Integris Health Reports 2.39 Million People Impacted by Cyberattack

Integris Health has finished the analysis of the files that were viewed/stolen as a result of a cyberattack in November 2023. It has submitted the breach report to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) indicating that 2,385,646 individuals were affected. The breach notifications state that the stolen data … Read more

$4.75 Million HIPAA Penalty on Montefiore Medical Center Due to Malicious Insider Incident

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reported the first financial penalty issued in 2024 to settle alleged HIPAA violations. Montefiore Medical Center has consented to pay a $4.75 million penalty to settle the supposed HIPAA violations. This one penalty already exceeded OCR’s total collections in 2023 from its … Read more

Patch for Fortra GoAnywhere Critical Vulnerability and Unauthorized Remote Access Using the ScreenConnect Tool

Fortra has announced a critical vulnerability identified in its GoAnywhere Managed File Transfer (MFT) solution and also issued a patch. Vulnerability CVE-2024-0204 is an authentication bypass bug caused by a path traversal weakness. An unauthenticated user can exploit the vulnerability and make a new admin user through the admin portal then remotely manage the customer’s … Read more

Data Breach Reports by Columbus Regional Healthcare System, Senior PsychCare, and Aria Care Partners

133K Record Data Breach at Columbus Regional Healthcare System Columbus Regional Healthcare System located in Whiteville, NC, has informed the Maine Attorney General about a patient data theft due to a cybersecurity incident. Unauthorized people got access to its system from May 19, 2023, to May 21, 2023 and extracted files. The file analysis was … Read more

Data Breach Reports by Electrostim Medical Services, Meridian Behavioral Healthcare and Network 180

543,000 Electrostim Medical Services Patients Affected by Data Breach The medical device firm Electrostim Medical Services, Inc. in Florida, which is also called EMSI, has reported that it encountered a cyberattack in May 2023 which involved access to sections of the network that contain patient files. Electrostim Medical Services has submitted the data breach report … Read more

Cyberattack and Data Breaches at Anna Jaques Hospital, NYC Health + Hospitals, and Corewell Health Business Associate

Anna Jaques Hospital Cyberattack on Christmas Day Anna Jaques Hospital located in Newburyport, MA, encountered a cyberattack on Christmas Day that caused an interruption to its health record system. It was decided to redirect ambulances to other nearby hospitals until the restoration of systems. On December 26, 2023, patients were accepted in the emergency department … Read more

New York Presbyterian Hospital Pays $300K Fine for Using Website Pixel

New York Presbyterian Hospital has decided to resolve alleged Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule violations by paying the New York Attorney General a $300,000 financial penalty. NYP manages 10 hospitals around New York City and has roughly 2 million patients annually. In June 2016, NYP put tracking pixels and tags on … Read more

Urgent Action Needed on Citrix Bleed Vulnerability as Ransomware Attacks Increase

Ransomware groups are exploiting a critical vulnerability identified in NetScaler ADC (earlier known as Citrix ADC) and NetScaler Gateway (Citrix Gateway) devices, referred to as Citrix Bleed. On October 10, 2023, Citrix released a security alert concerning the vulnerability and made a patch available to resolve the vulnerability, which could be used to get around … Read more

Data Breaches Reported by State of Maine, Affinity Legacy, The Charles Lea Center and Detroit Chassis

State of Maine Data Breach Impacts 450,000 Records The State of Maine has reported the theft of the protected health information (PHI) of 453,894 persons in the latest mass exploitation of a zero-day vulnerability in the MOVEit Transfer solution by Progress Software. Progress Software introduced a patch to resolve the vulnerability on May 31, 2023; … Read more

Advisories on Critical ownCloud Vulnerabilities, Critical FortiSIEM Vulnerability and Emotet Malware Threat

HC3 Alerts HPH Sector Regarding Critical FortiSIEM Vulnerability and Ongoing Emotet Malware Threat The Health Sector Cybersecurity Coordination Center (HC3) has alerted healthcare companies that utilize Fortinet’s FortiSIEM platform to fix a critical vulnerability that is probably exploited by malicious actors and has released a threat summary on Emotet malware. FortiSIEM Command Injection Vulnerability – … Read more

