s access controls protect the contents of private repositories, but the employee’s error meant the data could potentially have been accessed by individuals unauthorized to view it from January 8, 2021 onward.

In total 53 files were uploaded to the platform that included COVID-19 and influenza test result data, along with one file that contained breath alcohol test results. The exposed information included patient IDs, dates of birth, addresses, dates of service, and test results. The COVID-19 test result data had been reported to WDH for Wyoming residents, although the tests themselves may have been performed anywhere in the United States between January 2020 and March 2021. The alcohol test results related to tests performed by law enforcement in Wyoming between April 19, 2012 and January 27, 2021.

“While WDH staff intended to use this software service only for code storage and maintenance rather than to maintain files containing health information, a significant and very unfortunate error was made when the test result data was also uploaded to GitHub.com,” said WDH Director Michael Ceballos. “We are taking this situation very seriously and extend a sincere apology to anyone affected. We are committed to being open about the situation and to offering our help.”

The files have been removed from GitHub and GitHub has confirmed that the files have been removed from its servers. WDH has taken steps to prevent similar exposures of protected health information in the future, including prohibiting the use of GitHub and other public repositories and retraining its workforce.

While no Social Security numbers, financial information, or health insurance information was involved, out of an abundance of caution, WDH has offered affected individuals complimentary identity theft protection services through IdentityForce, which includes advanced credit and dark web monitoring and an identity theft insurance policy.

This is the second GitHub-related breach to be announced in the past few weeks. Earlier this month, Med-Data confirmed that the protected health information of patients of some of its clients had been accidentally uploaded to GitHub repositories and an investigation by researcher Jelle Ursem and databreaches.net in 2020 identified many cases where healthcare data had been exposed on the platform.
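The WDH and Med-Data incidents, and the earlier cases found by Jelle Ursem, share a pattern: a test-result export ends up in a commit because nothing between the workstation and the remote checks what is being pushed. The following pre-commit hook is an added example written for this article, not code from WDH, Med-Data, GitHub or any vendor named here. It scans the files staged for commit and refuses the commit when a file looks like a patient export. The list of PHI-like column names, the regular expressions for SSNs, dates and lab-result words, and the thresholds are all assumptions about what such exports typically contain; the CSV at the bottom is constructed for the demonstration and is not real data.

```python
"""Pre-commit hook: block commits that stage files shaped like PHI exports.

Added example for this article; not WDH, Med-Data or GitHub code.
The column list, patterns and thresholds below are assumptions.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# Column names commonly seen in patient / test-result exports (assumed list).
PHI_COLUMNS = {
    "patient_id", "patientid", "mrn", "dob", "date_of_birth", "ssn",
    "test_result", "result", "date_of_service", "address", "phone", "email",
}
# US SSN shape, excluding area numbers that are never issued (000, 666, 9xx).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# ISO (YYYY-MM-DD) or US (M/D/YYYY) dates.
DATE_RE = re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b")
# Lab-result vocabulary that rarely shows up in source code or docs.
RESULT_RE = re.compile(r"\b(?:positive|negative|detected|not detected)\b", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    reason: str


def _header_columns(first_line: str) -> set:
    """Normalise a CSV/TSV header line into lower-case snake_case names."""
    cells = re.split(r"[,\t;|]", first_line)
    return {c.strip().strip('"').lower().replace(" ", "_") for c in cells}


def scan_text(path: str, text: str, min_dates: int = 5) -> list:
    """Return Findings explaining why `text` looks like a PHI export (empty if clean)."""
    findings = []
    lines = text.splitlines()
    if not lines:
        return findings
    phi_cols = sorted(_header_columns(lines[0]) & PHI_COLUMNS)
    if len(phi_cols) >= 2:
        findings.append(Finding(path, "header names PHI-like columns: " + ", ".join(phi_cols)))
    ssns = SSN_RE.findall(text)
    if ssns:
        findings.append(Finding(path, f"{len(ssns)} SSN-formatted value(s)"))
    dates = DATE_RE.findall(text)
    results = RESULT_RE.findall(text)
    if len(dates) >= min_dates and results:
        findings.append(Finding(path, f"{len(dates)} dates alongside {len(results)} test-result token(s)"))
    return findings


def staged_files() -> list:
    """Paths added or modified in the index (assumes git is on PATH and we run inside a repo)."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=AM", "-z"],
                         check=True, capture_output=True).stdout
    return [p.decode() for p in out.split(b"\0") if p]


def main() -> int:
    findings = []
    for path in staged_files():
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(path, fh.read()))
        except OSError:
            continue  # deleted or unreadable file; nothing to scan
    for f in findings:
        print(f"BLOCKED {f.path}: {f.reason}", file=sys.stderr)
    return 1 if findings else 0


# Constructed sample export (fake identifiers), used only for the --demo run.
SAMPLE_CSV = """patient_id,dob,date_of_service,test_result,notes
100234,1984-03-12,2021-01-08,positive,
100235,1990-07-01,2021-01-08,negative,
100236,1977-11-23,2021-01-09,negative,
100237,2002-02-14,2021-01-09,positive,follow-up 01/12/2021
100238,1965-09-30,2021-01-10,negative,ssn on file 123-45-6789
"""

if __name__ == "__main__":
    if "--demo" in sys.argv:
        for f in scan_text("results.csv", SAMPLE_CSV):
            print(f"{f.path}: {f.reason}")
        sys.exit(0)
    sys.exit(main())
```

Save the script as `.git/hooks/pre-commit` (executable) and every commit is checked before it can reach a remote; `python3 pre-commit --demo` shows the three reasons the sample file would be blocked. The header check is the cheap and reliable signal; the date and result-word heuristic is deliberately conservative so that ordinary source files and documentation do not trip it.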


Ransom Payment Increase Driven by Accellion FTA Data Exfiltration Extortion Attacks

The increase in ransomware attacks in 2020 has continued in 2021 with healthcare one of the most targeted industries, according to the latest Coveware Quarterly Ransomware Report. Healthcare ransomware attacks accounted for 11.6% of all attacks in Q1, 2021, on a par with attacks on the public sector and second only to attacks on firms in professional services (24.9%).

While ransom demands declined in Q4, 2020, that trend abruptly stopped in Q1, 2021, with the average ransom payment increasing by 43% to $220,298 and the median ransom payment up 59% to $78,398. The increase in payments was driven not by file-encrypting ransomware attacks but by data exfiltration extortion attacks by the Clop ransomware gang.

The Clop ransomware gang exploited two zero-day vulnerabilities in the Accellion legacy File Transfer Appliance, exfiltrated customers’ data, then threatened to publish the stolen data if the ransom was not paid. When victims refused to pay, the stolen data were leaked on the Clop ransomware data leak site.

These attacks show that file encryption is not always necessary, with the threat of publication of stolen data often sufficient to ensure payment is made. Coveware notes that while exploitation of the vulnerabilities allowed data to be exfiltrated, it was not possible to deploy ransomware across victims’ networks, otherwise ransomware would most likely have also been used in the attacks.

The Clop ransomware gang was particularly active in Q1, 2021. The group often attacks large enterprises and demands huge ransoms and, like many other ransomware gangs, steals data prior to file encryption and threatens to expose that data if payment is not made. These double extortion tactics have become the norm and most ransomware attacks now involve data exfiltration. In Q1, 77% of ransomware attacks involved data exfiltration, up from 70% in Q4, 2020.

Ransomware victims may have no choice other than paying the ransom if they are unable to recover encrypted data from backups, but there are risks associated with paying the ransom demand, especially to prevent a data leak. There is no guarantee that the data will be destroyed, and it could still be traded or sold to other threat groups after payment is made. Exfiltrated data may also be stored in multiple locations, so even if the threat actor destroys its copy, third parties may still have one. Coveware notes that while data exfiltration has increased, a growing number of ransomware victims are electing not to give in to the attackers’ demands and are refusing to pay the ransom to prevent a data leak for these and other reasons.

“Over hundreds of cases, we have yet to encounter an example where paying a cybercriminal to suppress stolen data helped the victim mitigate liability or avoid business / brand damage.” – Coveware.

Many RaaS operations have increased the number of attacks by recruiting more affiliates, but some RaaS operations have struggled to scale up their operations. The Conti gang outsourced their chat operations which made negotiations and recoveries more difficult. The Lockbit and BlackKingdom gangs experienced technical difficulties which resulted in permanent data loss for some of their victims, and even the most prolific ransomware operation – Sodinokibi – experienced problems matching encryption keys with victims resulting in permanent data loss.

These technical problems show that even ransomware operations that intend to provide the keys to decrypt data are not always able to. Coveware also observed a worrying trend where ransomware gangs deliberately disrupt recovery after the ransom is paid. The Lockbit and Conti gangs were observed attempting to steal more data during the recovery phase and even attempting to re-launch their ransomware after victims have paid. Coveware notes that this kind of disruption was rare in 2020, but it is becoming more common. Technical issues and disruption to the recovery process have contributed to an increase in downtime due to an attack, which is up 10% in Q1 to 23 days.

In Q4, 2020, email phishing overtook Remote Desktop Protocol (RDP) as the most common initial access vector for ransomware, but in Q1, 2021 compromised RDP connections were once again the most common method of gaining access to victim networks. Phishing is still commonly used and is the method favored by the Conti ransomware gang – the second most prevalent ransomware operation in Q1.

Exploitation of software vulnerabilities also increased, with unpatched vulnerabilities in Fortinet and Pulse Secure VPN appliances the most commonly exploited flaws. Coveware believes the majority of ransomware-as-a-service operators and affiliates do not exploit software vulnerabilities, instead they pay specialist threat actors for access to compromised networks. Those threat actors mostly target smaller organizations, with RDP the most common method of attack for larger organizations.
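Because compromised RDP sessions remain the most common way into victim networks, the logon events Windows already records are worth watching rather than waiting for the encryptor to run. The following detection is an added example for this article, not part of the Coveware report or of any product. It reads a constructed JSON-lines export of Windows Security events, using the real event IDs and field names (4625 failed logon, 4624 successful logon, LogonType 10 for RemoteInteractive, IpAddress and TargetUserName), counts RDP logon failures per source address in a sliding window, and raises a second, higher-priority alert when a successful RDP logon from the same address follows the burst of failures. The window, the threshold and the sample events are assumptions chosen for the demonstration.

```python
"""RDP brute-force detection over Windows Security events (added example).

Not part of the Coveware report. The JSON-lines input format is a constructed
export; the event IDs, LogonType value and field names are those of the
Windows Security log. Window and threshold are assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625     # An account failed to log on
SUCCESS_LOGON = 4624    # An account was successfully logged on
RDP_LOGON_TYPE = 10     # RemoteInteractive (RDP / Terminal Services)

# Constructed sample export (TEST-NET addresses, fake accounts), not real log data.
SAMPLE_LOG = """
{"TimeCreated": "2021-03-10T02:14:05", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.42", "TargetUserName": "administrator"}
{"TimeCreated": "2021-03-10T02:14:07", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.42", "TargetUserName": "admin"}
{"TimeCreated": "2021-03-10T02:14:09", "EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.7", "TargetUserName": "jsmith"}
{"TimeCreated": "2021-03-10T02:14:11", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.42", "TargetUserName": "backup"}
{"TimeCreated": "2021-03-10T02:14:13", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.42", "TargetUserName": "scanner"}
{"TimeCreated": "2021-03-10T02:14:15", "EventID": 4624, "LogonType": 2, "IpAddress": "-", "TargetUserName": "jsmith"}
{"TimeCreated": "2021-03-10T02:14:17", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.42", "TargetUserName": "svc_backup"}
{"TimeCreated": "2021-03-10T02:14:19", "EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.42", "TargetUserName": "svc_backup"}
{"TimeCreated": "2021-03-10T02:16:40", "EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.42", "TargetUserName": "svc_backup"}
"""


def parse_events(lines):
    """Parse JSON-lines records, attach a datetime, and return them in time order."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["TimeCreated"])
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for RDP failure bursts and for RDP successes that follow them.

    A source IP is flagged the first time it accumulates `threshold` failed
    RemoteInteractive logons within `window`; any later successful
    RemoteInteractive logon from a flagged IP produces a second alert.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent 4625/type-10 events
    accounts = defaultdict(set)     # ip -> account names tried
    flagged = set()
    alerts = []
    for e in events:
        if e.get("LogonType") != RDP_LOGON_TYPE:
            continue  # console, network, service logons are out of scope here
        ip, ts = e.get("IpAddress", "-"), e["ts"]
        q = failures[ip]
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell outside the sliding window
        if e["EventID"] == FAILED_LOGON:
            q.append(ts)
            accounts[ip].add(e.get("TargetUserName", ""))
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "rdp_bruteforce", "ip": ip, "failures": len(q),
                               "accounts_tried": sorted(accounts[ip]), "at": ts.isoformat()})
        elif e["EventID"] == SUCCESS_LOGON and ip in flagged:
            alerts.append({"type": "rdp_success_after_bruteforce", "ip": ip,
                           "user": e.get("TargetUserName"), "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG.splitlines())):
        print(json.dumps(alert))
```

Run against the sample, the script emits one `rdp_bruteforce` alert for 203.0.113.42 after its fifth failure and one `rdp_success_after_bruteforce` alert when `svc_backup` then logs in from the same address; the single failure from 198.51.100.7 and the console logon are ignored. The second alert is the one worth paging on: a success after a failure burst is what precedes the lateral movement and exfiltration described in the report, and it is also the moment at which forcing the session off and resetting the account is still cheap.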
