ALPHV/BlackCat Ransomware Operation Disrupted by FBI

The ALPHV/BlackCat ransomware group has been disrupted by the Federal Bureau of Investigation, in partnership with Europol and law enforcement agencies in Denmark, Germany, Australia, Spain, Austria, the Netherlands, and the United Kingdom, in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.

The ALPHV/BlackCat ransomware group first emerged in November 2021 and became one of the most prolific ransomware groups of recent years, second only to the LockBit ransomware group. ALPHV/BlackCat is a ransomware-as-a-service operation that uses affiliates to conduct attacks in exchange for a cut of any ransoms they generate. In its 2 years of operation, the group has claimed more than 1,000 victims worldwide and has collected hundreds of millions of dollars in ransom payments.

In early December 2023, the group’s Tor negotiation and data leak sites were taken offline, which led several security researchers to suggest that the group may have been the subject of a law enforcement operation, although a spokesperson for the group refuted those claims and said the websites were down due to a hosting issue. However, the U.S. Department of Justice (DoJ) has now confirmed that the outage was due to a law enforcement operation in which the FBI successfully gained access to ALPHV’s infrastructure.

The law enforcement operation has been ongoing for several months. After breaching the servers, the FBI silently monitored operations and was able to obtain decryption keys, which allowed the FBI to develop a decryption tool that has helped more than 500 ALPHV victims decrypt their data without paying the ransom. According to the DoJ, the decryption tool has prevented the payment of around $68 million in ransom payments. The FBI was also able to seize the ALPHV data leak site, which now displays a banner stating the domain has been seized as part of an international law enforcement operation. The FBI obtained 946 public and private key pairs for the group’s affiliate panel, communication sites, and Tor sites that supported its operations.

ALPHV/BlackCat started out under the name DarkSide in the summer of 2020 and was behind the ransomware attack on Colonial Pipeline in May 2021. The high-profile attack on a U.S. critical infrastructure organization attracted considerable attention from law enforcement, and the group promptly shut down its operation and reformed under the name BlackMatter. In June 2021, the Department of Justice announced that it had seized $2.3 million in cryptocurrency from the DarkSide affiliate responsible for the attack. The BlackMatter operation was short-lived and was shut down in November 2021 after a decryptor was developed and law enforcement seized its servers; it was immediately replaced with ALPHV/BlackCat, which was highly active until the recent takedown.

“Today’s announcement highlights the Justice Department’s ability to take on even the most sophisticated and prolific cybercriminals,” said U.S. Attorney Markenzy Lapointe for the Southern District of Florida. “As a result of our office’s tireless efforts, alongside FBI Miami, U.S. Secret Service, and our foreign law enforcement partners, we have provided Blackcat’s victims, in the Southern District of Florida and around the world, the opportunity to get back on their feet and to fortify their digital defenses. We will continue to focus on holding the people behind the Blackcat ransomware group accountable for their crimes.”

While the law enforcement operation has been successful, the group is likely to rebrand as it has done in the past and continue its attacks under a different name. In the meantime, affiliates that have been working with ALPHV/BlackCat may choose to join other ransomware groups such as LockBit.

The post ALPHV/BlackCat Ransomware Operation Disrupted by FBI appeared first on HIPAA Journal.

Optum Medical Care of New Jersey Settles OCR HIPAA Right of Access Investigation

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has agreed to settle alleged violations of the HIPAA Privacy Rule with Optum Medical Care of New Jersey for $160,000.

Optum Medical Care of New Jersey, formerly known as Riverside Medical Group and Riverside Pediatric Group, is a private multi-specialty physician group with approximately 150 locations in New Jersey and Southern Connecticut. In the Fall of 2021, OCR received six complaints from individuals who had not been provided with their records after sending a request to Optum Medical Care. The requests were to obtain a copy of an individual’s own records or requests from parents for copies of their minor children’s records.

The HIPAA Privacy Rule gives individuals the right to obtain a copy of their medical records and those of their minor children. When a request is received by a HIPAA covered entity, the records must be provided within 30 calendar days, although under certain limited circumstances, a 30-day extension is possible.

OCR launched an investigation in February 2022 in response to the complaints and determined that Optum Medical Care had exceeded the allowed timeframe for providing those records. The complainants had to wait between 84 days and 231 days to receive their requested records.

Optum Medical Care chose to settle the alleged violations and agreed to pay a $160,000 financial penalty and adopt a corrective action plan (CAP) that includes reviewing and revising its policies and procedures for individual access to PHI, providing training to the workforce on those new procedures, and ensuring that all patients are provided with their requested records within 30 days. In the event of a right of access request being denied, OCR must be informed and provided with documentation to support that denial. OCR will monitor Optum Medical Care for compliance with the CAP for a period of one year.

OCR launched its HIPAA Right of Access enforcement initiative in the fall of 2019, and this is the 46th investigation to result in a financial penalty. “Healthcare providers must make responding to parents’ or patients’ request for access to their medical records in a timely manner a priority,” said OCR Director Melanie Fontes Rainer. “Access to medical records is a fundamental right under HIPAA, and one for which OCR receives thousands of complaints each year. This is the law—providers must proactively respond to record requests and ensure timely access. Access to medical records empowers patients and their families to make decisions about their health care and improve their health overall. It is critical that providers follow the law.”

This is the 13th HIPAA enforcement action of 2023 to result in a financial penalty. In 2023, OCR has imposed $4,176,500 in financial penalties. The average penalty was $321,269 and the median penalty was $100,000.

OCR has also stated in its Healthcare Sector Cybersecurity Strategy that it is working with Congress to increase the penalties for HIPAA violations.