Guidance on Managing Legacy Medical Devices and Advisory Against Rhysida Ransomware Attacks

FDA Releases Guidance on Managing Legacy Medical Device Cybersecurity Risks The U.S. Food and Drug Administration (FDA) has released a report that recommends how to handle the cybersecurity problems of legacy medical gadgets. Legacy medical gadgets are considered devices that are not reasonably protected against present cybersecurity risks, although they may still sufficiently do their … Read more

Data Breaches at Medical Eye Services, PeakMed, Prospect Medical Services, and 4 More Healthcare Providers

Medical Eye Services Says PHI of 370,000 Patients Stolen in MOVEit Transfer Hack Medical Eye Services, Inc. based in California recently reported the theft of the protected health information (PHI) of 346,828 persons. The PHI was stolen from the MOVEit Transfer server employed by MESVision, a vision benefits management provider, from May 28, 2023 to … Read more

HIPAA Cases Against Doctors’ Management Services and Wright & Filippis Resolved

Doctors’ Management Services Resolves OCR HIPAA Case for $100,000 The HHS’ Office for Civil Rights (OCR) has consented to resolve an investigation of a ransomware attack and data breach that revealed several potential HIPAA Security Rule violations of Doctors’ Management Services (DMS) for $100,000. The medical management company, Doctors’ Management Services based in Massachusetts provides medical … Read more

Cyberattacks on Westchester Medical Center Health Network, Fellowship Village, Meadville Medical Center, and BHI Energy Health Plan

Westchester Medical Center Health Network (WMCHealth) has encountered a cyberattack that impacted its IT systems. The health network discovered the attack last week. On October 20, 2023, at 10 p.m., all connected systems were shut down. The downtime was estimated to continue for 24 hours. The restoration of systems online was on an ongoing basis … Read more

Data Breaches Reported by Fairfax Oral and Maxillofacial Surgery, Henwood Family Dentistry, Piedmont Healthcare and Surround Care

Fairfax Oral and Maxillofacial Surgery Ransomware Attack Impacts 236,000 Individuals Fairfax Oral and Maxillofacial Surgery based in Virginia has reported the potential compromise of the protected health information (PHI) of around 235,931 persons in a ransomware attack last May 2023. The healthcare provider detected the security incident on May 16, 2023, upon noticing the encryption … Read more

Warning Against LokiBot Malware and Increasing Remote Access Software Threats

HHS Publishes Alert Against LokiBot Malware The Health Sector Cybersecurity Coordination Center (HC3) has publicized an Analyst Note regarding LokiBot – one of the most common and persistent malware variants. LokiBot, also known as Loki PWS, has been employed in attacks on some industries in the last eight years, which include critical infrastructure organizations; nevertheless, … Read more

Community First Medical Center Data Breach, AlphV and CommonSpirit Health Ransomware Attack

Community First Medical Center based in Chicago, IL started telling 216,047 patients about a cyberattack that allowed an unauthorized entity to obtain access to its computer system on July 12, 2023. According to the September 26, 2023 breach notification, the forensic investigation affirmed the third party access to patients’ files with PHI on July 28, … Read more

Advisory on Snatch Ransomware and the Lazarus Group

Feds Release Snatch Ransomware Alert After an Attack on Hospital The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint security alert regarding Snatch ransomware. The Snatch ransomware group carried out an attack on a hospital in Maine and has professed to attack the Florida Department … Read more

Cyberattacks and Data Breaches Reported by Texas Medical Liability Trust, Bloom Health Centers and Other Healthcare Organizations

60,000 People Impacted by Texas Medical Liability Trust Data Breach The Texas Medical Liability Trust (TMLT) submitted a data breach report to the Maine Attorney General representing itself and its affiliate companies, Physicians Insurance Company, Texas Medical Insurance Company, and Lone Star Alliance, Inc., a Risk Retention Group with 59,901 people impacted. TMLT detected suspicious … Read more

