HC3 Issues Warning About Scattered Spider Threat Actor

Posted by Steve Alder

A warning has been issued by the HHS’ Health Sector Cybersecurity Coordination Center (HC3) about a financially motivated group known as Scattered Spider. Many cybercriminal groups are Russian-speaking and are based in Russia or the Commonwealth of Independent States; however, Scattered Spider is a native English-speaking group and its members are believed to be mostly located in the United States and the United Kingdom. There have been four arrests in those countries but the group remains active. Intelligence gathered on the group suggests the members are mostly in the 19-22 age group.

Rather than develop their own malware payloads and attack tools, Scattered Spider uses publicly available tools and malware developed by other threat actors. Legitimate tools known to have been leveraged by the group include remote monitoring and management solutions such as AnyDesk, Connectwise Control, ASG Remote Desktop, Screenconnect, and Splashtop; Mimikatz and LaZagne for credential theft; and Ngrok to create secure tunnels to remote web servers.

The group has previously used multiple malware variants in its operations including Atomic, Racoon Stealer, VIDAR Stealer, and Meduza Stealer, as well as phishing kits such as EIGHTBAIT and Oktapus, and the BlackCat and Ransomhub ransomware variants. The group has also collaborated with the Qilin threat group.

Information stealers are commonly used to obtain credentials for initial access, and then living-off-the-land techniques are used to evade security solutions while the group moves laterally within networks, disabling security solutions and stealing sensitive data. Attacks often end with the deployment of ransomware.

Scattered Spider uses advanced social engineering tactics, with its members well-versed in spear phishing, smishing, and voice phishing. One campaign attributed to Scattered Spider involves spear phishing voice techniques, where members of the IT Help Desk are targeted over the phone with the group posing as employees, sometimes aided by artificial intelligence to impersonate voices.

The aim is to trick the IT Help Desk into performing password resets and registering their own devices to receive multifactor authentication codes. The Help Desk is provided with personal information about the person they are impersonating and usernames and employee IDs obtained in previous stages of its attacks. HC3 has previously issued a warning about this campaign as healthcare organizations were among the group’s victims.

Scattered Spider has been active since at least 2022 and was initially focused on customer relationship management (CRM), business process outsourcing (BPO), telecommunications, and technology companies; however, the group has since expanded its targeting and has been attacking a broader range of sectors. While the healthcare industry has not been extensively targeted by the group, healthcare organizations have been attacked. The Scattered Spider threat actor profile shares indicators of compromise and recommended mitigations to improve defenses.

The post HC3 Issues Warning About Scattered Spider Threat Actor appeared first on The HIPAA Journal.

Wichita County and Parkland Health Suffer Data Breaches

Posted by Steve Alder

Wichita County in Texas experienced a cyberattack in May 2024 that exposed the sensitive data of 47,784 individuals, the majority of which are residents of Wichita County. According to County officials, the incident was detected on May 7, 2024, when network disruption was experienced. Immediate action was taken to secure its network and prevent further unauthorized access and independent forensics experts were engaged to investigate the security breach.

Experts were engaged to conduct a data review to determine the types of data that may have been acquired in the incident, and the review was completed on September 3, 2024. Contact information was then verified contact information to allow the notification letters to be sent. That process was completed on October 2, 2024, and notifications were mailed to the affected individuals on October 22, 2024.

The types of data involved varied from individual to individual and may have included name along with one or more of the following: date of birth, Social Security number, driver’s license number, other government ID, passport number, financial account information, health insurance information and medical information related to the treatment of mental or physical health conditions.

Complimentary credit monitoring and identity theft protection services have been made available to the affected individuals for 2 years. The Medusa ransomware group appears to have been responsible for the attack, although that has not been confirmed by Wichita County officials.

Parkland Health Investigating Cyberattack and Data Breach

Parkland Health, the community public health system for Dallas County in Texas which includes Parkland Memorial Hospital in Dallas, has experienced a cyberattack involving unauthorized access to the protected health information of 6,523 patients. In an October 22 notice to the Texas Attorney General, Parkland Health confirmed that the breach included names, dates of birth, and medical information.

No other details about the breach are known at this stage. Parkland Health said it is still investigating the cyberattack and will release further information when the investigation is concluded. Individual notifications have been mailed to the affected individuals.

The post Wichita County and Parkland Health Suffer Data Breaches appeared first on The HIPAA Journal.

HHS-OIG Identifies Potential Misuse of HRAs and Chart Reviews by MA Companies

Posted by Steve Alder

The Department of Health and Human Services Office of Inspector General (HHS-OIG) has identified potential misuse of health risk assessments (HRAs) and HRA-linked chart reviews by Medicare Advantage (MA) companies, which may have resulted in millions of dollars in overpayments.

The Centers for Medicare and Medicaid Services (CMS) pays MA companies higher risk-adjusted payments for sicker enrollees to cover costlier care and each year, MA companies receive millions in overpayments based on unsupported diagnoses for MA enrollees. When diagnoses are reported only using enrollees’ HRAs and HRA-linked chart reviews and there are no follow-up visits, procedures, or tests, HHS-OIG is concerned that the diagnoses may be inaccurate and therefore the payments made by the CMS may be improper. Alternatively, the lack of follow-up visits and tests suggests that if the diagnoses are accurate, enrollees have not received the necessary care for serious health conditions.

HHS-OIG’s analysis of MA encounter data identified 1.7 million MA enrollees whose diagnoses were only reported using HRAs and HRA-linked chart reviews and did not include any follow-ups. Out of the 17 million MA enrollees, 19,028 enrollees had no other service records at all in 2022 apart from a single HRA. HHS-OIG estimates that around $7.5 billion in MA risk-adjusted payments were made for 2023 and that 80% of those payments were made to just 20 MA companies.

Almost two-thirds of those payments were based only on In-home HRAs and HRA-linked chart reviews, which have a higher risk of misuse as they are usually administered by MA companies and their third-party vendors rather than enrollees’ own providers. In fiscal year 2023, the CMS identified $12.7 billion in net overpayments due to plan-submitted diagnoses that were not supported by documentation in enrollees’ medical records and concerns have been raised by oversight entities that MA companies are using HRA and HRA-type assessments to maximize their risk-adjusted payments rather than to improve the care provided to enrollees. HHS-OIG says the risk-adjustment payment policy creates a financial incentive for MA companies to misrepresent health statuses and submit unsupported diagnoses to inflate their risk-adjusted payments.

HHS-OIG recommended the CMS take steps to identify and prevent misuse of HRAs and HRA-linked chart reviews. HHS-OIG suggested the CMS impose additional restrictions on the use of diagnoses reported only on in-home HRAs or chart reviews linked to in-home HRAs for risk-adjusted payments, conduct audits to validate diagnoses reported using only HRAs and HRA-linked chart reviews, and determine whether certain health conditions such as diabetes and congestive heart failure that drove payments on in-home HRAs and chart reviews are more vulnerable to misuse by MA companies. The CMS only concurred with the last recommendation.

The post HHS-OIG Identifies Potential Misuse of HRAs and Chart Reviews by MA Companies appeared first on The HIPAA Journal.