Grace Lutheran Communities Falls Victim to ALPHV/Blackcat Ransomware Attack
Grace Lutheran Communities in Wisconsin, a provider of rehabilitation services, assisted living, independent living, and skilled nursing, has experienced a ransomware attack. The incident was detected on January 22, 2024, and while the investigation is ongoing, Grace Lutheran Communities has confirmed that patient data was stolen, including names, addresses, Social Security numbers, and health insurance information.
On February 17, 2024, Grace Lutheran Communities discovered that a ransomware group – ALPHV/Blackcat – had published some of the stolen data on its data leak site. Grace Lutheran Communities said it is committed to ensuring the privacy and security of patient data and is enhancing network security to prevent similar attacks in the future. Grace Lutheran Communities has yet to confirm how many individuals have been affected.
Washington County Hospital and Nursing Home Falls Victim to Ransomware Attack
Washington County Hospital and Nursing Home has notified 31,125 individuals about a December cyberattack that may have resulted in an unauthorized third party accessing their sensitive information. On December 24, 2023, a network disruption occurred that prevented access to internal systems. A third-party cybersecurity firm was engaged to help secure the systems and conduct a forensic investigation, and evidence was found of unauthorized access to files containing patient data. Those files included tax forms and Social Security numbers (SSNs); however, no reports have been received of any actual or attempted identity theft or fraud as a result of the data breach.
Washington County Hospital and Nursing Home has augmented its security measures and is offering the affected individuals complimentary access to Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services.
Bay Area Anesthesia Patients Affected by Cyberattack on Business Associate
Bay Area Anesthesia in Clearwater, FL, has been affected by a data security incident at a former business associate, Bowden Barlow Law. The law firm identified suspicious activity within its network and the investigation confirmed that there had been unauthorized access by a third party between November 17, 2023, and December 1, 2023, and during that time, files were exfiltrated from its network that contained the protected health information of 15,196 individuals. Bay Area Anesthesia has notified the affected individuals and has offered them complimentary credit monitoring and identity theft protection services for 12 months.
Cardiothoracic and Vascular Surgeons Alerts Patients About December Data Breach
Cardiothoracic and Vascular Surgeons in Austin, TX, has confirmed that unauthorized individuals accessed its network between October 12, 2023, and October 13, 2023, and exfiltrated files containing patient data. A review of the affected files was completed on January 22, 2024, and confirmed that the protected health information of 2,345 individuals was present in those files, including names, driver’s licenses, and/or government-issued IDs. Notifications were issued to the individuals on February 16, 2024, and credit monitoring and identity theft protection services are being made available.
The post Grace Lutheran Communities Falls Victim to ALPHV/Blackcat Ransomware Attack appeared first on HIPAA Journal.
Indiana Attorney General Files Lawsuit Against Apria Healthcare Alleging HIPAA Violations
Indiana Attorney General Todd Rokita has filed a lawsuit against Apria Healthcare alleging violations of the Health Insurance Portability and Accountability Act (HIPAA) and state laws following a cyberattack and data breach that affected 1,869,598 individuals, including 42,000 Hoosiers.
Apria Healthcare is an Indianapolis, IN-based provider of home healthcare equipment and related services. Apria Healthcare was notified by the Federal Bureau of Investigation (FBI) on September 1, 2021, about unauthorized access to its internal systems. The investigation confirmed that between April 5, 2019, and May 7, 2019, and again from August 27, 2021, to October 10, 2021, an unauthorized third party accessed its internal systems, including several employee email accounts. The electronic protected health information (ePHI) exposed included names, birth certificates, financial information, Social Security numbers, medical histories, and health information. Apria Healthcare determined that the purpose of the intrusion was to obtain funds from Apria Healthcare rather than patient data. Notifications were mailed to the affected individuals in May 2023, more than 20 months after the FBI had notified the company about the breach.
Attorney General Rokita alleged that Apria Healthcare deliberately concealed the data breach by failing to issue notifications for 629 days and that the delay violated the HIPAA Breach Notification Rule, which requires individual notifications to be issued to the affected individuals within 60 days of the discovery of a data breach. The delayed notification also violated Indiana’s Disclosure of a Security Breach Act, which requires notifications to be issued without undue delay and not more than 45 days after the discovery of a data breach. Owens and Minor acquired Apria Healthcare in March 2022. Attorney General Rokita alleged that Owens and Minor was aware of the data breaches yet still failed to issue timely notifications.
Attorney General Rokita also alleged violations of the HIPAA Privacy and Security Rules – the failure to implement appropriate technical safeguards to ensure the confidentiality, integrity, and availability of ePHI, and the impermissible disclosure of the ePHI of more than 1.8 million individuals – and violations of the Indiana Deceptive Consumer Sales Act. “Patients should be able to trust their medical providers at all times,” said Attorney General Rokita. “All Hoosier patients deserve their privacy, especially when it comes to medical care. When your private information is accessible or leaked to a stranger, you’re susceptible to life-altering threats, such as identity theft and financial ruin. Our office has adamantly fought back against careless companies who disregard major cybersecurity threats.”
Five Eyes Agencies Warn of Ongoing Exploitation of Ivanti Connect Secure and Policy Secure Flaws
The Five Eyes Cybersecurity Agencies have issued a warning that previously disclosed vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways are being actively exploited by multiple threat actors and have been since early December 2023.
The flaws – CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893 – affect all supported versions (9.x and 22.x) and can be chained to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges. According to the alert, Ivanti’s internal and previous external Integrity Checker Tool (ICT) failed to detect malicious activity associated with exploitation. CISA demonstrated in a test environment that the ICT is not sufficient to detect compromise and that it is possible to gain root-level persistence despite issuing factory resets.
Alphabet’s Mandiant has been investigating the exploitation of the zero-day vulnerabilities and said the exploitation had likely impacted thousands of devices across multiple industry verticals. Some of those attacks were linked with a suspected Chinese cyber espionage group it tracks as UNC5325. The threat actor used living-off-the-land techniques and novel malware to achieve persistence. Mandiant said the patches released by Ivanti are effective at preventing exploitation, provided UNC5325 did not exploit the vulnerability before the patches were applied. Mandiant said UNC5325 has maintained access even after customers have initiated factory resets, applied patches, and applied the recommended security updates.
The Five Eyes agencies recommend that network defenders assume that user and service account credentials stored in affected Ivanti VPN appliances are likely compromised, hunt for malicious activity using the detection methods and IoCs detailed in the alert, and run the latest version of Ivanti’s external ICT. If the vulnerabilities have yet to be patched, network defenders should ensure the patches are applied as soon as possible and should follow the recommendations detailed in the latest Ivanti security advisory. Mandiant also recommends following the guidance provided in its updated Ivanti Connect Secure Hardening Guide.