Healthcare organizations that have been unable to recover files that were encrypted in Rhysida ransomware attacks may now be able to recover the files for free as a decryptor has been released.

Rhysida is a ransomware-as-a-service operation that emerged in May 2023. Like many emerging ransomware groups, attacks have been conducted on U.S. healthcare organizations. In August 2023, following attacks on the healthcare and public health sector, the HHS’ Health Sector Cybersecurity Coordination Center issued an alert about the group. In November, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint cybersecurity advisory and shared indicators of compromise and mitigations.

Organizations that were unable to prevent attacks and chose not to pay the ransom may now be able to recover their encrypted files. Researchers in South Korea identified an encryption flaw in the encryptor used by Rhysida ransomware, which has allowed them to develop a Windows decryptor. The random number generator (CSPRNG) used to generate a unique private encryption key was flawed, which allowed them to determine the initial state of CSPRNG during an attack. Since the method used does not include high entropy data sources, the seed value used when encrypting files is predictable. Knowing the initial CSPRNG state and then reviewing logs and other data at the time of the infection allowed the researchers to identify a range for the seed value. The decryptor tries potential seed values until it finds the correct value and from there it is possible to determine all random numbers used to encrypt files and recover all locked data.

An automated decryption tool was developed and has been made available free of charge on the Korean Internet & Security Agency (KISA) website along with a technical paper in English and Korean that explains how to use the decryptor. The decryptor can only be used to recover files that have been encrypted using the Rhysida Windows encryptor. Several cybersecurity firms had already found the flaw and were able to recover files encrypted by Rhysida. Unfortunately, now that the flaw has been made public, the ransomware developer is likely to fix it. When that happens, recovery of files will only be possible from backups or by paying the ransom.

The post Free Decryptor Released for Rhysida Ransomware appeared first on HIPAA Journal.

February 14, 2024 Healthcare Data Breach Round-Up

Posted February 14, 2024 by Steve Alder

Data breaches have recently been reported by the Hampton-Newport News Community Services Board, Marywood Nursing Care Center, Health Alliance, United Regional Health Care System, Nabholz Construction, and J.D. Gilmour & Co.

Hampton-Newport News Community Services Board

The Hampton-Newport News Community Services Board, a Virginia-based provider of behavioral health and intellectual and developmental disability services, has notified 44,312 individuals that some of their protected health information was compromised in a recent ransomware attack. Technical disruptions were experienced on November 12, 2023, and it soon became clear that the disruption was due to the use of ransomware. Third-party cybersecurity experts were engaged to assist with the investigation and remediation, and they determined that the attackers gained access to its network on September 26, 2023.

A review was conducted of all files that could have been accessed which confirmed that patient data had been exposed. The exposed data varied from patient to patient and may have included names in combination with Social Security numbers, addresses, ZIP codes, driver’s license numbers, dates of birth, clinical information such as diagnosis/conditions, lab results, medications or other treatment information, claims information and insurance information. The Hampton-Newport News Community Services Board was unable to confirm if the above data was accessed or stolen in the attack. Credit monitoring and identity restoration services have been offered to the affected individuals.

Marywood Nursing Care Center

Marian Village Corporation, doing business as Marywood Nursing Care Center in Massachusetts, experienced a security breach that involved the protected health information of 6,178 individuals. The breach notification sent to the Massachusetts Attorney General does not state when the breach was detected or when it occurred, only that an unauthorized individual accessed its network and potentially stole files that contained names, claim information, and addresses. No other information was compromised in the attack. The affected individuals have been offered complimentary access to Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services at no charge. Marywood said it has deployed additional monitoring tools and will continue to review and enhance the security of its systems.

Health Alliance

Health Alliance in Illinois has recently confirmed that the protected health information of 6,900 of its members was exposed in a data breach at a subcontractor of one of its business associates. Health Alliance Contracted with OnTrak, which used the subcontractor Keenan. On August 27, 2023, Keenan discovered the unauthorized access and disconnected its network to contain the incident. The forensic investigation confirmed that an unauthorized third party had gained access to records containing health plan members’ data. Keenan notified Health Alliance about the breach on December 20, 2023, and provided a list of the affected members on January 10, 2024.

Health Alliance then reviewed and matched the list to the records of its members and notification letters have now been sent. Health Alliance said the following information was compromised in the incident: name, address, member number, date of birth, health coverage information, and, in some cases, Social Security number. Keenan has offered the affected individuals a 24-month membership to the Experian IdentityWorksSM Credit 3B service.

Nabholz Construction

Nabholz Construction, a provider of construction-related services in Arkansas, has been affected by a data breach at Cadence Bank, that exposed the protected health information of 5,326 members of its Corporation Employee Welfare Health Plan. Cadence Bank informed Nabholz on November 29, 2023, that data had been exposed in a cyberattack that exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution. Progress Software issued a patch to fix the vulnerability on May 31, 2023; however, Cadence Bank determined that the vulnerability had been exploited between May 28, and May 31, 2023. The data compromised in the attack included names, Social Security numbers, dates of birth, addresses, medical information such as treatment information, provider names, medications, and health insurance information.

J.D. Gilmour & Co., Inc.

J.D. Gilmour & Co., Inc., a Glendale, CA-based insurance agency, discovered unauthorized access to its email environment on June 29, 2023. Third-party cybersecurity experts were engaged and conducted a forensic investigation of its entire email tenant, which confirmed there had been unauthorized access to a single employee email account. The review of the email account determined on October 27, 2023, that the protected health information of 2,481 individuals had been exposed. On December 21, 2023, J.D. Gilmour & Co. obtained the authorization to mail notification letters from the affected client. The affected individuals have been offered Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services at no cost.

United Regional Health Care System

United Regional Health Care System has recently reported a hacking-related data breach to the HHS’ Office for Civil Rights that affected 36,900 patients. There is currently no mention of a data breach on the website of the Wichita Falls, TX-based health system but the breach notification submitted to the Texas Attorney General states the breach occurred on May 30, 2023, and involved names, dates of birth, medical information, and insurance information.

The post February 14, 2024 Healthcare Data Breach Round-Up appeared first on HIPAA Journal.