TimisoaraHackerTeam Ransomware Group Linked to Recent Attack on U.S. Cancer Center

An alarm has been sounded about a relatively unknown threat group called TimisoaraHackerTeam following a recent attack on a U.S. medical facility. TimisoaraHackerTeam is believed to be a financially motivated threat group which, in contrast to many cybercriminal and ransomware groups, has no qualms about attacking the healthcare and public health (HPH) sector. It appears to actively target HPH sector organizations, mainly large ones. The group was first identified in July 2018 but has largely stayed under the radar.

According to the Healthcare Sector Cybersecurity Coordination Center (HC3), which issued the alert on June 16, the group has resurfaced and conducted a June 2023 ransomware attack on a U.S. cancer center which rendered its digital services unavailable, put the protected health information of patients at risk, and significantly reduced the ability of the medical center to provide treatment for patients.

The group exploits known vulnerabilities to gain initial access to HPH sector networks, then escalates privileges, moves laterally, and encrypts files. Rather than custom ransomware, the group uses Microsoft’s native disk encryption tool, BitLocker, along with Jetico’s BestCrypt. Because these are legitimate encryption tools, the group can encrypt files without being detected by security solutions. Previous attacks loosely attributed to TimisoaraHackerTeam include an attack on a French hospital in April 2021, which involved similar living-off-the-land tactics, and an attack on Hillel Yaffe Medical Center in Israel, which resulted in the cancellation of non-elective procedures and forced the medical center to switch to alternative systems to continue providing patient care.

According to the cybersecurity firm Varonis, the attack on Hillel Yaffe Medical Center in Israel is thought to have involved the exploitation of a known and unpatched vulnerability in the Pulse Secure VPN, with the hackers then using living-off-the-land techniques for the later stages of the attack to evade security solutions. Varonis says reports of attacks by TimisoaraHackerTeam mostly date to 2018, and while it is possible that the group has resurfaced, the DeepBlueMagic threat group may be an evolution of TimisoaraHackerTeam, or may simply have adopted the same tactics. The same tactics have also been used by hackers in China, with those attacks attributed to an advanced persistent threat group tracked as APT41, although it is unclear to what extent, if any, these threat actors are linked.

In addition to exploiting Pulse Secure VPN vulnerabilities, TimisoaraHackerTeam has targeted vulnerabilities in Microsoft Exchange Server and Fortinet firewalls, and uses poorly configured Remote Desktop Protocol (RDP) to move laterally within networks. The recent attack on the cancer center serves as a warning that the group is still active, and that network defenders should take steps to improve monitoring and protect their networks from attacks. Further details on the group and its tactics, techniques, and procedures can be found in the HC3 HPH Sector Cybersecurity Notification.
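The two behaviours described above (encryption with legitimate tools such as BitLocker and BestCrypt, and lateral movement over RDP) are both visible in ordinary endpoint and logon telemetry. The following Python sketch is an added example of detection logic for them; it is not code from HC3, Varonis, or HIPAA Journal. The pipe-delimited log format and the sample lines are constructed for this example and do not correspond to a real Windows event format; the BestCrypt rule matches on the product name in the image path, the list of policy-managed hosts, and the RDP fan-out threshold and window are all assumptions a real deployment would tune.

```python
"""Detection sketch for living-off-the-land encryption and RDP fan-out.

Added illustration, not HC3's or HIPAA Journal's code. The log format is
constructed: timestamp|host|event|subject|detail, where for 'proc' events the
subject is the user and the detail is the command line, and for 'rdp_logon'
events the subject is the source IP and the detail is the account used.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs).
SAMPLE_LOG = """\
2023-06-09T08:30:00|LT05|proc|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\manage-bde.exe -on C: -UsedSpaceOnly
2023-06-09T09:00:00|WS17|rdp_logon|10.0.9.8|CORP\\jdoe
2023-06-10T00:40:00|FS01|rdp_logon|10.0.5.23|CORP\\svc_backup
2023-06-10T00:41:30|DB02|rdp_logon|10.0.5.23|CORP\\svc_backup
2023-06-10T00:43:00|APP03|rdp_logon|10.0.5.23|CORP\\svc_backup
2023-06-10T00:44:10|HR04|rdp_logon|10.0.5.23|CORP\\svc_backup
2023-06-10T01:02:11|FS01|proc|CORP\\svc_backup|C:\\Windows\\System32\\manage-bde.exe -on D: -RecoveryPassword -UsedSpaceOnly
2023-06-10T01:02:40|FS01|proc|CORP\\svc_backup|powershell.exe -nop -c Enable-BitLocker -MountPoint E: -RecoveryPasswordProtector
2023-06-10T01:03:05|DB02|proc|CORP\\svc_backup|C:\\Users\\Public\\BestCrypt\\BestCrypt.exe
2023-06-10T01:10:00|LT05|proc|CORP\\it_admin|C:\\Windows\\System32\\manage-bde.exe -status C:
"""

ENCRYPTION_PATTERNS = [
    # BitLocker turned on from the command line: manage-bde -on <volume>
    ("bitlocker_cli_enable", re.compile(r"manage-bde(\.exe)?\s+-on\b", re.I)),
    # BitLocker turned on via the PowerShell cmdlet
    ("bitlocker_ps_enable", re.compile(r"\bEnable-BitLocker\b", re.I)),
    # Jetico BestCrypt: matching on the product name in the path is an assumption
    ("bestcrypt_execution", re.compile(r"bestcrypt", re.I)),
]


def parse_log(text):
    """Parse the constructed pipe-delimited format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, event, subject, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, "subject": subject, "detail": detail})
    return events


def detect_lolbin_encryption(events, policy_managed_hosts):
    """Flag encryption tooling on hosts where it is not expected.

    BitLocker being enabled on hosts the organisation enrols by policy is
    normal; the same command on a file or database server is not.
    """
    findings = []
    for ev in events:
        if ev["event"] != "proc":
            continue
        for rule, pattern in ENCRYPTION_PATTERNS:
            if not pattern.search(ev["detail"]):
                continue
            if rule.startswith("bitlocker") and ev["host"] in policy_managed_hosts:
                continue
            findings.append({"rule": rule, "host": ev["host"],
                             "subject": ev["subject"], "ts": ev["ts"].isoformat()})
    return findings


def detect_rdp_fanout(events, min_hosts=3, window=timedelta(minutes=30)):
    """Flag one source IP reaching many distinct hosts over RDP in a short window."""
    logons = defaultdict(list)
    for ev in events:
        if ev["event"] == "rdp_logon":
            logons[ev["subject"]].append((ev["ts"], ev["host"]))
    findings = []
    for src, items in logons.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            # Distinct hosts reached within `window` of this logon
            hosts = {h for t, h in items[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                findings.append({"rule": "rdp_fanout", "source": src,
                                 "hosts": sorted(hosts), "start": start.isoformat()})
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in detect_lolbin_encryption(evs, policy_managed_hosts={"LT05"}):
        print("ENCRYPTION", f)
    for f in detect_rdp_fanout(evs):
        print("LATERAL", f)
```

Run against the constructed sample, the encryption rule fires three times (two BitLocker enablements on FS01 and the BestCrypt execution on DB02) and ignores both the policy-managed laptop and the harmless `-status` query, while the RDP rule reports the single source that reached four servers within a few minutes. In a real environment the process events would come from Sysmon or Windows 4688 telemetry and the logons from 4624 logon-type-10 events, and the allowlist would be derived from the BitLocker policy scope.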

The post TimisoaraHackerTeam Ransomware Group Linked to Recent Attack on U.S. Cancer Center appeared first on HIPAA Journal.

24 State Attorneys General Confirm Support for Stronger HIPAA Protections for Reproductive Health Data

A coalition of 24 state attorneys general has written to the Department of Health and Human Services (HHS) to confirm their support for the proposed update to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to strengthen reproductive health information privacy.

Background

The decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization in June 2022 overturned Roe v. Wade and removed the federal right to abortion. Many states introduced their own laws banning or severely restricting abortion, and those laws permit criminal or civil penalties for anyone who seeks, provides, or assists with the provision of an abortion. Currently, 15 states have introduced almost total bans on abortion, and several others have restricted abortion or are in the process of introducing bans or restrictions. Idaho has also recently enacted an abortion trafficking law, which aims to restrict the ability of state residents to travel out of state to receive abortion care.

Following the Supreme Court decision, the HHS’ Office for Civil Rights (OCR) issued guidance to HIPAA-regulated entities on the HIPAA Privacy Rule and how it permits but does not require disclosures of reproductive health information if the disclosure is required by law or is for law enforcement purposes. OCR confirmed that if a patient in a state that has banned abortions informs their healthcare provider that they are seeking an abortion in a state where abortion is legal, the HIPAA Privacy Rule would not permit the healthcare provider to disclose that information to law enforcement in order to prevent the abortion.

OCR subsequently issued a notice of proposed rulemaking (NPRM) about a planned update to the HIPAA Privacy Rule to strengthen reproductive health data privacy further, which would make it illegal to share a patient’s PHI if that information is being sought for certain criminal, civil, and administrative investigations or proceedings against a patient in connection with a legal abortion or other reproductive care.

In response to the NPRM, a coalition of 24 state attorneys general recently wrote to HHS Secretary Xavier Becerra and OCR Director Melanie Fontes Rainer to confirm their support for the proposed HIPAA Privacy Rule changes. The coalition is led by New York Attorney General Letitia James, and the letter was signed by the attorneys general of Arizona, California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, Nevada, New Jersey, New York, New Mexico, North Carolina, Oregon, Pennsylvania, Rhode Island, Vermont, Washington, Wisconsin, and Washington D.C. The state AGs requested that HHS “move expeditiously to issue [the proposed rule] and apply the standard compliance date of 180 days after the effective date of the final rule.”

“No one should have to worry about whether their health care information will be kept private when they go to the doctor to get the care they need,” said Attorney General James. “While anti-choice state legislatures across the nation are stripping away our reproductive freedom and seeking access to health care data, it is imperative that we take every measure to safeguard Americans’ privacy. I will always fight to defend abortion and ensure no one’s private right to choose can be used against them.”

Recommendations to Further Strengthen Reproductive Health Information Privacy

In addition to confirming their support, the coalition commented on areas where the protections in the proposed rule could be strengthened further. The proposed Privacy Rule update adopts a broad definition of “reproductive health care” as a subcategory of health care; however, the state AGs recommend also creating a separate definition of “reproductive health,” to make clear that the update applies not only to providers of gynecological and/or fertility-related care but also to other HIPAA covered entities. This would help avoid any ambiguity about the types of health care covered by the proposed rule, and they recommend that examples of reproductive health care be incorporated into the regulatory text of the final rule.

The state AGs also call for HHS to define “birth” and “death” separately, in order to clarify that termination of pregnancy is not a public health reporting event and is therefore not subject to the HIPAA Privacy Rule reporting requirements. They also call for tightening of the language in the proposed rule, which prohibits use or disclosure “primarily for the purpose of investigating or imposing liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care.” There is concern that a different primary purpose could be manufactured as a pretext for obtaining PHI for a prohibited purpose. This potential loophole could be closed by dropping the word “primarily.”

Among the other recommendations are for HHS to ensure that requesters and providers receive adequate guidance on the attestation requirement of the proposed rule, which requires an attestation that the request is not being made to obtain reproductive health information in order to take legal action against an individual, and for HHS to create a nationally available online platform that provides patients with accurate and clear information on reproductive care and privacy rights, and to conduct a public awareness campaign to promote the website.

The post 24 State Attorneys General Confirm Support for Stronger HIPAA Protections for Reproductive Health Data appeared first on HIPAA Journal.

Kaiser Permanente Fined $450,000 for CMIA Violations Due to Mailing Error

Kaiser Permanente has been fined $450,000 by the California Department of Managed Health Care (DMHC) for impermissibly disclosing the confidential and protected health information (PHI) of up to 167,095 health plan members. Between October 2019 and December 2019, Kaiser Permanente sent 337,755 mailings to enrollees of its health plan; however, an error updating its electronic medical record system resulted in some mailings being sent to outdated addresses.

Kaiser Permanente was contacted by 8 individuals who said they had opened the packets but realized they were not the intended recipients, and 1,788 of the packets were returned unopened after the recipients realized they had been sent to the wrong addresses. The mailings were sent to 167,095 enrollees, and Kaiser Permanente could not be sure that those mailings had been received by the intended recipients, which meant thousands of enrollees’ PHI may have been impermissibly disclosed.

DMHC investigated the reported breach and determined there had been an unauthorized disclosure of medical information and negligent maintenance or disposal of medical information, both of which violated the California Confidentiality of Medical Information Act (CMIA). On November 11, 2019, Kaiser Permanente became aware of an error in its electronic medical record system that had resulted in a data breach, but failed to stop the mailings until December 20, 2019, 39 days after the error was discovered. As a result of that failure to act, a further 175,000 mailings were potentially sent to incorrect addresses.

In addition to the financial penalty, Kaiser Permanente has agreed to take corrective actions to prevent further data breaches of this nature, including updating its software systems, conducting periodic checks to confirm addresses are in sync, and performing system checks to ensure it is using the most current physical and/or mailing addresses. Kaiser Permanente will also work with its call center employees to confirm address information, will notify all affected individuals, and will provide refresher training to its staff on the legal standards of the Health Insurance Portability and Accountability Act (HIPAA) concerning the protection of PHI.

“Health plans must protect the confidentiality of enrollee records and maintain and dispose of medical information correctly,” said DMHC Director Mary Watanabe. “Kaiser Permanente agreed to take corrective actions to protect consumers’ confidential information and ensure this doesn’t happen again.”

The post Kaiser Permanente Fined $450,000 for CMIA Violations Due to Mailing Error appeared first on HIPAA Journal.