Finding the Common Causes of Hacking/IT Incidents

The common source of healthcare data breach data is the HHS Office for Civil Rights Breach Report. Although it is an important source of data for understanding developments in data breaches, the Breach Report has limited scope since it shows only data breaches impacting five hundred or more persons. In addition, when covered entities and … Read more

Sentinel Event Alert and State of External Exposure Management

Joint Commission Issues Guidance on Ensuring Patient Safety After a Cyberattack The Joint Commission has published a Sentinel Event Alert offering guidance on keeping patient safety after a cyberattack. There has been an increase in sophisticated healthcare cyberattacks. The question is not if a healthcare provider will be attacked but when. Cyberattacks could result in … Read more

Vulnerabilities Found in 1,900 Citrix NetScaler Devices and Limited Use of Generative AI by Malicious Actors

Malicious Actors Still Limit the Use of Generative AI It is feared that malicious actors will take advantage of generative AI to support their malicious pursuits; nevertheless, the use of generative AI by malicious actors seems to be minimal, definitely for attack campaigns. Mandiant states that it is monitoring the interest of threat actors in … Read more

Data Breaches Reported by Cummins Behavior Health, Redwood Coast Regional Center and Other Healthcare Entities

Data of 4 Million Coloradans Exposed in MOVEit Transfer Attack The Colorado Department of Health Care Policy and Financing (HCPF), which supervises the Medicaid program of the state and the Child Health Plan Plus (CHP+) program, has just reported the compromise of the protected health information (PHI) of 4,091,794 people. The attack happened at IBM, … Read more

Top Industries Targeted by Cyber Threat Actors and 2022’s Most Often Exploited Vulnerabilities

Top Targets for Cyber Threat Actors According to Blackberry’s most recent Global Threat Intelligence Report, the two most attacked sectors are healthcare and financial services. The information for the report was gathered between March and May 2023 from its cybersecurity systems, which stopped over 1.5 million attacks at about 11.5 attacks every minute and discovered … Read more

VUMC and Norton Healthcare Face Class Action Lawsuit

Class Action Lawsuit Filed Against Norton Healthcare Over BlackCat Cyberattack Norton Healthcare based in Kentucky operates over 140 clinics and hospitals all across Kentucky and Southern Indiana. It is confronted with a class action lawsuit in association with a cyberattack and data breach in May 2023. Norton Healthcare has just exposed limited data regarding the … Read more

Approved Information Blocking Penalties and the Mission of OSHA

Approved Final Rule for Information Blocking Penalties of Up to $1 Million for Health IT Companies HHS-OIG already approved the civil monetary penalties for health IT companies that are found engaging in information blocking. Penalties of as much as $1 million may be issued for every violation. In 2016, sharing electronic health data became normal … Read more

Delaware’s Comprehensive Data Privacy Law and HSCC’s Coordinated Healthcare Incident Response Plan Template

Comprehensive Data Privacy Law Passed by the Delaware Legislature The Delaware legislature passed a comprehensive new data privacy law. Delaware Governor John Charles Carney Jr is likely to sign the Personal Data Privacy Act making Delaware the 12th U.S. state to implement a comprehensive data privacy law. Unlike the data privacy laws in the other … Read more

Cyberattacks at Precision Imaging Centers, Atrium Health Wake Forest Baptist, Marshall & Melhorn, and Murfreesboro Medical Clinic & SurgiCenter

Precision Imaging Centers located in Jacksonville, FL recently informed 31,010 patients with regards to a security breach that took place on or about November 2, 2022. Unauthorized persons acquired access to its system and extracted files that contain sensitive patient data. The breached data differed from one patient to another and might have involved first … Read more

Final Rule on Cyber Incident Disclosures and New Nevada Consumer Health Data Bill

SEC Postpones Final Rule on Cyber Incident Disclosures The Securities and Exchange Commission (SEC) was scheduled to release a final rule, mandating publicly traded companies to disclose important cyber breaches in their regulatory filings within four days of discovering a breach. The decision has been postponed until October 2023, prolonging the process. In March 2022, … Read more

New MOVEit Zero-Day Vulnerability, Critical Vulnerability in VMware Aria Operations for Networks, and CISCO AnyConnect Secure Vulnerability

