State of Maine Says 1.3 Million Individuals Affected by MOVEit Hack

The state of Maine has confirmed that it was affected by the mass hacking of a zero-day vulnerability in Progress Software’s MOVEit file transfer tool. The state learned of the vulnerability on May 31, 2023, when a patch was released by Progress Software to fix the flaw; however, the vulnerability had already been exploited by the Clop hacking group and files containing sensitive data were downloaded between May 28, 2023, and May 29, 2023.

The files contained the sensitive data of state residents, employees, and individuals who received services from state agencies. More than half of the employees affected worked at the state Department of Health and Human Services, and between 10% and 30% worked at the Department of Education. The breached information included names, dates of birth, driver’s license numbers, Social Security numbers, and health and medical information.

According to the notice filed with the Maine Attorney General, the data of 1,324,118 individuals was impacted, 534,194 of whom were Maine residents. Notification letters are now being issued and complimentary credit monitoring services have been offered to individuals who had their Social Security numbers exposed or stolen.

Greater Rochester Independent Practice Association Affected by MOVEit Hacks

Greater Rochester Independent Practice Association (GRIPA) in New York was also affected by the MOVEit hacks. GRIPA said it learned of the breach on May 31, 2023, when the patch was provided by Progress Software. Its forensic investigation confirmed on June 5, 2023, that files had been removed from its MOVEit server that included patients’ protected health information. A third-party vendor was engaged to review the files and the review was completed on September 1, 2023.

GRIPA said medical records were not compromised and the impacted data was very limited in nature. Affected individuals are being told what information was affected in their individual notifications. The compromised information included details such as the name of their doctor, date of last visit, and prescription information. If Social Security numbers were compromised, affected individuals can sign up for complimentary credit monitoring services.

The breach was reported to the HHS’ Office for Civil Rights as affecting up to 279,156 individuals.

Tri-City Medical Center Diverts Ambulances Following Cyberattack

Tri-City Medical Center in Oceanside, CA, is currently dealing with a cyberattack that has forced it to take certain systems offline. On November 9, 2023, the hospital was diverting ambulances to other hospitals as a precaution, although the medical center said it is prepared to manage emergency cases that may arrive in private vehicles and that it is working with other healthcare providers in the community to ensure that healthcare services are provided.

A forensic investigation has been launched to determine the nature and scope of the incident and whether sensitive data was stolen. Further information will be released in the coming days and weeks as the investigation progresses.

Optum Medical Group’s Crystal Run Healthcare Investigating Potential Cyberattack

Crystal Run Healthcare in Middletown, NY, which has been acquired by Optum Medical Group, says it is experiencing system issues that are impacting some of its services, resulting in longer than usual wait times. The disruption started on or around November 3, 2023, and as of November 10, 2023, the healthcare provider had still not recovered. The cause of the outage was not stated in the notification, but it is fair to assume that it was a cyberattack.

Butler County Confirms October Cyberattack

Butler County in Pennsylvania has confirmed that it has experienced a data security incident. The attack was detected in early October, and by the end of the month, it had been confirmed that the individual responsible had gained access to personally identifiable information, mostly relating to criminal court proceedings. The review of the affected data is ongoing and, at this stage of the investigation, the county has not yet confirmed exactly what data was stolen and how many individuals were affected.

Notification letters will be mailed to the affected individuals when the review has been completed and county officials said credit monitoring services will be offered. This is the second security breach to affect the county in as many months. In September, a jail employee’s account was accessed and personally identifiable information was compromised.

The post State of Maine Says 1.3 Million Individuals Affected by MOVEit Hack appeared first on HIPAA Journal.

Q3, 2023 Sees 76% Fall in Data Breaches

The United States remains the country most targeted by cybercriminals and nation-state actors, with 8.1 million breached accounts in Q3, 2023 – 26% of the global total of 31.5 million accounts that were breached from July through September 2023, according to Surfshark’s Data Breach Statistics: Q3 2023 Report. Russia was the second most targeted country with 7.1M breached accounts, followed by France (1.6M), China (1.5M), and Mexico (1.2M).

In the United States, that amounts to one breached account per second in Q3, although that is 84% fewer breached accounts than in Q2, 2023. Globally, there was a 76% decrease in breached users compared to Q2, 2023. North America was the second most targeted region, with Europe taking the top spot with 10.9 million breached accounts, down from 48.1 million breached accounts in Q2, 2023. North America had 30% of the breaches in Q3, 2023, with 9.5 million accounts breached, down from 82% of breached accounts in Q2, 2023. The countries with the highest breach density, which is the number of breached accounts per 1,000 residents, were Russia, France, the US, Colombia, and Malaysia. Last year, data breaches increased by 70% from Q2 to Q3, rising to 108.9 million breached accounts globally in Q3 – a rate of around 14 breaches per second. The United States was the fourth most attacked country behind Russia, France, and Indonesia.

The reduction in data breaches is certainly good news, but data breaches are still being reported at alarming rates. “The third quarter of 2023 shows a general decrease in data breach count. Yet every minute, over 240 online accounts were compromised globally, exposing sensitive information to malicious actors,” says Agneska Sablovskaja, Lead Researcher at Surfshark. “We recommend a vigilant approach by maintaining accounts only on actively used platforms and implementing two-factor authentication for enhanced security.”

Surfshark’s data breach statistics were compiled from data collected by independent partners from 29,000 publicly available databases, which were aggregated by email address. The locations of the breaches were determined by domains, IP addresses, locales, coordinates, currency, or phone numbers.

Massive Increase in Breached Healthcare Records, Despite Reduction in Data Breaches

The Surfshark report does not break down data breaches by industry, so how has the healthcare industry fared? The HIPAA Breach Notification Rule requires HIPAA-regulated entities to report data breaches to the Secretary of the Department of Health and Human Services, and the HHS’ Office for Civil Rights publishes a list of breaches of 500 or more records.

OCR’s breach report data show an 8.5% reduction in healthcare data breaches from Q2, 2023 to Q3, 2023, and a 5.2% reduction in breaches from Q3, 2022. The year to September 30, 2023, has seen 10 fewer breaches (-1.83%) than the corresponding period in 2022.

Data Source: HHS’ Office for Civil Rights Breach Portal

While there has been a reduction in reported data breaches, there has been an alarming increase in the number of breached records. In Q3, 2023, an astonishing 45,799,584 healthcare records were breached – 53.47% more records than the previous quarter. The Q3 total is only 74,000 records short of the total number of healthcare records breached in all of 2021.

Data Source: HHS’ Office for Civil Rights Breach Portal

The post Q3, 2023 Sees 76% Fall in Data Breaches appeared first on HIPAA Journal.