Cyberattacks Have Increased but Ransomware Attacks Have Declined in 2024

IT professionals and security executives believe cyberattacks have increased since 2023, according to a recent survey by Keeper Security. The cybersecurity firm surveyed 800 IT leaders globally: 92% said cyberattacks have increased in the past year, and 95% said attacks have become so sophisticated that they feel unprepared for emerging threat vectors such as AI-based attacks (35%), deepfakes (30%), attacks leveraging 5G networks (29%), unauthorized cloud control (25%), and fileless attacks (23%). External threat actors are not the only source of attacks: 40% of respondents said they had experienced a cyberattack caused by an insider. The attack types that have increased most in frequency are phishing (51%), malware (49%), ransomware (44%), and password attacks (31%). A majority of IT professionals said phishing and smishing attacks have become much harder to detect, which many attribute to cybercriminals' use of generative AI.

Ransomware attacks surged in 2023; however, they have fallen in 2024, according to the Israeli cybersecurity firm Cyberint. In 2023, there was a 55.5% increase in ransomware victims, with 5,070 organizations reported as victims during the year and 1,309 in Q4 alone. In Q1, 2024, only 1,048 attacks were reported, which Cyberint puts at 22% below Q4, 2023.

Cyberint offers several possible explanations for the decline. There has been increased law enforcement activity, including two operations targeting two of the most active groups, LockBit and ALPHV, that disrupted their operations. In the case of LockBit, the disruption was particularly short-lived, with the group claiming to have rebuilt its infrastructure within a week of the takedown. In Q1, 2024, 210 attacks were attributed to LockBit, showing that the disruption was only temporary. In December 2023, a law enforcement operation seized some of the ALPHV group's infrastructure, and while the group remained active, only 51 attacks were confirmed in Q1, 2024, down from 109 in Q4, 2023. ALPHV also recovered quickly and, in response, removed restrictions on its affiliates and actively encouraged attacks on healthcare targets. ALPHV has since shut down following the attack on Change Healthcare, although it is expected to rebrand and return.

Cyberint also suggests that the falling number of victims paying ransoms has made ransomware attacks less profitable, leading some affiliates to pursue other sources of income. Data from the ransomware remediation firm Coveware shows the proportion of victims paying a ransom fell to a record low of 29% in Q4, 2023. The average ransom payment also fell, to $568,705 in Q4, 2023, a 33% decrease from the previous quarter.

While some groups appear to have shut down their operations, several new groups have emerged. In Q1, 2024, Cyberint tracked the emergence of 10 new ransomware groups. While these groups have not been conducting attacks on the scale of ALPHV, they have the potential to scale up their operations. One of those groups, RansomHub, is attempting to extort Change Healthcare and claims to hold the data stolen in the ALPHV ransomware attack on the company.

While the reduction in ransomware attacks is good news, it is too early to tell whether the decline will continue or if it is just a blip. What is more certain is that, in the short term at least, ransomware is likely to continue to be one of the biggest cyber threats faced by organizations.

The post Cyberattacks Have Increased but Ransomware Attacks Have Declined in 2024 appeared first on HIPAA Journal.

Children’s Healthcare of Atlanta Sued for Disclosing Health Information to Facebook

Children’s Healthcare of Atlanta is one of the latest healthcare providers to face a class action lawsuit over the use of website tracking technologies. According to the lawsuit, Children’s Healthcare of Atlanta added Meta pixel tracking code to its CHOA.org website and its MyChart patient portal. The tracking code collected data for marketing purposes and transmitted it to Facebook, where it was used to serve targeted ads.

The lawsuit was filed in the Superior Court of DeKalb County State of Georgia and alleges the tracking code was knowingly configured to collect user data from the website and patient portal, and that the code transmitted data to Facebook, including sensitive health information such as information about patients’ health concerns, appointment details, and treatments. The information was not anonymous, as it was tied to individuals via identifiers such as IP addresses, Facebook IDs, and browser and device information.
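The identifiers the lawsuit describes are visible in what a tracking pixel actually sends. The following is an added example (not HIPAA Journal's text, and not code from Children's Healthcare of Atlanta or Meta): a static audit that scans page HTML for the Meta pixel and decodes a captured pixel beacon to show which fields tie a hit to a visitor and a page. The sample HTML, the pixel ID, the `/MyChart` portal prefix and the beacon URL are constructed for illustration, and the beacon parameter names (`id`, `ev`, `dl`, `fbp`, `fbc`, `cd[...]`) are assumed to be those carried by the pixel's requests to www.facebook.com/tr.

```javascript
// Added example: static audit for the Meta pixel on a healthcare site.
// Nothing here is executed from the page; the HTML is only pattern-matched.
// Sample pages, pixel ID and beacon URL are constructed for illustration;
// the beacon parameter names are assumed, not taken from Meta documentation.

const PORTAL_PREFIXES = ['/MyChart'];   // assumed patient-portal path prefixes
const BEACON_HOST = 'www.facebook.com';

// Detect the pixel in raw HTML: the loader script, fbq('init', '<id>') calls,
// tracked events, and the <noscript> image fallback that fires without JS.
function findMetaPixel(html) {
  const loader = /connect\.facebook\.net\/[^'"\s]*fbevents\.js/.test(html);
  const pixelIds = [];
  const events = [];
  const initRe = /fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]/g;
  const trackRe = /fbq\(\s*['"]track(?:Custom)?['"]\s*,\s*['"]([^'"]+)['"]/g;
  let m;
  while ((m = initRe.exec(html)) !== null) {
    if (!pixelIds.includes(m[1])) pixelIds.push(m[1]);
  }
  while ((m = trackRe.exec(html)) !== null) events.push(m[1]);
  let noscriptBeacon = false;
  const imgRe = /<img[^>]+src=["']([^"']+)["']/gi;
  while ((m = imgRe.exec(html)) !== null) {
    try {
      const u = new URL(m[1], 'https://site.invalid/');
      if (u.hostname === BEACON_HOST && u.pathname.startsWith('/tr')) noscriptBeacon = true;
    } catch (_) { /* unparsable src: ignore */ }
  }
  return { present: loader || pixelIds.length > 0 || noscriptBeacon, loader, pixelIds, events, noscriptBeacon };
}

// Decode a captured beacon URL and list the identifying fields it carries.
function analyzeBeacon(beaconUrl) {
  const p = new URL(beaconUrl).searchParams;
  const page = p.get('dl') ? new URL(p.get('dl')) : null;  // dl = full URL of the visited page
  return {
    pixelId: p.get('id'),
    event: p.get('ev'),
    pagePath: page ? page.pathname : null,
    // the visited page's own query string (e.g. visit or appointment ids) travels verbatim inside dl
    pageQueryKeys: page ? [...page.searchParams.keys()] : [],
    hasBrowserId: p.has('fbp'),  // _fbp cookie value: a per-browser identifier
    hasClickId: p.has('fbc'),    // _fbc cookie value: links the visit to a Facebook ad click
    customData: [...p.keys()].filter(k => k.startsWith('cd[')).map(k => k.slice(3, -1)),
  };
}

// Flag every page under a portal prefix that carries the pixel.
function auditPages(pages, prefixes = PORTAL_PREFIXES) {
  return pages
    .filter(pg => prefixes.some(pre => pg.path.startsWith(pre)))
    .map(pg => ({ path: pg.path, ...findMetaPixel(pg.html) }))
    .filter(r => r.present);
}

// Constructed sample input: a portal page with a standard pixel snippet, and a public page without one.
const SAMPLE_PAGES = [
  { path: '/MyChart/Visits/Details', html: `<html><head><script>
!function(f,b,e,v,n,t,s){/* loader body elided */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '1234567890');
fbq('track', 'PageView');
fbq('trackCustom', 'ScheduleAppointment');
</script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1"/></noscript>
</head><body>Visit details</body></html>` },
  { path: '/about', html: '<html><body>No tracking here</body></html>' },
];

// Constructed sample beacon, shaped like the request the browser would make for the page above.
const SAMPLE_BEACON =
  'https://www.facebook.com/tr/?id=1234567890&ev=PageView' +
  '&dl=' + encodeURIComponent('https://portal.example.invalid/MyChart/Visits/Details?csn=555&dept=cardiology') +
  '&rl=&if=false&ts=1700000000000&fbp=fb.1.1700000000000.123456789' +
  '&cd%5Bpage_title%5D=Visit%20Details';

console.log(JSON.stringify(auditPages(SAMPLE_PAGES), null, 2));
console.log(JSON.stringify(analyzeBeacon(SAMPLE_BEACON), null, 2));
```

Run against crawled copies of every authenticated page, the audit reports which portal paths load the pixel at all; the beacon decoder makes the second point concrete: even with no form fields captured, the `dl` parameter delivers the page path and query string (here `csn` and `dept`) together with the `_fbp` browser identifier, which is what lets a recipient link a visit to an individual.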

The lawsuit alleges that the addition of the tracking code to the website and patient portal, and the subsequent disclosures of protected health information to Facebook, violated the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Healthcare of Atlanta privacy policy. The plaintiff, who filed the lawsuit individually and on behalf of her two children, alleges that at no point was she told that Children’s Healthcare of Atlanta would be sharing her and her children’s data with third parties for profit, did not provide her consent, and was not made aware that the data would be provided to Facebook, which the lawsuit described as, “a company with a sordid history of violating consumer privacy in pursuit of ever-increasing advertising revenue.”

The lawsuit alleges the plaintiff and class members have been harmed by the disclosures, including but not limited to an invasion of their privacy rights, and brings causes of action for negligence, negligence per se, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence, and bailment. The lawsuit seeks damages and other relief that the court deems just and proper. The plaintiff and class are represented by attorneys from the law firms Alonso Wirth; Cohen & Malad; Stranch, Jennings & Garvey; and Turke & Strauss.

A lawsuit against Seattle Children’s Hospital (SCH) that made similar allegations with respect to the use of the Meta pixel was recently dismissed with prejudice by a Washington court. Seattle Children’s Hospital successfully argued that it only transmitted anonymous data to third parties, that its privacy policy disclosed the sharing of anonymous data with third parties, and that it had not added tracking code to its patient portal. SCH said any identifiable information that was disclosed was due to the plaintiffs using browsers that allowed them to be identified, for which they had given their consent.


Medicare Data Exposed in Data Breach at Boston Consulting Firm

Greylock McKinnon Associates, Inc. (GMA), a Boston consulting firm that provides litigation support, has suffered a data breach affecting 341,650 individuals. According to the GMA breach notice, a security incident was detected on May 30, 2023, and the subsequent forensic investigation revealed that the firm had fallen victim to a sophisticated cyberattack. The exposure of sensitive personal data was confirmed on February 7, 2024.

The breach included Medicare health insurance claim numbers (which contain Social Security numbers), health insurance information, and medical information, along with names, addresses, and dates of birth. GMA said the personal data was obtained by the Department of Justice (DOJ) as part of a civil litigation matter and was provided to GMA by the DOJ in relation to the litigation support provided by the firm. GMA confirmed that the affected individuals were not the subject of the investigation or the associated litigation, and the DOJ has confirmed that the incident does not affect their current Medicare benefits or coverage. Notification letters were sent to the affected individuals on April 8, 2024, and they have been offered complimentary access to Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services.

Medicare data, medical information, and health insurance information are classed as protected health information under the Health Insurance Portability and Accountability Act (HIPAA), but only if that information is collected, processed, stored, or transmitted by a HIPAA-covered entity or a business associate of a HIPAA-covered entity. Neither GMA nor the DOJ is a HIPAA-covered entity or business associate, so the breached information is not protected under HIPAA.

However, companies such as GMA are required to comply with the Federal Trade Commission (FTC) Act, and the FTC has taken several actions against companies over data breaches in recent months, including over the failure to issue prompt notifications as required by the FTC’s Health Breach Notification Rule. Like the HIPAA Breach Notification Rule, the FTC Health Breach Notification Rule requires individual notification letters to be issued without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach of security (the rule’s scope is limited to vendors of personal health records and related entities, so whether it reaches a litigation-support firm is a question for the court). GMA sent its notification letters more than 10 months after the security incident was first detected, and 61 days after the exposure of personal data was confirmed on February 7, 2024, which could see the company investigated by the FTC. GMA is currently facing at least one class action lawsuit over the data breach, which alleges violations of the FTC Act and the Health Breach Notification Rule.


Companies with Strong Cybersecurity Programs Deliver Higher Returns for Shareholders

Investing in cybersecurity can help organizations prevent data breaches and avoid regulatory fines, but there are other benefits. A recently released report from Diligent Institute and Bitsight shows organizations that have a strong cybersecurity program tend to have better financial performance and deliver higher returns for their shareholders.

For the report, Diligent Institute and Bitsight analyzed data from 4,149 mid to large-sized organizations in multiple sectors across Australia, Canada, France, Germany, Japan, the United Kingdom, and the United States. Cybersecurity oversight at the committee level was assessed to determine the impact on cybersecurity risk ratings and each company’s cyber oversight structure was correlated with their security performance data, with each company given a security performance classification of basic, intermediate, or advanced.

The study revealed that companies with advanced security ratings created almost 4 times as much value for their shareholders as companies with basic security ratings. The average Total Shareholder Return (TSR) for companies with an advanced security rating was 71% over three years and 67% over five years, compared with 37% and 14% respectively for companies with a basic security rating; by the report’s figures, that is about 91% higher over three years and 372% higher over five years.

The report showed that healthcare and other highly-regulated sectors appreciate the importance of cybersecurity and understand that cybersecurity is not simply an IT problem, rather it is an enterprise risk that can have an impact on the company’s short-term performance and long-term health. Healthcare outperformed other sectors in terms of cybersecurity performance and had the highest average security rating of all industries represented in the study.

In addition to the correlation between cybersecurity performance and shareholder return, the researchers found a correlation between board structure and security ratings, with companies that had specialized risk or audit committees performing better than those that did not. Companies with specialized risk or audit committees had an average security rating of 710, compared to an average rating of 650 for companies that had neither of these committees.

Integrating a cybersecurity expert into a board committee tasked with cybersecurity risk oversight makes a significant difference to an organization’s security performance; however, simply having a cybersecurity expert on the board does not mean a company will have a better security rating. Companies with cybersecurity experts on the board had an average security rating of 580, compared to an average rating of 700 for companies that had cybersecurity experts on either audit committees or specialized risk committees. The researchers note that it is rare for boards to include cybersecurity experts, with only 5% of the assessed companies having cybersecurity experts on their boards. “Companies seeking to hire cybersecurity expertise for the board should first ensure that the board is appropriately organized so that expertise can be properly incorporated into the oversight mechanisms,” suggested the researchers.
