Compromised VPN Credentials Leading Attack Vector in Ransomware Campaigns

Posted by Steve Alder

Several cybersecurity firms have tracked a surge in ransomware attacks in Q3, 2025, as groups such as Akira, Qilin, and Inc Ransom have stepped up their attacks. According to Beazley Security, a subsidiary of Beazley Insurance, those three groups accounted for 65% of all ransomware attacks in the quarter. Akira had a surge in attacks, conducting 39% of all attacks in the quarter, over 20% more than the second most active group, Qilin, with 18%, and Inc Ransom with 8%.

The Beazley Security Quarterly Threat Report for Q3, 2025, shows an 11% increase in additions to dark web data leak sites compared to Q2, 2025. The biggest increase in attacks came in August, which accounted for 26% of all publicly disclosed attacks in the past six months, with high levels of ransomware activity continuing in September, which accounted for 19% of all disclosed ransomware attacks in the previous six months.

While attacks are up overall, there has not been much change in the rate of attacks on the healthcare sector, which has remained fairly constant, accounting for 12% of attacks in Q2, 2025, and 11% of attacks in Q3, making it the 4th most targeted sector. In Q3, there was a significant increase in attacks targeting the business services sector, which accounted for 28% of attacks, up from 19% in Q2. Professional services & associations was the second most targeted sector, accounting for 18% of attacks in Q3.

Beazley identified some interesting attack trends, including the continuing preference for using compromised credentials for initial access, most commonly compromised credentials for publicly accessible VPN solutions. Compromised VPN credentials were the initial access vector in 48% of attacks in Q3, up from 38% in Q2, 2025, with external services the next most common attack vector, accounting for 23% of attacks.

Compromised credentials for remote desktop services took third spot, followed by supply chain attacks and social engineering, with each of those attack vectors accounting for around 6% of all attacks in the quarter. While the top three attack vectors remain the same as in Q2, 2025, there was an increase in exploits of vulnerabilities in external services, which overtook compromised credentials to take second spot. The supply of valid credentials primarily comes from infostealer campaigns, and while there was a significant law enforcement action – Operation ENDGAME – targeting Lumma Stealer infrastructure, there was a subsequent spike in Rhadamanthys information activity, indicating the strong demand for credentials.

Akira typically targets VPNs for initial access, and in Q3, most attacks involved credential stuffing and brute force attempts to guess weak passwords, demonstrating the importance of implementing and enforcing password policies and ensuring that multifactor authentication is used. Any accounts that cannot be protected by MFA should have compensating controls. Akira also targeted vulnerabilities in SonicWall devices, where organizations were slow to patch vulnerabilities.

Qilin likewise targeted VPNs using brute force tactics to exploit weak passwords, and also abused valid compromised credentials. INC Ransom also appears to favor compromised valid credentials, gaining access to victims’ environments via VPNs and remote desktop services.

While accounting for a relatively small number of attacks, Beazley warns that several attacks started with downloads of trojanized software installers, including popular productivity and administrative tools such as PDF editors.  Ransomware actors use SEO poisoning to get their malicious download sites appearing at the top of the search engine results, along with malicious adverts (malvertising) that direct users to malicious sites.

Executing the downloaded installer may install the desired software, but it also installs malware. This technique was a common initial access vector in Rhysida ransomware attacks that Beazley investigated. Beazley suggests that organizations should consider security tools such as web filters for protecting against these attack vectors, and should ensure that they cover these techniques in organizational security awareness training programs.

The post Compromised VPN Credentials Leading Attack Vector in Ransomware Campaigns appeared first on The HIPAA Journal.

I’m a HIPAA Privacy Manager. What’s That Mean?

Posted by Amy Schultz

The Privacy Department is led by the HIPAA Privacy Manager, but who is the Department? For some small organizations, it’s just the Privacy Officer. For others, there is a team of people who work diligently to keep the Privacy Officer informed and the organization compliant. When someone asks what you do for a living, how would you explain it? If I say to staff that I’m a Privacy Manager, I typically get blank stares. I then mention HIPAA or Patient Rights, and that’s when I get a head nod or two.

