Harris Health Notifies Patients About 10-Year Insider Data Breach

Posted by Steve Alder

Harris Health in Texas has recently started notifying more than 5,000 patients that their electronic health records may have been impermissibly accessed by a former employee. Concerningly, the unauthorized access had been ongoing for a decade before it was identified.

Harris Health operates Ben Taub Hospital and Lyndon B. Johnson Hospital, and a network of 37 clinics, health centers, and specialty locations in and around Houston, Texas.  While notification letters are now being mailed to the affected individuals, the unauthorized access was detected on February 10, 2021. An investigation was launched to determine the extent of the employee’s HIPAA violation, with assistance provided by a nationally recognized digital forensics firm. The investigation confirmed unauthorized access to patient records from January 4, 2011, to March 8, 2021.

After confirming that patients’ medical records had been accessed without any legitimate work purpose, the employee was terminated, and the Federal Bureau of Investigation (FBI) was notified. Harris Health has been assisting with the investigation, which confirmed that the employee had disclosed some patient information to unauthorized individuals. The substitute breach notice on the Harris Health website doesn’t provide any indication as to why patients’ records were being accessed or the purpose of the disclosure of patient data.

Harris Health was unable to determine the specific patients whose protected health information was disclosed to other individuals, so notification letters are being sent to all individuals whose data may have been impermissibly disclosed. Notification letters were delayed at the request of law enforcement so as not to interfere with the investigation. While law enforcement requests to delay notifications are not unusual, a 4-year delay is unusually long. Typically, notifications are only delayed by a few weeks or months.

Data potentially accessed and disclosed includes demographic information such as names, dates of birth, addresses, email addresses, telephone numbers, and medical record numbers; clinical information such as diagnoses, medical history, medications, immunizations, dates of service, and provider names; health insurance information, and, for a limited number of individuals, Social Security numbers. Individuals whose Social Security numbers were involved have been offered complimentary credit monitoring and identity theft protection services.

All individuals potentially affected have been advised to monitor their explanation of benefits statements and should report any suspicious activity to their health insurer. Harris Health said it is providing further training to the workforce on the importance of protecting patient privacy, and additional tools have been implemented that allow proactive monitoring of employee access to patient records and provide enhanced auditing capabilities to help Harris Health identify unauthorized access more quickly in the future.

Under HIPAA, all employees should be provided with unique logins to allow their interactions with patient information to be tracked. Logs should be maintained to support investigations of unauthorized access to patient records, and those logs should be regularly reviewed. Regular reviews of access logs will help to limit the harm caused if employees impermissibly access patient records. HIPAA-covered entities should also ensure that they provide HIPAA training to their employees during onboarding, as well as annual refresher training sessions to remind employees of their responsibilities under HIPAA and the importance of protecting patient privacy.

The post Harris Health Notifies Patients About 10-Year Insider Data Breach appeared first on The HIPAA Journal.

Cl0p Mass Exploiting Zero-day Vulnerability in Oracle E-Business Suite

Posted by Steve Alder

A zero-day vulnerability in Oracle E-Business Suite is under active exploitation by the Cl0p ransomware group. The vulnerability is tracked as CVE-2025-61882 and has a CVSS base score of 9.8 out of 10. The flaw is present in the BI Publisher Integration component of Oracle’s Concurrent Processing product within the Oracle E-Business suite, and can be exploited remotely by an unauthenticated attacker, leading to remote code execution. The vulnerability can be exploited by an unauthenticated attacker with network access via HTTP and will allow Oracle Concurrent Processing to be compromised.

Google’s Threat Intelligence Group and Mandiant first warned about attacks exploiting the vulnerability on October 2, 2025, when organizations started reporting that they had received demands for payment from the Cl0p threat group. Oracle published a security advisory about the vulnerability on October 4, 2025, and released a patch to fix the flaw. CrowdStrike believes with moderate confidence that a threat group tracked as Graceful Spider is mass exploiting the vulnerability.

