Phishing EHR Medical Records

880 Patients Potentially Impacted by Baptist Health Louisville Phishing Attack

Posted by HIPAA Journal

Baptist Health in Louisville, KY has notified 880 patients that some of their protected health information has potentially been accessed and stolen.

The security breach was discovered on October 3, 2017, when irregular activity was detected on the email account of an employee. Baptist Health was able to determine that a third party sent a phishing email to the employee, who responded and disclosed login credentials allowing the email account to be accessed.

Those login credentials were subsequently used by an unknown individual to gain access the email account. The email account contained the protected health information of 880 patients, although it is unclear whether any of the emails were viewed. The motive behind the attack may not have been to gain access to sensitive information.

What is known, is access was used to send further phishing emails to other email accounts. Following the discovery of the breach, Baptist Health responded quickly to limit the potential for harm and disabled the affected email accounts and performed a password reset to prevent further unauthorized access.

Due to the actions taken by the hacker once access to the account was gained, Baptist Health does not believe any information contained in the emails has been used inappropriately.

A review of all emails in the account showed the types of information potentially compromised included names, medical record numbers, dates of birth, clinical information, and treatment information. A limited number of Social Security numbers were also exposed.

Since the possibility of PHI access and misuse cannot be ruled out with a high degree of certainty, all 880 patients impacted by the breach have been notified and patients whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services for one year without charge.

Staff have also received additional training in relation to phishing emails, and the login process for remote access has been strengthened to prevent similar breaches from occurring in the future.

The post 880 Patients Potentially Impacted by Baptist Health Louisville Phishing Attack appeared first on HIPAA Journal.

18,500 Patients PHI Exposed After Multiple Email Accounts Were Compromised

Posted by HIPAA Journal

The Detroit-based Henry Ford Health System has started notifying almost 18,500 patients that some of their protected health information has potentially been accessed by an unauthorized individual.

The breach was detected on October 3, 2017 when unauthorized access to the email accounts of several employees was detected. While protected health information was potentially accessed or stolen, the health system’s EHR system was not compromised at any point. All data was confined to the compromised email accounts.

It is currently unclear exactly how access to the email accounts was gained. Typically, breaches such as this involve phishing attacks, where multiple emails are sent to healthcare employees that fool them into disclosing their login credentials. An internal investigation into the breach is ongoing to determine the cause of the attack and how the login credentials of some of its employees were stolen.

Henry Ford Health System has conducted a review of all emails in the accounts and has determined that 18,470 patients have been affected. The emails contained a range of information on patients including names, medical record numbers, dates of birth, provider’s name, department’s name, location, dates of service, medical diagnoses, and the name of health insurers. Each patient impacted by the breach had some or all of the above information exposed. Financial information and Social Security numbers were not present in any of the compromised email accounts.

At this stage in the investigation it is unclear whether the person who accessed the accounts viewed or stole any information, and whether any of the PHI has been used inappropriately.

A spokesperson for Henry Ford Health System said, “We take very seriously any misuse of patient information, and we are continuing our own internal investigation to determine how this happened and to ensure no other patients are impacted,” and “To reduce future risk of this happening again, we are strengthening our security protections for employees, all of whom will be educated about this measure in the coming weeks.”

Henry Ford Health System will also be reviewing its policies on email retention and the use of two-factor authentication.

The post 18,500 Patients PHI Exposed After Multiple Email Accounts Were Compromised appeared first on HIPAA Journal.

Survey Reveals Poor State of Email Security in Healthcare

Posted by HIPAA Journal

A recent survey showed 98% of top healthcare providers have yet to implement the DMARC (Domain-based Message Authentication, Reporting & Conformance) email authentication standard.

The National Health Information Sharing and Analysis Center (NH-ISAC), the Global Cybersecurity Alliance (GCA), and cybersecurity firm Agari investigated the level of DMARC adoption in the healthcare industry and the state of healthcare email security.

For the report, Agari analyzed more than 500 domains used by healthcare organizations and pharmaceutical firms, as well as more than 800 million emails and over 1,900 domains from its Email Trust Network.

The report – Agari Industry DMARC Adoption Report for Healthcare – shows that while DMARC can all but eliminate phishing attacks that impersonate domains, only 2% of the top healthcare organizations and fewer than 23% of all healthcare organizations have adopted DMARC.

Only 21% of healthcare organizations are using DMARC to monitor for unauthenticated emails, yet those organizations are not blocking phishing emails. Only 2% are protecting patients from phishing attacks spoofing their domains. NH-ISC reports that only 30% of its members have adopted DMARC.

