Ransom Payments Exceeded $1 Billion in 2023

A new report from Chainalysis has revealed that victims of ransomware attacks paid hackers $1.1 billion in 2023 to obtain the keys to unlock their data and to prevent the release of information stolen in the attacks. Last year was the first time that ransom payments exceeded $1 billion, and the annual total was a sizeable jump from the $567 million paid in 2022. These are also conservative figures, as the researchers are unaware of all of the cryptocurrency wallets used by ransomware gangs.

Ransom payments had been increasing each year until 2022, when they fell from $983 million in 2021 to $567 million. The researchers believe this anomaly is linked to the Russia-Ukraine war. Many hackers shifted their operations from ransomware attacks to attacks focused on espionage and destruction against Ukrainian targets, and those that did continue with ransomware found it harder to get paid, as Western victims became concerned about sanctions risks given that many ransomware groups are based in Russia.

In 2023, there was a shift back to ransomware attacks, with ransomware actors choosing to attack high-profile institutions and critical infrastructure, including schools, hospitals, and government agencies, and the attacks increased in scope and complexity. There were also mass extortion-only attacks by the Clop ransomware group on file transfer solutions such as GoAnywhere MFT and MOVEit, with Clop getting paid at least $100 million for the attacks that exploited the vulnerability in MOVEit.

Chainalysis has observed a trend toward big game hunting, which has become the dominant strategy in recent years, but there is considerable variety across the ransomware ecosystem, with RaaS operations such as Phobos receiving low payments but making up for that with volume. These groups lower the entry barrier and make it easy for relatively low-skilled hackers to start conducting attacks.

Several trends were observed in 2023, including astronomical growth in the number of threat actors carrying out ransomware attacks. Recorded Future reported 538 new ransomware variants in 2023, which suggests the emergence of many new, smaller ransomware groups. There has also been a shortening of the dwell time, with ransomware deployed more rapidly after initial access, and ransomware groups have been developing more efficient and aggressive tactics.

There were some success stories in 2023 due to law enforcement operations, including the takedown of the Hive group and the disruption of Alphv. The FBI reports that the Hive operation allowed it to provide the decryption keys to many victims, saving $130 million in ransom payments, although Chainalysis estimates the impact was far greater, with the disruption preventing an estimated $210.4 million in payments.

The post Ransom Payments Exceeded $1 Billion in 2023 appeared first on HIPAA Journal.

CISA Pre-Ransomware Alerts Helped 154 Healthcare Organizations Save Millions in Costs

In the past year, more than 150 healthcare organizations have benefited from alerts from the Cybersecurity and Infrastructure Security Agency (CISA) about vulnerabilities and intrusions, which have helped them to implement mitigations before harm has been caused. These alerts have helped victims of attacks avoid delays to patient care and have saved millions of dollars in costs.

In March 2023, CISA launched its Pre-Ransomware Notification Initiative, under which alerts are issued when vulnerabilities known to be actively exploited by ransomware groups are detected, allowing organizations to take action before those vulnerabilities are exploited against them. There is a dwell time after a vulnerability has been exploited before ransomware is deployed, which can be a few hours to a few days. If organizations are alerted about an attack in its early stages, it is possible to block the attack before data theft and file encryption occur. Since launching the pilot program in January 2023, CISA has sent more than 1,200 such notifications, including to 154 healthcare organizations about early-stage ransomware activity.

When CISA’s Joint Cyber Defense Collaborative (JCDC) gets tips from the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about potential early-stage ransomware activity, JCDC notifies the affected company and provides specific mitigation advice to help them rapidly respond. There have been cases where the advice has come after file encryption, and in those cases, JCDC has worked closely with the organizations to help them with their remediation efforts. One of the successes of this program was an early notification to a mass transport partner that prevented an estimated $350 million attack on critical transportation infrastructure.

In some cases, JCDC has been able to identify the exfiltrated data and provide detailed information about the intrusion to support the investigative and remediation efforts. In 2023, a Fortune 500 organization suffered a $60 million ransomware attack, and CISA was able to help it establish a CISO position and provided guidance to help it improve its IT infrastructure and security controls to better defend against future attacks.

Azura Vascular Care Reports Data Breach Affecting 348,000 Patients

Azura Vascular Care, a Pennsylvania-based operator of 70 outpatient vascular centers and ambulatory surgery centers in 25 states and Puerto Rico, notified the HHS’ Office for Civil Rights last month about a cybersecurity incident involving the protected health information of 348,000 patients.