Graceful Spider is a Russia-linked threat group known to conduct attacks with the Cl0p group. The vulnerability has been exploited in the wild since at least August 9, 2025, and a proof-of-concept exploit for the vulnerability has been published by the threat group Scattered LAPSUS$ Hunters. The threat intelligence firm WatchTowr has confirmed that the PoC exploit is real. Since valid exploit code is in the public domain, it is possible that multiple threat groups are now exploiting the vulnerability. WatchTowr reports that the exploit chain involves five separate bugs to achieve pre-authentication remote code execution, including some that were patched by Oracle in its July 2025 Critical Patch Update. WatchTowr explained that the exploit demonstrates a high level of skill and effort.

The vulnerability affects Oracle E-Business Suite versions 12.2.3 to 12.2.14, and may also exist in older, unsupported versions. Any organization that has Oracle E-Business Suite exposed to the internet is at risk, and given that the mass exploitation attempts have been ongoing for more than a month, there is a risk that the vulnerability has already been exploited and that the Cl0p group has yet to reach out to demand payment. According to the cybersecurity firm Resecurity, Cl0p has been reaching out to victims via compromised business email accounts and newly registered accounts.

Users of Oracle E-Business Suite should follow the advice in the Oracle security alert and ensure that they upgrade to a supported version and install the latest update. The update requires Oracle’s October 2023 Critical Patch Update to be applied before the patch for the CVE-2025-61882 vulnerability is applied. After applying the patch, Oracle E-Business Suite users should look for indicators of compromise to determine if the vulnerability has already been exploited. The IoCs have been shared in the above-linked Oracle security alert.

The post Cl0p Mass Exploiting Zero-day Vulnerability in Oracle E-Business Suite appeared first on The HIPAA Journal.

Critical GoAnywhere Vulnerability Exploited in Medusa Ransomware Attacks

Posted by Steve Alder

A critical vulnerability in Fortra’s GoAnywhere MFT secure web-based file transfer tool is being actively exploited in Medusa ransomware attacks. According to Microsoft’s Threat Intelligence Team, the vulnerability is being exploited by a threat group it tracks as Storm-1175, which is known for deploying Medusa ransomware after exploiting vulnerabilities in public-facing applications.

The zero-day deserialization vulnerability is tracked as CVE-2025-10035 and has a maximum CVSS base score of 10. According to Fortra, a threat actor with a validly forged license response signature could deserialize an arbitrary actor-controlled object. Successful exploitation of the flaw can result in command injection without authorization, which can potentially lead to remote code execution. Fortra issued a security advisory about the flaw on September 18, 2025, and explained that the vulnerability affects the GoAnywhere MFT’s License Servlet Admin Console version 7.8.3 and prior versions. The vulnerability has been fixed in version 7.8.4 and the Sustain release 7.6.3.

Microsoft detected attacks exploiting the vulnerability at multiple organizations on September 11, 2025, although the threat intelligence company watchTowr believes that attacks started on September 10, 2025, more than a week before Fortra issued its security alert. Microsoft has observed Storm-1175 dropping remote monitoring and management (RMM) tools such as SimpleHelp and MeshAgent for persistence, and in some cases, creating .jsp files within GoAnywhere MFT directories.

The group establishes persistence, sets up secure C2 communications, and deploys additional tools and malware payloads to facilitate network discovery and lateral movement. The latter is achieved using mstsc.exe. The group identifies and exfiltrates sensitive data and has used Rclone for data exfiltration in at least one attack. After data exfiltration, the group deploys Medusa ransomware to encrypt files.

All users are advised to immediately ensure that the GoAnywhere Admin Console is not exposed to the Internet and to update GoAnywhere to the latest version. Since the vulnerability has been exploited since at least September 11, 2025, patching alone is not sufficient. After updating the software, users should investigate for signs of compromise. “Customers are advised to monitor their Admin Audit logs for suspicious activity and the log files for errors containing SignedObject.getObject: If this string is present in an exception stack trace (similar to the following), then the instance was likely affected by this vulnerability,” explained Fortra in its security alert.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability Catalog on September 29, 2025, and requires all federal civilian agencies to implement Fortra’s mitigations by October 20, 2025.

The post Critical GoAnywhere Vulnerability Exploited in Medusa Ransomware Attacks appeared first on The HIPAA Journal.