The impersonation of domains is a common tactic employed by phishers to fool victims into believing emails have been sent by trusted organizations. The healthcare industry is at the highest risk of being targeted by fraudulent email, according to the report. Over the past 6 months, 92% of healthcare domains have been targeted by phishers and scammers using fraudulent email. 57% of all emails sent from healthcare organizations are fraudulent or unauthenticated.

DMARC has been widely adopted in industry, although the healthcare industry lags behind. The same is true of federal agencies, which have been slow to implement the email security standard. Last month, the U.S Department of Homeland Security addressed this by issuing a Binding Operational Directive, which required all federal agencies to implement DMARC within 90 days.

The healthcare industry is being urged to do the same. NH-ISAC is already encouraging its members to adopt DMARC, while the GCA has launched a ‘90-Days to DMARC’ challenge, which commences on December 1. Under the challenge, GCA will be releasing guidance, conducting webinars, and making resources available to help healthcare organizations plan, implement, analyze, and adjust DMARC.

“GCA is challenging organizations in all sectors to follow the path set forward by DHS. We applaud NH-ISAC for calling upon its members to implement DMARC,” said Phil Reitinger, President and CEO of GCA.

Jim Routh, CSO, Aetna, said “The implementation of DMARC for Aetna improved the consumer experience by eliminating unwanted and fraudulent email which reduced the risk of phishing, resulting in more email engagement and healthier lives for members.”

“Successful DMARC implementations from Aetna, Blue Shield of California and Spectrum Health are leading the way for other healthcare industry organizations to restore trust in communications,” said Patrick Peterson, founder and executive chairman of Agari.

The post Survey Reveals Poor State of Email Security in Healthcare appeared first on HIPAA Journal.

9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack

Posted by HIPAA Journal

A Medical College of Wisconsin phishing attack has resulted in the exposure of approximately 9,500 patients’ protected health information. The attackers managed to gain access to several employees’ email accounts, which contained a range of sensitive information of patients and some faculty staff.

The types of information in the compromised email accounts included names, addresses, medical record numbers, dates of birth, health insurance details, medical diagnoses, treatment information, surgical information, and dates of service. A very limited number of individuals also had their Social Security numbers and bank account information exposed.

The incident occurred over the space of a week in the summer between July 21 and July 28 when spear phishing emails were sent to specific individuals at the Medical College of Wisconsin. Responding to those emails resulted in the attackers gaining access to email login credentials.

Medical College of Wisconsin brought in a computer forensics firm to conduct an investigation into the phishing attack, and while that investigation established that access to the email accounts was gained by unauthorized individuals, it was not possible to determine whether emails containing protected health information had been accessed or viewed, or if any sensitive information was stolen. Since the attack occurred, no reports of misuse of patient information have been received.

To protect individuals against identity theft and fraud, credit monitoring and identity theft restoration services have been offered to breach victims free of charge, but only to those individuals whose Social Security numbers were compromised.

Medical College of Wisconsin reports that in addition to some faculty staff and Medical College of Wisconsin patients, some individuals who received treatment at Children’s Hospital of Wisconsin and Froedtert Health have also been impacted by the breach.

The latest Medical College of Wisconsin phishing attack comes just 10 months after a similar incident resulted in the exposure of 3,200 patients’ protected health information.

The post 9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack appeared first on HIPAA Journal.

November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches

Posted by HIPAA Journal

Protenus has released its November 2017 healthcare Breach Barometer Report. After a particularly bad September, healthcare data breach incidents fell to more typical levels, with 37 breaches tracked in October.

The monthly summary of healthcare data breaches includes incidents reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), and incidents announced via the media and tracked by databreaches.net.

Those incidents include several breaches that have yet to be reported to OCR, including a major breach that has impacted at least 150,000 individuals – The actual number of individuals impacted will not be known until the investigation has been completed. The numbers of individuals impacted by 8 breaches have not yet been disclosed.

Including the 150,000 individuals impacted by largest breach of the month, there were 246,246 victims of healthcare data breaches in October 2017 – the lowest monthly total since May 2017.

The healthcare industry has historically recorded a higher than average number of data breaches due to insiders, although over the past few months hacking has been the leading cause of breaches. That trend has continued in October. Hacking was behind 35.1% of all incidents, insider incidents accounted for 29.7% of the total, with the loss and theft of devices behind 16.2% of incidents. The causes of the remaining 18.9% of breaches is not yet known.

While hacking incidents usually result in more records being exposed or stolen, in October insider errors exposed more healthcare data. 65% of all breached records involved insider errors.

