CMS Updates Policy to Allow Clinical Teams to Text Patient Orders – Medriva
Fortra GoAnywhere Hacking Lawsuits Consolidated in the Southern District of Florida
Dozens of lawsuits that were filed in response to the mass exploitation of a vulnerability in Fortra’s GoAnywhere MFT file transfer solution have recently been consolidated into a single lawsuit that will be heard in the Southern District of Florida.
The lawsuits stem from the mass exploitation of a vulnerability by the Clop group. The Clop group, aka Cl0p, is a financially motivated threat actor known for ransomware and extortion-only attacks, which has a history of exploiting vulnerabilities in file transfer solutions. Clop exploited flaws in the Accellion File Transfer Appliance in December 2020, SolarWinds Serv-U Managed File Transfer and Secure FTP software in November 2021, and Fortra’s GoAnywhere MFT solution between January and February 2023. Later in the year, Clop went on to exploit a zero-day vulnerability in Progress Software’s MOVEit Transfer solution.
More than 2,700 users of MOVEit software suffered attacks, the Fortra GoAnywhere vulnerability was exploited to attack around 130 organizations, and Accellion attacks affected more than two dozen organizations. In these attacks, Clop opted for data theft and extortion and chose not to encrypt files, even though the group claimed that it could have done so. Without encryption, attacks are faster and more efficient and there were no apparent attempts at wider compromises. The attacks have certainly proven to be profitable for Clop, which has raked in over $100 million in ransom payments this year from its mass exploitation attacks.
While these mass hacking incidents were similar and the subsequent lawsuits in each made similar claims, the U.S. Judicial Panel on Multidistrict Litigation opted not to consolidate the lawsuits against Accellion and its customers but did consolidate lawsuits related to the GoAnywhere and MOVEit hacking incidents. Organizations that were against consolidation in the Fortra lawsuits argued that the Judicial Panel on Multidistrict Litigation should similarly rule against consolidation as it did with the Accellion actions.
The decision to deny centralization in the Accellion actions, of which there were 26, was due to most parties opposing centralization of the litigation and preferring to cooperate informally, and because there were likely to be allegations specific to each defendant’s role in the breach of plaintiffs’ data since the vulnerability was present in a legacy file transfer solution that Accellion had been encouraging customers to migrate away from. The Fortra GoAnywhere solution is actively used by more than 100 organizations and is not a legacy product; therefore, there are likely to be significant questions about Fortra’s role in the ultimate exploitation of the vulnerability.
All of the GoAnywhere lawsuits are expected to share common and complex factual questions surrounding how the vulnerability occurred, the unauthorized access and data exfiltration, Fortra’s role in the vulnerability and the response to it, and the plaintiffs bringing largely overlapping putative nationwide class actions. Centralization of the actions offers substantial opportunities to streamline pretrial proceedings, reduce duplicative discovery and conflicting pretrial obligations, prevent inconsistent rulings on common evidentiary challenges and summary judgment motions, and conserve the resources of the parties, their counsel, and the judiciary.
The decision to centralize 46 actions across seven districts was supported by several of the organizations named in the lawsuits, including Aetna, Community Health Systems, Brightline, and Fortra. Anthem Insurance Companies Inc. was named in a single action and was against centralization, and plaintiffs in the District of Minnesota held no position on consolidation, although they favored Minnesota if consolidated. The Judicial Panel on Multidistrict Litigation chose the Southern District of Florida to hear the case as that is where 18 of the lawsuits were filed, more than in any other appropriate transferee district.
The consolidated data breach litigation includes 18 actions against NationBenefits LLC/NationBenefits Holdings in the Southern District of Florida, 8 against Community Health Systems Inc./CHSPSC LLC in the Middle District of Tennessee, 7 against Intellihartx in the Northern District of Ohio, 4 actions against Brightline Inc in the Northern District of California, 4 against Aetna Inc/Aetna International and 3 against NationBenefits LLC in the District of Connecticut, 1 against Anthem Insurance Companies Inc in the Southern District of Indiana, and 1 against Fortra LLC in the District of Minnesota.
The post Fortra GoAnywhere Hacking Lawsuits Consolidated in the Southern District of Florida appeared first on HIPAA Journal.
HHS Releases Final Rule on 42 CFR Part 2 – Spencer Fane
Healthcare Sector Warned About Akira Ransomware Attacks – HIPAA Journal
Healthcare Sector Warned About Akira Ransomware Attacks
The Healthcare and Public Health (HPH) Sector has been warned about cyberattacks involving Akira ransomware, of which there have been at least 81 since the new ransomware variant was discovered in May 2023. This is the second alert to be issued by the HHS’ Health Sector Cybersecurity Coordination Center in the past 6 months, with the latest alert including updated information on the tactics, techniques, and procedures (TTPs) used by the group.
Since the group operates out of Russia, attacks on targets in the Commonwealth of Independent States (CIS) are prohibited. The majority of Akira ransomware victims are located in the United States and most of its victims have been located in California, Texas, Illinois, and states on the East Coast, especially the Northeast. The group has conducted attacks on targets in multiple sectors, with materials, manufacturing, goods and services, construction, education, finance, legal, and healthcare favored.
Akira is a ransomware-as-a-service (RaaS) operation that is thought to have ties to the Conti ransomware group. Conti was a prolific ransomware group that wreaked havoc over a two-year period from 2020 but was suddenly shut down in 2022. The TTPs used by Akira are similar in many areas to Conti, which suggests that the groups are linked and that Akira is a highly capable and sophisticated threat group. In 2017, another ransomware variant was identified that was also called Akira but the latest attacks do not appear to be related.
Initial access is most commonly gained via compromised credentials, including credentials obtained through spear phishing, although the group is also known to exploit vulnerabilities in virtual private networks and other public-facing applications, especially those that do not have multifactor authentication enabled. Once initial access has been gained, the group establishes persistent access, uses tools to hide the malicious activity, conducts network reconnaissance to understand the operational environment, then moves laterally and establishes communications with their command-and-control center. Like many other RaaS groups, Akira engages in double extortion with sensitive data stolen before ransomware is deployed. Victims must pay two fees – one to decrypt their data and another to prevent the publication of the stolen data.
The alert includes several recommendations for improving security to prevent attacks and reducing the severity of attacks that it is not possible to prevent. Preventative measures include using multi-factor authentication wherever possible; ensuring software is kept patched and up to date, especially for VPNs and other Internet-facing applications; disabling unused remote access ports; monitoring remote access logs; reviewing domain controllers, active directories, servers, and workstations for new accounts; reviewing Task Scheduler for unrecognized scheduled tasks; setting unique complex passwords for accounts; and regularly changing passwords to network systems and accounts. Administrative credentials should be required for installing software, and organizations should consider adding banners to emails that originate from external sources and disabling hyperlinks in emails. To minimize the harm caused, networks should be segmented and backups regularly performed, with backups stored offline. Copies of critical data should not be accessible for modification or deletion from the system where the data resides.
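Three of the review steps above (new accounts, unrecognized scheduled tasks, remote access logs) can be run as a comparison against a known-good baseline. The following is an added example, not part of the alert or the original article; the CSV export layout, host names, account names, task names, and baseline values are all constructed assumptions, while the event IDs are the standard Windows Security log IDs.

```python
import csv
import io
import ipaddress

# Constructed sample export of Windows Security events (not real data).
# 4720 = user account created, 4698 = scheduled task created,
# 4624 with logon type 10 = remote interactive (RDP) logon.
SAMPLE = r"""time,host,event_id,subject,object,logon_type,source_ip
2024-02-10T02:14:00,DC01,4720,svc_backup,itadm2,,
2024-02-10T02:16:30,DC01,4698,itadm2,\Updater\sync,,
2024-02-10T09:05:00,WS044,4698,SYSTEM,\Microsoft\Windows\Defrag\ScheduledDefrag,,
2024-02-10T02:11:00,RDS01,4624,svc_backup,,10,203.0.113.45
2024-02-10T08:30:00,WS044,4624,jdoe,,10,10.20.1.15
"""

# Hypothetical baseline: accounts, tasks and networks the organization expects.
KNOWN_ACCOUNTS = {"jdoe", "svc_backup"}
KNOWN_TASKS = {r"\Microsoft\Windows\Defrag\ScheduledDefrag"}
TRUSTED_NETS = ["10.0.0.0/8"]


def review(export, known_accounts, known_tasks, trusted_nets):
    """Return time-ordered (time, host, finding) tuples for events outside the baseline."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for row in csv.DictReader(io.StringIO(export)):
        eid, obj, who = row["event_id"], row["object"], row["subject"]
        if eid == "4720" and obj not in known_accounts:
            finding = f"new account {obj} created by {who}"
        elif eid == "4698" and obj not in known_tasks:
            finding = f"unrecognized scheduled task {obj} registered by {who}"
        elif eid == "4624" and row["logon_type"] == "10":
            ip = ipaddress.ip_address(row["source_ip"])
            if any(ip in n for n in nets):
                continue  # remote logon from an expected network
            finding = f"remote logon by {who} from untrusted address {ip}"
        else:
            continue
        findings.append((row["time"], row["host"], finding))
    # ISO 8601 timestamps sort chronologically as strings, so the result
    # reads as a timeline: remote logon, then new account, then new task.
    return sorted(findings)


if __name__ == "__main__":
    for when, host, finding in review(SAMPLE, KNOWN_ACCOUNTS, KNOWN_TASKS, TRUSTED_NETS):
        print(when, host, finding)
```

Sorting the findings by time puts a remote logon, an account creation, and a task registration that occur minutes apart next to each other, which is the sequence a reviewer needs to see together.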
The post Healthcare Sector Warned About Akira Ransomware Attacks appeared first on HIPAA Journal.
HHS Issues Final Rule Modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records Regulations – HIPAA Journal
HHS Issues Final Rule Modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records Regulations
The U.S. Department of Health and Human Services (HHS) has finalized the proposed modifications to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (Part 2). “The Final Rule strengthens confidentiality protections while improving care coordination for patients and providers. Patients can seek needed treatment and care for substance use disorder knowing that greater protections are in place to keep their records private, and providers can now better share information to improve patient care,” said OCR Director Melanie Fontes Rainer.
The Part 2 regulations have been in effect since 1975 and protect “records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder [SUD] education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” These records are subject to strict protections due to the sensitivity of the information they contain and to avoid deterring people from seeking treatment for SUD due to fears about discrimination and prosecution.
The bipartisan Coronavirus Aid, Relief, and Economic Security Act (CARES Act) called for the Part 2 regulations to be more closely aligned with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Breach Notification, and Enforcement Rules. On December 2, 2022, the HHS, via the Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA), published a Notice of Proposed Rulemaking (NPRM) to implement the changes required by the CARES Act. The comments received from industry stakeholders in response to the NPRM have been considered and appropriate modifications have been made before finalizing the changes.
The modifications include permitting the use and disclosure of Part 2 records based on a single patient consent. Once that consent has been given by a patient it covers all future uses and disclosures for treatment, payment, and health care operations. The final rule also permits disclosure of records without patient consent to public health authorities, provided the records are first deidentified using the methods stated in HIPAA. Redisclosure of Part 2 records by HIPAA-covered entities and business associates is permitted, provided those disclosures are in accordance with the HIPAA Privacy Rule, with certain exceptions. Separate consent is required for the disclosure of SUD clinician notes, which will be handled in the same way that psychotherapy notes are handled under HIPAA.
Patients’ SUD treatment records were already protected and could not be used to investigate or prosecute the patient unless written consent is obtained from the patient or as required by a court order that meets Part 2 requirements. Prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings have also been expanded in the final rule. The final rule clarifies the steps that investigative agencies must follow to be eligible for safe harbor. Before any request for records is made, the agency is required to search the SAMHSA treatment facility directory and check the provider’s Notice of Privacy Practices to determine if they are subject to Part 2.
The final rule gives patients new rights to obtain an “accounting of disclosures,” request restrictions on certain disclosures, and opt out of receiving fundraising communications, as is the case under the HIPAA Privacy Rule. Patients will also be able to file a complaint about Part 2 violations directly with the Secretary. In the event of a breach of Part 2 records, the requirements for notifications are now the same as the HIPAA Breach Notification Rule. The HHS has also been given enforcement authority, including the ability to impose civil monetary penalties for Part 2 violations. The criminal and civil penalties for Part 2 violations will be the same as those for violations of the HIPAA Rules. Other changes that have been introduced based on comments received on the NPRM include a statement confirming that Part 2 records do not need to be segregated and that it is not permitted to combine patient consent for the use and disclosure of records for civil, criminal, administrative, or legislative proceedings with patient consent for any other use or disclosure.
“Patient confidentiality is one of the bedrock principles in health care. People who are struggling with substance use disorders must have the same ability to keep their information private as anyone else. This new rule helps to ensure that happens, by strengthening confidentiality protections and improving the integration of behavioral health with other medical records,” said HHS Secretary Xavier Becerra. “The Biden-Harris Administration has made it a priority to end the stigmatization of those living with substance use disorders and give health care providers the tools they need so they can treat the whole patient while continuing to protect patient privacy. We will not rest until behavioral health is fully integrated into health care and those struggling with behavioral health challenges get the best treatment available.”
The final rule is due to be published in the Federal Register in mid-February. The compliance date has been set as 2 years from the date of publication. A fact sheet has been published by the HHS summarizing the changes that have been made in the Final Rule.
The post HHS Issues Final Rule Modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records Regulations appeared first on HIPAA Journal.