The incident was detected on November 9, 2023. Cybersecurity experts were engaged to assist with the investigation, which confirmed that unauthorized individuals accessed certain systems on or before September 27, 2023, and encrypted certain files. On November 15, 2023, it was confirmed that some of the files that were available to the hackers contained patient data such as names, mailing addresses, dates of birth, and other demographic and contact information, including emergency contact information, Social Security numbers, insurance information, diagnosis and treatment information, and other information from medical or billing records.

Some guarantor information was also exposed, including names, mailing addresses, telephone numbers, dates of birth, Social Security Numbers, and email addresses. Azura Vascular Care said individuals who had sensitive information exposed such as Social Security numbers have been offered complimentary identity protection, credit monitoring, and fraud resolution services.

Covenant Care California Assessing Scope of Cyberattack

Covenant Care California, LLC, which operates skilled nursing facilities and home health agencies throughout California and Nevada, has confirmed there has been unauthorized access to files containing the personal and protected health information of patients and other individuals. The cyberattack was detected on November 14, 2023, and while the investigation is ongoing, it has been determined that files were removed from its network between November 12 and November 14.

The incident has affected current and former patients, prospective patient referrals, and responsible parties of patients who received services from a facility or agency operated by Covenant Care, including rehabilitation services provided through a company called AFFIRMA and home health services provided under the names Focus Health, Elevate Home Health, Choice Home Health Care, and San Diego Home Health.

The list of affected individuals has yet to be finalized, but Covenant Care California has confirmed that the incident involved the following information: name, date of birth, medical information, and/or health insurance information, including diagnosis or treatment information and/or claims and billing information. For some individuals, the information may also include Social Security number, financial account or credit/debit card numbers, driver’s license or state/federal identification number, and/or other personal information.

The breach has been reported to the HHS’ Office for Civil Rights with an interim total of 501 individuals, which will be updated when the investigation concludes. Affected individuals are being offered credit monitoring and identity theft restoration services at no cost.

Cooper Aerobics Announces 124K-Record Data Breach

Cooper Aerobics, on behalf of Cooper Clinic, Cooper Medical Imaging, and Cooper Aerobics Enterprises in Texas, has notified 124,341 individuals that some of their protected health information was exposed in a cyberattack in early 2023. It is not clear from the notification letters when the intrusion occurred. After a comprehensive investigation and file review, Cooper Aerobics learned on December 8, 2023, that files containing the personal and protected health information of patients were potentially removed from its network on February 3, 2023.

Patients have been notified that the following information was potentially involved: name, address, phone number, email address, date of birth, credit or debit card number (including expiration date, and financial account and routing number), tax identification number, driver’s license or government identification, passport number, username and password, Social Security number, and health information (including medical record/patient account number, prescription information, medical provider, and medical procedures), and health insurance information.

Cooper Aerobics started notifying the affected individuals on January 5, 2024 and said it continually evaluates and modifies its practices and internal controls to protect against unauthorized access and will continue to do so.

6,000 Individuals Impacted by Ransomware Attack on Colorado Ophthalmology Associates

Colorado Ophthalmology Associates (COA) has recently disclosed a ransomware attack that was discovered on November 14, 2023. Data exfiltration is common in ransomware attacks, but no evidence of data theft was identified during the forensic investigation. COA said that the attack involved automated encryption and resulted in the loss of electronic medical record files for patient visits or exams conducted between April 10, 2023, and November 14, 2023.

The forensic investigation confirmed that the intrusion began as early as October 4, 2023, and ended on November 14, 2023. The types of information exposed in the attack were limited to names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers, insurance information, dates of service, types of services, diagnoses, conditions, prescriptions, test results, medications, and other treatment information. The incident has been reported to the HHS’ Office for Civil Rights as affecting up to 6,020 individuals.

HTI-1 Final Rule Takes Effect Today

The Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing (HTI-1) Final Rule takes effect today (February 8, 2024). The Final Rule was issued through the HHS’ Office of the National Coordinator for Health Information Technology (ONC) and was released on December 13, 2023.

The Final Rule implements provisions of the 21st Century Cures Act and updates the ONC Health IT Certification Program with new and updated standards to promote valid, safe, effective, and fair development and implementation of AI systems, in line with the principles and priorities of President Biden’s Executive Order 14110: Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. The Final Rule is intended to advance ONC-certified health IT interoperability, algorithm transparency, and data standardization to improve patient outcomes and reduce healthcare costs.