157,737 individuals had their PHI exposed due to insider errors and insider wrongdoing, while hacks resulted in the theft of 56,837 individuals’ PHI. Protenus notes that three incidents were due to the hacking group TheDarkOverlord.

In total, there were 11 breaches that were the result of insiders – five  due to errors and six due to insider wrongdoing. The biggest breach involving insider error was the failure to secure an AWS S3 bucket, resulting in the exposure of 316,363 PDF reports – containing the PHI of at least 150,000 individuals: One of two such incidents reported in October that involved unsecured AWS S3 buckets.

Another insider incident involved the mailing of flyers to individuals where PHI was visible through the envelope – A major incident that potentially caused considerable harm, as the information viewable related to patients’ HIV status.

The average time taken from breach to discovery was 448 days in October. The median time was 304 days, showing healthcare organizations are still struggling to detect data breaches rapidly.

Two HIPAA-covered entities reported breaches to OCR well outside the 60-day deadline stipulated in the HIPAA Breach Notification Rule. One of those incidents was reported three years after the breach was detected. In that case, the breach involved a nurse who was stealing patient records and using the information to file false tax returns. The median time from discovery to reporting was 59 days.

Healthcare providers reported 29 incidents, there were 7 incidents reported by health plans, one breach was reported by a school. Four incidents were known to involve a business associate.

California and Florida were the worst hit states in October with four incidents apiece, followed by Texas and New York.

The post November Healthcare Breach Barometer Report Highlights Seriousness of Insider Data Breaches appeared first on HIPAA Journal.

Suspected Phishing Attack on UPMC Susquehanna Exposes 1,200 Patients’ PHI

Posted by HIPAA Journal

UPMC Susquehanna, a network of hospitals and medical centers in Williamsport, Wellsboro, and Muncy in Pennsylvania, has announced that the protected health information of 1,200 patients has potentially been accessed by unauthorized individuals. Access to patient information is believed to have been gained after an employee responded to a phishing email.

While details of the breach date have not been released, UPMC Susquehanna says it discovered the breach on September 21, when an employee reported suspicious activity on their computer. An investigation was launched, which revealed unauthorized individuals had gained access to that individual’s device.

It is not known whether the attacker viewed, stole, or misused any patient information, but the possibility of data access and misuse could not be ruled out. The information potentially accessed includes names, contact information, dates of birth, and Social Security numbers.

The individuals potentially impacted by the incident had previously received treatment at various UPMC Susquehanna hospitals including Muncy Valley Hospital, UPMC Susquehanna Lock Haven, Sunbury Community Hospital, Soldiers and Sailors Memorial Hospital in Wellsboro, Williamsport Regional Medical Center and Divine Providence Hospital in Williamsport.

UPMC Susquehanna responded quickly to the breach, terminating unauthorized access. Staff have also been provided with “intensive retraining” on hospital policies and appropriate federal and state laws to prevent any recurrence. UPMC Susquehanna stated this training was in addition to the annual training sessions already provided to all staff members on the privacy and confidentiality of patient health information. UPMC Susquehanna has also conducted a complete review of its policies and procedures for keeping patient information secure.

All patients impacted by the incident have been offered complimentary identity theft protection services and have now received notifications in the mail. Patients have also received instructions on the steps they can take to protect their accounts and credit in case their information is misused.

The post Suspected Phishing Attack on UPMC Susquehanna Exposes 1,200 Patients’ PHI appeared first on HIPAA Journal.

October 2017 Healthcare Data Breaches

Posted by HIPAA Journal

In October 2017, there were 27 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights. Those data breaches resulted in the theft/exposure of 71,377 patient and plan member records. October saw a significant fall in the number of reported breaches compared to September, and a major fall in the number of records exposed.

Healthcare data breaches by month (July-October 2017)

October saw a major reduction in the number of breached records, with the monthly total almost 85% lower than September and almost 88% lower than the average number of records breached over the preceding three months.

healthcare records breached July-October 2017

Healthcare providers were the worst hit in October with 19 reported data breaches. There were six data breaches reported by health plans and at least two incidents involved business associates of HIPAA-covered entities.

