Data Breaches Reported by Mystic Valley Elder Services & St. Anthony Regional Hospital

Posted by Steve Alder

Mystic Valley Elder Services, a Malden, Massachusetts-based non-profit agency providing home and community-based care to elders and adults living with disabilities, has started issuing individual notifications about a cyberattack and data breach that was identified on April 5, 2024.

A digital forensics company was engaged to investigate the unauthorized activity and confirmed that there had been unauthorized access to its internal systems on April 5, 2024, during which time files may have been acquired. A review was conducted of all affected files which confirmed on July 11, 2024, that protected health information had been exposed. The data involved varied from individual to individual and may have included names, dates of birth, passport numbers, financial account numbers, payment card numbers, online credentials, taxpayer identification numbers, Social Security numbers, driver’s license numbers, health insurance information, and medical information.

Notification letters are now being mailed to the affected individuals and complimentary credit monitoring and identity theft protection services have been made available. Mystic Valley Elder Services said it is enhancing its technical safeguards to prevent similar breaches in the future. The HHS’ Office for Civil Rights shows two listings about this incident, one involving the records of 85,133 individuals in its capacity as a healthcare provider and a breach involving the protected health information of 2,402 individuals in its capacity as a business associate.

St. Anthony Regional Hospital, Iowa

St. Anthony Regional Hospital in Carroll, Iowa, has recently announced it fell victim to a cyberattack in August. Suspicious activity was identified within its network on August 26, 2024, and the forensic investigation confirmed there had been unauthorized access to a subset of its network between August 14, 2024, and August 28, 2024. During that time, the threat actor accessed or downloaded files on the network that contained patients’ protected health information.

St. Anthony Regional Hospital said it is still reviewing the affected files to determine the patients and data involved but has confirmed that the breached information is likely to include names, addresses, dates of birth, Social Security numbers, financial information, and medical information such as diagnosis and treatment information. Notification letters will be mailed to the affected individuals when the investigation is concluded. St. Anthony Regional Hospital is unaware of any misuse of the affected information; however, patients have been advised to remain vigilant against incidents of identity theft and fraud by reviewing their account statements, credit reports, and explanation of benefits statements.

The breach has been reported to the HHS’ Office for Civil Rights using a placeholder figure of 501 affected individuals. The total will be updated when the file review has been completed.

The post Data Breaches Reported by Mystic Valley Elder Services & St. Anthony Regional Hospital appeared first on The HIPAA Journal.

HPH Sector Warned About Exploitation of Miracle Exploit Vulnerabilities in Oracle Systems

Posted by Steve Alder

A critical vulnerability affecting multiple Oracle products is being exploited in the wild. The vulnerability was dubbed The Miracle Exploit by the security researchers who discovered it, due to its severity and the number of products they affected – all products based on Oracle Fusion Middleware and Oracle online systems. The vulnerability is one of a pair of related vulnerabilities that were discovered two years apart. The vulnerabilities can be chained, and both can lead to remote code execution.

The Oracle Fusion Middleware products are used to build web interfaces for Java EE applications and any website developed by ADF Faces framework is affected. The vulnerabilities also affect Oracle Business Intelligence, Enterprise Manager, Identity Management, SOA Suite, WebCenter Portal, Application Testing Suite, and Transportation Management. The vulnerabilities are tracked as CVE-2022-21445 (CVSS 9.8) and CVE-2022-21497 (CVSS 8.1) and can be exploited easily by an unauthenticated attacker with network access via HTTP for an application takeover. Successful exploitation can lead to a full system compromise and lateral movement within a network. The vulnerabilities could be exploited to steal sensitive data and could be leveraged by ransomware groups in the future.

CVE-2022-21445 is a deserialization of untrusted data vulnerability and CVE-2022-21497 is a server-side request vulnerability. The first vulnerability allows remote code execution, and the second one could be exploited for lateral movement to other Oracle systems and can also lead to remote code execution. Oracle released patches to fix the vulnerabilities in April 2022, 6 months after the CVE-2022-21445 vulnerability was discovered. In September, the Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2022-21445 Miracle Exploit vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. No information was released about the extent to which the vulnerability has been exploited, and there have been no public reports of exploitation, although CISA does receive some reports privately.

Due to the severity of the vulnerabilities and their impact, the Health Sector Cybersecurity Coordination Center has recently released an analyst note warning the healthcare and public health sector about the risk of exploitation. Healthcare organizations could be vulnerable if they use Oracle Fusion products that rely on the ADF Faces framework. HC3 warns that if the vulnerable Oracle middleware components are integrated into their software for managing electronic medical records or other critical systems, exploitation of the vulnerabilities could result in data breaches, operational disruptions, and potentially regulatory penalties.

HC3 recommends applying the latest patch for Oracle JDeveloper, segmenting networks and ensuring environments that use JDeveloper are isolated from production systems, and limiting access to JDeveloper environments to trusted users only and enforcing strong authentication mechanisms.

The post HPH Sector Warned About Exploitation of Miracle Exploit Vulnerabilities in Oracle Systems appeared first on The HIPAA Journal.