Long Island Plastic Surgical Group Confirms 161K-Record Data Breach

Posted by Steve Alder

Long Island Plastic Surgical Group, a network of 13 plastic surgery practices in New York, has confirmed to the HHS’ Office for Civil Rights that the protected health information of 161,707 individuals was compromised in a hacking incident earlier this year.

According to its substitute breach notice, external cybersecurity professionals were engaged to investigate the incident and confirmed that a network intrusion occurred between January 4, 2024, and January 8, 2024, involving the exfiltration of a limited amount of patient data. The file review was completed on September 15, 2024, and confirmed that full names had been stolen in combination with some or all of the following: date of birth, Social Security number, driver’s license number/state identification number, passport number, financial account information, medical information, biometric information, health insurance policy information, and clinical photographs.

Long Island Plastic Surgical Group said it is unaware of any improper use of the affected information as a direct result of the incident; however, as a precaution, individuals whose Social Security numbers were involved have been offered complimentary credit monitoring services. Long Island Plastic Surgical Group said it had implemented many safeguards to protect patient data and will continue to evaluate and modify its internal controls to further enhance security.

Long Island Plastic Surgical Group did not state in its notification letter whether this was a ransomware attack; however, the Radar threat group claimed responsibility. In a conversation with databreaches.net, a spokesperson for the group said the attack was conducted in conjunction with the ALPHV threat group, where ALPHV handled the intrusion and Radar handled the data exfiltration. Radar claimed that ALPHV was paid a ransom but Radar was not given its cut of the ransom payment. Radar subsequently issued its own ransom demand to prevent the publication of the stolen data; however, the ransom was not paid. The Federal Bureau of Investigation (FBI) has now seized the Radar data leak site.

Dr. Daniel J. Leeman, M.D.

Dr. Daniel J. Leeman, M.D., a Texas-based board-certified plastic surgeon and ENT specialist, has reported a hacking-related data breach to the HHS’ Office for Civil Rights that involved the protected health information of 50,000 patients. This appears to have been a cyberattack on his practice rather than through a business associate. Dr. Leeman filed a breach notice with the Texas Attorney General on September 4, 2024, confirming names, addresses, dates of birth, Social Security numbers, driver’s license numbers, government-issued ID numbers (such as passport numbers or state IDs), financial information (such as account numbers, credit/debit card numbers), medical information, and health insurance information were involved. The affected individuals have now been notified by mail.

Clay Platte Family MedicineBarry Pointe Family Medicine ClinicSummit Family and Sports Medicine ClinicCobblestone Family Medicine Clinic

The protected health information of patients of Clay Platte Family Medicine and Barry Pointe Family Medicine Clinic in Kansas City, MO; Summit Family and Sports Medicine Clinic in Summit, MO; and Cobblestone Family Medicine Clinic in Liberty, MO was compromised in a June 2024 data security incident. Suspicious network activity was detected on June 26, 2024, and immediate action was taken to secure its network. A cybersecurity firm was engaged to investigate the activity and confirmed that an unauthorized third party had access to the network and potentially viewed or acquired files containing patient information.

On September 10, 2024, the affected clinics confirmed names, addresses, Social Security numbers, dates of birth, and health insurance information were involved. Individual notifications were mailed on October 16, 2024, and complimentary credit monitoring and identity theft protection services have been made available. The breach was reported to the Maine Attorney General as involving the personal information of 53,916 individuals, including 4 Maine residents. The clinics said they are reviewing and enhancing their data security policies and procedures to prevent similar breaches in the future.

Wellfleet Group, LLC

Wellfleet Group, a Massachusetts-based third-party administrator for Wellfleet Insurance Company and Wellfleet New York Insurance Company that provides health insurance solutions and services to students at post-secondary education institutions, is notifying 22,959 individuals that some of their protected health information has been compromised.

Wellfleet Group learned on August 1, 2024, that student medical referral information could be accessed online via search engines and launched an investigation to determine the cause and extent of the data exposure. The investigation revealed a previously unknown misconfiguration on its website “allowed deep-links to the medical referral print page of users to be accessible without authentication.” Search engine web crawlers scraped the referrals and indexed them, allowing them to be found by performing Internet searches using the students’ names.

