Latest HIPAA News

Reports Flood in on New ‘Unprecedented’ Global Ransomware Attack

A major global cyberattack is currently underway, with firms across Russia, Ukraine and Europe affected. The attack is understood to involve Petya ransomware, in what appears to be a similar incident to the WannaCry ransomware attacks last month.

Companies confirmed as being infected with the ransomware include the Russian oil firm Rosneft, the Russian metal maker Evraz, French construction materials firm Saint-Gobain, many Russian banks, the international Boryspil airport in Ukraine, the Ukrainian government, two Ukrainian postal services, the Ukrainian aviation firm Antonov, shipping firm A.P. Moller-Maersk, legal firm DLA Piper, food manufacturer Mondelez and the advertising group WPP. Many more companies are believed to have been attacked, with the list of victims certain to grow. Attacks are now occurring in the UK and India and may spread further afield. Ukraine’s Prime Minister Volodymyr Groysman has said the ransomware attack is unprecedented.

The attacks appear to have started Tuesday, with Russian cybersecurity firm Group-IB suggesting ransomware was installed using some of the NSA exploits published by Shadow Brokers – two of those exploits were also used to install WannaCry ransomware on organizations around the globe last month.

In contrast to WannaCry, Petya ransomware is not understood to have a kill switch. Recovery from the attack will only be possible if data backups exist and have not been encrypted in the attack or if the ransom is paid. The ransom demand is understood to be $300 per infected device.

Petya ransomware differs from many other ransomware variants in that it does not encrypt files. Instead, it attacks and replaces the Master File Table (MFT). The MFT is needed by computers to determine the location of files stored on the hard drive. Without access to the MFT, files cannot be located. The files themselves are not encrypted, but since they cannot be located the end result is the same: the files cannot be opened.
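The dependence on the MFT described above can be seen in the NTFS on-disk layout itself: the boot sector records where $MFT and its partial mirror ($MFTMirr) start, and every file record begins with the ASCII signature “FILE”. The following Python script is an added example, not code from the original article or from any vendor; it builds a small synthetic NTFS-like image (constructed data, not a real disk), locates the MFT from the boot sector fields, and reports whether the first records still carry their signature, which is the kind of quick integrity check a responder can run against a disk image before deciding whether backups are the only way back. The field offsets follow the published NTFS boot sector layout; the image geometry, the image builder and the number of records checked are assumptions made for the demo.

```python
import struct

# Constructed geometry for the synthetic image (an assumption for the demo, not a real volume).
BYTES_PER_SECTOR = 512
SECTORS_PER_CLUSTER = 8
MFT_LCN = 4            # logical cluster where $MFT starts
MFTMIRR_LCN = 2        # logical cluster where $MFTMirr (copy of the first records) starts
RECORD_SIZE = 1024     # size of one MFT file record
MIRRORED_RECORDS = 4   # $MFTMirr normally only duplicates the first few records


def parse_boot_sector(image: bytes) -> dict:
    """Read the NTFS boot sector fields needed to find the MFT.

    Offsets used: 0x03 OEM ID ('NTFS    '), 0x0B bytes per sector (u16),
    0x0D sectors per cluster (u8), 0x30 $MFT cluster (u64), 0x38 $MFTMirr cluster (u64).
    """
    if image[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bps = struct.unpack_from("<H", image, 0x0B)[0]
    spc = image[0x0D]
    mft_lcn, mftmirr_lcn = struct.unpack_from("<QQ", image, 0x30)
    cluster = bps * spc
    return {
        "cluster_size": cluster,
        "mft_offset": mft_lcn * cluster,
        "mftmirr_offset": mftmirr_lcn * cluster,
    }


def record_intact(image: bytes, offset: int) -> bool:
    """Every live MFT file record begins with the ASCII signature 'FILE'."""
    return image[offset:offset + 4] == b"FILE"


def check_mft(image: bytes, records: int = MIRRORED_RECORDS) -> dict:
    """Check the first `records` entries of $MFT and of $MFTMirr for their signature."""
    bs = parse_boot_sector(image)
    mft_ok = all(record_intact(image, bs["mft_offset"] + i * RECORD_SIZE) for i in range(records))
    mirr_ok = all(record_intact(image, bs["mftmirr_offset"] + i * RECORD_SIZE) for i in range(records))
    return {"mft_offset": bs["mft_offset"], "mft_intact": mft_ok, "mftmirr_intact": mirr_ok}


def build_image(mft_overwritten: bool = False) -> bytes:
    """Build a constructed image: boot sector, $MFTMirr and $MFT with valid record headers.

    With mft_overwritten=True the $MFT region is replaced with filler bytes, which
    mimics the effect the article describes: the volume's file index is gone even
    though the clusters holding file data are untouched.
    """
    cluster = BYTES_PER_SECTOR * SECTORS_PER_CLUSTER
    image = bytearray(cluster * (MFT_LCN + 1))
    image[0:3] = b"\xEB\x52\x90"               # jump instruction
    image[3:11] = b"NTFS    "                   # OEM ID
    struct.pack_into("<H", image, 0x0B, BYTES_PER_SECTOR)
    image[0x0D] = SECTORS_PER_CLUSTER
    struct.pack_into("<QQ", image, 0x30, MFT_LCN, MFTMIRR_LCN)
    image[0x1FE:0x200] = b"\x55\xAA"            # boot sector signature
    for base in (MFT_LCN * cluster, MFTMIRR_LCN * cluster):
        for i in range(MIRRORED_RECORDS):
            off = base + i * RECORD_SIZE
            image[off:off + 4] = b"FILE"
            struct.pack_into("<HH", image, off + 4, 0x30, 3)  # update-sequence offset and count
            struct.pack_into("<H", image, off + 22, 1)        # flags: record in use
    if mft_overwritten:
        start = MFT_LCN * cluster
        size = MIRRORED_RECORDS * RECORD_SIZE
        image[start:start + size] = b"\xCC" * size
    return bytes(image)


if __name__ == "__main__":
    for label, img in (("healthy", build_image()), ("MFT overwritten", build_image(True))):
        print(label, check_mft(img))
```

Note that $MFTMirr only duplicates the first few MFT records (the file system’s own metadata files), so it can help a responder confirm that the primary MFT has been damaged but it is not a backup of the full file index; that is why recovery in the article comes down to backups or the ransom.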

At this stage, the infection process is not fully understood, with some news outlets claiming the attacks are occurring via malicious email attachments, while others report they involve exploits for unaddressed vulnerabilities.

Further information will be published when it becomes available.

The post Reports Flood in on New ‘Unprecedented’ Global Ransomware Attack appeared first on HIPAA Journal.

World’s Largest Data Breach Settlement Agreed by Anthem

The largest data breach settlement in history has recently been agreed by the health insurer Anthem Inc. Anthem experienced the largest healthcare data breach ever reported in 2015, with the cyberattack resulting in the theft of 78.8 million records of current and former health plan members. The breach involved names, addresses, Social Security numbers, email addresses, birthdates and employment/income information.

A breach on that scale naturally resulted in many class-action lawsuits, with more than 100 lawsuits consolidated by a Judicial Panel on Multidistrict Litigation. Now, two years on, Anthem has agreed to settle the litigation for $115 million. If approved, that makes this the largest data breach settlement ever – substantially higher than the $18.5 million settlement agreed by Target after its 41 million-record breach and the $19.5 million paid to consumers by Home Depot after its 50 million-record breach in 2014.

After experiencing the data breach, Anthem offered two years of complimentary credit monitoring services to affected plan members. The settlement will, in part, be used to pay for a further two years of credit monitoring services. Alternatively, individuals who have already enrolled in the credit monitoring services previously offered may be permitted to receive a cash payment of $36 in lieu of the additional two years of cover or up to $50 if funds are still available. The settlement also includes a $15 million fund to cover out-of-pocket expenses incurred by plaintiffs, which will be decided on a case-by-case basis for as long as there are funds available.

Anthem has also agreed to set aside ‘a certain level of funding’ to make improvements to its cybersecurity defenses and systems, including the use of encryption to secure data at rest. Anthem will also be making changes to how it archives sensitive data and will be implementing stricter access controls. While the settlement has been agreed, Anthem has not admitted any wrongdoing.

Anthem Spokesperson Jill Becher explained that while data were stolen in the attack, Anthem has not uncovered evidence to suggest any of the information stolen in the cyberattack was used to commit fraud or was sold on. Becher also said, “We are pleased to be putting this litigation behind us, and to be providing additional substantial benefits to individuals whose data was or may have been involved in the cyberattack and who will now be members of the settlement class.”

While the decision to settle has been made, the settlement must now be approved by the U.S. District Judge in California presiding over the case. District Judge Lucy Koh will hear the case on August 17, 2017.

Google to Remove Personal Medical Information From Its Search Results

There are only a handful of content categories that Google will not display in its search results. Now the list has grown slightly with the addition of personal medical records, specifically, the ‘confidential, personal medical records of private people.’

The update to its policy was made yesterday, with medical records joining national identification numbers such as Social Security numbers, bank account numbers, credit card numbers, images of signatures, sexual abuse images, revenge porn, and material that has been uploaded to the Internet in violation of the Digital Millennium Copyright Act.

Google’s indexing system captures all publicly accessible information that has been uploaded to the Internet, although there has been criticism in recent years about the types of information Google allows to be listed. Even so, it is rare for Google to make changes to its algorithms to block certain types of content. The last addition to the list of material that can be removed automatically by Google was revenge porn – nude or sexually explicit images that have been uploaded to the Internet without an individual’s consent. Google added that category to its list of unacceptable web content back in 2015.

The latest addition will go some way toward protecting the privacy of individuals who have been the victims of data breaches or data leaks. One notable case of the latter came to light in December last year when an Indian pathology lab accidentally uploaded the pathology results of 43,203 individuals to a website which was indexed by Google and displayed in the search listings. Recently there have been a number of cases of stolen medical records being dumped online when ransom demands have not been paid. In such cases, the information will now be less visible.

If medical records are uploaded to the Internet, accidentally or deliberately, they will still be accessible directly and will be indexed by other search engines, but since more than 77% of people use Google as their primary search engine, it will be harder for the medical records to be found online by the general public.

Healthcare Data Breach Costs Fall to $380 Per Record

Healthcare data breach costs have fallen year-over-year according to the latest IBM Security/Ponemon Institute study. However, for the seventh straight year, healthcare data breach costs were higher than in any other industry sector.

This year, the Ponemon Institute calculated the average healthcare data breach costs to be $380 per record. The average global cost per record for all industries is now $141, with healthcare data breach costs more than 2.5 times the global average. Last year, average healthcare data breach costs were $402 per record. The average cost of a breach in the United States across all industries is $225 per record, up from $221 in 2016.

Data breach costs have risen substantially over the past seven years, although the latest report shows there was a 10% reduction in data breach costs across all industry sectors. This was the first year that data breach costs have shown a decline. The average global cost of a data breach now stands at $3.62 million, having reduced from $4 million last year.

The study was conducted globally, with 63 organizations in the United States surveyed. Those organizations were spread across 16 industry sectors. The Ponemon Institute surveyed each company after they experienced the loss or theft of sensitive information and had issued breach notifications to affected individuals. Sensitive data was classed as “An individual’s name plus Social Security number, medical record and/or a financial record or debit card.”

In the United States, the surveyed companies experienced data breaches that resulted in the exposure or theft of between 5,563 and 99,500 records, with an average of 28,512 records per breach.

The Ponemon Institute compared the total cost of a breach with the average cost over the past four years. In the United States, the total cost of a data breach rose from $7.01 million to $7.35 million. This was the highest total breach cost since IBM Security/Ponemon first started conducting the study.

Across all industry sectors, the cost of a data breach was highest for malicious or criminal attacks ($244 per record), followed by system glitches ($209 per record) and human error ($200 per record). The breakdown of the causes of the breaches was malicious or criminal attacks (52%), system glitches (24%) and human error (24%).

How do Healthcare Data Breach Costs Compare to Other Industries?

United States Data Breach Costs

Industry              Average Cost per Record (USD)
Healthcare            380
Financial Services    336
Services              274
Life Sciences         264
Industrial            259
Technology            251
Education             245
Transportation        240
Communications        239
Energy                228
Consumer              196
Retail                177
Hospitality           144
Entertainment         131
Research              123
Public Sector         110
Average Cost          225

The study showed the United States has higher breach costs than Europe, where the average cost of a data breach declined by 26% year-over-year. The Ponemon Institute attributed this, in part, to the centralized regulatory environment in Europe. In the United States, organizations have to comply with federal regulations as well as separate regulations in 48 of the 50 states. This makes the breach response labor intensive and extremely costly.

The report suggests the reason for the rise in breach costs in the United States was the result of compliance failures and a rush to notify individuals, with the latter costing organizations 50% more than in Europe. The study revealed the cost of issuing breach notifications was $690,000 on average in the United States – twice the figure of any other country.

The study showed that when third parties were involved in a breach there was an increase in data breach costs, typically adding an extra $17 per record.

As in previous years, a rapid response to a data breach saw organizations limit the cost. When an incident response plan was in place prior to a breach, organizations were able to save an average of $19 per record. There was an average reduction in breach costs of $1 million when organizations were able to contain the breach within 30 days. However, on average, companies took more than six months to discover a breach and more than 66 days to contain it.

Other factors that led to a reduction in breach costs were the use of encryption, which saw a $16 reduction in costs per record, and employee education, which saw breach costs reduced by $12.50 per record.

Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute said, “Data breaches and the implications associated continue to be an unfortunate reality for today’s businesses,” explaining, “Year-over-year we see the tremendous cost burden that organizations face following a data breach.”

May’s Healthcare Data Breach Report Shows Some Incidents Took 3 Years to Discover

The May 2017 healthcare Breach Barometer Report from Protenus shows there was an increase in reported data breaches last month. May was the second worst month of the year to date for healthcare data breaches with 37 reported incidents, approaching the 39 data breaches reported in March. In April, there were 34 incidents reported.

So far, each month of 2017 has seen more than 30 data breaches reported – that’s one reported breach per day, as was the case in 2016.

In May, there were 255,108 exposed healthcare records representing a 10% increase in victims from the previous month; however, it is not yet known how many records were exposed in 8 of the breaches reported in May. The number of individuals affected could rise significantly.

The largest incident reported in May was the theft of data by TheDarkOverlord, a hacking group/hacker known for stealing data and demanding a ransom in exchange for not publishing the data. The latest incident saw the data dumped online when the organization refused to pay the ransom.

While April saw a majority of healthcare data breaches caused by hackers, in May it was insiders that caused the most data breaches. Insiders were responsible for 40.54% of data breaches (15 incidents) in May, with 10 the result of insider errors and 5 incidents the result of insider wrongdoing. In total, 39,491 healthcare records were exposed as the result of insiders.

Hacking was the second biggest cause of data breaches, accounting for 35.14% of the month’s reported breaches. As is typical, hacking resulted in the exposure of the most records – 203,394. At least three of those hacking incidents involved ransomware.

This month’s report proved problematic, as several hacking incidents were discovered after data were posted on black market websites, yet it is unclear whether the incidents are genuine as efforts to verify the data proved inconclusive.

Loss or theft of unencrypted devices and physical records accounted for 13.51% of breaches. Those incidents resulted in the exposure of 4,122 records, although it is unclear how many records were exposed in one of the 4 breaches involving theft/loss. The cause of the 10.81% of incidents is still unknown.

Healthcare providers reported 81% of the month’s breaches, followed by business associates (11%) and health plans (8%).

Over the past two months there has been an improvement in the reporting of healthcare data breaches, with more covered entities reporting incidents inside the 60-day limit of the HIPAA Breach Notification Rule. This month 83% of covered entities reported their breaches on time, an improvement from last month when just 66% of breaches were reported within 60 days. One covered entity took 77 days to report a breach while another took 140 days, more than twice the allowable time. The improvement could be due, in part, to OCR’s decision to fine a covered entity $475,000 for the late issuing of breach notifications to patients.

This month’s Breach Barometer report shows that while breach reporting is improving, breach detection remains a problem. April’s breaches took an average of 51 days to detect, whereas in May it took an average of 441 days for healthcare organizations to discover a breach had occurred. Three healthcare organizations took more than three years to discover a breach had occurred. One healthcare organization took almost three and a half years (1,260 days) to discover a breach, another took 1,125 days and one took 1,071 days.

California was once again the worst affected state with 6 breaches, closely followed by Florida with 5 incidents.

Delayed Breach Notification Sees CoPilot Fined $130,000 by NY AG

A data breach that occurred in October 2015 should have seen affected individuals notified within 2 months, yet it took CoPilot Provider Support Services Inc. until January 2017 to issue breach notifications.

An administration website maintained by CoPilot was accessed by an unauthorized individual on October 26, 2015. That individual also downloaded the data of 221,178 individuals. The stolen data included names, dates of birth, phone numbers, addresses, and medical insurance details.

The individual suspected of accessing the website and downloading data was a former employee. CoPilot contacted the FBI in February 2016 to receive help with the breach investigation and establish the identity of the unauthorized individual.

However, notifications were not sent by CoPilot until January 18, 2017. CoPilot says the delay was due to the time taken for the FBI to investigate the breach; however, since CoPilot was aware that reimbursement-related records had been stolen, notifications should have been sent sooner. Further, law enforcement did not instruct CoPilot to delay the issuing of breach notifications as doing so would not have impeded the investigation.

There is some debate as to whether CoPilot is a HIPAA covered entity. CoPilot has previously said it is not covered by HIPAA Rules, although a breach report was sent to the Department of Health and Human Services’ Office for Civil Rights. If CoPilot is a HIPAA covered entity, it would be necessary for breach notifications to be sent within 60 days of the discovery of the breach.

OCR is investigating and trying to determine whether CoPilot is classed as a business associate and therefore must comply with HIPAA Rules. If OCR determines CoPilot is a HIPAA-covered entity, the decision may be taken to issue a financial penalty for the delayed breach notifications. Earlier this year, OCR fined Presence Health $475,000 for delaying breach notifications for three months. A fine for CoPilot would likely be considerably higher considering the number of individuals impacted by the breach and the length of the delay.

HIPAA fines may or may not result from the notification delay, but the New York attorney general has now taken action. On Thursday last week, Eric Schneiderman announced that CoPilot has been fined $130,000 for the breach notification delay, not for a breach of HIPAA Rules but for a breach of General Business Law § 899-aa. The law requires businesses to send timely breach notifications to individuals impacted by a data breach. In addition to the fine, CoPilot is required to improve its notification and legal compliance program.

Announcing the fine, Schneiderman said, “Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” explaining that “Waiting over a year to provide notice is unacceptable.”

The financial penalty sends a message to all businesses that unnecessary breach notification delays will not be tolerated. Schneiderman said “My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”

OCR’s Wall of Shame Under Review by HHS

Since 2009, the Department of Health and Human Services’ Office for Civil Rights has been publishing summaries of healthcare data breaches on its website. The data breach list is commonly referred to as OCR’s ‘Wall of Shame’.

The data breach list only provides a brief summary of data breaches, including the name of the covered entity, the state in which the covered entity is based, covered entity type, date of notification, type of breach, location of breach information, whether a business associate was involved and the number of individuals affected.

The list includes all reported data breaches, including those which occurred due to no fault of the healthcare organization. The list is not a record of HIPAA violations. Those are determined during OCR investigations of breaches.

Making brief details of the data breaches available to the public is an ‘unnecessarily punitive’ measure, according to Rep. Michael Burgess (R-Texas), who recently criticized OCR about its data breach list.

Burgess was informed at a cybersecurity hearing last week that HHS secretary Tom Price is currently reassessing the website and how the information is made public.

While the publication of information is under review, the publication of breach summaries is a requirement of the HITECH Act of 2009. Any decision to stop publishing breach summaries on the website would require assistance from Congress. However, it is possible for changes to be made to how the information is displayed and for how long it is made available. The HITECH Act only requires the information to be published. It does not stipulate the length of time that the covered entity remains on the list.

The reason behind the publication of breach information is to inform the public of data breaches and to provide some information on what has occurred. If there was a time limit placed on the length of time a covered entity remained on the list, it would not be possible for a member of the public to determine whether a breach was an isolated event or one of several suffered by a covered entity.

OCR Director Roger Severino issued a statement confirming the usefulness of the website saying, “The website provides an important source of information to the public, but we recognize that the format has become stale and can and should be improved,” explaining “OCR will continue to evaluate the best options for communicating this information as we meet statutory obligations, educate the regulated community (and the public) on lessons learned, and highlight actions taken in response.”

Burgess told Fierce Healthcare, “I am interested in pursuing solutions that hold hospital systems accountable for maintaining patient privacy without defaming systems that may fall victim to large-scale ransomware attacks, such as WannaCry.”

Of course, in the case of the WannaCry attacks, healthcare organizations may not be blameless. The attacks were only possible as a result of the failure to apply patches promptly. However, in its current form, there would be no indication on the website that a covered entity had experienced a ransomware attack as the breach list does not go into that much detail.

While options are being considered, some privacy advocates argue that the breach portal does not go into nearly enough detail and suggest even more information should be uploaded to the site to better inform the public on exactly what has occurred.

Study: 1 in 5 Enterprise Users Have Set Weak Passwords

The sharing of passwords across multiple platforms is a bad idea. If one platform suffers a data breach, all other systems that have the same password set could also easily be compromised. Even though the reuse of passwords is unwise, and many organizations have policies in place prohibiting employees from recycling passwords, it remains a common practice.

Many organizations have implemented policies, procedures and technology to prevent weak passwords from being used and they force end users to change their passwords frequently, but it is difficult for organizations to prevent password recycling.

The practice has recently been investigated by Preempt. Preempt has developed a tool that can be used by enterprises to assess the strength of the passwords used by their employees. The tool reports on the accounts that have weak passwords set, allowing the enterprise to take action. The tool also compares passwords to a database of 10 million passwords compromised in previous data breaches that are now in the hands of cybercriminals.

An analysis of data from enterprises that downloaded the Preempt Inspector tool showed that more than 7% of employees are using passwords for their work accounts that have already been compromised in previous data breaches. Preempt also reports that 20% of passwords used by enterprise employees could easily be compromised, even though many enterprises have systems in place to ensure password complexity.

Preempt reports that 1 in 14 enterprise employees have set an extremely weak password that has appeared in a previous breach, while 13.39% of enterprise users have shared their password, either with other users or teams, or by using the same password for other services. Preempt says its research shows that 1 in 7 users have disclosed their password to other users within their network.

The study revealed that an average of 19.1% of enterprise users have set poor passwords, either those that have been used elsewhere, have been shared or are particularly weak. This translates to 1 in 5 enterprise users having a password that could easily be guessed by a threat actor.
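To make the categories in the study concrete, the following is an added Python example (not Preempt’s tool and not code from the original article) that runs the same three checks over a constructed sample directory: whether an account’s password hash appears in a breach corpus, whether it is a common password from a wordlist, and whether the same hash is set on more than one account, which is how sharing shows up from the inside. The breach corpus, the wordlist and the accounts are all constructed for the demo; the check assumes unsalted hashes so that identical passwords produce identical hashes, as is the case for Windows NT hashes, and it works on hashes only so no plaintext needs to be recovered.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 used as the stand-in hash for the demo (assumption: unsalted store)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample directory: account -> stored password hash. Hashing plaintext
# here only builds the demo input; a real audit starts from the hashes it can read.
SAMPLE_ACCOUNTS = {
    "alice": sha1_hex("Blue-Giraffe-Trombone-2017!"),   # strong, but also set by bob
    "bob": sha1_hex("Blue-Giraffe-Trombone-2017!"),     # shared with alice
    "carol": sha1_hex("Password1"),                     # breached and common
    "dave": sha1_hex("c0rrect-horse-battery-staple-42"),
    "erin": sha1_hex("hunter2"),                        # breached
    "frank": sha1_hex("Tr0ub4dor&3-Rewrite"),
    "grace": sha1_hex("Zq9$vL2#pW8mX!kR"),
    "heidi": sha1_hex("Lighthouse-Kettle-Orbit-91"),
    "ivan": sha1_hex("welcome1"),                       # common
    "judy": sha1_hex("Maple-Satellite-Quartz-58"),
}

# Constructed stand-in for a corpus of hashes leaked in earlier breaches.
BREACHED_HASHES = {sha1_hex(p) for p in ("Password1", "hunter2", "123456")}

# Constructed short wordlist of common passwords (a real audit uses a far larger one).
COMMON_PASSWORDS = ("welcome1", "Password1", "qwerty", "letmein")


def audit_passwords(accounts: dict, breached_hashes: set, common_passwords) -> dict:
    """Flag accounts whose hash is breached, common, or reused by another account."""
    common_hashes = {sha1_hex(p) for p in common_passwords}

    # Group accounts by hash: any group larger than one is a shared password.
    users_per_hash = defaultdict(list)
    for user, h in accounts.items():
        users_per_hash[h].append(user)

    findings = {}
    for user, h in accounts.items():
        reasons = []
        if h in breached_hashes:
            reasons.append("appears in breach corpus")
        if h in common_hashes:
            reasons.append("common password")
        others = sorted(u for u in users_per_hash[h] if u != user)
        if others:
            reasons.append("shared with " + ", ".join(others))
        if reasons:
            findings[user] = reasons

    total = len(accounts)
    poor = len(findings)
    return {
        "total": total,
        "compromised": sum(1 for h in accounts.values() if h in breached_hashes),
        "common": sum(1 for h in accounts.values() if h in common_hashes),
        "shared": sum(1 for h in accounts.values() if len(users_per_hash[h]) > 1),
        "poor": poor,
        "poor_pct": round(100.0 * poor / total, 1) if total else 0.0,
        "one_in": round(total / poor, 1) if poor else None,  # "1 in N users" as in the study
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_passwords(SAMPLE_ACCOUNTS, BREACHED_HASHES, COMMON_PASSWORDS)
    print(f"{report['poor']} of {report['total']} accounts ({report['poor_pct']}%) "
          f"have a poor password: 1 in {report['one_in']}")
    for user, reasons in sorted(report["findings"].items()):
        print(f"  {user}: {'; '.join(reasons)}")
```

The per-account findings are what an administrator actually needs to act on (force a reset, follow up on the sharing), while the aggregate counts map onto the percentages the study reports. Sharing with external services, which Preempt also counts, cannot be detected from inside the directory; only the breach-corpus check catches that case, and only once the external password has leaked.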

The study revealed that larger organizations tend to have a better security posture and also a lower percentage of weak passwords in use. The larger the organization, the more secure their passwords are. This has been attributed to larger organizations having more resources devoted to security, with password policies likely to have been set and systems in place to enforce strong passwords. Those organizations are also likely to have more extensive education programs to raise security awareness.

The study was conducted on clients in multiple countries, with US-based organizations having approximately half the proportion of weak passwords of non-US companies. Preempt suggests that credential theft and cyberattacks are more extensively covered in the media in the United States, raising awareness of security and the need to take steps to prevent data breaches, such as setting strong passwords and not reusing passwords on multiple platforms.

The research shows that even though employees receive security awareness training and policies and technology are used to enforce the use of strong passwords, many employees are still taking big risks with their password choices. Many enterprises may believe they have tackled the issue of poor passwords, when the reality is likely quite different.

Microsoft Patches Two Critical, Actively Exploited Vulnerabilities

Microsoft released a slew of updates this Patch Tuesday, including patches for two critical vulnerabilities that are being actively exploited in the wild. In total, 95 vulnerabilities were addressed yesterday, 18 of which have been rated critical and 76 as important.

The two actively exploited vulnerabilities are of most concern; in fact, one is so serious that Microsoft took the decision to issue a patch for Windows XP, even though extended support for the outdated operating system ended in April 2014. As with the emergency patch issued last month shortly after the WannaCry ransomware attacks, the vulnerability was considered so severe it warranted a patch.

Adrienne Hall, general manager of Microsoft’s Cyber Defense Operations Center, explained the decision to issue a patch for Windows XP saying, “Due to the elevated risk for destructive cyberattacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt.”

The flaw – CVE-2017-8543 – exists in the Windows Server Message Block (SMB) service. It was also an SMB service vulnerability that was exploited in the recent WannaCry ransomware attacks that spread to more than 300,000 devices in 150 countries on May 12.

CVE-2017-8543 could similarly be exploited by cybercriminals to install malware with wormlike capabilities, allowing infections to spread rapidly across a network. The flaw exists in most Windows versions, including Windows XP, Windows 7, Windows 8.1 and Windows 10, as well as Microsoft Server 2003, 2008, 2012 and 2016. Microsoft has also issued a patch for Microsoft Server 2003.

As with the WannaCry attacks, the vulnerability could be exploited without any user interaction required. A remote unauthenticated user could trigger the vulnerability via an SMB connection. If exploited, the attacker could take control of the infected device. Since this vulnerability is being actively exploited in the wild, it is essential that the patch is applied promptly.

The other critical – and actively exploited – flaw is CVE-2017-8464, an LNK remote code execution vulnerability. This vulnerability can be exploited using a specially crafted shortcut file.

While not believed to be exploited at present, a memory corruption vulnerability in Outlook (CVE-2017-8507) is of particular concern. An attacker could exploit the vulnerability simply by sending a specially crafted message to an Outlook user. The vulnerability would be triggered when the user views the message, giving the attacker full control of their computer. No attachment would need to be opened in order for the vulnerability to be exploited.

CVE-2017-8527 could also potentially be exploited with little user interaction required. A user would only be required to visit a website with specially crafted fonts.

Patches have also been issued for remote code execution vulnerabilities in Microsoft Edge and Internet Explorer. These flaws are not being actively exploited at present, although the flaws have been publicly disclosed so it is only a matter of time before attacks occur.

In addition to the patches released by Microsoft, Adobe has similarly issued a round of updates. In total, 21 vulnerabilities have been addressed, 15 of which have been rated critical. Four products have been updated – Flash, Shockwave, Captivate and Adobe Digital Editions.

While Microsoft has now issued patches for unsupported operating systems on two occasions in the past 30 days, this should not be taken as a sign that flaws will continue to be addressed. Any organization still using unsupported operating systems should ensure those systems are upgraded to supported Windows versions as soon as possible. Further flaws are likely to be discovered, but Microsoft is unlikely to continue to release patches.

Eric Doerr, general manager of the Microsoft Security Response Center said, “Our decision today to release these security updates for platforms not in extended support should not be viewed as a departure from our standard servicing policies.”
