Russian National Sanctioned for Medibank Ransomware Attack

A Russian national who was involved in a ransomware attack on the Australian health insurance provider Medibank in 2022 has been sanctioned by the governments of Australia, the United States, and the United Kingdom.

Alexander Ermakov (aka blade_runner, GistaveDore, GustaveDore, or JimJones), 33, is believed to have been a member of the now-disbanded ransomware group REvil. REvil was one of the most notorious cybercriminal groups until July 2021, when the group ceased operations and disappeared. Prior to that, the group was a ransomware-as-a-service group that encrypted approximately 175,000 computers and was paid an estimated $200 million in ransom payments from its attacks.

In October 2022, REvil gained access to the Medibank network and stole the data of approximately 9.7 million of its customers and then used ransomware to encrypt files. The stolen data included names, dates of birth, Medicare numbers, and highly sensitive medical information including mental health, sexual health and drug use data.

As a Russian national, Ermakov is unlikely to face justice for the REvil attacks, as there is no extradition treaty with Australia, the United States, or the United Kingdom, and Ermakov is unlikely to travel to any country where there is a risk of arrest. The U.S. Department of the Treasury criticized Russia for allowing ransomware gangs to operate within its borders and freely conduct attacks around the world, and for enabling ransomware attacks by cultivating and co-opting criminal hackers. The Treasury has called for Russia to take concrete steps to prevent cyber criminals from freely operating in its jurisdiction.

The sanctions mean that it is a criminal offence to provide any assets to Ermakov or to use or deal with any of his assets, which includes making ransom payments through cryptocurrency wallets. Australia was the first to sanction Ermakov, closely followed by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the UK government. OFAC said all property and interests in property of Ermakov that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC. Any entities that are directly or indirectly 50% or more owned by Ermakov are also blocked. Violation of the sanctions is punishable by up to 10 years’ imprisonment.

“Russian cyber actors continue to wage disruptive ransomware attacks against the United States and allied countries, targeting our businesses, including critical infrastructure, to steal sensitive data,” said Under Secretary of the Treasury Brian E. Nelson. “Today’s trilateral action with Australia and the United Kingdom, the first such coordinated action, underscores our collective resolve to hold these criminals to account.”

The post Russian National Sanctioned for Medibank Ransomware Attack appeared first on HIPAA Journal.

Lincare Holdings Proposes $7.25 Million Settlement to Resolve Data Breach Lawsuit

A $7.25 million settlement has been proposed to resolve a class action lawsuit – In re: Lincare Holdings Inc. Data Breach Litigation – filed against Lincare Holdings over a September 2021 data breach that affected 2,918,444 individuals.

Lincare Holdings is a provider of in-home respiratory care and equipment. In September 2021, unauthorized activity was detected within its network and the forensic investigation confirmed an unauthorized third party had gained access to files containing patient data. The exposed protected health information included names, addresses, Lincare account numbers, dates of birth, treatment information, provider names, dates of service, diagnosis and procedure information, account or record numbers, health insurance information, and prescription information, and for a small number of affected individuals, Social Security numbers.

Legal action was taken by the affected individuals who alleged that Lincare Holdings was negligent for failing to implement reasonable and appropriate cybersecurity measures, and had those measures been implemented, the data breach could have been avoided. Lincare has not admitted any wrongdoing but has proposed a settlement to end the litigation.

Class members will be permitted to submit claims for up to $5,000 as reimbursement for out-of-pocket losses fairly traceable to the data breach, including up to 4 hours of lost time at $20 per hour. Recoverable losses include bank fees, credit fees, communication costs, unreimbursed fraudulent charges, and losses to identity theft. Individuals who were California residents at the time of the breach can also claim an additional $90.

All class members are eligible to receive a one-year membership to Medical Shield services, which includes medical record monitoring, health insurance monitoring, dark web monitoring, real-time authentication alerts, high-risk transaction monitoring, Medicare monitoring, provider monitoring, HSA monitoring, ICD monitoring, credit freeze assistance, and identity theft remediation services. They will also be covered by a $1 million identity theft insurance policy.

Claims must be submitted by April 15, 2024, and any class member wishing to object to or exclude themselves from the settlement must do so by March 14, 2024. The final hearing has been scheduled for June 12, 2024.

The plaintiff and class members were represented by John A. Yanchunis of Morgan & Morgan; Stephen R. Basser of Barrack Rodos & Bacine; Raina Borrelli of Turke & Strauss LLP; Alexandra M. Honeycutt of Milberg Coleman Bryson Phillips Grossman PLLC; and Carl V. Malmstrom of Wolf Haldenstein Adler Freeman & Herz LLC.


Patch Fortra GoAnywhere Now: Exploit Code Released for Critical Flaw

Fortra has disclosed and patched a critical vulnerability in its GoAnywhere Managed File Transfer (MFT) solution. The vulnerability – CVE-2024-0204 – is an authentication bypass bug caused by a path traversal weakness. If exploited, an unauthenticated user can create a new admin user via the administration portal, remotely take control of the customer’s environment, and gain access to their network. The vulnerability has a CVSS severity score of 9.8 out of 10.

Fortra explained in its security advisory that the vulnerability affects all versions of GoAnywhere MFT prior to 7.4.1. All users of the file transfer solution should ensure they update to version 7.4.1 as soon as possible. If it is not possible to upgrade immediately, Fortra has suggested temporary workarounds.

For non-container deployments, users should delete the InitialAccountSetup.xhtml file in the install directory and restart the services. For container deployments, the InitialAccountSetup.xhtml file should be deleted and replaced with an empty file, followed by a restart.
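The two workaround states described above can be checked from a shell on the GoAnywhere host. This is an added example, not Fortra's own tooling; it assumes the install directory is passed as the first argument and that InitialAccountSetup.xhtml sits directly in that directory, as the advisory describes.

```shell
#!/bin/sh
# Added example: verify that the interim CVE-2024-0204 workaround is in place
# on a GoAnywhere MFT deployment that cannot yet move to 7.4.1.
# Assumptions: $1 is the GoAnywhere install directory; $2 is "host" for a
# non-container deployment or "container" for a container deployment.
goanywhere_workaround_status() {
  install_dir=$1
  deploy_type=$2
  f="$install_dir/InitialAccountSetup.xhtml"
  case "$deploy_type" in
    host)
      # Non-container deployments: the file must be deleted outright.
      if [ -e "$f" ]; then
        echo "NOT MITIGATED: $f is still present"; return 1
      fi
      echo "MITIGATED: $f has been removed"; return 0 ;;
    container)
      # Container deployments: the file must exist but be empty.
      if [ ! -e "$f" ]; then
        echo "UNEXPECTED: $f is missing; the advisory replaces it with an empty file"; return 2
      fi
      if [ -s "$f" ]; then
        echo "NOT MITIGATED: $f still has content"; return 1
      fi
      echo "MITIGATED: $f is an empty placeholder"; return 0 ;;
    *)
      echo "usage: goanywhere_workaround_status <install_dir> host|container" >&2
      return 64 ;;
  esac
}
```

A non-zero return means the workaround is not in place (or the deployment type was mis-specified), which makes the function usable from a cron job or a fleet-wide configuration check; remember that the services still need a restart after the file change.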

Managed file transfer solutions are attractive targets for hackers. Last year, the Clop ransomware group exploited a vulnerability in Fortra’s GoAnywhere MFT – CVE-2023-0669 – and attacked 129 of the company’s clients, including several healthcare organizations. Exploitation of the flaw is likely, and according to Searchlight Cyber threat intelligence engineer John Honey, a proof-of-concept exploit for the vulnerability is being circulated on at least one Telegram channel.

After upgrading to version 7.4.1 or implementing the workaround, an audit should be conducted to see if any new admin users have been added to the admin users group in the GoAnywhere administrator portal (Users -> Admin Users section). The cybersecurity firm Horizon3 also recommends checking the database logs – \GoAnywhere\userdata\database\goanywhere\log\*.log – as they include the transactional history of the database and will contain entries if new admin users have been added.


HC3 Warns of Threat of Unauthorized Remote Access via ScreenConnect Tool

The ScreenConnect remote access tool has been abused by a threat actor to gain access to the networks of organizations in the healthcare and public health (HPH) sector. According to a sector alert from the Health Sector Cybersecurity Coordination Center (HC3), between October 28 and November 8, 2023, an unknown threat actor abused a locally hosted ScreenConnect instance to gain remote access to victims’ networks.

Once access was gained, the threat actor installed further remote access tools including SecureConnect and AnyDesk instances to allow persistent access to victims’ networks. Researchers at the cybersecurity company Huntress identified two attacks on distinct healthcare organizations and the threat actor’s activity suggests network reconnaissance was being conducted in preparation for attack escalation.

On November 14, the vendor of ScreenConnect said the threat actor gained access to an unmanaged on-premises instance of ScreenConnect that had not been updated since 2019. The ScreenConnect vendor said the organizations affected had gone against recommended best practices. In the attack, the threat actor leveraged local ScreenConnect instances used by the pharmacy supply chain and management systems solution provider Transaction Data Systems (now Outcomes). The company makes Rx30 and ComputerRx software that is used by pharmacies in all 50 states. The Huntress researchers have not been able to determine the impact of the attack, but say it could be substantial.

HC3 has provided Indicators of Compromise (IoCs) associated with the attack and advises all clients of the pharmacy supply chain and management systems solution provider to take immediate action and examine their systems and networks for the IoCs. If any of the IoCs are identified they should be taken seriously and warrant a prompt and thorough investigation and comprehensive breach response.

According to HC3, the compromised endpoints used an unmanaged instance of a Windows Server 2019 system, and organizations should take concerted steps to safeguard their infrastructure. HC3 recommends implementing enhanced endpoint monitoring solutions, robust cybersecurity frameworks, and engaging in proactive threat hunting to mitigate potential threat actors’ intrusions.


White House Announces New Actions in Response to Roe v. Wade

To mark what would have been the 51st anniversary of Roe v. Wade, the White House Task Force on Reproductive Healthcare issued a fact sheet announcing new actions to strengthen access to contraception and medication abortions, and ensure that patients receive the emergency medical care they need.

The Task Force explained that the overturning of Roe v. Wade resulted in extreme state abortion bans. “These dangerous state laws have caused chaos and confusion, as women are being turned away from emergency rooms, forced to travel hundreds of miles, or required to go to court to seek permission for the health care they need,” wrote the Task Force.

The fact sheet explains some of the actions that have been taken by federal agencies in response to President Biden’s three Executive Orders and a Presidential Memorandum on access to reproductive health care, strengthening access to contraception and affordability for women with health insurance, reinforcing obligations to cover affordable contraception, educating patients and care providers about rights and obligations for emergency medical care, and protecting access to safe and legal medication abortion.

The Task Force has confirmed that while the overturning of Roe v. Wade removed the Federal right to abortion, it did not prohibit women from traveling to another state to seek the care they need. The Alabama Attorney General had threatened to prosecute people who provided assistance to women seeking lawful out-of-state abortions, and in November 2023, the Department of Justice filed a statement of interest in two lawsuits challenging the Alabama Attorney General’s threats, stating that “prosecutions infringed the constitutional right to travel and made clear that states may not punish third parties for assisting women in exercising that right.”

The HHS has written to U.S. governors to invite them to apply for Section 1115 waivers to expand access to care under the Medicaid program to women who are prohibited from receiving abortion care in the states where they live and may be denied care under the Medicaid program. The HHS continues to encourage state leaders to consider and develop new waiver proposals to support access to reproductive health care services.

In April 2023, the HHS issued a notice of proposed rulemaking that strengthened reproductive health privacy under HIPAA. The proposed rule prevents an individual’s information from being disclosed to investigate, sue, or prosecute an individual, a health care provider, or a loved one simply because that person sought, obtained, provided, or facilitated legal reproductive health care, including abortion. The new rule will strengthen patient-provider confidentiality and help healthcare providers give complete and accurate information to patients.

The Federal Trade Commission (FTC) is taking steps to prevent the illegal use and sharing of sensitive health information, such as reproductive health information, and has already taken action against companies that are alleged to have disclosed sensitive data without consumers’ consent, including precise geolocation information that could indicate a visit to a reproductive health center. In 2022, the FTC sued Kochava over the collection and sale of precise location data and settlements have recently been proposed that prohibit the data companies X-Mode Social/Outlogic and InMarket Media from selling precise location data.

The Federal Communications Commission (FCC) has recently published a new guide for consumers on best practices that can be adopted to protect personal data, including geolocation data on mobile phones. The HHS has also issued guidance for consumers on how to protect data on personal cell phones or tablets when using mobile health apps such as period trackers, which are generally not protected by HIPAA.

Guidance has also been issued by the HHS that affirms that doctors and other medical providers can take steps to protect patients’ electronic health information, including reproductive health care information, and confirms that patients have the right to ask that their electronic health information generally not be disclosed by a physician, hospital, or other health care provider. The HHS has also launched a website – ReproductiveRights.gov – that provides individuals with timely and accurate information about their rights concerning reproductive healthcare.

The Department of Education has issued guidance to school officials reminding them of their obligations to protect student privacy under the Family Educational Rights and Privacy Act (FERPA) and that they must obtain written consent from eligible students or parents before disclosing personally identifiable information from students’ educational records, including student health information. The department has also created a new resource for students to explain their rights with respect to health information privacy.
