Boardman, OH-based N.E.O Urology has experienced a severe ransomware attack that has impacted its entire IT system. The ransomware caused widespread file encryption and locked the healthcare provider out of its computers and patient records.

While the attack was sophisticated, the notification was not. The healthcare provider was sent a fax from the attackers which demanded a $75,000 ransom payment for the keys to unlock the encryption.

N.E.O Urology contacted its IT service provider and after assessing options and the risks, the decision was taken to pay the ransom. The IT service provider made contact with the attackers through a third party and the ransom was paid to obtain the keys to unlock the encryption. Even with the decryption keys, it took the medical practice three days to restore its computer systems due to the severity of the attack and extent of the encryption. The initial investigation suggests the attackers were based in Russia.

Payment of a ransom is not without risk. The attackers may not be able to unlock files or may choose not to do so even after the ransom is paid. The FBI’s advice is never to pay the ransom as it just encourages further attacks. However, when data cannot be recovered by any other means, there may be little choice other than payment of the ransom. N.E.O Urology informed the police department that as a result of the lack of access to its computers it was losing between $30,000 and $50,000 per day.

Ransomware attacks significantly declined throughout 2018, but in Q1, 2019 there was a major uptick in attacks. Ransomware attacks increased 195% in Q1, 2019, according to Malwarebytes. More than 70% of those attacks were on small businesses. Healthcare organizations are an attractive target due to their need to have constant access to databases and patient records and are commonly attacked, much more than other industry sectors.

The inability to restore files from backups and the refusal to pay a ransom can have severe consequences. Earlier this year, Brookside ENT and Hearing Center was attacked and patient records were encrypted. After refusing to pay the ransom, the attackers deleted all the encrypted files. Faced with having to rebuild the practice from scratch, the owners chose early retirement and closed the practice.

To ensure you are not left at the mercy of cybercriminals, it is essential to adopt a robust backup strategy that sees multiple backup copies created, with one copy stored off-site in a secure location on a non-networked device and to test your backups to make sure that file recovery is possible in the event of an attack.

The post Urology Practice Pays $75,000 Ransom to Regain Access to Computer Systems appeared first on HIPAA Journal.

The Ullico Inc. subsidiary, Union Labor Life Insurance (ULLI), is notifying more than 87,000 plan members that some of their protected health information (PHI) has been exposed as a result of an employee responding to a phishing email.

As is often the case in healthcare phishing attacks, the phishing email was realistic and appeared to be a genuine request from a business partner. The email contained a hyperlink which asked for login credentials to be entered when clicked. The employee entered the credentials, which were harvested by the attacker and used to remotely access the account.

ULLI had systems in place which alerted the information technology department to the unauthorized access. The IT department blocked third-party access to the account within 90 minutes of the account being compromised on April 1, 2019 and disconnected the device from the network. The prompt action greatly limited the potential for the accessing or theft of protected health information contained in emails and email attachments.

ULLI conducted a forensic analysis and determined that access was limited to a single email account on one device. However, that email account was confirmed to contain the PHI of plan members in emails and email attachments.

While the investigation found no evidence to suggest patient information was accessed or stolen, the possibility could not be ruled out with a sufficiently high degree of certainty.

The protected health information that was potentially compromised was limited to: Names, addresses, dates of birth, Social Security numbers, and some personal health information of plan members and their family members.

As a precaution, ULLI has taken the decision to offer all affected individuals 24 months of complimentary credit monitoring and identity theft protection services.

According to the breach report submitted to the Department of Health and Human Services’ Office for Civil Rights, up to 87,400 patients have been affected by the breach.

The post PHI Exposed in Union Labor Life Insurance Phishing Attack appeared first on HIPAA Journal.

Kingman Regional Medical Center (KRMC) has discovered a flaw on its website resulted in the exposure of the protected health information (PHI) of certain patients.

KRMC became aware of the security issue on April 8, 2019 and the website was shut down while the security problem was investigated. Assisted by a third-party computer forensics company, KRMC determined that the configuration of the website was such that unauthorized individuals may have been able to gain access to patient information.

The website was housed on an isolated server, so any access to data was limited to the information stored on the server. For a small subset of patients who used the website to enter information related to their care, such as making an appointment, could have had the following information exposed: Name, date of birth, and information supplied related to a medical condition for which medical services were being requested.

Affected patients were notified of the breach by mail on June 7, 2019. The KRMC website has been offline now for more than 2 months. KRMC is in the process of rebuilding the website with enhanced privacy and security safeguards.

Rosenbaum Dental Group Discovers Malware Infection

Rosenbaum Dental Group is notifying some of its patients that it has discovered malware on its systems, through which unauthorized individuals may have gained access to their protected health information.

The types of information stored on the affected system included names, addresses, telephone numbers, and health insurance information.

It was not possible to determine whether patients’ PHI was compromised in the malware attack. All patients who have potentially been affected have been notified by mail and have been offered one year’s membership to credit monitoring and reporting services at no charge.

A breach notice has been submitted to the Department of Health and Human Services Office for Civil Rights, but it has yet to appear on the OCR breach portal. It is therefore currently unclear how many individuals have been affected.

