Spam News

90% of Healthcare Organizations Have Experienced an Email-Based Attack in the Past Year

A recently published study conducted by HIMSS Media on behalf of Mimecast has revealed 90% of healthcare organizations have experienced at least one email-based threat in the past 12 months. 72% have experienced downtime as a result and one in four said the attack was very or extremely disruptive.

Healthcare organizations are a major target for cybercriminals. They hold large quantities of personal and health information that can be used for many fraudulent purposes, email-based attacks are easy to perform and require little technical skill, and they often give a high return on investment. Healthcare email security defenses also lag behind other industry sectors and security awareness training is often overlooked.

The study was conducted in November 2019 with 101 individuals who had significant involvement with email security at hospitals and health systems in the United States. 3 out of 4 respondents said they have rolled out, or are in the process of rolling out, a comprehensive cyber resilience program, but only 56% of respondents said they already have such a strategy in place. When asked about their current email security deployments, only half had a high level of confidence that their email security measures would block email-based threats.

When asked about the email threats they had experienced and which were the most disruptive, 61% of respondents said impersonation of trusted vendors were very or extremely disruptive, 57% rated credential-harvesting phishing attacks very or extremely disruptive, and 35% said data leaks and threats initiated by cybercriminals stealing users’ log-in credentials were very or extremely disruptive. The main losses caused by the attacks were productivity (55%), data (34%) and financial (17%).

Email security solutions can block the majority of threats, yet only 79% of respondents said they had email security controls in place or were planning to introduce them. Internet and web protection measures had only been implemented by 64% of surveyed healthcare organizations.

These technical solutions are important, but it is important not to forget the human element. Only 73% of surveyed organizations believed security awareness training was an essential part of their defenses against email-borne cyberattacks. This can partly be explained by the way that training is provided. 40% of respondents said they provide security awareness training less than quarterly and 27% only provide training once a year.

“Organizations are better off doing five minutes of training once a month, instead of 15 minutes of training once a quarter,” said Matthew Gardiner, director of enterprise security at Mimecast. “Even though it’s the same amount of time, it’s better to do the training more often so the information stays top of mind.”

Given the number of email-based attacks, it is alarming that 11% of respondents said they conduct security awareness training less frequently than once a year: only during onboarding, or only after a major event such as a phishing attack or data breach.

“To better prepare, information technology and security professionals must strengthen their email security programs by combining the best technical controls with knowledgeable staff and resilient business processes to avoid disruption from email-borne attacks,” said Gardiner.

The post 90% of Healthcare Organizations Have Experienced an Email-Based Attack in the Past Year appeared first on HIPAA Journal.

Healthcare and Pharma Companies Targeted in HIV Test Phishing Campaign

Researchers at Proofpoint have identified a new phishing campaign targeting healthcare providers, insurance firms and pharmaceutical companies. The intercepted emails impersonate Vanderbilt University Medical Center and claim to include the results of a recent HIV test.

The emails have the subject line “Test result of medical analysis” and include an Excel binary workbook attachment, named TestResult.xlsb, which the recipient must open to view the HIV test results. When the spreadsheet is opened, the user is told the data is protected and that content must be enabled to view the result. Enabling content allows the embedded macros to run, and those macros download malware onto the user’s computer.

This is a relatively small-scale campaign being used to distribute the Koadic RAT, an open source post-exploitation tool used by penetration testers to take control of a system. According to Proofpoint, Koadic is popular with nation state-backed hacking groups in Russia, China, and Iran. Koadic allows attackers to take control of a computer, install and run programs, and steal sensitive personal and financial data.
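As an added detection example (not code from the original post, from Proofpoint, or from HIPAA Journal), the following Python script inspects a raw .eml message for attachments that can carry macros. It checks the file extension and also looks inside the container for a VBA project, because an attacker can rename a macro-enabled workbook to a harmless-looking extension. The sample message, the fictitious sender and recipient domains, and the extension list are constructed for this example and are not taken from the campaign.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Office formats that can carry VBA or legacy OLE macros. Assumption: this is a
# starting policy list, not an authoritative one; extend it for your environment.
MACRO_CAPABLE_EXTS = {".xlsb", ".xlsm", ".xltm", ".xls", ".docm", ".dotm", ".doc", ".pptm", ".ppt"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy (pre-2007) Office container


def has_vba_project(data: bytes) -> bool:
    """True if the blob is a legacy OLE file or an OOXML/xlsb zip containing a VBA project."""
    if data.startswith(OLE_MAGIC):
        return True  # legacy binary format: macros may be inside; treat as suspicious
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def scan_attachments(raw_eml: bytes) -> list[tuple[str, list[str]]]:
    """Return (filename, reasons) for every attachment that looks macro-capable."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if ext in MACRO_CAPABLE_EXTS:
            reasons.append(f"macro-capable extension {ext}")
        if has_vba_project(data):
            reasons.append("VBA project present")  # catches renamed files too
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_eml() -> bytes:
    """Constructed message mimicking the lure described above; not a captured sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # minimal xlsb-like container with a VBA project
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.bin", b"\x00" * 16)
        zf.writestr("xl/vbaProject.bin", b"\x00" * 16)
    msg = EmailMessage()
    msg["From"] = "results@vumc.example"        # assumption: spoofed sender, fictitious domain
    msg["To"] = "clinician@hospital.example"    # assumption: fictitious recipient
    msg["Subject"] = "Test result of medical analysis"
    msg.set_content("The attached data is protected. Enable content to view your test result.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-excel.sheet.binary.macroEnabled.12",
                       filename="TestResult.xlsb")
    return bytes(msg)


if __name__ == "__main__":
    for filename, reasons in scan_attachments(build_sample_eml()):
        print(f"{filename}: {'; '.join(reasons)}")
```

Extension matching alone misses a renamed file; the container check catches an .xlsb or .xlsm that was renamed to .xlsx, but it flags every legacy OLE document, because macros in .xls or .doc files cannot be confirmed without parsing the OLE streams (olevba from the oletools package does that in production).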

Proofpoint has also intercepted several Coronavirus-themed phishing emails in the past few weeks that are being used to distribute a range of malware variants including the Emotet Trojan, AZORult information stealer, the AgentTesla keylogger, and the NanoCore RAT. Several campaigns have been identified that use fake DocuSign, Office 365, and Adobe websites for harvesting credentials.

Several coronavirus-themed phishing lures have been identified. Many claim to offer further information about local COVID-19 cases or claim to include important information on preventing infection. One campaign claimed there was a vaccine and a cure for COVID-19 that was being withheld by the government. Some of the phishing emails are extremely well written and highly convincing, and impersonate authorities on COVID-19 such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC).

Researchers at Check Point have been tracking coronavirus-themed domains and report that more than 4,000 new coronavirus-themed domains have been registered since January 2020. 5% of those domains are suspicious and 3% have been confirmed as malicious and are being used in phishing campaigns or for malware distribution.

“Threat actors regularly use purported health information in their phishing lures because it evokes an emotional response that is particularly effective in tricking potential victims to open malicious attachments or click malicious links,” explained Proofpoint. “If you receive an email that claims to have sensitive health-related information, don’t open the attachments. Instead, visit your medical provider’s patient portal directly, call your doctor, or make an appointment to directly confirm any medical diagnosis or test results.”


New Report Reveals the Brands Most Impersonated by Phishers

A new report from Vade Secure has revealed the top 25 most impersonated brands in phishing attacks. The Q4 2019 Phishers’ Favorites report confirmed PayPal is still the brand most commonly impersonated in phishing attacks, with 11,392 detected phishing URLs in Q4. This is the second successive quarter that PayPal has topped the list. PayPal phishing URL detections are up 23% year-over-year and new PayPal phishing URLs are now being detected at a rate of 124 a day.

There was an increase in phishing URL detections impersonating Facebook, which saw the social media giant leapfrog Microsoft (3rd) and Netflix (4th) into 2nd place. Facebook phishing URL detections are up 358.8% on Q4, 2018.

Microsoft may be in third place overall, but it is the most commonly impersonated brand in corporate phishing attacks. Microsoft now has more than 200 million active Office 365 business users and those users are targeted to gain access to their Office 365 credentials. Office 365 accounts can contain a wealth of sensitive information and can be used to conduct spear phishing attacks on partners and other employees within the organization.

One of the most notable changes in Q4 was a massive increase in phishing URLs impersonating WhatsApp, which saw the Facebook-owned instant messaging service jump 63 places to position 5. The 5,020 detected phishing URLs in Q4 represent a 13,467.6% increase compared to Q3 2019.

The WhatsApp phishing URL detections were the main reason why the percentage share of phishing URLs for social media brands increased from 13.1% in Q3 to 24.1% in Q4. The top ten was rounded out with Bank of America in 6th position, followed by CIBC, Desjardins, Apple and Amazon. There was also a sizeable increase in phishing URLs impersonating Instagram, which saw 187.1% growth in Q4.

Financial services organizations were the most impersonated in Q4 for the second successive quarter. While phishers do impersonate big banks, Vade Secure notes that phishers are now favoring smaller financial institutions, which may not have such robust security controls in place to detect brand impersonation.

Vade Secure says there was a significant increase in phishing attacks impersonating note-taking services such as OneNote and Evernote, along with increases in fake OneDrive and SharePoint notifications that lead to webpages hosting phishing kits.


Slew of Email Security Breaches Reported by Healthcare Organizations

A further 5 healthcare data breaches of 500 or more records have recently been reported by HIPAA-covered entities and their business associates.

Email Account Breach Reported by Shields Health Solutions

Shields Health Solutions, a Stoughton, MA-based provider of specialty pharmacy services to hospitals and other covered entities, has discovered an unauthorized individual gained access to the email account of an employee and potentially viewed/copied protected health information.

Suspicious activity was detected in the email account of an employee on October 24, 2019. Assisted by a cybersecurity firm, Shields Health Solutions determined an unauthorized individual accessed the account between October 22 and October 24, 2019. The breach was confined to a single email account.

The email account contained messages and attachments that included patient names, dates of birth, medical record numbers, provider names, clinical information, prescription information, insurer names, and limited claims information. No evidence was uncovered that suggests patient information was accessed or copied.

Shields Health Solutions has since taken steps to improve email security, including implementing multi-factor authentication on all employee email accounts. Notification letters were sent to affected individuals on December 16, 2019. The incident has not yet appeared on the HHS’ Office for Civil Rights (OCR) breach portal so it is currently unclear how many individuals have been affected.

Lafayette Regional Rehabilitation Hospital Email Breach Impacts 1,360 Patients

Lafayette Regional Rehabilitation Hospital in Lafayette, IN, has discovered an unauthorized individual gained access to the email account of an employee in July 2019 and potentially viewed patients’ protected health information.

The breach was detected on November 25, 2019, prompting a thorough investigation to determine whether any patient information had been accessed by unauthorized individuals. No evidence was found to indicate patient information was viewed or copied, but the possibility could not be ruled out. The compromised account was found to contain names, dates of birth, and clinical and treatment information related to medical services received at the hospital. A limited number of patients also had their Social Security number exposed.

Notification letters were sent to affected patients on January 24, 2020. Individuals whose Social Security number was exposed have been offered complimentary credit monitoring services. Lafayette Regional Rehabilitation Hospital has since taken steps to improve email security and employees have had security awareness training reinforced.

The breach report submitted to the OCR indicates up to 1,360 patients were affected by the breach.

6,524 Individuals Impacted by Phishing Attack on MHMR of Tarrant County

My Health My Resources (MHMR) of Tarrant County in Fort Worth, TX, has experienced a phishing attack involving the email accounts of a small number of its employees. The phishing attack was detected on December 3, 2019.

The investigation revealed the accounts were accessed by an unauthorized individual between October 12 and October 14, 2019. Emails in the accounts were found to include names, Social Security numbers, driver’s license numbers, and some information about the care received at MHMR.

It was not possible to determine whether patient information was viewed, and no information has been received to suggest that any patient information has been misused. Out of an abundance of caution, all individuals whose information was stored in emails in the compromised accounts have been notified by mail. Individuals whose Social Security number or driver’s license number was exposed have been offered complimentary credit monitoring and identity theft protection services.

Additional email security training has now been provided to staff and steps have been taken to enhance its security infrastructure and systems.

Reva Phishing Attack Impacts 1,000 Patients

The medical transportation service provider, Reva, has announced that the protected health information of approximately 1,000 patients has potentially been accessed by an unauthorized individual as a result of a phishing attack.

Suspicious activity was detected in the email account of an employee on September 12, 2019. The account was secured and an investigation was launched, which revealed further email accounts had also been compromised. Those accounts had been subjected to unauthorized access between July 23, 2019 and September 13, 2019.

A review of the compromised accounts revealed they contained patients’ names, travel insurance information, dates of service, limited clinical information, passport numbers, driver’s license numbers, and a small number of Social Security numbers.

Complimentary credit monitoring and identity theft protection services have been offered to patients whose Social Security number or driver’s license number was exposed. Affected individuals were notified by mail on January 22, 2020.

Email security has been enhanced in response to the breach, multi-factor authentication has been implemented, and further security awareness training has been provided to employees.

Lawrenceville Internal Medicine Associates Email Error Exposed 8,031 Patients’ Email Addresses

Lawrenceville Internal Medicine Associates (LIMA) in Lawrence Township, NJ, is alerting 8,031 individuals about an email error that exposed patients’ email addresses. The error also impacted certain patients of Endocrinology Associates of Princeton, LLC.

An email announcement was sent to patients on October 29, 2019. Two days later, it was brought to the attention of LIMA that the email addresses of other patients may have been visible in the BCC field of the email. No other information was exposed as a result of the error.

Additional training has been provided to the IT department, email security policies and procedures have been strengthened, and LIMA has changed the email system used to send email communications to patients.


65% of U.S. Organizations Experienced a Successful Phishing Attack in 2019

The 2020 State of the Phish report from the cybersecurity firm Proofpoint shows 65% of U.S. organizations (55% globally) had to deal with at least one successful phishing attack in 2019.

For the report, Proofpoint drew data from a third-party survey of 3,500 working adults in the United States, United Kingdom, Australia, France, Germany, Japan and Spain, along with a survey of 600 IT security professionals in those countries. Data was also taken from 9 million suspicious emails reported by its customers and more than 50 million simulated phishing emails sent in the past year.

Infosec professionals believe the number of phishing attacks remained the same or declined in 2019 compared to the previous year. This confirms what many cybersecurity firms have found: phishing tactics are changing, and cybercriminals are now focusing on quality over quantity.

Standard phishing may have declined, but spear phishing attacks are more common. 88% of organizations said they faced spear phishing attacks in 2019 and 86% said they faced business email compromise (BEC) attacks.

Phishing attacks are most commonly conducted via email, but phishing via SMS messages (Smishing), social media sites, and voice phishing over the telephone (vishing) are also commonplace. 86% of respondents said they experienced a social media phishing attack in the past 12 months, 84% experienced a smishing attack, and 83% experienced a voice phishing attack.

Source: Proofpoint State of the Phish Report, 2020.

Proofpoint’s report indicates there has been a decline in ransomware attacks since 2017, but IT professionals reported an increase in ransomware infections via phishing emails. This is due to the rise in popularity of ransomware-as-a-service, which allows individuals without the skills to develop their own ransomware variants to conduct attacks using ransomware developed by others.

When a ransomware attack is suffered, paying the ransom does not guarantee recovery of encrypted data. Only 69% of companies that paid the ransom regained access to their data after the first payment. 7% were issued with further demands which they refused to pay, resulting in data loss. 2% paid those extra demands and regained access to their files, and 22% said they did not recover data encrypted in the attacks.

Layered defenses are essential for combatting the threat from phishing, malware, and ransomware, but Proofpoint points out that technical defenses only go so far. What is also required is regular security awareness training for the workforce.

“We recommend taking a people-centric approach to cybersecurity by blending organization-wide awareness training initiatives with targeted, threat-driven education. The goal is to empower users to recognize and report attacks,” said Joe Ferrara, senior vice president and general manager of security awareness training for Proofpoint.

95% of surveyed organizations said they provide security awareness training to the workforce and 94% of those that do provide training more frequently than once a year. The figures are good, but there is still considerable room for improvement. Only 60% of companies that provide training do so through formal cybersecurity education and 30% said they only provide training to a portion of their user base.

Training certainly appears to be having a positive effect, as there was a 67% increase in reported phishing emails in 2019 compared to 2018, so employees are taking training on board, are getting better at identifying threats, and are taking the correct action – reporting suspicious emails to their security teams.


SpamTitan Top Rated AntiSpam Solution on Business Software Review Sites

The 2018 Verizon Data Breach Investigations Report showed phishing to be the primary method used by cybercriminals to infect healthcare networks with malware and steal financial information. Email was the attack vector in 96% of healthcare data breaches according to the report.

All it takes is for one employee to respond to a phishing email for a data breach to occur, so it is essential for a powerful email security solution to be deployed that will catch phishing emails, malware, ransomware, and other email-based threats.

Email security solutions can vary considerably from company to company. Some may be excellent at blocking email threats but can be difficult to use, others may fall short at detecting zero-day threats, and some fail to block many spam and phishing emails. All of the companies offering email security solutions claim that their products provide excellent protection, so selecting the best solution for your organization can be a challenge. Making the wrong decision can be a costly mistake.

When choosing an email security solution, third party review sites are a godsend and can save you a lot of time in your search. Well respected business software review sites allow verified users of software solutions to provide their feedback on products and let other businesses know which are easy to implement, easiest to use, which are most effective at blocking threats and which companies provide great support when help is required.

It pays to check several different review sites to find the top-rated email security solutions by end users. Our search has highlighted one solution that is consistently rated highly across the leading review platforms: SpamTitan from TitanHQ.

Listed below are some of the many positive reviews from users of SpamTitan Email Security across the top review platforms:

G2 Crowd

G2 Crowd is the largest tech marketplace for business software. The site is used by IT decision makers to learn more about software solutions to help them realize their potential and protect their networks from the full range of cybersecurity threats.

On the G2 Crowd platform, SpamTitan is the top-rated email security solution with scores of 9.0 out of 10 for ease of admin, 9.1 for ease of use, 9.2 for ease of setup and quality of support, and 9.3 for ease of doing business with and meets requirements. The scores are based on 139 reviews from verified users. Across all reviews, SpamTitan achieved a score of 4.6 out of 5.

“I really like the customization that is available for this product. We have total control over the spam filter environment for all our customers. The environment is stable which is very important to us and our customers. The support staff was great when we were getting our environment configured. They were quick to reply to emails and reach out to assist us as needed. The spam filtering is top-notch and much better than other products we have used,” said Jeff Banks, Director of Technology.

Gartner Peer Insights

Gartner Peer Insights is a peer review site that is rigorously vetted by the leading research and advisory company, Gartner. Gartner provides impartial advice on the top software solutions without bias and with no hidden agenda. Gartner Peer Insights contains only real reviews from real business IT users.

SpamTitan has been rated by 112 users and achieved an average review score of 4.9 out of 5.

“TitanHQ claims that SpamTitan “blocks 99.9% of spam, viruses, and other threats that come through” and I can’t argue against it. It’s been running on my machines for a couple of years now and works very well. Rarely does anything useless go through to my inbox.” Information Technology Specialist, Healthcare Industry.

Capterra

Capterra is an online marketplace vendor founded in 1999 and bought by Gartner in 2015. Capterra serves as an intermediary between software buyers and sellers and is one of the leading sites where decision makers can find out more about software solutions from verified users.

There are 379 reviews of SpamTitan on Capterra. SpamTitan received an overall score of 4.6 out of 5 with individual scores of 4.4 for ease of use, 4.4 for features, 4.5 for value for money, and 4.6 for customer service.

“Overall, we are very happy with the product and the customer support. We did have to put some time into this product but now we have a custom-fit solution, with fault-tolerance (two servers at two locations, both locations have both internet and private WAN access to the Exchange server) and we’re saving thousands of dollars versus the managed solution we used to use. We can tighten things up if we wish, we have a lot of flexibility with this product. I rate it an excellent value. So much power, flexibility and fault-tolerance, for so little money.” Mike D Shields, Director of IT and Telecom.

“It’s as close to “set it and forget it” as you can come in the IT field. Right out of the box support helped me set everything up in less than 20 minutes, no hardware to worry about, nothing like that. Literally all I have to do is check to see if something was blocked incorrectly once in a while, white list it, and done. I’ve been using SpamTitan for almost a year and in that time we have blocked over 200k spam/malicious emails for a 30 person company before they even hit employee mailboxes. I shut off the service for 48 hours just to make sure it was legit, it was, and I haven’t shut it off again since.” Benjamin Jones, Director Of Information Technology

Google Reviews

112 business users of SpamTitan have submitted reviews of SpamTitan to Google. The email security solution achieved an average score of 4.9 out of 5.

“The Titan Spam filter is by far one of the best email filters I have ever used. It was simple to setup, it allows users to release their own emails from quarantine quick and easy. Thank you for making such a great quality product, and for having excellent technical support.” Joseph Walsh.

“Great product. Spam reduced to almost zero and no user complaints. Configuration is simple and support is awesome. Love it!” George Homme

Software Advice

379 users have left reviews of SpamTitan on the business software review site Software Advice. The solution achieved an average score of 4.58 out of 5.

“Our previous product was not stable and didn’t filter out spam as well as we wanted. This tool exceeds our expectations!” Jeff, CatchMark Technologies.

Spiceworks

Spiceworks is a professional network specifically for information technology professionals, providing educational content, product reviews, and feedback from software users. Members of the Spiceworks community similarly rate SpamTitan very highly. The solution has been reviewed by 56 members and has achieved an average score of 4.6 out of 5.

SpamTitan is also the top-rated email security solution on SpamTitanReviews, with a score of 4.9 out of 5.


Microsoft Issues Advice on Defending Against Spear Phishing Attacks

Cybercriminals conduct phishing attacks by sending millions of messages indiscriminately in the hope of getting a few responses, but more targeted attacks can be far more profitable.

There has been an increase in these targeted attacks, which are often referred to as spear phishing. Spear phishing attacks have doubled in the past year according to figures from Microsoft. Between September 2018 and September 2019, spear phishing attacks increased from 0.31% of email volume to 0.62%.

The volume may seem low, but these campaigns are laser-focused on specific employees and they are often very effective. The emails are difficult even for security-conscious employees to recognize, and many executives, and even IT and cybersecurity staff, fall for these campaigns. The emails are tailored to a specific individual or small group of individuals in a company, they are often addressed to that individual by name, appear to come from a trusted individual, and often lack the signs of phishing present in more general phishing campaigns.

These attacks are more profitable as some credentials are more valuable than others. Spear phishing campaigns often target Office 365 admins. Their accounts can allow an attacker to gain access to the entire email system and huge quantities of sensitive data. New accounts can be set up on a domain with admin credentials, and those accounts can be used to send further phishing emails. New accounts are only used by the attacker, so there is a lower chance of the malicious email activities being discovered.

Spear phishers also seek the credentials of executives, as they can be used in business email compromise attacks in which employees with access to company bank accounts are tricked into making fraudulent wire transfers. Fraudulent wire transfers of tens of thousands, hundreds of thousands, or even millions may be made, malware can be installed, or the attacker can gain access to large quantities of highly sensitive data.

Spear phishers spend time researching their targets on social media networks and corporate websites. They learn about relationships between employees and different departments and impersonate other individuals in the company. They may even already have compromised one or more company email accounts in past phishing campaigns before going for the big phish on a big fish in the company. This is often referred to as a whaling attack. Spear phishing emails are often professional, credible, and are difficult to identify by end users.

As difficult as these spear phishing emails are to spot, there are steps that healthcare organizations can take to reduce risk. Many of these measures are the same as the steps that need to be taken to detect and block more general phishing campaigns.

The best place to start is with employee education. Security awareness training should be provided to everyone in the organization who uses email. Many of these spear phishing attacks start with a more general phishing campaign to gain a foothold in the email system.

The CEO and executives must also be trained, as they are the big fish that the spear phishing campaigns most commonly target. Any individual with access to corporate bank accounts or highly sensitive information should be given more training, and the training should be role-specific and cover the threats they are most likely to encounter.

Employees should be taught not just to check the displayed sender name of an email, but to look at the actual sender address to see if something is not quite right. Phishing emails usually convey a sense of urgency and usually carry a “threat” if no action is taken (the account will be closed or suspended).

They often contain out-of-band requests that go against company policy such as fast-tracking payments, sending unusual data via email, or bypassing usual checks or procedures. The messages often contain unusual language or inconsistent wording.
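The warning signs described in the two paragraphs above (a display name that does not match the sender address, a lookalike domain, a Reply-To that diverts responses elsewhere, urgency, and out-of-band requests) can be automated as a first-pass triage before a human looks at a reported message. The following Python example is added here and is not from Microsoft or HIPAA Journal; the trusted domain example-health.org, the cue phrase lists, and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions: the trusted domain and all cue lists are constructed for this example;
# replace them with your own domains and the phrases your finance/admin teams actually see.
TRUSTED_DOMAINS = {"example-health.org"}
URGENCY_CUES = ("urgent", "immediately", "within 24 hours", "will be suspended",
                "will be closed", "final notice")
OUT_OF_BAND_CUES = ("wire transfer", "gift card", "new bank details", "bypass",
                    "keep this confidential")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str) -> bool:
    if domain == trusted or domain.endswith("." + trusted):
        return False  # the real domain or one of its own subdomains
    # near-miss spelling (examp1e-health.org) or the trusted name buried in another domain
    return edit_distance(domain, trusted) <= 2 or trusted in domain


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_headers(raw: str) -> list[str]:
    """Return human-readable reasons a message looks like spear phishing (empty if none)."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    squashed_name = re.sub(r"[^a-z0-9]", "", name.lower())
    for trusted in TRUSTED_DOMAINS:
        label = re.sub(r"[^a-z0-9]", "", trusted.split(".")[0])
        if label in squashed_name and from_domain != trusted:
            reasons.append(f"display name claims {trusted} but address is @{from_domain}")
        if is_lookalike(from_domain, trusted):
            reasons.append(f"sender domain {from_domain} resembles {trusted}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_domain:
        reasons.append(f"Reply-To goes to @{_domain(reply)}, not the sender domain")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    hits = [c for c in URGENCY_CUES if c in text]
    if hits:
        reasons.append("urgency cues: " + ", ".join(hits))
    hits = [c for c in OUT_OF_BAND_CUES if c in text]
    if hits:
        reasons.append("out-of-band request cues: " + ", ".join(hits))
    return reasons


# Constructed samples (not real messages): a lookalike domain, mismatched Reply-To and an
# urgent wire request, versus an ordinary internal message.
SUSPICIOUS = """\
From: "Dr. Amy Lee - Example Health CFO" <amy.lee@examp1e-health.org>
Reply-To: <payments@mail-relay.example>
To: accounts@example-health.org
Subject: URGENT: vendor wire transfer before 5pm

Please process the wire transfer within 24 hours and keep this confidential until I return.
"""

BENIGN = """\
From: "Amy Lee" <amy.lee@example-health.org>
To: accounts@example-health.org
Subject: Lunch agenda

Agenda for Thursday attached. Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, analyze_headers(sample) or ["no findings"])
```

These heuristics are deliberately cheap and will produce false positives on legitimate mail that happens to use urgent wording; their value is in ranking reported messages for the security team and in feeding the same signals back into training, not in blocking mail on their own.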

When suspicious emails are received, there should be an easy mechanism for employees to report them to their security teams. A one-click email add-on for reporting messages is useful. Spear phishing campaigns are often sent to key people in a department simultaneously, so speaking to peers about messages is also useful. Policies should also be implemented that require checks to be performed before any large bank transfers are made. It should be company policy to double check atypical requests by phone, for instance.

Technical measures should also be introduced to detect and block attacks. An advanced spam filtering solution is a must; do not rely on Exchange Online Protection alone with Office 365. Microsoft’s Advanced Threat Protection or a third-party solution for Office 365 should be implemented, preferably one that incorporates sandboxing, DMARC, and malicious URL analysis.
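DMARC only helps if the policy your own domain publishes tells receivers to reject or quarantine; a record with p=none is monitoring only and spoofed mail using your domain is still delivered. The following Python checker is an added example (not Microsoft’s guidance or the page’s own code) that parses a DMARC TXT record and lists the settings that leave spoofing unblocked or reports unread. The two records, and the domain example-health.org, are constructed for the example.

```python
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (tag names lower-cased)."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    return tags


def dmarc_weaknesses(record: str) -> list[str]:
    """Return the reasons a record would let spoofed mail through or hide abuse from you."""
    tags = parse_dmarc(record)
    issues = []
    p = tags.get("p", "").lower()
    if p not in POLICY_RANK:
        issues.append("p= tag missing or invalid; receivers will ignore the record")
        return issues
    if p == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    sp = tags.get("sp", p).lower()  # subdomain policy defaults to p
    if POLICY_RANK.get(sp, -1) < POLICY_RANK[p]:
        issues.append(f"sp={sp} is weaker than p={p}; subdomains can be spoofed")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        issues.append(f"pct={pct}: policy enforced on only part of the failing mail")
    if "rua" not in tags:
        issues.append("no rua= address; aggregate reports about abuse of the domain go nowhere")
    return issues


# Constructed records for a fictitious domain (not from the page). The first is the
# typical "we set up DMARC" record that enforces nothing; the second is the corrected form.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
CORRECTED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                    "rua=mailto:dmarc-agg@example-health.org; "
                    "ruf=mailto:dmarc-forensic@example-health.org; fo=1")

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("corrected", CORRECTED_RECORD)):
        print(label, dmarc_weaknesses(rec) or ["ok"])
```

Run it against the TXT record at _dmarc.yourdomain (dig TXT _dmarc.yourdomain) before assuming a filtering product’s DMARC support protects you; the product can only act on what the sending domain publishes, and moving from p=none to p=reject should be done after SPF and DKIM alignment has been confirmed from the aggregate reports.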

Multi-factor authentication is also essential. MFA blocks more than 99.9% of email account compromise attacks. If credentials are compromised in an attack, MFA can prevent them from being used by the attacker.

Spear phishing is the principal way that cybercriminals attack organizations and it often gives them the foothold they need for more extensive attacks on the organization. Spear phishing is a very real threat. It is therefore critical that organizations take these and other steps to combat attacks.


October 2019 Healthcare Data Breach Report

There was a 44.44% month-over-month increase in healthcare data breaches in October. 52 breaches were reported to the HHS’ Office for Civil Rights in October. 661,830 healthcare records were reported as exposed, impermissibly disclosed, or stolen in those breaches.

This month takes the total number of breached healthcare records in 2019 past the 38 million mark. That equates to 11.64% of the population of the United States.

Largest Healthcare Data Breaches in October 2019

| Breached Entity | Entity Type | Individuals Affected | Type of Breach |
| --- | --- | --- | --- |
| Betty Jean Kerr People's Health Centers | Healthcare Provider | 152,000 | Hacking/IT Incident |
| Kalispell Regional Healthcare | Healthcare Provider | 140,209 | Hacking/IT Incident |
| The Methodist Hospitals, Inc. | Healthcare Provider | 68,039 | Hacking/IT Incident |
| Children's Minnesota | Healthcare Provider | 37,942 | Unauthorized Access/Disclosure |
| Tots & Teens Pediatrics | Healthcare Provider | 31,787 | Hacking/IT Incident |
| University of Alabama at Birmingham | Healthcare Provider | 19,557 | Hacking/IT Incident |
| Prisma Health – Midlands | Healthcare Provider | 19,060 | Hacking/IT Incident |
| South Texas Dermatopathology Laboratory | Healthcare Provider | 15,982 | Hacking/IT Incident |
| Central Valley Regional Center | Business Associate | 15,975 | Hacking/IT Incident |
| Texas Health Harris Methodist Hospital Fort Worth | Healthcare Provider | 14,881* | Unauthorized Access/Disclosure |

The largest healthcare data breach in October was reported by Betty Jean Kerr People’s Health Centers and was the result of a ransomware attack. At the time of issuing notifications, files that were encrypted in the attack remained locked. The decision was taken not to pay the ransom demand, but it was not possible to restore files from backups. Those files contained the health information of 152,000 patients.

The Kalispell Regional Healthcare data breach was due to a May 2019 phishing attack. An initial investigation did not uncover the extent of the breach. The forensic investigation revealed in August that the health information of up to 140,209 patients may have been accessed.

The Methodist Hospitals, Inc. data breach was also the result of a phishing attack. The incident was reported in October, but the initial email account compromise occurred in March 2019. Two accounts were breached for a total of four months.

South Texas Dermatopathology Laboratory is the latest healthcare organization to report that its patients were impacted by the data breach at the collection agency AMCA. Its 15,982 records take the total number of individuals impacted by the AMCA breach to 26,059,725.

*Also of note is the data breach at Texas Health Resources. The breach makes the top 10 list of the most healthcare records exposed, but the breach was more far reaching than the table above shows. The Texas Health data breach involved a total of 82,577 records, but the breach was reported to the HHS’ Office for Civil Rights as 15 separate breaches, with one breach report submitted for each of its affected facilities. Had the incident been reported as a single incident, the month’s total would stand at 38 breaches – two more than September.

Causes of October 2019 Healthcare Data Breaches

There were 18 hacking/IT incidents reported in October involving 501,847 healthcare records. The average breach size was 27,880 records and the median breach size was 9,413 records.

There were 28 reported unauthorized access/disclosure incidents involving a total of 134,775 records. The mean breach size was 4,813 records and the median breach size was 2,135 records. Those incidents include the 15 separate breach reports from Texas Health Resources.

There were 5 loss/theft incidents involving 13,454 records. The mean breach size was 2,691 records (13,454 divided by 5) and the median breach size was 2,752 records. One improper disposal incident was reported involving 11,754 records.

Location of Breached Health Information

Phishing continues to cause problems for healthcare organizations. Not only are healthcare providers struggling to block phishing attacks, they are also slow to detect the attacks that do succeed. Several phishing attacks have been reported that took weeks to discover.

Multi-factor authentication can help to reduce the risk of stolen credentials being used by cybercriminals to access corporate email accounts, yet many healthcare organizations only implement this important security measure after a phishing attack has occurred.

This high number of “other” breaches is due to the mailing error at Texas Health, which accounts for 15 of the 19 incidents in the other category.

The majority of the network server breaches were due to ransomware attacks, which include the largest healthcare data breach of the month. That breach highlights just how important it is to ensure that a viable backup copy of all data is created, that the backup is tested to make sure data recovery is actually possible, and that at least one backup copy is kept on a non-networked device that is not exposed to the internet: ransomware that can reach a backup over the network will encrypt it along with everything else.

October 2019 Data Breaches by Covered Entity Type

Healthcare providers were the worst affected by data breaches in October with 45 reported incidents. Three breaches were reported by health plans, and four breaches were reported by business associates of HIPAA-covered entities. A further four breaches also had some business associate involvement but were reported by the covered entity.

October 2019 Healthcare Data Breaches by State

October saw healthcare organizations and business associates in 24 states report data breaches. With 15 breach reports coming from Texas Health, Texas was unsurprisingly the worst affected state with 17 incidents.

There were 4 breaches reported by entities based in Ohio, three breaches reported in California, and two breaches reported in each of Arkansas, Florida, Louisiana, Maryland, New Mexico, South Carolina, and Virginia. A single breach was reported in each of Alabama, Arizona, Georgia, Illinois, Indiana, Kentucky, Minnesota, Missouri, Mississippi, Montana, New York, Oregon, South Dakota, and Washington.

HIPAA Enforcement Actions in October 2019

A further two financial penalties for HIPAA violations were announced by the HHS' Office for Civil Rights in October: one settlement and one civil monetary penalty.

OCR launched an investigation of Elite Dental Associates following a complaint from a patient who had some of her PHI publicly disclosed in response to a Yelp review. OCR found she was not the only patient to have had PHI disclosed in that manner. OCR also determined that the practice’s notice of privacy practices did not include sufficient information and was therefore not compliant with the HIPAA Privacy Rule. Elite Dental Associates agreed to settle its HIPAA violation case with OCR for $10,000.

OCR launched an investigation of Jackson Health System following the disclosure of PHI in the media. A photograph of an operating room display had been published which contained the health information of two individuals, including a well-known NFL star. The OCR investigation uncovered multiple Privacy Rule, Security Rule, and Breach Notification Rule violations spanning several years. OCR imposed a civil monetary penalty of $2,154,000 on Jackson Health System.

The post October 2019 Healthcare Data Breach Report appeared first on HIPAA Journal.

Phishing Attacks at Highest Level Since 2016

According to the Q3, 2019 Phishing Activity Trends Report from the Anti-Phishing Working Group, phishing attacks are now occurring at a rate not seen since 2016.

266,387 unique phishing sites were detected in Q3, 2019, an increase of 46% from Q2, 2019. Almost twice the number of phishing sites were detected in Q3, 2019 than in the last quarter of 2018.

APWG received data on 277,693 unique phishing campaigns from its members. That is the highest number of detected phishing campaigns since Q4, 2016. APWG also collates information from phishing attacks reported by consumers and the general public. 122,359 unique reports were received from the public in Q3, 2019, up 9.09% from Q2.

The phishing campaigns detected in Q3, 2019 impersonated more than 400 different companies, up from 313 in Q2, 2019. The types of company most commonly impersonated in the attacks are webmail and software-as-a-service providers. The main aim of the attacks on these firms is to obtain credentials that can be used to gain access to corporate email and SaaS accounts. The targets of attacks are largely unchanged from previous quarters.

Many attacks are focused on obtaining Office 365 credentials. Stolen Office 365 credentials are extremely valuable to Business Email Compromise (BEC) scammers. Once access is gained to a corporate email account, it is used to send further phishing emails to other individuals in the breached organization. The aim of many attacks is to gain access to the CEO’s email account or the account of another executive. Those accounts are then used to send emails to individuals with access to corporate bank accounts to request wire transfers and payroll changes.

While CEO fraud is still common, there has been a shift in tactics, and vendors and suppliers are now being targeted much more often. A single CEO fraud scam may yield a larger payment, but attacks on vendors and suppliers can be more lucrative overall, because one compromised vendor or supplier account lets the attacker target all of that vendor's customers.

The attackers often spend a considerable amount of time gathering information on potential targets before the BEC attacks commence. During the research phase, mailbox rules are often set up to forward all emails sent to and from the compromised accounts to the attackers. The attackers learn about potential targets, typical invoice amounts, and normal payment dates to maximize the chance of success. Following an email account compromise, it can be several weeks or months before the account is used for BEC attacks.
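Those forwarding rules are the most durable artifact an account takeover leaves behind, and they are the reason the phishing breaches in the October report above went undetected for months. As an added example (not from the HIPAA Journal post or from Microsoft), the hunt below flags rule-creation and mailbox-forwarding events whose target lies outside the organization. The records are constructed to resemble Office 365 unified audit log entries for the New-InboxRule, Set-InboxRule and Set-Mailbox operations, with the parameter names those operations use, but every event, address and IP is invented, the target addresses are simplified to plain SMTP strings, and INTERNAL_DOMAINS is an assumption about the organization.

```python
"""Hunt for attacker-created mail forwarding: added example, not part of
the HIPAA Journal post. The audit records below are constructed; field
names follow the Office 365 unified audit log shape for inbox-rule and
mailbox changes, but the events themselves are invented.
"""
import json
from typing import Dict, List

INTERNAL_DOMAINS = {"hospital.example"}  # assumption: the organization's own domains

# Parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}

# Constructed audit records (JSON lines), one per line as an export would give them.
SAMPLE_LOG = [
    json.dumps({"CreationTime": "2019-10-02T03:14:07", "Operation": "New-InboxRule",
                "UserId": "jdoe@hospital.example", "ClientIP": "203.0.113.9",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "collector@mail.example.net"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2019-10-02T09:30:00", "Operation": "New-InboxRule",
                "UserId": "asmith@hospital.example", "ClientIP": "198.51.100.4",
                "Parameters": [{"Name": "Name", "Value": "File vendor invoices"},
                               {"Name": "MoveToFolder", "Value": "Invoices"}]}),
    json.dumps({"CreationTime": "2019-10-03T11:05:22", "Operation": "Set-Mailbox",
                "UserId": "admin@hospital.example", "ObjectId": "cfo@hospital.example",
                "ClientIP": "198.51.100.7",
                "Parameters": [{"Name": "ForwardingSmtpAddress",
                                "Value": "smtp:cfo@hospital.example"}]}),
    json.dumps({"CreationTime": "2019-10-04T22:41:13", "Operation": "Set-InboxRule",
                "UserId": "cfo@hospital.example", "ClientIP": "192.0.2.77",
                "Parameters": [{"Name": "Identity", "Value": "Payments"},
                               {"Name": "RedirectTo", "Value": "cfo.hospital@gmail.example"},
                               {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"}]}),
]


def _domain(addr: str) -> str:
    """Domain part of an address, tolerating the 'smtp:' prefix Set-Mailbox uses."""
    addr = addr.lower().strip()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return addr.rsplit("@", 1)[-1]


def find_external_forwarding(lines: List[str]) -> List[Dict]:
    """Return one finding per event that forwards or redirects mail to an
    external domain, escalated when the rule shows BEC staging traits."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = [params[k] for k in sorted(FORWARDING_PARAMS) if k in params]
        external = [t for t in targets if _domain(t) not in INTERNAL_DOMAINS]
        if not external:
            continue
        reasons = []
        # The victim never sees the forwarded mail if it is also deleted.
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("deletes forwarded mail")
        # Attackers name rules "." or "," so they are invisible in the rule list.
        name = params.get("Name")
        if name is not None and len(name.strip()) <= 1:
            reasons.append("near-empty rule name")
        # Rules keyed on payment vocabulary are invoice-fraud preparation.
        if "SubjectContainsWords" in params:
            reasons.append("keyed on subject words: " + params["SubjectContainsWords"])
        findings.append({
            "time": rec["CreationTime"],
            "mailbox": rec.get("ObjectId", rec["UserId"]),  # Set-Mailbox acts on ObjectId
            "operation": rec["Operation"],
            "targets": external,
            "client_ip": rec.get("ClientIP"),
            "severity": "critical" if reasons else "high",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_LOG):
        print(json.dumps(finding))
```

Run against a real export, the same query belongs in a scheduled detection rather than a one-off hunt, and any hit from an IP that is not the organization's should trigger a password reset, session revocation and MFA enrollment for that mailbox, with the rule removed only after the forwarded messages have been captured as evidence.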

Another growing trend is a shift from wire transfer requests to gift card scams. Wire transfer requests in Q3, 2019 ranged from $2,530 to $850,790. The average payment was $52,325 and the median payment was $24,958. The average gift card scam was for $1,571, with scams requesting between $200 and $8,000.

The returns from gift card scams may be lower, but it is much easier for the scammers to cash out and they offer greater anonymity. Fraudulent bank transfers are often questioned, payments can be reversed, and money mules are required. In Q3, 2019, 56% of all BEC attacks involved gift cards, 25% involved payroll diversion, and 19% involved direct bank transfers.

In Q3, SaaS and webmail accounted for 33% of attacks, followed by the payment industry (e.g PayPal) with 21% of attacks, and financial institutions (19%). Attacks on cloud storage and file hosting sites were far less popular.

An increasing number of companies have switched from HTTP to HTTPS, and consumers are now much more likely to check that a website starts with HTTPS before disclosing sensitive information such as login credentials. Cybercriminals have had to follow suit. In Q3, 68% of phishing sites were hosted on HTTPS, up from 54% in Q2, 2019. The padlock only shows that the connection to the site is encrypted, not that the site is legitimate, so it should never be taught as a sign that a page is safe to log in to.

The post Phishing Attacks at Highest Level Since 2016 appeared first on HIPAA Journal.