Progress Software Alerts of New MOVEit Zero-Day Vulnerability – Quick Action Necessary Progress Software has released an alert concerning a new vulnerability identified in its MOVEit Transfer file transfer software program. It is an exploit that is available in the public domain. The announcement is given since the Clop ransomware group begins to identify organizations … Read more

Lawsuit Against Blackbaud and the New Limits of the Identity Theft Legislation

Blackbaud Had No Common Law Duty to Protect the Confidentiality of Trinity Health’s Records An Indiana district court judge has decided in support of the plaintiff in a lawsuit that alleged negligence for not preventing a breach of protected health information (PHI), stating that there is no common law duty in Indiana to protect the … Read more

Trends in Data Breaches According to the 2023 Verizon Data Breach Investigations Report

Verizon 2023 DBIR: Rising Social Engineering Attacks While Ransomware Plateaus The Verizon 2023 Data Breach Investigations Report (DBIR) was published to offer insights into the present threat landscape and trends in data breaches. In 2023, the report analyzed 16,312 security events, where … Read more

Latest News About Cyberattacks and Email Account Compromise on Healthcare Providers

Ohio Hospital Exposed Nurses and Other Staff to Workplace Violence The Occupational Safety and Health Administration (OSHA) has confirmed that a children’s hospital based in Columbus, Ohio didn’t sufficiently safeguard healthcare staff from violence in the workplace. Patients assaulted nurses and other medical specialists and their kicks, bites, punches, and other attacks resulted in the … Read more

Revised Pennsylvania Breach of Personal Information Notification Act and New StopRansomware Guide

The 2022 change to the Pennsylvania Breach of Personal Information Notification Act (BPINA) is currently in force. The revision extended the definition of personal data adding medical data, medical insurance details, and usernames along with a security question/answer or a password that enables access to an account. The change to BPINA was approved on November … Read more

The BianLian Ransomware Group and Vulnerabilities on Illumina Sequencing Instruments

FBI and CISA Warn About BianLian Ransomware and Extortion Group The Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory with regard to the BianLian ransomware and data extortion group. The BianLian group has been attacking organizations in America since June 2022 and … Read more

SuperCare’s Proposed Data Breach Settlement and the Lawsuit Against University of Iowa Hospitals and Clinics

SuperCare Offers to Pay $2.25 Million to Resolve Data Breach Lawsuit SuperCare, a home care service provider in California, has offered to pay $2.25 million to settle a class action lawsuit associated with a 2021 hacking incident wherein the protected health information (PHI) of 318,379 patients was exposed. SuperCare noticed a network attack on July … Read more

Lawsuits Against One Brooklyn Health, 90 Degree Benefits, and Lehigh Valley Health Network

One Brooklyn Health Faces Lawsuit Over 235K-Record Data Breach One Brooklyn Health based in New York City manages three acute care hospitals, namely Interfaith Medical Center, Brookdale Hospital Medical Center, and Kingsbrook Jewish Medical Center. A class-action lawsuit has been filed against One Brooklyn Health associated with a data breach that was uncovered in November … Read more

Recent Data Breaches Reported by Santa Clara Family Health Plan and Other Healthcare Organizations

Santa Clara Family Health Plan Encountered a Clop GoAnywhere Hack On March 30, 2023, Santa Clara Family Health Plan reported a 276,993-record data breach to the HHS’ Office for Civil Rights that was a result of a Clop ransomware group hacking incident involving Fortra’s GoAnywhere MFT solution. The group took advantage of an earlier unidentified … Read more

Arizona Veterans’ Healthcare Facility Exposed Staff to Potentially Fatal Conditions and Other Data Breaches Reported

The investigation of an Arizona Department of Veteran Affairs (VA) healthcare facility showed that workers were put at risk because they were exposed to potentially fatal hazards on steam lines. Workers were permitted to do work on the steam lines without making sure the necessary safety protocols are in place. Government agencies like the VA … Read more

Proposed HIPAA Privacy Rule Update and CISA’s Updated Zero Trust Maturity Model

The HHS’ Office for Civil Rights has issued a Notice of Proposed Rulemaking (NPRM) concerning a HIPAA Privacy Rule update to reinforce the protection of privacy for reproductive health information. The proposed revision is in response to the decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization as well as the overturning of Roe v. Wade, which … Read more