The post PHI Potentially Compromised at Rosenbaum Dental Group and Kingman Regional Medical Center appeared first on HIPAA Journal.

Mercy Health has discovered a limited amount of patient data had been saved on a private server which was used for other activities such as online scheduling and electronic physician office check-ins. As a result, patient information could potentially have been accessed by unauthorized individuals.

The issue has been corrected and all patient information has now been secured. The investigation did not uncover any evidence of unauthorized access or data theft, but it was not possible to rule out either with a very high degree of certainty.

Patient information was accessible on the server from an unspecified date in 2014 to March 25, 2019, when the problem was detected and rectified. The security issue only affected certain individuals who had received medical services at Mercy Health facilities in Grand Rapids or Muskegon in Michigan.

The types of information potentially accessed were limited to names, addresses, email addresses, and health insurance information for the vast majority of affected individuals. A limited number of patients may also have had their Social Security number and diagnosis information exposed.

The incident has been reported to the appropriate authorities and affected individuals have been sent breach notification letters.  According to the breach summary on the HHS’ Office for Civil Rights website, the protected health information of 978 patients was exposed.

The post Mercy Health Discovers PHI of 978 Patients Was Exposed appeared first on HIPAA Journal.

Employees of Turlock Irrigation District in California who are members of their employer-sponsored health plan are being notified that some of their protected health information has been exposed online as a result of an error at a business associate.

Delta Health Systems (DHS) provides administrative services related to the health plan and requires access to certain protected health information. Some of that information was made accessible over the internet through a link to a DHS webpage.

The error was made by third-party website developer. While the website had been configured to restrict access, there was a conflicting setting which provided general access to the document which took precedence.

Affected plan members have been told that their billing statement for their employee-sponsored health plan could have been accessed by unauthorized individuals during the time it was accessible over the internet. The billing statement contained the plan member’s first and last name, employer’s name and address, DHS ID number, and Social Security number.

All affected members have been offered one year of free membership to credit monitoring and identity theft protection services through Experian.

The issue was identified and corrected on April 18, 2019. It was not possible to determine when the error was introduced and for how long plan members’ personal information was exposed. It was not possible to determine whether any unauthorized individuals accessed the billing statements while they were unprotected.

In addition to correcting the problem, DHS has contacted search engines to request the removal of all cached content. DHS is also revising its security policies and procedures and has built a new, more secure website that lacks the software that was misconfigured.

The incident has been reported to the California Attorney General but has not yet been listed on the HHS’ Office for Civil Rights website, so it is currently unclear how many plan members have been affected.

Ellwood City Medical Center Investigating Cyberattack

Officials at Ellwood City Medical Center, in Ellwood City, PA, are currently investigating a cyberattack that compromised part of its systems. The attack appears to have started on or around Saturday May 27, although at this stage, no further information has been released. Analyses are ongoing to determine whether any patient records have been compromised.

The cyberattack comes at a time when the Americore Health-owned medical center is embroiled in problems associated with billing and payroll and is being investigated over late payments of wages to staff.

The post Delta Health Systems Alerts Plan Members to Exposure of SSNs Over Internet appeared first on HIPAA Journal.

It is certainly a week of massive data breaches. 11.9 million Quest Diagnostics records were exposed, 7.7 million records at LabCorp have potentially been compromised, and now University of Chicago Medicine has discovered more than 1.68 million of its records have been exposed.

The records were stored on a misconfigured ElasticSearch server which had had protections removed allowing it to be accessed over the internet without the need for any authentication. The misconfiguration allowed a database to be accessed which contained 1,679,993 records of donors and prospective donors.

The exposed database was discovered by Security Discovery researcher Bob Diachenko on May 28. Diachenko had performed a search using the search engine Shodan to identify unsecured databases. Even though awareness has been raised following the discovery of a large number of exposed ElasticSearch instances and other NoSQL databases in recent months, Security Discovery researchers are still identifying between 5 and 10 ‘big cases’ of unsecured databases every month.

The latest find was a sizable cluster containing 34GB of data. The cluster, named data-ucmbsd2, had been indexed by Shodan and could be accessed over the internet by anyone. The database contained a range of information including names, addresses, phone numbers, email addresses, dates of birth, gender, marital status, wealth information and current financial status, and notes about past communications.

Diachenko determined that the data belonged to UC Medicine and sent a notification and the ElasticSearch instance was secured within 48 hours.

UC Medicine has issued a statement confirming a comprehensive forensic investigation was conducted, which determined the database was not subjected to unauthorized access other than by Diachenko. Diachenko confirmed that he only accessed some of the records to determine who they belonged to and did not download the database. Fortunately, the window of opportunity was short. Diachenko discovered the database one day after it had been indexed by Shodan.

ElasticSearch instances should be configured so they are only accessible over an internal network and authentication controls should be implemented to ensure only authorized individuals have access. Misconfigurations not place data at risk of theft, there have also been instances where the lack of authentication has allowed hackers to encrypt databases using ransomware or even totally delete all stored data.

The post Misconfigured University of Chicago Medicine ElasticSearch Instance Exposed More Than 1.68 Million Records appeared first on HIPAA Journal.