The Final Rule establishes new requirements for transparency for AI and other predictive algorithms that are part of ONC-certified health IT, which is utilized by more than 96% of hospitals and 78% of office-based physicians in the United States. The transparency requirements allow clinical users of systems that incorporate AI and machine learning algorithms to access a consistent, baseline set of information about the algorithms and assess them for fairness, appropriateness, validity, effectiveness, and safety.

The Final Rule adopts the United States Core Data for Interoperability (USCDI) Version 3 (v3) as the new baseline standard within the ONC Health IT Certification Program. USCDI v3 includes updates to prior USCDI versions that are aimed at capturing more accurate and complete patient characteristics data to promote equity, reduce disparities, and support public health data interoperability. While the Final Rule is now in effect, developers of certified health IT have until January 1, 2026, to move to USCDI v3, although they can make that move sooner.

The Final Rule also introduced new information blocking requirements to support information sharing, revised some information blocking definitions, and added a new exception to encourage secure, efficient, standards-based exchange of electronic health information under the Trusted Exchange Framework and Common Agreement (TEFCA).

The Final Rule also introduced new interoperability-focused reporting metrics for certified health IT to give better insight into how certified health IT is used to support care delivery, implementing the 21st Century Cures Act requirement to adopt a Condition of Certification under which developers of certified health IT must report metrics as part of their participation in the Certification Program.

With the Final Rule now in effect, it is important to ensure that IT systems, information sharing policies, data collection, and reporting practices are assessed to ensure they are compliant with these new requirements.

Advice for New Physicians on Avoiding Medicare and Medicaid Fraud and Abuse

The U.S. Department of Health & Human Services Office of Inspector General (HHS-OIG) has published a Roadmap for New Physicians on avoiding Medicare and Medicaid fraud and abuse. The guidance for new physicians is intended to explain how to comply with Federal laws that combat fraud and abuse, how to identify red flags that could lead to potential liability in law enforcement and administrative actions, and includes tips on compliance with these laws in physicians’ relationships with payers, vendors, and fellow providers.

The Federal Government places enormous trust in physicians, and programs such as Medicare and Medicaid rely on physicians’ medical judgment to treat beneficiaries of these programs with appropriate services and to submit accurate and truthful claims. While most physicians work ethically, provide appropriate care to patients, and submit claims accurately, there are a few who attempt to cheat the system for personal financial gain. As a result of dishonest healthcare providers, laws have been created to combat fraud and abuse.

There are five main Federal fraud and abuse laws that physicians should be aware of:

  • The False Claims Act
  • The Anti-Kickback Statute
  • The Physician Self-referral (Stark) Law
  • The Exclusion Statute, and
  • The Civil Monetary Penalties Law

The False Claims Act protects the government from being overcharged or sold shoddy goods and services. Submitting claims for Medicare and Medicaid that are known to be fraudulent is illegal and carries a penalty of up to three times the programs’ loss plus $11,000 per claim. These penalties apply regardless of whether there was specific intent to defraud. There are whistleblower provisions that allow individuals to file suits on behalf of the United States and obtain a percentage of any recoveries. There is also a criminal False Claims Act, and physicians have received criminal fines and have served time in jail for submitting false claims.

The Anti-Kickback Statute is a criminal law prohibiting knowing and willful payment of remuneration for inducing or rewarding patient referrals and the generation of business involving items or services payable by the Federal health care programs. Penalties for kickbacks include fines, jail time, and exclusion from Federal health care programs. The penalty is $50,000 per kickback plus three times the amount of the remuneration.

The Physician Self-referral (Stark) Law prohibits physicians from referring patients to receive “designated health services” payable by Medicare or Medicaid from entities with which the physician or an immediate family member has a financial relationship unless an exception applies. As with the False Claims Act, the Stark law does not require proof of specific intent to violate the law. Penalties for self-referrals include fines and exclusion from Federal health care programs.

The Exclusion Statute requires the HHS-OIG to exclude individuals from participation in all Federal healthcare programs if they are found to have committed Medicare or Medicaid fraud, patient abuse or neglect, have felony convictions for other health-care-related fraud, theft, or other financial misconduct, or felony convictions for unlawful manufacture, distribution, prescription, or dispensing of controlled substances. Exclusion means Federal health care programs will not pay for items or services furnished, ordered, or prescribed by excluded individuals.

Under the Civil Monetary Penalties Law, the HHS-OIG may seek civil monetary penalties for a wide variety of conduct and also exclusion. Penalties range from $10,000 to $50,000 per violation.

The Roadmap for New Physicians and other guidance material are available from the HHS-OIG website.