Privacy Officer sounds official, but honestly, what I do every day is way more involved in privacy operations than your typical privacy officer. This is the time to learn and soak up everything you can. Having a team is so important, even if it’s just one extra person. The Privacy Officer is limited without the people who make the department functional every day. Whether you’re a specialist just starting out or a manager like me with years of experience, the daily grind is tackled by us. We are diligent and timely in keeping our patients’ PHI safeguarded, giving our colleagues guidance, and keeping our organization compliant. It really falls to the department team. With that said, credit is due to the unicorns of the privacy world who work for smaller organizations and run the whole privacy office by themselves. I know they are out there, and I applaud you all.

The daily operations are our bread and butter. From handling the daily investigations and incident reports to addressing patients’ requests and helping our colleagues with privacy concerns/questions. All the daily tasks add up to enable us to be the privacy subject matter experts for our company. But is it enough? How many years of experience or certifications does it take to rise to the privacy officer title? What other traits are required?

I’m fortunate to work in a multifunctional healthcare organization that has allowed me to experience a variety of privacy scenarios over my time, from occupational health to continued care, urgent care, and hospitals. I think it’s important to experience as much as you can to really feel confident in your decisions and take accountability for the department. This can be the difference between a team member and a department leader. I think a lot can be said about being not only a sponge for information but also motivational. A positive mindset has always been a strong trait I would encourage any leader to possess. We should be thinking of this as we continue to strengthen our craft.

In the healthcare privacy space, where do you see yourself in five or ten years? For me, it’s always been as a Privacy Officer, the end game. But what does it take to get there? I have spent over 13 years in the healthcare compliance/privacy industry and still feel like I’m learning something new every day. The policies, rules, and laws change, so we adapt. This industry keeps evolving and growing, so my advice is to do the same. 

Helping people must be a big part of this journey, personally and professionally. Learning and becoming an expert in the healthcare privacy field can make it possible to help fellow colleagues and patients every day. As I continue my role, I hope to never forget this. What we do as privacy experts is important. We may be behind the scenes, but we keep our company compliant and lawful. We keep striving to be better than we were yesterday and help those who need it. Continue to do the work, keep your company HIPAA compliant, and never stop learning. One day, you might be a Privacy Officer. 



The post I’m a HIPAA Privacy Manager. What’s That Mean? appeared first on The HIPAA Journal.

Geisinger Health & Nuance Communications Data Breach Litigation Settled for $5 Million

Posted by Steve Alder

The Danville, Pennsylvania-based healthcare provider Geisinger Health and its former IT vendor Nuance Communications, Inc., have agreed to a $5 million settlement to resolve class action litigation over a 2023 insider data breach involving a former Nuance Communications employee.

On or around November 29, 2023, Geisinger Health learned that a former Nuance Communications employee, Andre J. Burk (also known as Max Vance), accessed the sensitive data of Geisinger Health patients two days after he was terminated by Nuance Communications. The data had been provided to Nuance Communications in connection with the services the IT company was contracted to provide. The breach was detected by Geisinger Health, rather than Nuance Communications, and it alerted its IT vendor about the breach.

Under HIPAA, business associates of HIPAA-regulated entities must comply with the HIPAA Security Rule, one of the requirements of which is to ensure that access rights are immediately revoked when employees are terminated. When notified about the unauthorized access, Nuance Communications terminated the former employee’s access rights and launched an investigation, which revealed that the former employee had potentially obtained the protected health information of more than 1.2 million Geisinger Health patients, including names, dates of birth, Social Security numbers, medical information, and health insurance information.

The affected individuals started to be notified about the data breach on June 24, 2024. The delay in notification was at the request of law enforcement. The HHS’ Office for Civil Rights was informed that the protected health information of 1,276,026 individuals was involved. Max Vance is now facing criminal charges over the data theft – one count of obtaining information from a protected computer – and his trial is scheduled for early January 2026.

Several lawsuits were filed against Geisinger Health and Nuance Communications, Inc. in response to the data breach, which were consolidated into a single action in July 2024 – In re: Geisinger Health Data Security Incident Litigation – in the U.S. District Court for the Middle District of Pennsylvania. The consolidated lawsuit alleged that the defendants failed to implement and maintain reasonable and adequate security measures to secure, protect, and safeguard the plaintiffs’ and class members’ personal and protected health information.

