Sutter Health Confirms 84K Individuals Affected by Cyberattack on Business Associate

Sutter Health, a healthcare provider serving Northern California, has recently confirmed that patient data was compromised in a hacking incident at one of its business associates, Virgin Pulse. Virgin Pulse was contracted to provide important notices and communications to patients and was provided with patient data to fulfill that role.

Virgin Pulse used Progress Software’s MOVEit Transfer file transfer tool, which had a vulnerability that was exploited by the Clop Group. Progress Software released a patch to fix the vulnerability on May 31, and Virgin Pulse said it moved quickly to apply the patch and recommended mitigation steps; however, the vulnerability had already been exploited. The vulnerability was exploited in attacks on more than 2,300 organizations and the data of more than 60 million individuals was stolen, including the data of 845,441 Sutter Health patients.

Sutter Health was informed by Virgin Pulse on September 22, 2023, that it had been affected by the hack, almost 4 months after the cyberattack occurred, but did not get the final report until October 24, 2023. The compromised data included names, dates of birth, health insurance information, provider names, treatment cost information, and diagnoses/treatment information. Sutter Health said the affected individuals have been offered a complimentary 1-year membership to a credit monitoring and identity theft protection service.

Northern Iowa Therapy Confirms Extent of March 2023 Security Incident

Waverly, IA-based Northern Iowa Therapy (NIT) has recently confirmed that the records of 5,100 patients have been exposed. The privacy breach was first identified on March 10, 2023, when NIT discovered a limited number of patient records in an account unaffiliated with NIT. An investigation was launched, and third-party forensic experts were engaged to investigate. NIT first announced the security incident on June 21, 2023, and conducted a review of the documents involved. On October 4, 2023, it was determined that patient data had been exposed. Contact information was then verified, and notification letters were sent on October 27, 2023.

The exposed information varied from individual to individual and may have included names, addresses, dates of birth, email addresses, phone numbers, medical information, mental/physical condition, Medicare IDs, Social Security numbers, driver’s license numbers, diagnoses, treatment information, dates of service, billing & claims information, health insurance information, and patient account numbers.

NIT said it continuously evaluates and modifies its security practices to enhance the privacy and security of the personal information it stores and will continue to do so.

West Central District Health Department Notifies Patients About May 2023 Cyberattack

The West Central District Health Department (WCDHD) in Nebraska has recently confirmed that there was unauthorized access to its network and that patient data has been exposed. The forensic investigation confirmed that certain portions of its network were accessed between May 18, 2023, and May 23, 2023, and the review of the affected files was completed on September 18, 2023.

In its November 13, 2023, breach notice, WCDHD confirmed that the exposed information included names in combination with one or more of the following: Social Security number, driver’s license number, state ID number, and/or financial account number. Complimentary credit monitoring and identity theft protection services have been offered to the affected individuals.

The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

NoEscape Ransomware Group Claims Responsibility for Attacks on 2 Healthcare Organizations

The NoEscape ransomware group has claimed responsibility for attacks on two healthcare organizations, Southeastern Orthopaedic Specialists in Greensboro, NC, and Carespring in Loveland, OH. NoEscape claims to have exfiltrated 3 GB of data from Southeastern Orthopaedic Specialists and 364 GB of data from Carespring and has issued threats on its data leak site to release the stolen data if the ransom demands are not met. In addition to data encryption and data theft/leaks, the NoEscape group often conducts DDoS attacks on victims who do not attempt to negotiate, and the group claims to have conducted such an attack on Southeastern Orthopaedic Specialists. At present no data has been released, and neither organization has publicly confirmed a cyberattack or data breach.

The post Sutter Health Confirms 84K Individuals Affected by Cyberattack on Business Associate appeared first on HIPAA Journal.

Updates on Royal Ransomware, LockBit 3.0 and Hunters International Ransomware Groups

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued an updated cybersecurity advisory about Royal ransomware, which is thought to be about to shut down and rebrand.

Royal ransomware first emerged in September 2022 and is thought to have split from the Conti ransomware operation, with a brief spell operating as Quantum in between. Royal has been a prolific ransomware operation, having conducted more than 350 attacks since September 2022 and issued ransom demands in excess of $275 million, according to the FBI. Royal is a private ransomware group that has targeted organizations in healthcare and public health (HPH), education, manufacturing, and communications. The number of attacks on HPH sector organizations prompted an earlier cybersecurity advisory from CISA, the FBI, and the HHS, which shared the group’s latest tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IoCs). These have been updated in the latest advisory.

In May 2023, a new ransomware variant was detected that had several coding similarities to Royal ransomware and used similar intrusion techniques. Researchers at Trend Micro found the two ransomware variants were almost identical, with 98% similar functions, 98.5% similarity in basic blocks, and 98.9% similarity in jumps, based on BinDiff comparison. The two groups have been observed using similar software and open source tools in their attacks, such as Chisel and Cloudflared for network tunneling, Secure Shell (SSH) Client, OpenSSH, and MobaXterm for SSH connections, and Mimikatz and NirSoft utilities for credential harvesting, and the attacks involved similar remote access tools.

Along with those similarities was the timing of the emergence of the new ransomware variant – Blacksuit – which led security researchers to believe that Royal was about to rebrand. Royal had just conducted a major attack on the city of Dallas, which attracted considerable attention from law enforcement, and ransomware groups often rebrand after such high-profile attacks. Royal did not rebrand immediately, and it has been suggested that all did not go well with the new ransomware variant and the rebrand was delayed. Alternatively, Blacksuit could be a spinoff variant of Royal. CISA and the FBI are convinced that the two ransomware variants are linked.

LockBit 3.0 Exploiting Citrix Bleed Vulnerability

The LockBit 3.0 group has been exploiting the critical Citrix Bleed vulnerability that affects Citrix NetScaler ADC and Gateway to gain access to the systems of its victims. The vulnerability, tracked as CVE-2023-4966, was patched by Citrix in October 2023; however, many organizations have been slow to patch and are running vulnerable appliances.

According to security researcher Kevin Beaumont, who has been tracking the group’s attacks, several of the group’s recent victims had Internet-exposed Citrix servers that were vulnerable to the Citrix Bleed flaw, and the flaw appears to have been exploited using a publicly available exploit.

Currently, more than 3,000 Citrix servers in the United States are exposed to the Internet and vulnerable to the Citrix Bleed flaw, which can be exploited remotely with no user interaction. Immediate patching is strongly recommended to prevent exploitation of the flaw.

Hunters International Ransomware Group Takes over from Hive

Hive, one of the most notorious ransomware groups in recent years, was shut down in January this year following an international law enforcement operation. The group had obtained more than $100 million in ransom payments and conducted more than 1,500 attacks worldwide, including many attacks on healthcare organizations.

Following law enforcement takedowns, ransomware groups often go quiet and then reemerge months later with a new ransomware variant. A new threat group, Hunters International, has since emerged, and several similarities with Hive have been found, including coding overlaps and a 60% match between the two groups’ code, according to security researcher BushidoToken.

According to a recent report from Martin Zugec, technical solutions director at Bitdefender, a member of the Hunters International group issued a statement confirming that Hive and Hunters International are two separate groups and that Hive’s source code and infrastructure were acquired. The Hive spokesperson said Hive sold its source code, website, and old Golang and C versions, and Hunters International purchased them. The spokesperson for Hunters International said encryption isn’t its primary goal, which is why the group didn’t develop everything from scratch. Bitdefender’s research uncovered evidence suggesting the adoption of Hive’s code rather than a rebrand, thus corroborating the Hunters International statement. Bitdefender’s analysis, recommendations, and IoCs can be found here.