Health-ISAC Report on Present and Upcoming Cyber Threats to the Healthcare Industry

Ransomware and phishing are still the biggest concerns in terms of cybersecurity for healthcare providers based on Health-ISAC’s Current and Emerging Healthcare Cyber Threat Landscape report for February 2023. The joint report by Booz Allen Hamilton Cyber Threat Intelligence (CTI) and Health-ISAC reveals the major threats to the healthcare industry. It is based on a … Read more

How the Federal Government Can Strengthen Healthcare Cybersecurity

The U.S. Senate Committee on Homeland Security and Governmental Affairs conducted a hearing to look at cybersecurity threats to the healthcare industry, what healthcare companies and the federal government are doing to overcome those risks, and what the federal government must do to boost defenses against healthcare industry cyberattacks. Committee Chairman, Gary C. Peters … Read more

Lehigh Valley Health Network and Maternal & Family Health Services Face Lawsuit Over Ransomware Attack

Lehigh Valley Health Network (LVHN) is facing a lawsuit in association with its latest BlackCat ransomware attack. The attack resulted in the encryption of files after exfiltrating data as is common in ransomware attacks; nevertheless, the attack was distinct because of the aggressive step of the ransomware group to exert more pressure on LVHN to … Read more

Data Breaches Reported by Dental Health Management Solutions, Nursing Rehab Centre, The Chautauqua Center, Northeast Surgical Group, and White Bird Clinic

Dental Health Management Solutions Alerted Patients About Historic Data Breach Dental Health Management Solutions (DHMS) based in Cedar Park, TX provides the military/government and private individuals with dental services. It recently reported the exposure of the protected health information (PHI) of some patients as a result of a hacking incident in 2021. In the notification … Read more

DoppelPaymer Ransomware Core Members and Medicare Beneficiary Identifier Theft Conspirator Arrested

DoppelPaymer Ransomware Core Members Arrested in Europol-Driven Operation Two persons alleged to be key DoppelPaymer ransomware group members were detained — one by the police in Germany and another by the Ukrainian Police officers and Ukraine German Regional Police. This organized law enforcement operation was led by Europol. The Federal Bureau of Investigation … Read more

HPH Sector Warned Against Clop Cyberattacks and MedusaLocker Ransomware Attacks

At the beginning of February, attackers exploited a zero-day vulnerability (CVE-2023-0669) found in Fortra’s GoAnywhere MFT secure file transfer software on over 130 companies, which include a few companies in the healthcare sector, for instance, Community Health Systems (CHS) in Tennessee. That attack impacted around 1 million patients. Fortra released a notification regarding the vulnerability … Read more

Roundup of Recent Data Breaches and Cyber Attacks

mscripts Cloud Storage Misconfiguration Exposed PHI for 6 Years The mobile pharmacy company, mscripts, has just reported that its misconfigured cloud storage environment resulted in the exposure of client information on the internet for the last 6 years. mscripts discovered the misconfiguration and fixed it on November 18, 2022. Since September 30, 2016, the cloud … Read more

GoAnywhere MFT Hack Impacts Up to 1 Million Community Health Systems Patients and Growing Gootloader Attacks

Community Health Systems based in Franklin, TN recently reported being affected by a security incident that happened at cybersecurity firm, Fortra. Unauthorized people acquired access to the protected health information (PHI) of around 1 million of its patients. Community Health Systems is one of the United States’ biggest health systems. It manages 79 hospitals and … Read more

Cyber Attacks on VMware ESXi Servers, Sharp HealthCare, Regal Medical Group, and Southeast Colorado Hospital District

The French Computer Emergency Response Team (CERT-FR) issued a warning regarding a persistent ransomware campaign attacking VMware ESXi hypervisors that have not been patched against the critical heap-overflow vulnerability tracked as CVE-2021-21974. VMware released a patch on February 3, 2021, to resolve the vulnerability; even so, hundreds of VMware ESXi virtual machines remain vulnerable to the exploit and … Read more