The lawsuit alleged that Geisinger Health failed to ensure that its vendors employed reasonable security measures, that Nuance Communications failed to properly monitor systems for intrusions, there was insufficient network segmentation, and a failure to comply with FTC guidelines, the HIPAA Rules, and the defendants did not adhere to industry standard cybersecurity measures. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, breach of third-party beneficiary contract, unjust enrichment, and declaratory judgment and injunctive relief against both defendants, and breach of fiduciary duty against defendant Geisinger Health.

The defendants disagree with the claims in the lawsuit; however, they chose to settle with no admission of wrongdoing to avoid the expense and uncertainty of a trial and related appeals. The settlement received preliminary approval from District Court Judge Matthew W. Brann on November 18, 2025. Under the terms of the settlement, the defendants will establish a $5,000,000 settlement fund, from which attorneys’ fees and expenses, service awards, and settlement administration costs will be deducted. The remainder of the funds will be used to pay benefits to the class members.

The class consists of 1,308,363 class members who may choose to receive a one-year membership to a credit monitoring and identity theft protection service. In addition, a claim may be submitted for reimbursement of documented, unreimbursed out-of-pocket losses due to the data breach up to $5,000 per class member. Alternatively, instead of a claim for reimbursement of losses, class members may choose to receive a pro rata cash payment. The final approval hearing has been scheduled for March 16, 2026, and claims must be submitted by March 18, 2026.

June 24, 2024: Geisinger: Former Business Associate Employee Unlawfully Accessed PHI of More Than 1.2 Million Patients

More than one million Geisinger patients are being notified that their protected health information has been unlawfully accessed by a former employee of one of its business associates, Nuance Communications.

Nuance Communications provides information technology services to Geisinger, which requires access to systems containing patient information. On November 29, 2023, Geisinger detected unauthorized access to patient data by a former Nuance employee and immediately notified Nuance about the incident. Nuance immediately terminated the former employee’s access and launched an investigation, which confirmed that the former employee accessed patient data two days after they were terminated.

The former employee may have viewed and acquired the data of more than one million Geisinger patients. The data varied from patient to patient and may have included names, addresses, phone numbers, dates of birth, admission/discharge/transfer codes, medical record numbers, facility name abbreviations, and race and gender information. Nuance has confirmed that the employee did not have access to Social Security numbers, financial information, or claims/insurance information.

The Department of Justice can pursue criminal charges for HIPAA violations under the Social Security Act when individuals knowingly violate HIPAA. When an employee of a HIPAA-covered entity or business associate has their employment terminated, HIPAA still applies. The penalties for accessing and obtaining protected health information are severe and can include a hefty fine and jail time. A tier 1 violation carries a maximum penalty of up to a year in jail, a tier 2 violation carries a jail term of up to 5 years, and a sentence of up to 10 years in jail is possible for a tier 3 violation – obtaining PHI for personal gain or with malicious intent. Geisinger has confirmed that the unauthorized access was reported to law enforcement and the former Nuance employee has been arrested and is facing federal criminal charges.

Due to the high risk of unauthorized access to patient data by former employees, HIPAA-covered entities and their business associates are required to develop and implement procedures for terminating access to electronic protected health information when employment comes to an end under the workforce security standard of the HIPAA Security Rule – 45 CFR § 164.308 (3)(ii)(C). This incident clearly shows why it is vital to revoke access immediately upon termination of employment. The HHS’ Office for Civil Rights has taken action over violations of this Security Rule provision in 2020 (City of New Haven) and 2018 (Pagosa Springs Medical Center).

The Risant Health-owned health system has confirmed that Nuance Communications is mailing notifications to the affected individuals. Patients have been advised to review the statements they receive from their health plans and contact their health insurer if any services appear on their statements that they have not received. A helpline has been set up for individuals requiring further information about the breach – 855-575-8722. The helpline is manned from 9 a.m. to 9 p.m. ET Monday to Friday. Callers should quote engagement number B124651.

The breach was reported to the HHS’ Office for Civil Rights as affecting 1,276,026 individuals.

This article has been updated to state the number of people affected by the breach, as that information was unavailable at the time of the initial post.

The post Geisinger Health & Nuance Communications Data Breach Litigation Settled for $5 Million appeared first on The HIPAA Journal.