FBI: Plastic Surgery Offices Targeted by Extortion Groups
U.S. plastic surgery offices are being targeted by cybercriminal groups that gain access to their networks, steal data, and attempt to extort the practices and their patients, according to a recent public service announcement from the U.S. Federal Bureau of Investigation (FBI).
There have been several attacks on plastic surgery providers in recent months. While ransomware may be used in these attacks, their primary purpose is to steal sensitive patient data, which can include medical records and pre- and post-surgery photographs. Plastic surgery centers are then issued a ransom demand, payment of which is required to prevent the release of the stolen data. In some cases, sensitive patient data and images have been released online, and the threat actors have attempted to extort the patients directly. One attack on the Hollywood, CA-based plastic surgeon Gary Motykie, M.D., in May 2023 required payment of a $2.5 million ransom to prevent the release of the stolen data. Some of the practice’s patients were contacted directly and told to pay to have their sensitive information unpublished.
According to the FBI, the threat actors use technology to hide their true phone numbers and email addresses and use phishing emails to distribute malware. The malware provides access to internal protected computers, allowing them to harvest sensitive data, including photographs. The threat actors have been observed enhancing the stolen data with information gathered from social media platforms, and have also used social engineering techniques to enrich the harvested ePHI of plastic surgery patients. The enhanced data is used as leverage for extortion and for other fraud schemes. The threat actors contact plastic surgeons and their patients via telephone, email, SMS messages, and social media platforms. Sensitive ePHI is also shared with the patients’ friends, family, colleagues, and contacts, and public-facing websites are created to publish the stolen data.
The FBI has shared tips on how to improve security and reduce the risk of falling victim to these attacks. These measures include reviewing the privacy settings of social media accounts and ideally making accounts private to limit what others can see and what others can post on profiles. Care should be taken when accepting friend requests, and friend lists should be audited to ensure they contain only known individuals. Accounts should be configured to make friend lists visible only to known individuals. Strong, unique passwords and MFA should also be used for all accounts, especially email, financial, and social media accounts. A password manager is recommended for generating strong, unique passwords and storing them securely. Bank accounts and credit reports should also be routinely checked for suspicious activity.
While not mentioned in the announcement, plastic surgery offices should ensure that they follow cybersecurity best practices such as setting strong passwords and enabling multifactor authentication, and they should deploy endpoint detection solutions and robust anti-phishing controls.
The post FBI: Plastic Surgery Offices Targeted by Extortion Groups appeared first on HIPAA Journal.
Healthcare Clearinghouse Settles Multi-state HIPAA Investigation for $1.4 Million
Inmediata has agreed to a $1.4 million settlement to resolve a multi-state investigation of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) and state breach notification laws.
On January 15, 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) notified the Puerto Rico-based healthcare clearinghouse that a server containing the protected health information that it maintained had not been properly secured, resulting in files being indexed by search engines that could be found, accessed, and downloaded by anyone with Internet access. The files on the server contained the protected health information of 1,565,338 individuals and some of those files dated as far back as May 2016.
The HIPAA Breach Notification Rule requires HIPAA-covered entities to issue notifications to individuals affected by a data breach without undue delay and no later than 60 days from the discovery of a data breach. Despite being notified about the breach by OCR, the primary HIPAA regulator, Inmediata waited three months to mail notification letters, and when notification letters were mailed, a mailing error occurred, resulting in letters being sent to incorrect addresses.
Many Americans are unaware of the services provided by healthcare clearinghouses, as they do not have any direct contact with them. Healthcare clearinghouses such as Inmediata facilitate transactions between healthcare providers and insurers and are classed as HIPAA-covered entities, which means they must ensure they are fully compliant with the HIPAA Privacy, Security, and Breach Notification Rules. The multi-state investigation found the content of the letters to lack clarity, which left some consumers confused as to why Inmediata had their data and caused some individuals to dismiss the notification letters as illegitimate.
The multi-state investigation was led by the Indiana Attorney General, assisted by an Executive Committee consisting of the attorneys general of Connecticut, Michigan, and Tennessee. Alabama, Arizona, Arkansas, Colorado, Connecticut, Delaware, Georgia, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Montana, Nebraska, New Hampshire, North Carolina, Oklahoma, Oregon, Pennsylvania, Puerto Rico, Rhode Island, South Carolina, Tennessee, Utah, Washington, West Virginia, and Wisconsin also participated.
The attorneys general alleged violations of the HIPAA Security Rule for failing to implement reasonable and appropriate data security safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information, a failure to conduct a secure code review at any point prior to the data breach, and violations of the HIPAA Breach Notification Rule and state data breach notification laws for failing to provide the affected individuals with timely and complete information about the data breach.
The $1.4 million settlement will be divided among the participating states and Inmediata has also agreed to strengthen its data security and breach notification practices. The requirements include the implementation and maintenance of a comprehensive information security program, which must include secure code reviews and search engine crawling controls. An incident response plan must also be developed that includes specific policies and procedures regarding consumer notification letters, and Inmediata must undergo annual third-party security assessments for the next five years. Last year, Inmediata settled a class action lawsuit over the data breach for $1.125 million.
“Inmediata maintained some of our most sensitive and private health information and they had an obligation to keep it secure. Their coding error left sensitive patient information exposed on public online searches for months, with no notification to impacted patients. Their failures violated numerous state consumer protection laws, breach notification laws, and HIPAA requirements. Our multistate settlement forces Inmediata to pay a significant fine and requires strong security practices going forward to ensure these types of inexcusable security lapses never occur again,” said Connecticut Attorney General, William Tong.
The post Healthcare Clearinghouse Settles Multi-state HIPAA Investigation for $1.4 Million appeared first on HIPAA Journal.