October 2017 Healthcare Data Breaches by Covered Entity Type

October 2017 healthcare data breaches by covered entity type

Main Causes of October 2017 Healthcare Data Breaches

Unauthorized access/disclosures were the biggest causes of healthcare data breaches in October. There were 14 breaches reported involving unauthorized access/disclosures, 8 hacking incidents, four cases of theft, and one unencrypted laptop computer was lost.

cause of october 2017 healthcare data breaches

Unauthorized access/disclosures were the leading causes of October 2017 healthcare data breaches, although hacking/IT incidents exposed more records – Over twice the number of records exposed by unauthorized access/disclosures and hacking/IT incidents exposed more records than all other breach types combined.

october 2017 healthcare data breaches - records exposed

Location of Exposed and Stolen Protected Health Information

Email was the most common location of breached PHI in October. Five of the nine incidents involving email were the result of hacking/IT incidents such as phishing. The remaining four incidents were unauthorized access/disclosures such as healthcare employees sending emails containing PHI to incorrect recipients. Five incidents involved paper records, highlighting the importance of securing physical records as well as electronic protected health information.

october 2017 healthcare data breaches - location of breached PHI

October 2017 Healthcare Data Breaches by State

In October, healthcare organizations based in 22 states reported data breaches. The state that experienced the most data breaches was Florida, with 3 reported breaches. Maryland, Massachusetts, and New York each had two breaches.

Alabama, Arizona, California, Connecticut, Georgia, Iowa, Illinois, Kansas, Kentucky, Louisiana, Missouri, North Carolina, Ohio, Rhode Island, Tennessee, Texas, Virginia, and Washington each had one reported breach.

Largest Healthcare Data Breaches in October 2017

 

Breached Entity Entity Type Breach Type Individuals Affected
Chase Brexton Health Care Healthcare Provider Hacking/IT Incident 16,562
East Central Kansas Area Agency on Aging Business Associate Hacking/IT Incident 8,750
Brevard Physician Associates Healthcare Provider Theft 7,976
MHC Coalition for Health and Wellness Healthcare Provider Theft 5,806
Catholic Charities of the Diocese of Albany Healthcare Provider Hacking/IT Incident 4,624
MGA Home Healthcare Colorado, Inc. Healthcare Provider Hacking/IT Incident 2,898
Orthopedics NY, LLP Healthcare Provider Unauthorized Access/Disclosure 2,493
Mann-Grandstaff VA Medical Center Healthcare Provider Theft 1,915
Arch City Dental, LLC Healthcare Provider Unauthorized Access/Disclosure 1,716
John Hancock Life Insurance Company (U.S.A.) Health Plan Unauthorized Access/Disclosure 1,715

The post October 2017 Healthcare Data Breaches appeared first on HIPAA Journal.

Cybersecurity in Healthcare Report Highlights Sorry State of Security

Posted by HIPAA Journal

Infoblox has released a new cybersecurity in healthcare report which has revealed many healthcare organizations are leaving themselves wide open to attack and are making it far too easy for hackers to succeed.

The cybersecurity in healthcare report was commissioned to help determine whether the healthcare industry is prepared to deal with the increased threat of cyberattacks. Healthcare IT and security professionals from the United States and United Kingdom were surveyed for the report

The report highlighted the sorry state of cybersecurity in healthcare and revealed why cyberattacks so commonly succeed. Devices are left unprotected, outdated operating systems are still in use, many healthcare organizations have poor visibility into network activity, employees are not being trained to identify threats, and there is apathy about security in many organizations.

The Poor State of Cybersecurity in Healthcare

The use of mobile devices in hospitals has increased significantly in recent years. While the devices can help to improve efficiency, mobile devices can introduce considerable risks. 47% of the large healthcare organizations that were surveyed were using more than 5,000 devices on their networks. Securing so many devices and ensuring they are kept up to date and fully patched is a major challenge for healthcare IT and security professionals, but many organizations are unaware of all of the devices that are connecting to their networks.

Ransomware is a major issue for the healthcare industry. The scale of recent ransomware attacks has put many healthcare organizations on alert, and most hospitals are now in a much better position to deal with attacks when they occur. In the United Kingdom, 15% of respondents said they do not have a plan that could be implemented in the event of a ransomware attack. The lack of planning can result in far greater disruption when an attack occurs.

One in five respondents said devices were in use that were running on Windows XP, even though the operating system has been retired and has not been supported since April 2014. 22% said they were still using Windows 7, which had vulnerabilities that were exploited in the WannaCry attacks. Only 57% of organizations said they were patching their systems at least once a week.

18% of respondents said they had medical devices with unsupported operating systems. Infoblox drew attention to the fact that 7% of respondents didn’t know what operating system that their medical devices are running on, and out of those who do, 26% of large organizations said that they either don’t know or don’t care if they can update those systems.

Those findings make it no surprise that attacks like WannaCry occurred and hit the healthcare industry in the UK so hard.

