Weak Cloud Security Controls at the Administration for Children and Families Have Put Sensitive Data at Risk

The Department of Health and Human Services (HHS) Administration for Children and Families (ACF) has put the sensitive data of families and children at risk by failing to address security gaps in its cloud environment, according to a recent audit by the HHS Office of Inspector General (HHS-OIG).

HHS-OIG is conducting a series of audits of HHS divisions to determine if they have implemented effective cybersecurity controls for their cloud environments and are compliant with federal security requirements and guidelines. For the audit, HHS-OIG reviewed ACF’s cloud inventory, policies and procedures, and the configuration settings of ACF vulnerability scanners. Penetration tests were also conducted internally and externally on selected cloud information systems and web applications, and phishing tests were conducted on ACF personnel.

While ACF had implemented security controls to protect its cloud information systems and data, HHS-OIG identified gaps in those controls and vulnerabilities that malicious actors could exploit to gain access to systems and the sensitive data of families and children. The main problem stemmed from ACF's inventory of cloud computing assets, which was not comprehensive. HHS-OIG said ACF did not accurately identify all of its cloud computing assets because it had not established policies and procedures to inventory and monitor cloud information system components.

If components are missing from the inventory, the security controls that prevent unauthorized access may be overlooked, leaving those components inadequately secured; websites may also be left vulnerable because they are not kept up to date, with patches missed and misconfigurations unidentified. While HHS-OIG did not identify any compromises, the identified vulnerabilities could be exploited to modify cloud systems and execute system commands, allowing access to sensitive data, including the personally identifiable information of families and children. If assets are not monitored, threat-hunting efforts may fail to identify compromises, giving adversaries the freedom to attack other components undetected.
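The inventory gap HHS-OIG describes is detectable by routine reconciliation: compare what the component inventory claims exists against what the cloud account actually contains, and against what the vulnerability scanner is configured to cover. The following is an added illustration of that check, not code from the audit or from ACF; all asset records, scanner targets and dates in it are constructed sample data, and the `reconcile` function and `InventoryGaps` type are hypothetical names chosen here.

```python
"""Reconcile a declared cloud asset inventory against discovered assets
and vulnerability-scanner coverage. Sample data is constructed for this
example and does not describe any real environment."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str
    last_patched: date | None  # None: no patch record exists for the asset


# Constructed: asset ids the component inventory (CMDB/spreadsheet) lists.
DECLARED_INVENTORY = {"web-01", "db-01", "vm-legacy"}

# Constructed: what enumerating the cloud account through its API returned.
DISCOVERED_ASSETS = {
    Asset("web-01", "vm", date(2024, 3, 1)),
    Asset("db-01", "vm", date(2024, 1, 5)),
    Asset("api-02", "vm", None),  # deployed outside the inventory process
}

# Constructed: asset ids the vulnerability scanner is configured to scan.
SCANNER_TARGETS = {"web-01", "db-01"}


@dataclass
class InventoryGaps:
    unregistered: list[str]  # running in the cloud but absent from inventory
    orphaned: list[str]      # listed in inventory but no longer found
    unscanned: list[str]     # running but outside scanner coverage
    stale_patch: list[str]   # no patch record, or last patch older than max_age


def reconcile(declared: set[str], discovered: set[Asset],
              scanner_targets: set[str], today: date,
              max_age_days: int = 30) -> InventoryGaps:
    """Return every category of gap between inventory, reality and scanning.

    Each list is sorted so the report is stable across runs and diffable."""
    live_ids = {a.asset_id for a in discovered}
    stale = [
        a.asset_id for a in discovered
        if a.last_patched is None
        or (today - a.last_patched).days > max_age_days
    ]
    return InventoryGaps(
        unregistered=sorted(live_ids - declared),
        orphaned=sorted(declared - live_ids),
        unscanned=sorted(live_ids - scanner_targets),
        stale_patch=sorted(stale),
    )


def has_gaps(gaps: InventoryGaps) -> bool:
    """True when any category is non-empty; useful as a CI/cron exit status."""
    return any((gaps.unregistered, gaps.orphaned, gaps.unscanned, gaps.stale_patch))


def report(gaps: InventoryGaps) -> str:
    """Render the gaps as plain text for a ticket or audit evidence."""
    lines = []
    for label, ids in (("Unregistered (in cloud, not in inventory)", gaps.unregistered),
                       ("Orphaned (in inventory, not in cloud)", gaps.orphaned),
                       ("Not covered by vulnerability scanner", gaps.unscanned),
                       ("Patch status stale or unknown", gaps.stale_patch)):
        lines.append(f"{label}: {', '.join(ids) if ids else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = reconcile(DECLARED_INVENTORY, DISCOVERED_ASSETS,
                       SCANNER_TARGETS, today=date(2024, 3, 25))
    print(report(result))
```

In practice the discovered set would come from the cloud provider's resource enumeration API and the scanner targets from the scanner's own configuration export; the reconciliation logic itself does not change. An asset that appears only in `unregistered` is exactly the case the audit warns about: it exists, it is reachable, and no control owner knows to patch or scan it.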

HHS-OIG also found that ACF did not adequately perform cloud and web application technical testing against its systems, which would have proactively identified the vulnerabilities HHS-OIG discovered, potentially leaving data at a high risk of compromise. While ACF had implemented security controls to protect its cloud information systems, HHS-OIG identified several other security controls stipulated in federal requirements and guidelines that had not been implemented.

HHS-OIG made several recommendations on how ACF should improve the security of its cloud information systems. The audit identified 19 security controls that need to be improved. HHS-OIG recommended that ACF update its cloud security procedures, conduct tests of its cloud information systems that emulate the tactics, techniques, and procedures of adversaries, and update and maintain a complete and accurate inventory of its cloud information systems and components. HHS-OIG also recommended that ACF leverage cloud security assessment tools to identify weak cybersecurity controls and misconfigurations. ACF concurred with all of HHS-OIG’s recommendations and described the actions it will take to address the identified issues.

The post Weak Cloud Security Controls at the Administration for Children and Families Have Put Sensitive Data at Risk appeared first on HIPAA Journal.

City of Hope Cyberattack Affects 827,000 Individuals

City of Hope, a non-profit clinical research and cancer treatment center in Duarte, California, has confirmed that the personal and protected health information of 827,149 individuals was compromised in a 2023 cyberattack. Suspicious activity was detected within some of its systems on October 13, 2023, and after securing the systems and implementing mitigation measures, a forensic investigation was launched to determine the nature and scope of the incident. A third-party cybersecurity firm assisted with the investigation and confirmed there had been unauthorized access to some of its systems between September 19, 2023, and October 12, 2023. During that time, copies of certain files were exfiltrated from its systems.

The delay in issuing notifications was due to the time required to conduct a detailed review of all files on the compromised systems to determine the extent of the data breach. The investigation is ongoing, but City of Hope has confirmed that the files contained personal and protected health information. The types of data involved varied from individual to individual and included names in combination with one or more of the following data elements: contact information such as phone numbers and email addresses, dates of birth, Social Security numbers, driver’s license numbers, other government identification numbers, financial information such as bank account numbers and credit card details, health insurance information, medical records, medical histories, diagnoses/conditions, and unique internal patient identifiers.

City of Hope said additional and enhanced safeguards were implemented promptly and a leading cybersecurity firm was engaged to review the security of its network, systems, and data. The affected individuals are now being notified by mail. City of Hope is offering two years of complimentary credit monitoring and identity theft protection services to the individuals who had their data exposed in the attack.


Senators Demand Answers from the United Network for Organ Sharing About 1 Million+ Record Data Breach

U.S. Senators Chuck Grassley (R-IA) and Ron Wyden (D-OR) have written to the United Network for Organ Sharing (UNOS), which administers the Organ Procurement and Transplantation Network (OPTN), demanding answers about a recently identified data breach and criticizing UNOS for its apparent inability to operate the OPTN.

The Senators previously wrote to UNOS in January 2022 to express their concerns about OPTN systems, which were in desperate need of modernization to protect them from cyberattacks. There is only a short window of opportunity for matching donors with patients in need of transplants, and any disruption to the system – a ransomware attack, for example – could result in the loss of many lives.

The Senators also voiced their concerns with the White House Chief Information Officer in February 2022 about the technology in use and the cybersecurity measures to protect the OPTN from cyberattacks. In September of that year, the HHS Office of Inspector General (OIG) published a report that called for the Health Resources and Services Administration (HRSA) to improve oversight of the cybersecurity of the OPTN. The OPTN had been criticized for the use of outdated IT systems and the lack of technical capabilities to upgrade the systems, secure them, and ensure they are fit for purpose.

On March 20, 2023, the Senators wrote to UNOS about an outage of the DonorNet system on February 15, 2023, which put patients’ lives at risk, and again criticized UNOS for its failure to operate the critical technology supporting the OPTN. A few days later, the Senators wrote to UNOS again about a recently discovered data breach.

In November 2023, UNOS conducted two software tests and discovered that a software configuration error had exposed the sensitive data of 1.5 million organ transplant patients and DonorNet system users. Users of the system can access individual records on a case-by-case basis; however, the error allowed access to all records on the OPTN and DonorNet system, including details such as names, dates of birth, Social Security numbers, and procedures. In the latest letter, the Senators demanded answers about the data breach and expressed their “continued concerns with the security of UNOS’s critical technology and its apparent inability to efficiently and effectively operate the OPTN.”

Specifically, the Senators want to know how the data breach was identified; the root cause of the breach and any relevant investigations and reviews; the number of patients affected; whether patient records were accessed by unauthorized individuals; and how many individuals were able to access patient data they were not authorized to view. They have also requested information about breach response processes at UNOS, including the response to the latest breach, whether patients have been notified, and the steps taken to prevent further breaches and cyberattacks. UNOS has been given until April 10, 2024, to provide the answers.

Sens. Grassley and Wyden have been pushing for reforms to improve the administration of the OPTN. In April 2023, they proposed new legislation – the Securing the U.S. Organ Procurement and Transplantation Network Act – to improve the management of the OPTN, which for the past 40 years has been solely administered by UNOS. The legislation was signed into law by President Biden in September 2023; it breaks up the contract for the management of the OPTN and encourages participation from competent and transparent contractors. The aim of the legislation is to improve transparency and address the many failures that have plagued the OPTN over the past 40 years, and it is hoped that the breakup of the monopoly will increase competition and help to save many lives.


Lamoille Health Partners Settles Class Action Data Breach Lawsuit for $540,000

Lamoille Health Partners, a Vermont health system serving patients in Lamoille County, has agreed to settle a lawsuit that was filed in response to a June 2022 ransomware attack in which the protected health information of 59,381 patients was exposed and potentially stolen. Hackers gained access to the Lamoille Health Partners network between June 12, 2022, and June 13, 2022, and used ransomware to encrypt files. The attack exposed names, addresses, dates of birth, Social Security numbers, health insurance information, and medical treatment information. The affected individuals were notified about the breach in August 2022 and individuals who had their Social Security numbers exposed were offered complimentary identity protection and credit monitoring services.

A lawsuit – Marshall v. Lamoille Health Partners Inc. – was filed in the U.S. District Court for the District of Vermont on September 1, 2022, in response to the breach. It alleged that Lamoille Health Partners was negligent in failing to implement reasonable and appropriate cybersecurity measures and to follow security best practices. The lawsuit also alleged that there was an unnecessary delay in notifying the affected individuals and that Lamoille Health Partners was not compliant with the HIPAA Rules. The lawsuit claimed the plaintiff, Patricia Marshall, and the class faced an imminent and ongoing risk of identity theft and fraud because their sensitive information was in the hands of cybercriminals.

Lamoille Health Partners has not admitted to any wrongdoing and disagrees with the claims; however, a settlement was proposed to bring the legal action to an end. Under the terms of the proposed settlement, a $540,000 fund will be created to cover claims from individuals who were affected by the breach. Class members can submit claims of up to $5,000 to cover unreimbursed, documented out-of-pocket expenses incurred as a result of the breach, including bank fees, credit expenses, travel expenses, costs of credit monitoring services, and unauthorized charges. In addition, all class members will be entitled to a pro-rata payment which will be distributed after attorneys’ fees and legal costs have been deducted and claims have been paid. The payment is anticipated to be around $50 per class member.

Important Dates:

  • Deadline for exclusion/objection: May 30, 2024
  • Deadline for submitting claims: June 20, 2024
  • Final approval hearing: September 30, 2024
