Sen. Wyden Urges FTC to Take Action Against Microsoft for “Gross Cybersecurity Negligence”
Senator Ron Wyden (D-OR) has written to Andrew Ferguson, Chair of the Federal Trade Commission (FTC), requesting the FTC investigate Microsoft and hold it responsible for “gross cybersecurity negligence,” which Sen. Wyden believes has contributed to the barrage of ransomware attacks on critical infrastructure entities.
In the letter, Sen. Wyden cites figures from a February 2025 report published by the Director of National Intelligence (DNI) indicating more than 5,000 ransomware attacks in 2024, a 15% increase from 2023 and a 103% increase from 2022. Around half of the victims of those attacks were located in the United States. Those attacks have caused enormous harm to healthcare providers, put patient care at risk, and pose a continuing threat to national security.
Sen. Wyden believes Microsoft is at fault for many of these attacks because of its de facto monopoly on operating systems, combined with dangerous software engineering decisions that have made the Windows operating system vulnerable to ransomware attacks. Sen. Wyden explained that Microsoft chooses the security measures enabled by default in the Windows operating system, and while any user can alter the settings, many do not, as they are unaware of the risks associated with the default security settings.
Cybersecurity Vulnerability Exploited in Ascension Ransomware Attack
Sen. Wyden used the 2024 hack of Ascension, one of the largest health systems in the United States, as an example of how easy it is for ransomware groups to breach the networks of critical infrastructure entities. After an Ascension contractor clicked a malicious link in a Bing search result on an Ascension laptop and inadvertently downloaded malware, the ransomware group gained access to privileged Active Directory accounts using kerberoasting, a technique in which any authenticated domain user requests Kerberos service tickets for accounts that have service principal names and cracks the service account passwords offline.
The malware provided the attacker with initial access, they moved laterally, and gained administrative privileges to the Microsoft Active Directory Server. The attacker exfiltrated data, then used ransomware to encrypt files. The electronic protected health information of 5.6 million patients was compromised in the attack. The attack was made possible due to a long-standing post-exploitation vulnerability.
Kerberoasting is an attack technique that exploits Microsoft’s continued support for an insecure encryption technology – RC4 – from the 1980s. A service ticket encrypted with RC4 is keyed directly with the service account’s NT password hash, which has no salt and no key-stretching, so the ticket can be cracked offline with commodity hardware. Microsoft is well aware of the risk from kerberoasting, and how it can be exploited to obtain Active Directory credentials. For more than a decade, cybersecurity experts have warned of the dangers of kerberoasting, yet no action has been taken by Microsoft to mitigate the threat, even though more secure methods of encryption are supported by Windows.
The Advanced Encryption Standard (AES) is vastly superior to RC4, is supported by Windows, and is recommended by the U.S. government, yet Microsoft does not use AES by default in Windows. Because AES Kerberos keys are derived from the password with a salted, iterated key derivation function, cracking an AES-encrypted ticket is orders of magnitude slower. The result of Microsoft’s software engineering decision is that any attacker with a foothold on a corporate network can request RC4-encrypted tickets and crack the passwords of service accounts, many of which hold administrative privileges.
Sen. Wyden said Microsoft has stated that the risk can be mitigated by setting long passwords of 14 or more characters, yet Microsoft does not require passwords of that length to be set for privileged accounts by default. Sen. Wyden wrote to Microsoft in July 2024, warning about the threat of kerberoasting, and in October 2024, Microsoft published a blog post warning about the vulnerability and how the threat can be mitigated. Microsoft also promised to issue a software update to fix the issue. Almost a year on, no fix has been forthcoming. Also in October 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that Iranian hackers were using the kerberoasting technique to attack U.S. organizations.
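The two mitigations named above (restricting service accounts to AES and enforcing long passwords) can be audited from an Active Directory domain. The following PowerShell is an added example written for this page; it is not code from the article, from Sen. Wyden’s letter, or from Microsoft. It assumes the documented bit layout of the msDS-SupportedEncryptionTypes attribute (RC4 = 0x4, AES128 = 0x8, AES256 = 0x10), treats an unset attribute as RC4-capable, uses a hypothetical 365-day password-age threshold, and exercises the check against constructed sample accounts so it runs without a domain; the account and host names are invented.

```powershell
# Added example (not from the HIPAA Journal article or Sen. Wyden's letter):
# audit accounts that carry a service principal name for Kerberoasting exposure.
# Bit values below follow Microsoft's documentation of msDS-SupportedEncryptionTypes;
# the 365-day threshold and the sample accounts are assumptions for this example.

$ETYPE_RC4    = 0x4
$ETYPE_AES128 = 0x8
$ETYPE_AES256 = 0x10

function Test-KerberoastExposure {
    # Accepts objects shaped like Get-ADUser output (SamAccountName,
    # ServicePrincipalName, msDS-SupportedEncryptionTypes, PasswordLastSet)
    # and emits one finding per SPN-bearing account.
    param(
        [Parameter(ValueFromPipeline)] $Account,
        [int]$MaxPasswordAgeDays = 365   # assumed threshold for this example
    )
    process {
        if (-not $Account.ServicePrincipalName) { return }   # no SPN: not roastable

        $etypes = [int]($Account.'msDS-SupportedEncryptionTypes')   # $null casts to 0
        # Assumption: an unset (0) attribute is treated as RC4-capable, because the KDC
        # will still honour a client's request for an RC4 service ticket for such an account.
        $rc4Allowed = ($etypes -eq 0) -or (($etypes -band $ETYPE_RC4) -ne 0)
        $aesOnly    = (-not $rc4Allowed) -and (($etypes -band ($ETYPE_AES128 -bor $ETYPE_AES256)) -ne 0)

        $pwdAgeDays = -1   # unknown
        if ($Account.PasswordLastSet) {
            $pwdAgeDays = [int]((Get-Date) - $Account.PasswordLastSet).TotalDays
        }

        [pscustomobject]@{
            SamAccountName  = $Account.SamAccountName
            RC4Allowed      = $rc4Allowed
            AESOnly         = $aesOnly
            PasswordAgeDays = $pwdAgeDays
            Exposed         = $rc4Allowed -or ($pwdAgeDays -lt 0) -or ($pwdAgeDays -gt $MaxPasswordAgeDays)
        }
    }
}

# Constructed sample accounts (invented names, not real data) so the check runs offline.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc_sql'; ServicePrincipalName = @('MSSQLSvc/db01.corp.example:1433')
                       'msDS-SupportedEncryptionTypes' = $null; PasswordLastSet = (Get-Date).AddYears(-6) }
    [pscustomobject]@{ SamAccountName = 'svc_web'; ServicePrincipalName = @('HTTP/web01.corp.example')
                       'msDS-SupportedEncryptionTypes' = 0x18;  PasswordLastSet = (Get-Date).AddDays(-30) }
    [pscustomobject]@{ SamAccountName = 'jdoe';    ServicePrincipalName = $null
                       'msDS-SupportedEncryptionTypes' = $null; PasswordLastSet = (Get-Date).AddDays(-10) }
)
# svc_sql is flagged (RC4 allowed, stale password); svc_web is AES-only and recent; jdoe has no SPN.
$sample | Test-KerberoastExposure | Format-Table -AutoSize

# Against a real domain (requires the RSAT ActiveDirectory module):
# Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
#     -Properties ServicePrincipalName, msDS-SupportedEncryptionTypes, PasswordLastSet |
#     Test-KerberoastExposure | Where-Object Exposed
#
# Remediation for a flagged account: restrict it to AES and rotate the password to a
# long random value, or migrate the service to a group Managed Service Account (gMSA).
# Set-ADUser -Identity svc_sql -KerberosEncryptionType AES128, AES256
# Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength   # compare with the 14-character advice
```

Restricting the account to AES removes the RC4 ticket the attacker needs; rotating or lengthening the password limits what an already captured ticket is worth. Note that the domain-wide minimum password length does not retroactively change existing service account passwords, which is why the password age is reported alongside the encryption types.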
Despite the technique being actively used by threat actors, the warning was added to an obscure part of Microsoft’s website and was not promoted. Rather than issue the prominent and easy-to-read warning requested by Sen. Wyden, the blog post was highly technical in nature. As a result, many companies may not have seen the post or acted on the advice, leaving their crown jewels – Active Directory credentials – at risk.
FTC Action Required to Force Microsoft to Provide Secure Software by Default
Kerberoasting is just one example. Sen. Wyden provided further examples of Microsoft’s cybersecurity failures that have been exploited by nation-state actors to attack Microsoft customers, including attacks by China in 2023 and, more recently, the vulnerability in Microsoft SharePoint that was mass exploited by hackers linked to the Chinese government this year.
“There is one company benefiting from this status quo: Microsoft itself. Instead of delivering secure software to its customers, Microsoft has built a multibillion-dollar secondary business selling cybersecurity add-on services to those organizations that can afford it,” Sen. Wyden wrote in the letter. “At this point, Microsoft has become like an arsonist selling firefighting services to their victims. And yet government agencies, companies, and nonprofits like Ascension have no choice but to continue to use the company’s software, even after they are hacked, because of Microsoft’s near-monopoly over enterprise IT.”
Sen. Wyden believes that the FTC should take action to hold Microsoft to account, and if no action is taken, Microsoft is likely to continue to deliver dangerous, insecure software to critical infrastructure entities and the government, and further attacks are inevitable.
The post Sen. Wyden Urges FTC to Take Action Against Microsoft for “Gross Cybersecurity Negligence” appeared first on The HIPAA Journal.
Health-ISAC Hacking Healthcare 9-11-2025 – Health-ISAC
HHS Unveils Version 3.6 of the Security Risk Assessment Tool: What Covered Entities and Business Associates Need to Know – JD Supra
Regulation Adds Privacy Protections for Patient Records on Substance Use Disorders – JD Supra
California Radiology Provider Announces 13,000-Record Data Breach
Data breaches have been reported by Radiology Associates of San Luis Obispo, North Oaks Health System, The Children’s Center of Hamden, Huron Regional Medical Center, and Franklin Dermatology Group.
Pacific Imaging Management (Radiology Associates of San Luis Obispo)
Pacific Imaging Management, doing business as Radiology Associates of San Luis Obispo in California, has identified unauthorized access to certain employee email accounts. Suspicious activity was identified within its email environment on March 13, 2025. An investigation was launched, which revealed that certain email accounts were accessed by an unauthorized third party at various times between February 3, 2025, and March 17, 2025.
The accounts were reviewed and found to contain the protected health information of 13,158 individuals. The types of data involved vary from individual to individual and are detailed in the individual notification letters, which began to be mailed on September 10, 2025. Policies and procedures are being reviewed and enhanced, and the affected individuals have been offered complimentary credit monitoring and identity theft protection services.
North Oaks Health System, Louisiana
North Oaks Health System, one of the largest community hospital organizations in Louisiana, has experienced a breach of its email system, which exposed the protected health information of 6,243 patients. Suspicious activity was identified in certain employee email accounts on June 4, 2025. The affected accounts were immediately secured, and an investigation was launched to determine the extent of the breach.
The investigation confirmed that certain emails and attachments in the compromised accounts were accessed between May 28, 2025, and June 5, 2025, and some of those emails contained patient information such as names, birth dates, health insurance information, and clinical information related to the services received at North Oaks. A limited number of Social Security numbers were also exposed. North Oaks is enhancing its security protocols, technical safeguards, monitoring, and employee cybersecurity training to prevent similar incidents in the future.
Children’s Center of Hamden, Connecticut
The Children’s Center of Hamden (TCCOH), a nonprofit behavioral health center in Hamden, Connecticut, has recently announced a security incident that was first identified on December 28, 2024. Unusual activity was identified within its computer systems, and third-party digital forensics experts were engaged to investigate. They confirmed unauthorized access to its network, including systems that contained patient information. On June 29, 2025, it was confirmed that files containing patients’ protected health information were accessed or acquired in the attack.
The file review was completed on August 7, 2025, and confirmed that names, dates of birth, Social Security numbers, driver’s license information, passport information, biometric data, and diagnosis and treatment information had been exposed. Notification letters have been mailed to the 5,213 individuals, and steps have been taken to enhance security.
Huron Regional Medical Center, South Dakota
Huron Regional Medical Center in South Dakota identified suspicious activity within its computer network on or around May 31, 2025. An investigation was launched to determine the nature and scope of the suspicious activity, with assistance provided by third-party digital forensics experts. Unauthorized network access was confirmed, and the exposed files were reviewed and found to contain information such as names, addresses, phone numbers, dates of birth, dates of service, cost of services, health insurance information, lab results, medical diagnostic images, prescription information, Medicare/Medicaid numbers, diagnoses, and treatment information.
Huron Regional Medical Center is reviewing its policies, procedures, and data security measures and will make enhancements to better defend against future attacks. Individual notification letters started to be mailed to the affected individuals on September 9, 2025. The data breach is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Franklin Dermatology Group
Franklin Dermatology Group in Tennessee has recently confirmed that it was affected by the cyberattack and data breach at the collections vendor, Nationwide Recovery Service (NRS). A hacking group had access to the NRS network between July 5, 2024, and July 11, 2024, and copied certain files from its network. Those files contained names, dates of birth, Social Security numbers, health insurance information, financial account information, and/or protected health information.
Franklin Dermatology Group was notified that it had been affected on February 7, 2025, and NRS said it would be issuing notifications to the affected individuals, although Franklin Dermatology Group said NRS reneged on that promise on April 3, 2025. Franklin Dermatology Group issued notifications to the affected individuals in September 2025 and has offered them complimentary single-bureau credit monitoring, credit score, and credit report services for 12 months. The breach was recently reported to the Maine Attorney General as affecting 2,457 individuals. In total, the NRS data breach has affected more than 545,000 individuals.
The post California Radiology Provider Announces 13,000-Record Data Breach appeared first on The HIPAA Journal.
Teamsters Union 25 Health Services & Insurance Plan Hacking Incident Affects 19,000 Members
Teamsters Union 25 Health Services & Insurance Plan, a health and wellness benefits plan for members of Teamsters Union Local 25, a trade union representing truck drivers, warehouse workers, clerical workers, and service and technology employees, identified suspicious activity within its computer network on or around August 1, 2025, potentially indicating unauthorized access.
Third-party cybersecurity experts were engaged to investigate the activity and confirmed unauthorized access to the network. Further investigation uncovered evidence that certain data on the network was accessed and potentially copied without authorization. The data related to members of the Teamsters Union 25 Health Services & Insurance Plan and the Teamsters Union 25 Investment Plan.
The review of the affected files was completed on August 18, 2025, and notification letters were mailed to the affected individuals on September 3, 2025. The affected individuals have been offered 12-24 months of complimentary credit monitoring and identity theft protection services, and steps have been taken to enhance security to prevent similar breaches in the future. The data involved varies from individual to individual and may include names, member IDs, Social Security numbers, health information, and health insurance information. The HHS’ Office for Civil Rights was informed that the protected health information of 19,231 individuals was compromised in the incident.
Anthony L. Jordan Health Corporation
Anthony L. Jordan Health Corporation (AJHC) in Rochester, New York, has fallen victim to a phishing attack that involved unauthorized access to the email, OneDrive, and SharePoint accounts of three employees. Suspicious activity was identified in an employee’s email account on June 30, 2025. The account was immediately secured, and an investigation was launched to determine the nature and scope of the incident.
The investigation confirmed that an unauthorized actor had accessed the accounts at various times between April 30, 2025, and July 9, 2025, after the employees responded to phishing emails. The purpose of the unauthorized access appeared to be to fraudulently obtain funds from Jordan Health, rather than to obtain patient data; however, unauthorized access to patient information could not be ruled out.
The affected accounts were reviewed and found to contain patient information such as names, dates of birth, medical record numbers, provider names, dates of service, and health insurance information. In total, 2,974 patients potentially had information compromised in the incident. Jordan Health has provided additional cybersecurity awareness training to the workforce to prevent similar incidents in the future.
Sentara Health
Last week, Sentara Health notified 696 patients about a mailing incident that disclosed a limited amount of patient data. The mailing was sent to patients of a specific Sentara Behavioral Health Specialists provider to advise them of the departure of that provider from Sentara.
An error was made when compiling the list of recipients for the mailing, resulting in the mismatching of patients’ names and addresses. Letters intended for one patient were sent to a different patient, resulting in the disclosure of the patient’s name, location of the practice, and the provider’s name. Sentara Health addressed the matter with the employee in question, according to its internal policies and procedures, and has taken steps to prevent similar incidents in the future, including evaluating additional training opportunities.
The post Teamsters Union 25 Health Services & Insurance Plan Hacking Incident Affects 19,000 Members appeared first on The HIPAA Journal.