HIPAA Breach News

Utah Pathology Services Email Breach Potentially Affects 112,000 Patients

Utah Pathology Services has announced an unauthorized individual has gained access to the email account of an employee and attempted to redirect funds from Utah Pathology. The breach was detected promptly, the compromised email account was secured, and the attempted fraud was unsuccessful and did not involve any patient information.

Independent IT and forensic investigators were engaged to assist with the investigation and help determine the extent of the breach. The investigation is ongoing, but it has now been confirmed that the compromised email account contained the personal and protected health information of around 112,000 patients.

The purpose of the attack appears to have been to redirect funds to an account under the control of the attacker, rather than to steal patient data; however, the possibility of data theft could not be ruled out and affected individuals are now being notified about the breach.

The compromised email account contained the following types of information in addition to patient names: Gender, date of birth, mailing address, phone number, email address, health insurance information, internal record numbers, and diagnostic information related to pathology services. A small number of affected individuals had their Social Security number exposed.

No evidence of misuse of patient information has been found to date but, out of an abundance of caution, affected individuals have been offered 12 months complimentary membership to Cyberscout’s identity monitoring service.

Utah Pathology Services is reviewing its privacy and security measures and additional safeguards will be implemented, as appropriate, to prevent further breaches in the future.

Valley Health Systems Suffers Ransomware Attack

Valley Health Systems, a healthcare provider serving around 75,000 patients in southern West Virginia, southeastern Ohio and eastern Kentucky, was attacked with ransomware on or around August 22, 2020.

As is common in manual ransomware attacks, prior to the encryption of data, files were exfiltrated by the attackers and were used to pressure the healthcare provider into paying the ransom. Some of the data stolen in the attack has been published on a leak site.

Valley Health Systems continued to provide medical services to patients while recovering from the attack and patient care was unaffected. Several systems are still affected and are being slowly restored and brought back online. Third-party cybersecurity experts have been assisting with the investigation and recovery.

According to a statement VHS provided to databreaches.net, “Unfortunately, the threat actor has released some of our information. We are doing everything we can to understand what information is at risk and to protect patient information.” Databreaches.net confirmed that the attack involved Sodinokibi (REvil) ransomware.

VHS said, “We are committed to completing a full forensic review following the resolution of this outage, and we will take all appropriate action, which may include notifying affected patients, in response to our findings. We have also taken steps to notify the FBI and intend to fully cooperate with any investigation into this incident.”

The breach has yet to appear on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

The post Utah Pathology Services Email Breach Potentially Affects 112,000 Patients appeared first on HIPAA Journal.

Former Nursing Home Employee Accused of Defrauding Residents Out of $25,000

A former nursing home employee has been accused of stealing the identities of dozens of nursing home residents and using their accounts to pay her bills.

The woman, Anna Zur, 39, of Franklin Park, IL, previously worked in the corporate office of a care facility and abused her access rights to residents’ information to obtain documents and financial information, which she sent to a personal email account. She has been accused of stealing the identities of residents and using their accounts to purchase goods and services and pay her bills.

The Palos Heights Police Department conducted a year-long investigation into cases of identity theft and fraud and issued a warrant for the woman’s arrest. She was taken into custody on August 26, 2020 and has been charged with felony counts of wire fraud and continuing a financial crimes enterprise. The woman has been linked to 35 cases of identity theft and is alleged to have defrauded individuals out of $25,000.

Patient Data Stolen in Ventura Orthopedics Ransomware Attack

The Californian healthcare provider Ventura Orthopedics has experienced a manual ransomware attack and has had patient information stolen and published online. The stolen data was identified by Databreaches.net when checking the new data leak site used by the operators of Conti-Ryuk ransomware. Data from the attack was also found on the leak site used by the Maze ransomware operators.

The dumped data was found to contain patient information such as names, dates of birth, medications, and lab test results. In total, more than 1,800 files have been leaked online.

There has been no announcement made by Ventura Orthopedics about the ransomware attack at the time of writing and no information is detailed on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected by the attack.

Comanche County Hospital Authority Impacted by Magellan Health Ransomware Attack

Comanche County Hospital has announced that the protected health information of 1,112 individuals was compromised in the ransomware attack on the pharmacy benefits vendor, Magellan Health in April 2020.

Magellan Health’s investigation revealed limited health information of benefit plan members was compromised in the attack such as names, addresses, payment, health insurance account information, and treatment information. No Social Security numbers or financial information were compromised.


Dynasplint Systems Data Breach Impacts Almost 103,000 Individuals

Severna Park, MD-based Dynasplint Systems, a manufacturer of proprietary stretching devices to improve joint motion, has experienced a cyberattack in which personal and protected health information may have been accessed or stolen.

The security breach occurred on May 16, 2020. Assisted by a digital forensics firm, Dynasplint Systems determined on June 4, 2020 that information such as names, addresses, dates of birth, Social Security numbers, and medical information was accessed by the attackers. The cyberattack was reported to the FBI and Dynasplint Systems is cooperating with the investigation to hold the individuals responsible accountable.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 102,800 individuals were potentially affected by the attack. Those individuals were notified on August 8, 2020 and have been offered complimentary identity monitoring and recovery services for 12 months through Kroll.

Texas Medical Clinical Research Organization Suffers Phishing Attack

Pinnacle Clinical Research, a San Antonio, TX-based medical clinical research organization that runs hepatological and gastroenterological clinical trials in San Antonio and Austin, TX, has announced it has suffered a phishing attack.

The email account breach was detected in April 2020. Assisted by independent IT security and forensic investigators, Pinnacle Clinical Research determined on or around May 8, 2020 that the compromised email account contained the sensitive information of clinical trial participants.

The breach was limited to a single email account which was found to contain information such as names, mailing addresses, telephone numbers, medical histories, and treatment information. A subset of affected individuals may also have had one or more of the following data elements exposed: Date of birth, Social Security number, driver’s license number, state ID number, taxpayer ID number, passport number, credit card/financial account number, associated PIN or password, email address, and/or health insurance individual policy number.

The compromised email account was immediately secured when the breach was discovered and steps have since been taken to improve the privacy and security of information stored in its systems. Affected individuals have been offered complimentary identity theft protection and credit monitoring services for 12 months.

Phishing Attack Reported by the Institute for Integrative Nutrition

The Institute for Integrative Nutrition in New York City has discovered personal information has potentially been compromised in a March 2020 phishing attack. The email account breach was detected on June 22, 2020. The investigation revealed a single email account was accessed by an unauthorized individual between March 3-4, 2020.

Third-party cybersecurity professionals assisted with an extensive forensic investigation, and the manual document review confirmed that names and personal information, including Social Security numbers, had potentially been accessed, although no evidence was found suggesting data were stolen in the attack.

Out of an abundance of caution, affected individuals have been offered complimentary identity theft protection services and “significant measures” have been implemented to prevent further breaches in the future.

PHI Potentially Compromised in Phishing Attack on Colorado Mental Health Center

Lafayette, CO-based Mental Health Center of Boulder County Inc., aka Mental Health Partners, experienced a phishing attack in late March in which employee information and the protected health information of some of its clients were potentially compromised.

Assisted by forensic investigators, Mental Health Partners determined on July 22, 2020 that the following information may have been subjected to unauthorized access or could have been stolen in the attack: names; dates of birth; Social Security numbers; driver’s license or state identification card numbers; passport numbers; financial account information; medical record numbers; medical treatment information, including symptom, diagnosis, treatment, medication, and doctor information; and/or health insurance information.

Affected individuals have been offered complimentary credit monitoring services. No evidence was found to indicate data were stolen or misused. Mental Health Partners has reviewed its internal policies and procedures following the attack and additional safeguards are being implemented to enhance digital security.

Boxes of Medical Records Found at Texas Recycling Center

More than 2 dozen boxes of old medical records have been found at an Odessa, TX recycling center. The records appear to have come from West Texas Orthopedics, which is part of Midland Health. It is not known how the records came to be at the recycling center and why they were not disposed of securely in accordance with HIPAA Rules.

“We have a team on-site at Odessa Recycling Center. They have looked through all records and determined that they do not belong to us. The name West Texas Orthopedics has been used by other entities in the past, but these records predate our ownership,” said Midland Health in a statement issued about the breach.


AI Company Exposed 2.5 Million Patient Records Over the Internet

The personal and health information of more than 2.5 million patients has been exposed online, according to technology and security consultant Jeremiah Fowler.

The records were discovered on July 7, 2020 in two folders that were publicly accessible over the Internet and required no passwords to access data. The folders were labeled as “staging data” and had been hosted by an artificial intelligence company called Cense AI, a company that provides SaaS-based intelligent process automation management solutions. The folders were hosted on the same IP address as the Cense website and could be accessed by removing the port from the IP address, which could be done by anyone with an Internet connection. The data could have been viewed, altered, or downloaded during the time it was accessible.

An analysis of the data suggests it was collected from insurance companies and relates to individuals who had been involved in automobile accidents and had been referred for treatment for neck and spinal injuries. The data was quite detailed and included patient names, addresses, dates of birth, policy numbers, claim numbers, diagnosis notes, payment records, date of accident, and other information. The majority of individuals in the data set appeared to come from New York. In total, there were 2,594,261 records exposed across the two folders.

Fowler identified extremely uncommon names and performed a Google search to verify those individuals were real, checking the name, region and demographic data. Fowler was satisfied that this was a real data set and not dummy data. Fowler made contact with Cense via email and while no response was received, the data was no longer accessible on July 8, 2020.

Fowler suspects that the data had been temporarily loaded into a storage repository prior to being loaded into Cense’s management or AI system. There was no way of determining how long the data had been exposed.

Currently, there is no breach notice on the Cense website and the incident has not appeared on the HHS’ Office for Civil Rights website. Fowler said he only accessed a limited amount of data for verification purposes and did not download any patient information; however, during the time the folders were exposed, it is possible that other individuals may have found and downloaded the data.

Data leaks such as this are all too common. Misconfigurations of cloud resources such as S3 buckets and Elasticsearch instances frequently leave sensitive data exposed. Cybercriminals are constantly searching for exposed data and it does not take long for data to be found. One study conducted by Comparitech showed that it takes just a few hours for exposed Elasticsearch instances to be found.

Cloud services offer many advantages over on-premises solutions, but it is essential for protections to be put in place to secure any cloud data and for policies and procedures to be implemented to allow misconfigurations to be rapidly identified and corrected.
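The paragraphs above name S3 buckets as a frequent source of exposures and call for misconfigurations to be identified quickly. As an added illustration (not code from the article, from Cense AI or from any of the organizations named), the following Python script reviews an S3 bucket policy document and flags every Allow statement whose Principal is the anonymous wildcard. The policy below is constructed for the demonstration; the bucket name, account ID and statement IDs are placeholders.

```python
"""Flag S3 bucket policy statements that grant access to everyone.

Added example, not from the HIPAA Journal article: a static check of an
AWS S3 bucket policy document, the kind of review that catches a staging
bucket left readable by the whole Internet. The policy is constructed.
"""
import json

# Constructed sample policy: the first statement is scoped to one IAM role,
# the second grants read and list access to anyone (the misconfiguration).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-staging-data/*",
        },
        {
            "Sid": "StagingPublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-staging-data",
                         "arn:aws:s3:::example-staging-data/*"],
        },
    ],
})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True if the Principal element means 'anyone', i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_statements(policy_json):
    """Return (Sid, actions, has_condition) for each Allow statement open to all.

    A Condition block (for example restricting aws:SourceVpce) may still
    narrow the grant, so such statements are reported with has_condition=True
    for manual review rather than silently passed.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        findings.append((
            stmt.get("Sid", "<no Sid>"),
            _as_list(stmt.get("Action", [])),
            bool(stmt.get("Condition")),
        ))
    return findings


if __name__ == "__main__":
    for sid, actions, conditional in find_public_statements(SAMPLE_POLICY):
        note = " (has Condition, review manually)" if conditional else ""
        print(f"PUBLIC: statement {sid} allows {', '.join(actions)} to everyone{note}")
```

Run against a policy pulled from an account (for example with the AWS CLI's get-bucket-policy output) the same function gives a quick pass/fail that can sit in a scheduled job, which is the "rapidly identified and corrected" loop the article asks for.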


July 2020 Healthcare Data Breach Report

July saw a major fall in the number of reported data breaches of 500 or more healthcare records, dropping below the 12-month average of 39.83 breaches per month. There was a 30.8% month-over-month fall in reported data breaches, dropping from 52 incidents in June to 36 in July; however, the number of breached records increased 26.3%, indicating the severity of some of the month’s data breaches.


1,322,211 healthcare records were exposed, stolen, or impermissibly disclosed in July’s reported breaches. The average breach size was 36,728 records and the median breach size was 6,537 records.

Largest Healthcare Data Breaches Reported in July 2020

14 healthcare data breaches of 10,000 or more records were reported in July, with two of those breaches involving the records of more than 100,000 individuals, the largest of which was the ransomware attack on Florida Orthopaedic Institute which resulted in the exposure and potential theft of the records of 640,000 individuals. The other 100,000+ record breach was suffered by Behavioral Health Network in Maine. The breach was reported as a “malware” attack that prevented records from being accessed. 129,871 healthcare records were compromised in that attack.

| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| Florida Orthopaedic Institute | FL | Healthcare Provider | 640,000 | Hacking/IT Incident |
| Behavioral Health Network, Inc. | MA | Healthcare Provider | 129,571 | Hacking/IT Incident |
| NCP Healthcare Management Company | MA | Business Associate | 78,070 | Hacking/IT Incident |
| Walgreen Co. | IL | Healthcare Provider | 72,143 | Theft |
| Allergy and Asthma Clinic of Fort Worth | TX | Healthcare Provider | 69,777 | Hacking/IT Incident |
| WellCare Health Plans | FL | Health Plan | 50,439 | Unauthorized Access/Disclosure |
| Maryland Health Enterprises DBA Lorien Health Services | MD | Healthcare Provider | 47,754 | Hacking/IT Incident |
| Central California Alliance for Health | CA | Health Plan | 35,883 | Hacking/IT Incident |
| University of Maryland Faculty Physicians, Inc. / University of Maryland Medical Center | MD | Healthcare Provider | 33,896 | Hacking/IT Incident |
| Highpoint Foot & Ankle Center | PA | Healthcare Provider | 25,554 | Hacking/IT Incident |
| Accu Copy of Greenville, Incorporated | NC | Business Associate | 21,800 | Hacking/IT Incident |
| CVS Pharmacy | RI | Healthcare Provider | 21,289 | Loss |
| Owens Ear Center | TX | Healthcare Provider | 19,908 | Unauthorized Access/Disclosure |
| University of Utah | UT | Healthcare Provider | 10,000 | Hacking/IT Incident |
| Rite Aid Corporation | PA | Healthcare Provider | 9,200 | Theft |

Causes of July 2020 Healthcare Data Breaches

Hacking and other IT incidents dominated the breach reports in July, accounting for 69.4% (25 incidents) of the month’s breaches and 86.3% of breached records (1,141,063 records). The mean breach size was 45,643 records with a median size of 7,000 records.

There were 6 unauthorized access/disclosure incidents reported. 76,553 records were breached in those incidents, with a mean breach size of 12,759 records and a median size of 2,123 records. There were 4 breaches categorized as theft involving the PHI/ePHI of 83,306 individuals. The mean breach size was 20,827 records and the median breach size was 5,332 records. One loss incident was reported that involved the PHI/ePHI of 20,827 individuals.

Many pharmacies across the United States were looted during the period of civil unrest in the wake of the death of George Floyd, with the Walgreens, CVS, and Rite Aid pharmacy chains hit particularly hard. In addition to the theft of prescription medications, devices containing ePHI and paperwork containing sensitive patient information were also stolen in the break-ins.

Phishing attacks usually dominate the healthcare breach reports and while email-related breaches were the most common type of breach in July, network server breaches were in close second, most commonly involving the use of malware or ransomware. The increase in the latter is certainly a cause of concern, especially considering the rise in human-operated ransomware attacks that involve the theft of patient data prior to file encryption. These attacks see patient data exposed or sold if the ransom is not paid, but there is no guarantee that stolen data will be deleted even if the ransom is paid. Phishing and ransomware attacks are likely to continue to be the leading causes of data breaches over the coming months.

Spam filters, web filters, and end user training are essential for reducing susceptibility to phishing attacks, along with multi-factor authentication on email accounts. Ransomware and other forms of malware are commonly delivered by email, so these measures are also effective at blocking such attacks. It is also essential for vulnerabilities to be patched promptly. Many of the recent ransomware attacks have involved the exploitation of vulnerabilities, even though patches to address the flaws were released several weeks or months prior to the attacks. Brute force tactics continue to be used against RDP, so it is essential for strong passwords to be set. Human-operated ransomware attacks often see attackers gain access to healthcare networks weeks before ransomware is deployed. By monitoring networks and event logs for anomalous user behavior, it may be possible to detect and block an attack before ransomware is deployed.
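The paragraph above recommends watching event logs for the RDP brute forcing and anomalous logons that precede a human-operated ransomware deployment. As an added example (not from the article or from any named organization), the Python below runs two simple detections over constructed log lines shaped like exported Windows Security events: a burst of failed logons (event 4625) from one source, and a successful logon (event 4624) from a source that has just been failing. The line format, the thresholds and the IP addresses are assumptions made for the demonstration.

```python
"""Spot RDP brute-force bursts and success-after-failure logons.

Added example, not from the HIPAA Journal article. Input lines are a
constructed, simplified rendering of Windows Security events:
4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a password spray from 203.0.113.45 that ends in a
# successful logon, then a user who mistypes a password once from inside.
SAMPLE_EVENTS = """\
2020-08-20T02:13:07Z EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2020-08-20T02:13:09Z EventID=4625 LogonType=10 User=administrator Src=203.0.113.45
2020-08-20T02:13:11Z EventID=4625 LogonType=10 User=admin Src=203.0.113.45
2020-08-20T02:13:14Z EventID=4625 LogonType=10 User=jsmith Src=203.0.113.45
2020-08-20T02:13:16Z EventID=4625 LogonType=10 User=jsmith Src=203.0.113.45
2020-08-20T02:13:19Z EventID=4624 LogonType=10 User=jsmith Src=203.0.113.45
2020-08-20T09:02:41Z EventID=4625 LogonType=10 User=mlee Src=10.0.4.17
2020-08-20T09:03:02Z EventID=4624 LogonType=10 User=mlee Src=10.0.4.17
"""

# Assumed thresholds; tune to the environment's normal failure rate.
BRUTE_FORCE_THRESHOLD = 5        # failures from one source inside WINDOW
SUCCESS_AFTER_FAILURES = 3       # prior failures that make a success suspicious
WINDOW = timedelta(minutes=5)


def parse_event(line):
    """Turn 'ts key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def _prune(window_q, now):
    """Drop failure timestamps older than WINDOW relative to 'now'."""
    while window_q and now - window_q[0] > WINDOW:
        window_q.popleft()


def detect(log_text):
    """Return a list of (alert_type, source_ip, detail) tuples, in log order."""
    alerts = []
    failures = defaultdict(deque)   # source IP -> timestamps of recent 4625s
    already_flagged = set()         # one brute-force alert per source
    for line in log_text.splitlines():
        rec = parse_event(line)
        if rec.get("LogonType") != "10":
            continue                # only RDP logons are in scope here
        src, now = rec["Src"], rec["ts"]
        recent = failures[src]
        _prune(recent, now)
        if rec["EventID"] == "4625":
            recent.append(now)
            if len(recent) >= BRUTE_FORCE_THRESHOLD and src not in already_flagged:
                already_flagged.add(src)
                alerts.append(("rdp_bruteforce", src,
                               f"{len(recent)} failed logons within {WINDOW}"))
        elif rec["EventID"] == "4624" and len(recent) >= SUCCESS_AFTER_FAILURES:
            alerts.append(("success_after_failures", src,
                           f"{rec['User']} logged on after {len(recent)} failures"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_EVENTS):
        print(f"{kind:24} {src:16} {detail}")
```

The second rule is the more valuable of the two: a lone burst of failures is routine Internet noise, but a success from the same source within minutes is the moment a credential has been guessed, and it is the earliest point at which the weeks-long dwell time described above can be cut short.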

Healthcare Data Breaches by Covered Entity Type

There were 26 data breaches reported by healthcare providers in July 2020, 4 by health plans, and 6 breaches were reported by business associates of HIPAA-covered entities. A further three breaches were reported by a covered entity but had some business associate involvement.

July 2020 Healthcare Data Breaches by State

The 36 data breaches were reported by HIPAA-covered entities and business associates in 21 states. California and Texas were worst affected with 4 breaches apiece, followed by Florida and Pennsylvania with three breaches, and two breaches in each of Illinois, Massachusetts, Maryland, North Carolina, and Wisconsin. One breach was reported in each of Alaska, Arizona, Colorado, Connecticut, Michigan, Nebraska, New Mexico, New York, Ohio, Rhode Island, Utah, and West Virginia.

HIPAA Enforcement in July 2020

The HHS’ Office for Civil Rights has issued multiple notices of enforcement discretion this year spanning the duration of the nationwide COVID-19 public health emergency; however, that does not mean that OCR has scaled back enforcement of HIPAA Rules. OCR accepts that it may be difficult to ensure continued compliance with all aspects of HIPAA Rules during such difficult times, but entities that are discovered to have violated the HIPAA Rules can and will still face financial penalties for noncompliance.

In July, OCR announced two settlements had been reached with HIPAA covered entities to resolve HIPAA violation cases. A settlement of $1,040,000 was agreed with Lifespan Health System Affiliated Covered Entity to resolve HIPAA violations discovered during the investigation of a 2017 breach report submitted following the theft of an unencrypted laptop computer.

OCR discovered multiple compliance failures. Lifespan had not implemented encryption on portable devices that stored ePHI, even though Lifespan was aware of the risk of ePHI exposure. There were also device and media control failures, the failure to enter into business associate agreements with vendors, and an impermissible disclosure of 20,431 patients’ ePHI.

Metropolitan Community Health Services dba Agape Health Services was investigated over a 2011 data breach of 1,263 patient records and OCR discovered longstanding, systemic noncompliance with the HIPAA Security Rule. A settlement of $25,000 was agreed with OCR to resolve the violations, with the small size of the healthcare provider taken into consideration when determining an appropriate penalty amount.


R1 RCM Medical Collection Agency Suffers Ransomware Attack

One of the largest medical debt collection agencies in the United States has suffered a ransomware attack. Chicago-based R1 RCM, formerly Accretive Health Inc., generated $1.18 billion in revenue in 2019 and works with more than 750 healthcare clients. It is currently unclear how many of its clients have been affected by the attack.

The breach was recently reported by Brian Krebs of Krebs on Security. R1 RCM confirmed that it was attacked with ransomware and its systems were taken down in response to the attack. Recovery efforts are ongoing.

No information has been released on the type of ransomware used in the attack and it is unclear if patient data was stolen prior to files being encrypted. Krebs spoke to a source close to the investigation who suggested the ransomware used in the attack was Defray. Defray ransomware is usually spread via malicious Word documents sent via email in small, targeted campaigns. The threat actors behind the ransomware have previously targeted education and healthcare verticals.

In 2019, the medical debt collection agency, American Medical Collection Agency (AMCA), was attacked with ransomware. Prior to data encryption, approximately 27 million records were stolen, making it the largest data breach of the year. The cost of the attack proved too much, and AMCA was forced into bankruptcy. With many more clients than AMCA, this ransomware attack has the potential to be far larger, although the operators of Defray ransomware are not known to steal data prior to file encryption.

Beaumont Health Phishing Attack Impacts 6,000 Patients

Beaumont Health, Michigan’s largest healthcare system, has started notifying 6,000 patients that some of their protected health information may have been accessed by unauthorized individuals as a result of a phishing attack.

Unauthorized individuals gained access to multiple employee email accounts between January 3, 2020 and January 29, 2020. Beaumont Health learned on June 5, 2020 that one or more of the breached email accounts contained patient data, including names, dates of birth, diagnoses, diagnosis codes, procedures performed, treatment location, treatment type, prescription information, Beaumont patient account numbers, and Beaumont medical record numbers. Affected patients were notified about the breach on July 28, 2020.

This is the second phishing-related breach to be reported by Beaumont Health in 2020. In April, 112,000 individuals were notified about a separate phishing attack that occurred in 2019. Following the attacks, Beaumont Health took significant steps to improve email security, including improving its multi-factor authentication software, conducting a risk analysis, and providing additional training and education to Beaumont employees on the identification and handling of malicious emails. Changes have also been made to internal policies and procedures to identify and remediate future threats to minimize the risk of a similar incident occurring in the future.

PHI of 3,736 Patients Potentially Compromised in Phishing Attack on The Connection, Inc.

The Connection, Inc., a Middletown, CT-based provider of community-based behavioral health and substance use services, has discovered the email accounts of two of its employees have been accessed by unauthorized individuals. The security breach was discovered on February 13, 2020 when one of the employees started experiencing problems with their email account. The subsequent investigation confirmed that two email accounts had been breached between January 4, 2020 and February 13, 2020.

The individual(s) behind the attack attempted to change employees’ direct deposit information through payroll. While that appears to be the sole purpose of the attack, The Connection, Inc. could not rule out the possibility that information in the email accounts was stolen.

The email accounts contained information on current and former clients including names, dates of birth, mailing addresses, Social Security numbers, driver’s license numbers, financial account information, medical record or patient account numbers, treatment and clinical information, prescription information, diagnoses, provider names, dates of treatment, and/or affiliation with The Connection. The Connection is unaware of any attempted misuse of client information.

Notification letters started to be sent to affected individuals on July 24, 2020. Individuals whose Social Security number was compromised have been offered complimentary credit monitoring and identity protection services.

The Connection has provided further training to the workforce on cybersecurity and multi-factor authentication has been implemented on email accounts.


Blackbaud Ransomware Attack Impacts 657,392 Northern Light Health Foundation Donors

The Brewer, ME-based 10-hospital integrated healthcare system, Northern Light Health Foundation, has announced it has been affected by the recent ransomware attack on Blackbaud Inc.

The databases affected contained information about donors, potential donors, and individuals who may have attended a fundraising event in the past. Patient medical records were stored separately and were unaffected. The databases contained the records of 657,392 individuals.

South Carolina-based Blackbaud is one of the world’s largest providers of education, administration, fundraising, and financial management software. A company as large as Blackbaud is naturally a target for cybercriminals. Blackbaud explained it encounters millions of attacks each month and its cybersecurity team successfully defends the company against those attacks, although in May 2020 one of those attacks succeeded.

The ransomware attack could have been far worse. Blackbaud detected the ransomware attack quickly and took action to block the attack. Blackbaud was able to prevent the ransomware from fully encrypting its files, and only a subset of the company’s 25,000+ clients were affected. The attack did not affect its cloud environment and the majority of its self-hosted environment was unaffected.

As is now common in manual ransomware attacks, prior to file encryption data was exfiltrated by the attackers. Blackbaud said in its breach notice that only a subset of data was copied by the attackers and highly sensitive information such as Social Security numbers, credit card information, and bank account information were not stolen in the attack.

“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly,” explained Blackbaud in its substitute breach notice.

It is currently unclear how many Blackbaud clients have been affected by the attack. Northern Light Health Foundation said it was one of thousands affected in its breach notice, including several other healthcare organizations in Maine. Other healthcare organizations known to have been affected include the New York City-based Cancer Research Institute and the Santa Monica, CA-based Prostate Cancer Foundation.

The BBC reports that at least 10 universities in the US, UK, and Canada have been affected, including Harvard University, Emerson College in Boston, and the Rhode Island School of Design, along with charities, media firms, and a host of private sector companies. While the attack occurred in May 2020, notifications were not sent to affected clients until July 16, 2020. It is unclear why there was such a long delay in alerting affected clients, especially considering many of those clients are located in the EU. The EU General Data Protection Regulation (GDPR) requires notifications to be sent to data protection authorities within 72 hours of a breach and data controllers to also be notified promptly.


Healthcare Data Leaks on GitHub: Credentials, Corporate Data and the PHI of 150,000+ Patients Exposed

A new report has revealed the personal and protected health information of patients and other sensitive data are being exposed online without the knowledge of covered entities and business associates through public GitHub repositories.

Jelle Ursem, a security researcher from the Netherlands, discovered at least 9 entities in the United States – including HIPAA-covered entities and business associates – have been leaking sensitive data via GitHub. The 9 leaks – which involve between 150,000 and 200,000 patient records – may just be the tip of the iceberg. The search for exposed data was halted to ensure the entities concerned could be contacted and to produce the report to highlight the risks to the healthcare community.

Even if your organization does not use GitHub, that does not necessarily mean that you will not be affected. The actions of a single employee or third-party contracted developer may have opened the door and allowed unauthorized individuals to gain access to sensitive data.

Exposed PII and PHI in Public GitHub Repositories

Jelle Ursem is an ethical security researcher who has previously identified many data leaks on GitHub, including by Fortune 500 firms, publicly traded companies, and government organizations. Ursem decided to conduct a search to find out if any medical data had been leaked on GitHub. It took just 10 minutes to confirm that it had, but it soon became clear that this was far from an isolated case.

Ursem conducted searches such as “companyname password” and “medicaid password FTP” and discovered several hard-coded usernames and passwords could be found in code uploaded to GitHub. Those usernames and passwords allowed him to login to Microsoft Office 365 and Google G Suite accounts and gain access to a wide range of sensitive information such as user data, contracts, agendas, internal documents, team chats, and the protected health information of patients.

“GitHub search is the most dangerous hacking tool out there,” said Ursem. Why go to the trouble of hacking a company when it is leaking data that can be found with a simple search on GitHub?

Ursem attempted to make contact with the companies concerned to alert them to the exposure of their data and ensure the information was secured, but making contact with those organizations and getting the data secured proved problematic, so Ursem contacted databreaches.net for assistance.

Dissent Doe of DataBreaches.net and Ursem then worked together to contact the organizations concerned and get the data secured. In some cases they succeeded, with considerable effort, but even after several months of contacting the companies concerned, explaining the severity of the situation, and offering help to address the problems that led to the exposure, some of that data is still accessible.

9 Leaks Identified but There are Likely to be Others

The report details 9 leaks affecting U.S. entities, namely Xybion, MedPro Billing, Texas Physician House Calls, VirMedica, MaineCare, Waystar, Shields Health Care Group, AccQData, and one entity that is not named because its data is still accessible.

The most common causes of GitHub data leaks were developers who had embedded hard-coded credentials into code that had been uploaded into public GitHub repositories, the use of public repositories instead of private repositories, and developers who had abandoned repositories when they were no longer required, rather than securely deleting them.

For example, Ursem found that a developer at Xybion – a software, services and consulting company with a presence in workplace health issues – had left code in a public GitHub repository in February 2020. The code included hard-coded credentials for a system user that, in connection with other code, allowed Ursem to access billing back-office systems that contained the PHI of 7,000 patients, together with more than 11,000 insurance claims dating back to October 31, 2018.

It was a similar story with MaineCare – a state- and federally-funded program that provides healthcare coverage to Maine residents. In that case, hard-coded credentials gave Ursem administrative access to the entire website, access to the internal server infrastructure of MaineCare / Molina Health, MaineCare SQL data sources, and the PHI of 75,000 individuals.
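The leaks above share one root cause: credentials written into source files that were then pushed to public repositories. The scanner below is an added example (not code from the report, Ursem or DataBreaches.net) of the kind of pre-commit check that catches the two shapes described, password-style assignments and URLs carrying user:password pairs; the patterns, placeholder list and sample config are constructed for this illustration.

```python
import re
import sys
from pathlib import Path

# Constructed patterns: password-style assignments and URLs carrying user:pass@.
PATTERNS = {
    "password_assignment": re.compile(
        r"""(?i)(?<![a-z])(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)"""
        r"""["']?\s*[:=]\s*["'](?P<value>[^"']{4,})["']"""),
    "url_with_credentials": re.compile(
        r"""(?i)\b(?:s?ftp|https?|mongodb(?:\+srv)?|mysql|postgres(?:ql)?)"""
        r"""://[^/\s:@]+:[^@\s/]+@"""),
}
# Values that are clearly placeholders rather than live secrets.
PLACEHOLDERS = {"changeme", "password", "your_password_here", "<password>"}

def scan_text(text: str, filename: str = "<stdin>") -> list[tuple[str, int, str]]:
    """Return (filename, line_number, pattern_name) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            value = match.groupdict().get("value")
            if value is not None and value.lower() in PLACEHOLDERS:
                continue
            findings.append((filename, lineno, name))
    return findings

def scan_paths(paths: list[str]) -> list[tuple[str, int, str]]:
    """Scan each staged file; binary or unreadable files are skipped."""
    findings = []
    for p in paths:
        try:
            findings += scan_text(Path(p).read_text(encoding="utf-8"), p)
        except (UnicodeDecodeError, OSError):
            continue
    return findings

# Constructed sample resembling a config file a developer might commit by mistake.
SAMPLE = """db_user = 'billing_svc'
db_password = 'Sup3rS3cret!'
claims_ftp = 'ftp://mcare_export:Pa55word@ftp.example.invalid/claims'
"""

if __name__ == "__main__":
    hits = scan_paths(sys.argv[1:]) if sys.argv[1:] else scan_text(SAMPLE, "sample")
    for fname, lineno, kind in hits:
        print(f"{fname}:{lineno}: possible hard-coded credential ({kind})")
    sys.exit(1 if hits else 0)  # non-zero blocks the commit when used as a hook
```

Wired in as a git pre-commit hook over the staged file list, a non-zero exit stops the commit before the secret ever reaches a remote; a maintained tool such as gitleaks or detect-secrets covers far more credential formats than these two patterns.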

The Typhoid Mary of Data Leaks

The report highlights one developer, who has worked with a large number of healthcare organizations, whose GitHub practices have led to the exposure of many credentials and the PHI of an estimated 200,000 clients. That individual has been called the “Typhoid Mary of Data Leaks”.

The developer made many mistakes that allowed client data to be exposed, including leaking the credentials of 5 employers on GitHub and leaving repositories fully accessible after work had been completed. In one case, the developer's actions allowed access to the central telephone system of a large debt-collection entity; in another, leaked credentials allowed access to highly sensitive records of people with a history of substance abuse.

While it was not possible to contact that individual directly, it appears that the work of DataBreaches.net and Ursem has gotten the message through to the developer. The repositories have now been removed or made private, but not before the data was cloned by at least one third party.

This was just one example of several outsourced or contracted developers who were being used by HIPAA-covered entities and business associates, whose practices exposed data unbeknownst to the CEs and BAs.

“No matter how big or small you are, there’s a real chance that one of your employees has thrown the front door key under the doormat and has forgotten that the doormat is transparent,” explained Dissent Doe of DataBreaches.net. Regardless of whether your organization uses GitHub, HIPAA Journal believes the report to be essential reading.

The collaborative report from Jelle Ursem and DataBreaches.net explains how the leaks occurred, why they have gone undetected for so long, and details several recommendations on how data breaches on GitHub can be prevented – and detected and addressed quickly in the event that mistakes are made. You can download the full PDF report on this link.

Many thanks to Dissent Doe for notifying HIPAA Journal, to Jelle Ursem for discovering the data leaks, and for the hard work of both parties investigating the leaks, contacting the entities concerned, and highlighting the problem to help HIPAA-covered entities and their business associates take steps to prevent GitHub data breaches moving forward.

The post Healthcare Data Leaks on GitHub: Credentials, Corporate Data and the PHI of 150,000+ Patients Exposed appeared first on HIPAA Journal.

Medical Software Database Containing Personal Information of 3.1 Million Patients Exposed Online

A database containing the personal information of more than 3.1 million patients has been exposed online and was subsequently deleted by the Meow bot.

Security researcher Volodymyr ‘Bob’ Diachenko discovered the database on July 13, 2020. The database required no password to access and contained information such as patients’ names, email addresses, phone numbers, and treatment locations. Diachenko set about trying to identify the owner of the database and found it had been created by a medical software company called Adit, which makes online booking and patient management software for medical and dental practices. Diachenko contacted Adit to alert the company to the exposed database but received no response. A few days later, Diachenko discovered the data had been attacked by the Meow bot.

The Meow bot appeared in late July and scans the internet for exposed databases. Security researchers such as Diachenko conduct scans to identify exposed data and then contact the data owners to try to get the data secured. The role of the Meow bot is search and destroy: when an exposed database is found, the Meow bot’s script overwrites the data with random numerical strings, appended with the word “meow”.

Neither the individual or group behind the Meow bot nor the motive for the attacks, of which there have been hundreds, is known. Many threat actors search for exposed cloud databases, steal or encrypt the data, and issue a ransom demand, but there appears to be no financial motive behind the Meow bot attacks.

It is not entirely clear whether data is stolen before being overwritten, but several security researchers have suggested that data theft is not the aim; instead, the purpose may be to prevent the information of data subjects from being obtained by cybercriminals and/or to send a message to data holders that failing to secure data will result in its destruction.

The deletion of the database may have prevented the data from falling into the hands of cybercriminals, but a previous study conducted by Comparitech showed malicious actors are constantly searching for exposed data and often find exposed Elasticsearch databases and Amazon S3 buckets within hours of them being exposed. Since the database was exposed for at least 10 days before the search and destroy Meow bot attack, it is probable that it was found and obtained prior to its destruction, potentially by multiple parties.

In this case, the personal data was limited, but that information could still be of use to cybercriminals for phishing campaigns.

The post Medical Software Database Containing Personal Information of 3.1 Million Patients Exposed Online appeared first on HIPAA Journal.