Longhorn Imaging Center Cyberattack Affects More than 100,000 Patients

Data breaches have recently been announced by Longhorn Imaging Center in Texas, Woodfords Family Services in Maine, Prestige Care/Prestige Senior Living in Washington, WellLife Network Inc. in New York, and Frederiksted Health Care in the U.S. Virgin Islands.

Longhorn Imaging Center Data Breach

South Austin Health Imaging LLC, which does business as Longhorn Imaging Center in Austin, TX, has recently reported a hacking incident to the HHS’ Office for Civil Rights that has affected 100,643 patients. According to the breach notice submitted to the Texas Attorney General, the breached information included full names, addresses, dates of birth, medical information, and health insurance information. Notification letters are now being sent to the affected individuals.

There is currently no substitute breach notice on the Longhorn Imaging Center website, and the imaging center has yet to confirm exactly what happened, including when the breach occurred and when it was detected. However, the incident appears to have been an attack by the SiegedSec threat group, the same group behind the recent attack on the Idaho National Laboratory.

In early June, the group added Longhorn Imaging Center to its data leak site and claimed it had exfiltrated a database that included “physician full names, patient full names, patient treatment info, patient date of birth, patient gender, treatment date, institution name, and lots more.”

Woodfords Family Services Data Breach

Woodfords Family Services, a Westbrook, ME-based provider of services to people with special needs and their families, has recently reported a data breach to the HHS’ Office for Civil Rights that has affected 6,691 individuals.

According to its substitute breach notification, the forensic investigation confirmed that its network was accessed by an unauthorized third party on or around June 19, 2023, and files containing a limited amount of personal information may have been removed from its network. The document review confirmed the files contained full names in combination with one or more of the following: address, date of birth, phone number, email address, Social Security number, driver’s license number, government-issued identification number, medical record number, full face photo, unique identifier, certificate/license number, financial account information, credit/debit card information, passport number, medical treatment/diagnosis information, and/or health insurance policy information.

Affected individuals were notified on November 10, 2023, and complimentary credit monitoring services have been offered to individuals whose Social Security numbers were exposed.

Prestige Care Data Breach

Prestige Care/Prestige Senior Living in Washington has recently announced that it fell victim to a cyberattack that was detected on or around September 7, 2023, that resulted in its network being infected with malware that prevented access to certain files. The investigation confirmed the unauthorized actor accessed files on its systems the same day the breach was detected.

The investigation and file review are ongoing, and the total number of individuals affected has yet to be determined, although Prestige has said the information of current and former employees and residents was compromised in the attack. The impacted information varies from individual to individual and may include names, Social Security numbers, dates of birth, medical information, and health insurance information. Notification letters will be sent to the affected individuals when the review is completed. To meet regulatory breach reporting requirements, the incident has been reported to the HHS’ Office for Civil Rights as affecting at least 501 individuals. The total will be updated when the review is completed.

The HIPAA Journal previously reported that the ALPHV/BlackCat ransomware group claimed responsibility for the attack and had added Prestige to its data leak site and claimed to have stolen 260 GB of data. While the listing is still on the leak site, no data is currently downloadable.

WellLife Network Inc. Data Breach

WellLife Network Inc., a New York-based provider of behavioral health services, has recently issued an interim notification about a cyberattack that was detected on September 7, 2023. Third-party cybersecurity specialists were engaged to investigate unauthorized network activity and confirmed that an unauthorized third party accessed its network between August 26, 2023, and September 7, 2023, and viewed and/or copied files containing patient information.

The WellLife Network has started a manual and programmatic review of the affected files to determine the affected data and the number of individuals impacted. That review is ongoing, but it appears that the types of information involved include name, date of birth, demographic information, and/or other personal or health information. Individual notifications will be sent to the affected individuals when the review is completed. To meet regulatory breach reporting requirements, the incident has been reported to the HHS’ Office for Civil Rights as affecting at least 501 individuals. The total will be updated when the review is completed.

Frederiksted Health Care Data Breach

Frederiksted Health Care, Inc., a healthcare provider serving patients in the St. Croix community in the U.S. Virgin Islands, confirmed to local media in late October that it had suffered a cyberattack. Steps were immediately taken to secure its systems and an investigation was launched to determine the nature and scope of the incident. Local media reports indicate this was a ransomware attack. The healthcare provider has recently reported the incident to the HHS’ Office for Civil Rights as affecting 600 individuals.

The post Longhorn Imaging Center Cyberattack Affects More than 100,000 Patients appeared first on HIPAA Journal.

Warren General Hospital Data Breach Affects 169,000 Patients

Data breaches have recently been reported by Warren General Hospital in Pennsylvania, Southwest Behavioral Health Center in Utah, CareTree in Illinois, and the Medical University of South Carolina.

Warren General Hospital Data Breach

On November 9, 2023, Warren General Hospital (WGH) in Warren, PA, announced it had fallen victim to a cyberattack that potentially affected the confidential information of current and former patients and employees. Suspicious activity was detected within its network on September 24, 2023. Assisted by third-party cybersecurity experts, WGH determined that an unauthorized actor had access to its network between September 15, 2023, and September 23, 2023, and during that time, downloaded files from its network.

The review of the files confirmed they contained names, in combination with one or more of the following: address, date of birth, Social Security number, financial account information, payment card information, health insurance claims information, and medical information, which may have included diagnosis, medications, lab results, and other treatment information.

WGH said existing policies and procedures have been reviewed, administrative and technical controls have been enhanced, and additional security training has been provided to the workforce. The breach was recently reported to the HHS’ Office for Civil Rights as affecting 168,921 patients.

Southwest Behavioral Health Center Data Breach

Southwest Behavioral Health Center, a Saint George, UT-based provider of mental health treatment and psychiatric services, has recently reported a data breach to the HHS’ Office for Civil Rights that affected 17,147 current and former patients.

A security breach was detected on March 13, 2023, and a third-party cybersecurity firm was engaged to investigate and determine the extent to which patient data had been compromised. The investigation revealed an unauthorized third party gained access to parts of its system containing files that included patient data prior to March 13, 2023; however, it was not possible to determine the specific files that may have been accessed or copied from its network.

The review of the files potentially involved confirmed they contained patient data such as names, dates of birth, Social Security numbers, personal health record information, and medical information. After verifying contact information, notification letters started to be issued on November 9, 2023, to all patients that had potentially been affected.

Medical University of South Carolina Data Breach

The Medical University of South Carolina (MUSC) in Charleston has been affected by a data breach at one of its third-party vendors. Westat collects data from MUSC patients on behalf of the Centers for Disease Control and Prevention (CDC) for public health reporting purposes. Westat used Progress Software’s MOVEit Transfer file transfer solution, and a zero-day vulnerability in that product was exploited by the Clop hacking group between May 28 and May 29, 2023. Westat has already reported the breach to the HHS’ Office for Civil Rights in two separate reports, one affecting 50,065 individuals and a second affecting 20,045. MUSC reported the breach as affecting 1,758 individuals and said it involved names, addresses, dates of birth, diagnoses, provider names, and insurance information.

CareTree Data Breach

CareTree Inc., a Chicago, IL-based provider of smart care management and patient advocate software for care providers, has recently confirmed there has been unauthorized access to the CareTree platform. Suspicious activity was detected within its platform on or around August 16, 2023. The forensic investigation confirmed access to the platform was gained on July 21, 2023.

The review of the affected files confirmed that they contained the information of 1,097 CareTree patients; however, CareTree was unable to confirm the specific information exposed for each patient because the information is no longer available. The types of information potentially compromised included names, addresses, driver’s license numbers, Social Security numbers, financial account information, dates of birth, medical information including diagnosis, lab results, medications or other treatment information, and/or health insurance information. In its substitute breach notice, CareTree said, “CareTree will provide notice of this event to all individuals whose personal information was involved, along with information and steps potentially impacted individuals can take to better protect their information.”


HC3 Warns HPH Sector About Critical FortiSIEM Vulnerability and Ongoing Emotet Malware Threat

The Health Sector Cybersecurity Coordination Center (HC3) has warned healthcare organizations that use Fortinet’s FortiSIEM platform to patch a critical vulnerability that is likely to be targeted by malicious actors and has issued a threat brief on Emotet malware.

FortiSIEM Command Injection Vulnerability – CVE-2023-36553

A critical vulnerability has been identified by Fortinet in its FortiSIEM platform. The vulnerability has been assigned a CVSS v3.1 severity score of 9.8 out of 10 and can be exploited remotely, without authentication, to execute arbitrary commands. The flaw is related to CVE-2023-34992, a bug Fortinet disclosed and patched in October 2023. While there have been no known instances of the vulnerability being exploited in attacks, Fortinet vulnerabilities are actively targeted by malicious actors and exploitation of the flaw is likely.

“An improper neutralization of special elements used in an OS command vulnerability in FortiSIEM report server may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests,” said Fortinet in a recent security advisory.

The vulnerability affects the following FortiSIEM versions: 4.7, 4.9, 4.10, 5.0, 5.1, 5.2, 5.3, and 5.4. No fix is available within those branches, so users should upgrade to a fixed release as soon as possible. The vulnerability has been fixed in versions 7.1.0, 7.0.1, 6.7.6, 6.6.4, 6.5.2, 6.4.3, or later.
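The advisory describes the bug class (CWE-78, OS command injection via an API parameter) rather than the code, so the following is an added illustration of that pattern, not Fortinet's or FortiSIEM's code. It shows a hypothetical report-export handler in its unsafe form (untrusted input spliced into a shell command string), the same call made safe by allowlist validation plus an argv list with no shell, and a small triage predicate for spotting shell metacharacters in API parameters in request logs. The report names, the `echo`-based command, and the `exporting` output format are constructed for the example.

```python
import re
import subprocess

# Constructed inputs: a benign report name and one that smuggles a second
# command through the shell. Illustrative only, not a payload from any advisory.
BENIGN_REPORT = "weekly_summary"
CRAFTED_REPORT = "weekly_summary; echo INJECTED"

# Allowlist for the parameter: letters, digits, underscore, hyphen, bounded length.
REPORT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Characters a POSIX shell treats specially; useful for triaging API/request logs.
SHELL_META = re.compile(r"[;&|`$<>\n]")


def vulnerable_build_command(report_name: str) -> str:
    """Unsafe pattern (CWE-78): the API parameter is concatenated into a
    command string that will be handed to /bin/sh."""
    return f"echo exporting {report_name}"


def run_vulnerable(report_name: str) -> str:
    """shell=True lets ';', '|', '$()' etc. in the parameter become new commands."""
    proc = subprocess.run(vulnerable_build_command(report_name),
                          shell=True, capture_output=True, text=True, check=False)
    return proc.stdout


def run_argv_only(report_name: str) -> str:
    """First layer of the fix: pass an argv list so no shell parses the input.
    The crafted string is now just one literal argument to echo."""
    proc = subprocess.run(["echo", "exporting", report_name],
                          shell=False, capture_output=True, text=True, check=False)
    return proc.stdout


def run_hardened(report_name: str) -> str:
    """Second layer: reject anything outside the allowlist before it reaches
    the OS, then use the argv form. Raises ValueError on bad input."""
    if not REPORT_NAME_RE.fullmatch(report_name):
        raise ValueError(f"rejected report name: {report_name!r}")
    return run_argv_only(report_name)


def looks_like_injection(param_value: str) -> bool:
    """Detection aid: flag request parameters carrying shell metacharacters."""
    return SHELL_META.search(param_value) is not None


if __name__ == "__main__":
    print("vulnerable :", repr(run_vulnerable(CRAFTED_REPORT)))   # two commands ran
    print("argv only  :", repr(run_argv_only(CRAFTED_REPORT)))    # one literal argument
    try:
        run_hardened(CRAFTED_REPORT)
    except ValueError as exc:
        print("hardened   :", exc)
    print("flagged    :", looks_like_injection(CRAFTED_REPORT))
```

The argv form alone already neutralises the injection (the attacker's text is echoed back as data), but the allowlist belongs in front of it: it fails closed on unexpected input and gives you a clean log line to alert on. `looks_like_injection` is the same idea applied after the fact, for hunting through API request logs for probing attempts.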

Emotet Malware – A Persistent Threat to the HPH Sector

Emotet malware was first identified in 2014 and started life as a banking Trojan; however, the malware has evolved over the years and is now commonly used as a first-stage loader for delivering other malware payloads such as banking Trojans, multi-purpose malware, information stealers, and ransomware; the infamous TrickBot Trojan was among the payloads it delivered. Devices infected with Emotet are added to a botnet under the control of the operator of the malware, a group tracked as Mummy Spider, also known as TA542, GOLD CABIN, and Mealybug, which is believed to operate out of Ukraine.

At its height, Emotet was called the world’s most dangerous malware by Europol, and Check Point data suggests one in every five organizations worldwide has been infected with Emotet. Emotet activity follows a rhythm of around 2-3 months of attacks followed by a period of little to no activity, which can last between 3 and 12 months. In January 2021, an international law enforcement operation took control of the botnet’s infrastructure, and an update was pushed out that uninstalled the malware from infected devices in April 2021. Ten months after the takedown, the botnet had been rebuilt.

While activity did not recover to the levels at the height of its success, the botnet continues to grow and still poses a significant threat. There were activity spikes in late spring 2022 before activity dropped off, and activity spiked again in spring 2023. According to Check Point, the botnet now consists of around 130,000 unique devices in 179 countries, and Emotet was the most prolific malware variant in February 2023. Emotet is used to gain initial access to networks, can elevate privileges, evade defenses, steal credentials, move laterally, exfiltrate data, and download other malware payloads, and has been, and still is, one of the most potent weapons used against the health sector. Recent activity includes the delivery of ransomware variants such as Quantum and BlackCat.

Emotet malware is most commonly delivered via phishing emails containing malicious URLs that link to a document containing a malicious macro that downloads the Emotet payload. The malware achieves persistence through Windows registry Run keys, which ensure it executes on each reboot. It may also achieve persistence via the Windows Startup folder or via scheduled tasks, and can also run as a Windows service that is started automatically. HC3’s Emotet Threat Brief includes recommendations for healthcare and public health sector organizations on defense and mitigations.
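The four persistence locations listed above (Run keys, the Startup folder, scheduled tasks, services) are exactly what a SOC should be hunting for on a suspected Emotet host. The following is an added example, not part of the HC3 brief, of that detection logic run over a handful of constructed Sysmon/Windows-event records (EventID 13 registry value set, 11 file create, 1 process create, and System log 7045 new service installed). The event dicts, usernames, SIDs, file names, and the severity scheme are all assumptions made for the example; real telemetry would come from your SIEM with whatever field names it uses.

```python
import re
from dataclasses import dataclass

# Autorun locations the hunt looks at.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s.*?/create\b", re.IGNORECASE)
# Directories an unprivileged user (or a macro dropper) can write to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Run key whose value points at a binary dropped under %LOCALAPPDATA%\Temp
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\rad3F1.tmp\fwdr.exe",
     "TargetObject": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\fwdr",
     "Details": r"C:\Users\alice\AppData\Local\Temp\rad3F1.tmp\fwdr.exe"},
    # 2. Installer writing a Run key that points into Program Files (noted, not alarming)
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    # 3. Shortcut dropped into the user's Startup folder by PowerShell
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    # 4. schtasks creating a logon task whose action lives in ProgramData
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Updater" /tr "C:\ProgramData\svc\host.exe" /sc onlogon'},
    # 5. New service whose binary sits in a user-writable directory
    {"EventID": 7045, "ServiceName": "WinHostSvc", "ImagePath": r"C:\Users\Public\Libraries\whost.exe"},
    # 6. Ordinary process start, no persistence indicator
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]


@dataclass
class Finding:
    rule: str
    severity: str   # "high" when the autorun target is user-writable, else "info"
    evidence: str


def _severity(path: str) -> str:
    return "high" if USER_WRITABLE.search(path) else "info"


def hunt_autoruns(events) -> list:
    """Return one Finding per event that establishes an autorun, in input order."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
            target = ev.get("Details", "")
            findings.append(Finding("run_key_set", _severity(target), f'{ev["TargetObject"]} -> {target}'))
        elif eid == 11 and STARTUP_DIR.search(ev.get("TargetFilename", "")):
            # Anything landing in Startup outside an installer context is worth a look.
            findings.append(Finding("startup_folder_drop", "high", ev["TargetFilename"]))
        elif eid == 1 and SCHTASKS_CREATE.search(ev.get("CommandLine", "")):
            cmd = ev["CommandLine"]
            findings.append(Finding("scheduled_task_created", _severity(cmd), cmd))
        elif eid == 7045:
            image = ev.get("ImagePath", "")
            findings.append(Finding("service_installed", _severity(image), f'{ev.get("ServiceName")} -> {image}'))
    return findings


if __name__ == "__main__":
    for f in hunt_autoruns(SAMPLE_EVENTS):
        print(f"[{f.severity:4}] {f.rule:24} {f.evidence}")
```

The severity split is the useful part: writes to Run keys and service installs happen constantly on healthy fleets, so alerting on the location alone drowns the SOC. Pairing the location with "does the target binary live somewhere a phishing macro could have written it" turns the same telemetry into a short, reviewable list, which is also the list you would work through when confirming a suspected Emotet infection has been fully removed.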
