1.7 Million Oregon Health Plan Members Affected by MOVEit Hack

The protected health information of 1.7 million Oregon Medicaid patients has been stolen by the Clop threat group, which exploited a zero-day vulnerability in the MOVEit Transfer file transfer solution on or around May 30, 2023. The data breach occurred through a contractor used by the Oregon Health Plan – PH Tech – which was informed about the vulnerability and data breach on June 2 by Progress Software. According to PH Tech, the compromised information included names, dates of birth, Social Security numbers, mailing addresses, and email addresses, along with health information such as diagnoses, procedures, claim information, and plan ID numbers. Affected individuals are being notified by PH Tech and have been offered complimentary credit monitoring services. PH Tech said it immediately disabled the MOVEit solution when it learned about the compromise. The vulnerability was patched, and it rebuilt how the solution can be accessed to ensure that no one else is able to access files through the software.

Healthcare Victim Count Continues to Grow

The Health Plan of West Virginia, Inc. has recently confirmed that 1,292 members had data stolen. United Bank provides financial services to the health plan and recently confirmed that electronic records of recent premium payment and premium payment coupons were stolen. The stolen records related to a two-week period in May 2023, and included names, addresses, phone numbers, health plan identification numbers, group numbers, and images of premium payments.

Employees, students, and patients of Johns Hopkins Health System, Johns Hopkins All Children’s Hospital, and Johns Hopkins Howard County General Hospital had data stolen from MOVEit servers after the vulnerability was exploited, although personal health records do not appear to have been obtained. Johns Hopkins Health System has reported the breach to the Office for Civil Rights as affecting 2,584 patients and Howard County General Hospital has filed a breach report indicating 2,975 patients were affected.

The academic health system UofL Health was also attacked and is still investigating the incident to determine the types of information involved and the number of individuals affected. The MOVEit tool was used by a small number of UofL Health medical practices for transferring files to third-party vendors. Other known victims include Allegheny County in Pennsylvania (689,686 individuals), Sutter Senior Care (519 individuals), Harris Health System (224,703 individuals), UT Southwestern Medical Center (98,437 individuals), and CMS contractor Maximus (612,000 individuals).

The post 1.7 Million Oregon Health Plan Members Affected by MOVEit Hack appeared first on HIPAA Journal.

Ivanti Discloses Another Maximum Severity Endpoint Manager Mobile Vulnerability

Ivanti has disclosed another maximum-severity vulnerability in its Endpoint Manager Mobile (EPMM) solution (formerly MobileIron Core). The vulnerability is tracked as CVE-2023-35082, has a maximum CVSS v3.1 severity score of 10, and affects MobileIron Core 11.2 and older versions. It is described as a remote unauthenticated API access issue: unauthorized users can remotely access restricted resources without authentication, potentially allowing the theft of users’ personally identifiable information and limited changes to be made to the server. Ivanti said it does not believe the flaw has been exploited in the wild.

Since MobileIron 11.2 reached end-of-support on March 15, 2022, a patch will not be released to fix the flaw. The only way of remediating the vulnerability is to upgrade to the latest version of Ivanti EPMM. Ivanti confirmed that the latest vulnerability does not affect any version of Ivanti Endpoint Manager or MobileIron Core 11.3 and above, or Ivanti Neurons for MDM.

The vulnerability was identified by Stephen Fewer, a Rapid7 security researcher, and is linked to the recently disclosed maximum-severity zero-day vulnerability – CVE-2023-35078 – that was exploited in an attack on the Norwegian government and other entities. The CVE-2023-35078 vulnerability is an authentication bypass issue that can be chained with another vulnerability, CVE-2023-35081, to gain administrative privileges on compromised systems. Ivanti released a patch for CVE-2023-35078 on July 23, 2023, and a patch for CVE-2023-35081 was released on July 28, 2023.

On August 1, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that advanced persistent threat actors have been chaining the CVE-2023-35078 and CVE-2023-35081 vulnerabilities to gain privileged access to EPMM systems and have been deploying web shells on compromised systems. The flaws have been exploited from at least April 2023 through to July 2023 in a cyber espionage campaign that saw the networks of several Norwegian government entities compromised. CISA and the Norwegian National Cyber Security Centre (NCSC-NO) expressed concern that the vulnerabilities could be exploited in widespread attacks on government and private sector networks. Indicators of compromise (IOCs) and the threat actor’s tactics, techniques, and procedures (TTPs) have been shared by CISA, and users of vulnerable EPMM versions have been advised to update to the latest version as soon as possible.

The post Ivanti Discloses Another Maximum Severity Endpoint Manager Mobile Vulnerability appeared first on HIPAA Journal.
