Supreme Court Ruling Narrows Reach of Identity Theft Law

The Supreme Court has ruled against the government, which means federal prosecutors will have to curb identity theft charges and restrict them to cases where the misuse of another person’s identification is the crux of the criminal offense, rather than the current broad interpretation that allows identity theft charges for fraudulent billing, where the use of another person’s identification is merely an ancillary feature of a billing method.

Aggravated identity theft carries a mandatory jail term of 2 years in addition to any sentence for the predicate felony. Prior to the Supreme Court ruling, the law drew no distinction between an identity thief stealing an individual’s identity and running up huge debts, a lawyer rounding up bills and charging only full hours, a waitress overcharging customers, and a doctor overbilling Medicaid. The Supreme Court decision concerned the latter.

William and David Dubin are father and son psychologists who ran a mental health testing company called Psychological ARTs. In 2013, David Dubin was examining a patient when his father informed him that the patient’s Medicaid benefits had been exhausted, and he cut the evaluation short. David Dubin then instructed an employee to file a reimbursement claim with Medicaid that included the patient’s name and Medicaid ID, so that the cut-short examination qualified for payment. That fraudulent claim resulted in a payment of $338.

In 2017, federal prosecutors indicted William and David Dubin on 20 counts related to the overbilling of Medicaid, including 6 counts of aggravated identity theft; the overbilling had brought the practice around $300,000 in fraudulent reimbursements. In 2019, David Dubin was sentenced to one year in jail for submitting inflated bills and 2 years for aggravated identity theft, with the sentences to run consecutively. Dubin’s legal team appealed, but the U.S. Court of Appeals for the 5th Circuit upheld the identity theft conviction: under the broad interpretation of the law, it is a felony to use another person’s identity without lawful authority, and David Dubin had used patients’ names and Medicaid ID numbers to submit exaggerated claims. The Supreme Court unanimously ruled that it could not support “such a boundless interpretation” of the Identity Theft Penalty Enhancement Act of 2004.

Prosecutors argued that while the fraud in Dubin’s case was relatively small in scale, theirs was the correct reading of the statute and the flat two-year jail term should stand regardless of the scale of the fraud. Under the letter of the law, small-scale fraud and large-scale fraud carry the same sentence for aggravated identity theft. The Supreme Court disagreed.

“Patient names or other identifiers will, of course, be involved in the great majority of healthcare billing, whether Medicare for massages, or for ambulance stretcher services,” said Justice Sonia Sotomayor in the ruling. “Patient names will be on prescriptions, and patients committing fraud on their own behalf will often have to include the names of others on their forms, such as doctors or employers. Under the Government’s own reading, such cases are ‘automatically identity theft,’ independent of whether the name itself had anything to do with the fraudulent aspect of the offense.” She also pointed out that if the court sided with the government, the same interpretation could even be applied to mail fraud, where using another person’s name to address a letter to them could similarly be classed as aggravated identity theft, punishable with a 2-year mandatory jail term. Dubin’s attorney, Jeffrey Fisher, said the same 2-year jail term could also be imposed on any person who submits a form on behalf of another person that contains a misrepresentation.

“Whoever among you is not an ‘aggravated identity thief,’ let him cast the first stone,” said Justice Neil Gorsuch, concurring with the court’s decision and observing that siding with the 5th Circuit would potentially open the door to broad prosecutions in any case involving another person’s identity. “Depending on how you squint your eyes, you can stretch (or shrink) [the Identity Theft Penalty Enhancement Act] meaning to convict (or exonerate) just about anyone,” wrote Gorsuch, potentially putting “every bill splitter who has overcharged a friend using a mobile-payment service like Venmo” at risk of a 2-year jail term. He suggested the law is vague to the point where it is not much better than a Rorschach test: “The statute fails to provide even rudimentary notice of what it does and does not criminalize,” wrote Gorsuch.

The post Supreme Court Ruling Narrows Reach of Identity Theft Law appeared first on HIPAA Journal.

Update on MOVEit Vulnerability Exploitation and Extortion: Victims Given Until June 11 to Pay Ransoms

A zero-day vulnerability in the MOVEit file transfer service (CVE-2023-34362) started to be exploited at scale by a cyber threat actor over the Memorial Day weekend. Progress Software issued an advisory about the vulnerability on May 31, 2023, and rapidly released patches to fix the flaw, but not in time to prevent mass exploitation. Remote exploitation of the flaw allowed attackers to gain access to the MOVEit server database and the customer data it held.

A few days later, several major organizations confirmed they had been impacted by the attacks, including the airlines British Airways and Aer Lingus, the UK drugstore chain Boots, the University of Rochester in New York, and the Nova Scotia provincial government; all of them had data exfiltrated through their payroll and HR service provider, Zellis. Nova Scotia Health has confirmed that the personal information of up to 100,000 employees was stolen in the attack.

The Clop ransomware gang and the associated FIN11 threat group were suspected of involvement in the mass exploitation of the vulnerability, as they had previously targeted file transfer solutions, exploiting zero-day vulnerabilities in the Accellion FTA and Fortra’s GoAnywhere MFT. Microsoft, Mandiant, and others attributed the attacks to Clop/FIN11: Microsoft attributed them to a Clop affiliate it tracks as Lace Tempest, and Mandiant attributed them to a newly created threat cluster it tracks as UNC4857, also linked to Clop/FIN11. Mandiant confirmed to The HIPAA Journal that it has seen evidence of data exfiltration at multiple companies and that targeted applications were infected with a webshell called LEMURLOOT. Shodan scans revealed more than 2,500 instances of MOVEit software exposed to the Internet, and Censys reported more than 3,000 hosts running the service, all of which were potentially vulnerable.

Clop Ransomware Group Claims Responsibility for the Attacks

Around a week after the news broke about the exploits, the Clop ransomware gang claimed responsibility for the attacks and confirmed that ransom demands had been issued along with threats to release the stolen data if the ransoms are not paid, giving breached firms until June 14 to pay up or face data exposure. While the Clop group uses ransomware, these attacks involved data theft and extortion without file encryption, as was the case with the attacks on the Accellion FTA and GoAnywhere MFT.

On June 7, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint security advisory and provided a list of recommended mitigations to reduce the impact of Clop exploits. A few days earlier, on June 2, the Health Sector Cybersecurity Coordination Center (HC3) issued a sector alert, warning that the health and public health sector was potentially at risk from the vulnerability.

The number of victims has yet to be determined. In contrast to the GoAnywhere MFT attacks, the Clop group has not publicly stated how many attacks were conducted, but did say the number was in the hundreds. The scale of the attacks should start to become clearer from June 14 if Clop is true to its word and starts publishing stolen data, although it may take several weeks or months before the full extent of the exploitation of the vulnerability is known.

Clop May Have Known About Vulnerability for 2 Years

Cybersecurity firm GreyNoise reports that it traced scanning activity associated with the vulnerability back to March 3, 2023. Security experts at Kroll said they found evidence indicating that Clop was testing ways to exploit the vulnerability and obtain data in April 2023; however, they also found evidence of similar manual activity related to the exploit as early as July 2021, suggesting the Clop actors have known about the vulnerability for almost two years. The researchers suggest the threat actors waited until they had automation tools available to allow exploitation at scale.

The post Update on MOVEit Vulnerability Exploitation and Extortion: Victims Given Until June 11 to Pay Ransoms appeared first on HIPAA Journal.