Cybersecurity Spending is Increasing, but Money is Not being Spent Strategically

The report shows that healthcare organizations are responding to the elevated threat of cyberattacks by investing more heavily in security. 85% of healthcare organizations have increased cybersecurity spending in the past year, and 12% say they have increased spending by more than 50%.

The two technologies that are most commonly chosen are anti-virus solutions (61%) and firewalls (57%), with half of surveyed organizations also having invested in network monitoring technology to identify malicious network activity. Application security solutions are also a popular choice, chosen by 37% of organizations, while one third have invested in DNS security solutions to block data exfiltration and disrupt DDoS attacks.

In the United States, approximately half of healthcare professionals said they had started encrypting their data, compared to 36% in the UK.  Healthcare organizations are now realizing the benefits of providing security awareness training to staff, although worrying, only 35% do. PhishMe reports that more than 90% of cyberattacks start with a phishing email, yet only 33% said they had invested in email security solutions.  Signing up to threat intelligence services can help organizations be more proactive about cybersecurity, yet only 30% of respondents said they had signed up to receive threat intelligence reports.

Recommendations to Improve Cybersecurity in Healthcare

Based on the findings of the report, Infoblox made several recommendations for healthcare organizations to help them mitigate the threat of cyberattacks.

Those recommendations include planning to update operating systems to supported versions. The short-term issues that software updates create are far better than the widespread disruption caused by cyberattacks that exploit vulnerabilities on those outdated systems.

Organizations were advised to know their networks better – the operating systems in use, the devices that are allowed to connect to the network, and the importance of monitoring network activity to detect intrusions.

Organizations must plan for ransomware attacks to minimize disruption. 15% of healthcare organizations still do not have a plan in place to respond if ransomware is installed, even with the elevated threat of attacks on healthcare organizations.

IT security budgets may be increasing, but those budgets must be spent wisely. Investing more money in traditional defenses may not be the best use of budgets.

“Digital transformation presents a massive opportunity to support the doctors and nurses who work tirelessly – but these new technologies also introduce new cyber risk that must be mitigated,” said Rob Bolton, Director of Western Europe at Infoblox. “It’s crucial that healthcare IT professionals plan strategically about how they can manage risk within their organization and respond to active threats to ensure the security and safety of patients and their data.”

The post Cybersecurity in Healthcare Report Highlights Sorry State of Security appeared first on HIPAA Journal.

Ursnif Trojan Steals Contacts and Sends Spear Phishing Emails

Posted by HIPAA Journal

Body:

The banking Trojan Ursnif, one of the most commonly used banking Trojans, has previously been used to attack financial institutions. However, it would appear the actors behind the malware have broadened their horizons, with attacks now being conducted on a wide range of organizations across many different industries, including healthcare.

The new version of the Ursnif Trojan was detected by researchers at security firm Barkly. The malware arrived in a phishing email that appeared to have been sent in response to a message sent to another organization.

The spear phishing email included the message thread from past conversations, suggesting the email account of the contact had been compromised. The email contained a Word document as an attachment with the message “Morning, Please see attached and confirm.”  While such a message would arouse suspicion if that was the only content in the email body, the inclusion of the message thread added legitimacy to the email.

The document contained a malicious macro that ran Powershell commands which tried to download the malicious payload; however, in contrast to many malware campaigns, rather than running the macro immediately, it is not run until the Word document is closed – an anti-sandbox technique.

If the payload is downloaded, in addition to the user’s device being compromised, their email account will be used to send out further spear phishing emails to all of that user’s contacts.

Barkly notes that If installed, the malware can perform man-in-the-middle attacks and can steal information as it is entered into the browser. The purpose of the Ursnif Trojan is to steal a wide range of credentials, including bank account information and credit card details. Ursnif Trojan is also able to take screenshots from the user’s device and log keystrokes.

Barkly reports that this is not the first time the firm has identified malware campaigns that use this tactic to spread malware, but this is the first time that the Ursnif Trojan has been used in this way, showing the threat is evolving.

Since the emails appear to come from a trusted sender, and include message threads, the likelihood of the emails and attachments being opened is far greater.

Barky reports that currently the malware is not being picked up by many anti-virus solutions, and its ability to delete itself after executing makes the threat hard to detect and analyze.

Further details on the threat, including the domains used by the malware and SHA256 hashes for the Word document, Macro, and Ursnif payload can be found on this link.

The post Ursnif Trojan Steals Contacts and Sends Spear Phishing Emails appeared first on HIPAA Journal.