Wellfleet Group corrected the misconfiguration and worked to have the indexed referrals removed from the Internet. A review was also conducted to identify any further misconfigurations on its website, data security controls for the website were reset, and its standards for review and technical support of applications and software development processes have been updated to prevent similar incidents in the future.

The affected individuals were students participating in their educational institution’s student health plan and the compromised information included their full name, address, phone number, date of birth, insurance group/policy number, school ID number, and health/medical information such as the reason for referral and diagnosis code. The affected individuals have been offered complimentary credit monitoring services.

The post Long Island Plastic Surgical Group Confirms 161K-Record Data Breach appeared first on The HIPAA Journal.

OCR Offers Advice on Recognizing, Avoiding, and Mitigating Social Engineering Attacks

Posted by Steve Alder

The majority of healthcare data breaches reported in the past few years are due to hacking incidents but many of these security incidents do not involve the exploitation of vulnerabilities in software and operating systems for initial access. Far more common is the exploitation of human vulnerabilities, where healthcare workers are tricked into providing cyber actors with access to internal systems and sensitive data. According to the Verizon 2024 Data Breach Investigations Report, more than two-thirds of breaches involve the human element rather than the exploitation of weaknesses and vulnerabilities in technology.

One of the most common methods used is phishing, where a cyber actor makes contact with a healthcare employee and convinces them to visit a malicious website where they are asked to enter their credentials or are convinced to download a malicious file, both of which give the cyber actor the access they need. With phishing, the initial contact is often via email, although an increasing number of phishing attacks are now occurring via SMS (smishing), instant messaging platforms, social media networks, and over the telephone (vishing).

Phishing usually involves deception and impersonation. A trusted individual, company, or institution is impersonated, and the targeted individual is provided with a seemingly legitimate reason for taking the requested action. This could be a request for collaboration on a report, a notification about a failed delivery, a missed payment of an invoice, or a security warning. There is often a threat of negative consequences if no action is taken, commonly a pressing matter such as impending loss of service, a significant charge that will soon be applied to an account, or unauthorized account access that warrants immediate steps to secure the account.

The techniques used in phishing are known as social engineering – manipulation, influencing, or deceiving someone into taking a certain action, which in cybersecurity terms involves gaining unauthorized access to computer systems, financial accounts, or sensitive data. While phishing is one of the best-known attack methods that uses social engineering techniques, cyber actors use social engineering in other types of attacks to achieve similar goals. There is baiting, where social engineering is used to trick someone into taking an action to obtain something of value, such as to be entered into a free prize draw or get an amazingly low purchase price on goods and services. In order to get what is promised, sensitive information must be disclosed such as credentials, a credit/debit card number, or personal information.

Advances in artificial intelligence (AI) technology have provided cyber actors with a new way of manipulating individuals – deepfakes. Deepfakes take impersonation and deception to a new level, where trusted individuals are impersonated via audio or video. Deepfakes of authority figures can be created that are incredibly realistic, using synthesized facial images and speech or manipulated videos, photos, and audio recordings to trick people into taking any number of actions. Deepfakes can even be created in real-time, such as impersonating a CEO in a call to a help desk to request credentials be reset or to add an attacker-owned device to receive multifactor authentication codes, or in Zoom meetings where the meeting participants are convinced they are conversing with the genuine person.

Social engineering is the subject of the October 2024 cybersecurity newsletter from the HHS’ Office for Civil Rights. In the newsletter, OCR explains how social engineering is used in attacks on healthcare organizations and how to identify and avoid social engineering attacks. The newsletter also explains how compliance with the HIPAA Security Rule can help HIPAA-regulated entities improve their defenses against social engineering and mitigate threats.

“Attackers have learned how to convincingly imitate our loved ones and our business partners, meaning that nothing can be assumed or taken at face value. Attackers continue to refine their manipulation through social engineering tradecraft. All of these threats have a common theme; they all attempt to convince an individual to do something they would not otherwise do normally, or to provide details such as credentials someplace other than where they should be used,” explained OCR in the newsletter. “Educating workforce members on these attacks is essential when it comes to an individual’s ability to identify and potentially halt social engineering attacks before they start. Such knowledge is powerful not only to protect individuals in their personal online activities, but also by extension an individual’s employer. This is especially important in the current environment where work is taken home on laptops, smartphones, and through remote work.”

The post OCR Offers Advice on Recognizing, Avoiding, and Mitigating Social Engineering Attacks appeared first on The HIPAA Journal.