What is Ransomware?
Ransomware attacks against healthcare organisations are becoming increasingly common. However, many individuals are still uncertain as to what constitutes a ransomware attack, and the potential consequences it has on an organisation. This article provides some background on ransomware attacks, outline how these attacks occur, and offer some guidance on how employees can mitigate the risk of such an attack befalling their organisation....
Cottage Health Pays $3,000,000 to OCR for HIPAA Violations
Cottage Health has agreed to pay a $3,000,000 settlement to the Department of Health and Human Services’ Office for Civil Rights (OCR) for two data breaches resulting from HIPAA violations. Cottage Health is a non-profit health provider based in Santa Barbara, California. The organisation operates four hospitals-Santa Barbara Cottage Hospital, Santa Ynez Cottage Hospital, Goleta Valley Cottage Hospital, and Cottage Rehabilitation...
New Trojan Horse Malware Campaign Targeting Linux Servers Identified
Security researchers have discovered a new Trojan horse malware campaign used by hackers to launch attacks on Linux servers. Trojan horses are malware variants that are disguised as benign or useful pieces of software. They are installed under false pretences, as the user if often tricked into believing that they serve a legitimate purpose. Once executed on a server, the hacker can then gain access to the system and steal valuable...
ICS-CERT Issues Medical Advisory for Vulnerabilities Found in BD FACSLyric Flow Cytometry Solution
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a medical advisory about vulnerabilities found in the BD FACSLyric flow cytometry solution. ICS-CERT is a governmental organisation that works to reduce the risk of cybercrime to US businesses. The medical advisory stated the flaw in the device, manufactured by Becton, Dickinson, and Company (BD) required a low level of skill to exploit. The flaw was...
HITRUST Incorporates GDPR into the CSF
The Health Information Trust Alliance (HITRUST) has incorporated the European Union’s General Data Protection Regulation (GDPR) into the HITRUST Cybersecurity Framework (HITRUST CSF). HITRUST is a US-based organisation which, in collaboration with the healthcare, technology and information security sectors, has established a Common Security Framework (CSF). The CSF offers guidance to organisations across all industries that create,...
Mozilla Official Predicts Stricter GDPR Enforcement in 2019
A senior official at Mozilla has predicted that 2019 will see much stricter enforcement of GDPR across Europe. The Senior Policy Manager and European Union Principal for Mozilla, Raegan MacDonald, has said that she believes that 2019 will see enhanced resources dedicated to the enforcement of the European Union’s General Data Protection Regulation (GDPR). Mozilla is a computer software organisation well known for its stance on the...
FilesLocker Master Key Released, File Decryptor Made Available for Free
Following the leaking of the master key for the FilesLocker ransomware on Pastebin, a decryptor has been made available to allow a victim’s files to be recovered for free. The master key is the key used by those behind a ransomware campaign to decrypt files that have been encrypted by the ransomware. FilesLocker is a ransomware distributed as a Ransomware as a Service, or RaaS; that is to say, even novice cybercrinimals can sign up to...
HHS Guidelines on Cybersecurity Best Practices for Healthcare Organisations Released
The U.S. Department of Health and Human Services has issued a four-volume publication on voluntary cybersecurity best practices for healthcare organisations. The publication includes guidelines for managing cyber threats and protecting patients. It is hoped that the guidelines will help all organisations that handle the protected health information (PHI) and other sensitive information of patients create a robust cybersecurity...
Cyberattack Disrupts Printing of Major Newspapers
An investigation has been launched into a recent cyberattack that disrupted the printing of several major newspapers. The cyberattack on Tribune Publishing, attributed to a malware infection, caused disruption to several newspaper print runs including those of the Los Angeles Times, San Diego Tribune, and the west coast editions of the New York Times and Wall Street Journal. The cyberattack occurred on Thursday December 28, 2018, and...
Global Netflix Phishing Scan Identified
A new global phishing scam has been identified in which hackers target customers of Netflix, the world’s largest streaming organisation. The U.S. Federal Trade Commission, an independent agency of the United States government, issued a warning about the Netflix scam late in December 2018. The phishing scam attempts to fool Netflix subscribers into handing over account information and payment information by telling them that there has...
Rhode Island and Illinois Healthcare Clinics Hit by Ransomware Attacks
The Center for Vitreo-Retinal Diseases in Libertyville, IL, has announced that it was recently the victim of a ransomware attack. The attack was first noticed on September 18, 2018, and resulted in the encryption of data on the organisation’s servers. The investigation into the breach suggests the attacker may have gained access to the protected health information of 20,371 patients that was stored on the affected servers. Ransomware...
ICS-CERT Discovers Vulnerability in Philips Health App
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a medical advisory about a vulnerability that has been identified in the Philips HealthSuite Health Android App which would only take a “low level” of skill to exploit. The Philips HealthSuite Health Android App is used by individuals to help them achieve activity targets and health goals. The app collects user...
Adobe Releases Patch for Flash Player Vulnerability
On Wednesday, December 5, 2018, Adobe issued an update to correct a vulnerability in Adobe Flash Player. The vulnerability had been identified in late November by Gigamon, held network visibility and traffic monitoring technology vendor. Qihoo 360, a Chinese internet security company, recently discovered an advanced persistent threat campaign that was exploiting the vulnerability in Adobe’s software. The vulnerability was being...
Cancer Centers of America Falls Victim to Phishing Attack
Cancer Centers of America’s Western Regional Medical Center in Bullhead City, Arizona, has recently fallen victim to a phishing attack which has exposed the protected health information (PHI) of over 41,000 individuals. The attack occurred due to one of its employees responding to a phishing email. The email was designed to appear as if it had been sent from the email account of an executive employee of Cancer Treatment Centers of...
GDPR Violation Penalty Levied Against Hospital for First Time
The Centro Hospitalar Barreiro Montijo, near Lisbon, Portugal, has become the first hospital to be issued a penalty for violating the EU’s new General Data Protection Regulation (GDPR). The Comissão Nacional de Protecção de Dados (CNPD), the body which oversees issues relating to data protection, prosecuted the Barreiro Montijo hospital for failing to ensure that adequate access restrictions were in place to protect the integrity of...
President Trump Signs Opioid Bill into Law
On October 26, 2017, President Donald Trump declared the opioid crisis a national public health emergency. According to the National Institute on Drug Abuse, over 100 people die every day in the United States from overdosing on opioids. Hundreds more suffer due addiction to opioids, which include drugs such as pain relievers, heroin, and fentanyl (a synthetic opioid). According to the Centers for Disease Control and Prevention, the...
Ransomware Attack on Jones Eye Clinic Affects 40,000 Patients
The Jones Eye Clinic and its affiliated surgery, CJ Elmwood Partners, based in Sioux City, Iowa, has announced that up to 40,000 patients may have had their data compromised following a ransomware attack on their systems. The ransomeware attack was discovered on August 23, 2018. Ransomware is software which denies the user access to their device, or certain files on the device, until a ransom has been paid to the scammer. The...
Radisson Hotel Data Breach Response Potentially in Violation of GDPR
The Radisson Hotel Group may be fined for non-compliance with the General Data Protection Regulation (GDPR) following a data breach earlier this year. The Radisson Hotel Group is a chain with over 1,400 hotels in over 70 countries and incorporates hotel brand such as the Park Plaza, Country Inn & Suites, Park Inn, and Radisson Collection. As their headquarters is based in Brussels, Belgium, the group is required to comply...
Beazley’s Publishes Breach Insights Report for Q3 2018
Beazley’s, a specialist insurance group, has released their quarterly Breach Insight Report for Q3 2018. The report concerned the attacks managed by Beazley Breach Response Services, which deals with the aftermath of an attack, including the investigation and the breach response. One of the most prevalent findings of the report is the huge rise in the number of ransomware incidents seen in comparison to previous months. Q3 saw a total...
Phishing Attack Causes Breach at Catawba Valley Medical Center
Catawba Valley Medical Center (CVMC), a medical center serving the greater Catawba County area based in Hickory, North Carolina, has recently announced that an unauthorised individual gained access to their systems following a successful phishing attack. It is estimated that up to 20,000 people may have been affected by the breach. The discovery was made on August 13, 2018. The organisation acted quickly to secure the account and...
Anthem Settles for Record $16 Million with OCR
Anthem, Inc., a health insurance company and the largest for-profit managed health care company in the Blue Cross and Blue Shield Association, has been levied the largest ever fine for a HIPAA violation for the February 2015 attack on their servers which saw over 78.8 million records stolen. The Anthem data breach settlement of $16 million is nearly three times the previous record-holder for largest HIPAA fine ($5.55 million) and...
ERS Texas Data Breach Caused by Error in Online Portal’s Code
The Employees Retirement System of Texas (ERS) has discovered a flaw in its ERS OnLine portal which allowed some users to view other members’ details upon logging into the portal. Up to 1.25 million records may have been exposed as a result of the error. ERS, a public pension fund with over $21 billion in assets under management, has explained that an error in the website’s code affected the “Annual Out-of-Pocket Premium” function of...
FirstCare Health Plans Data Breach Caused by Mailing List Error
FirstCare Health Plans, a Texan health insurance organisation, has revealed that more than 8,000 of its members may have had some of their personal data breached due to an email error made by one of its staff. The organisation is in the process of notifying 8,056 plan members plan members that may have had some of their sensitive personal information impermissibly disclosed to an unauthorised individual as a result of automated...
Twin Phishing Attacks on Children’s Hospital of Philadelphia’s Results in Data Breach
Children’s Hospital of Philadelphia (CHOP) has announced that the email accounts of two employees have been compromised following cyberattacks on two August 23 and August 29, 2018. On August 24, CHOP, a paediatric healthcare facility and primary care provider, discovered an unauthorized individual had gained access to the email account of one of the physicians working at the facility. An investigation was launched into the incident,...
Report Reveals Spike in Data Breaches Reported Under GDPR
The General Data Protection Regulations (GDPR) came into effect in the European Union in May 2018. The regulations served to replace the existing regulations covering data protection, which were woefully out-of-date with modern technology and inadequate to deal with major cybersecurity risks. The creators of GDPR hoped that the regulations would reduce the risk of data theft to a minimum by requiring that a number of safeguards are in...
New York Hospital Fires Employees Following Security Breach
A hospital in New York has fired several employees following a security breach. Claxton-Hepburn Medical Center, a not-for-profit 115-bed community hospital in Ogdensburg, NY, announced that several employees accessed patient protected health information (PHI) without proper authorisation to do so. This violates the Health Insurance Portability and Account Act (HIPAA). Officials at the hospital discovered the mishandling of PHI during...
SecureWorks Discovers Cobalt Dickens URL Spoofing Campaign
SecureWorks has discovered Cobalt Dickens, an Iranian threat group, has launched a URL spoofing campaign targeting universities in more than a dozen countries. On their website, SecureWorks stated that security researchers working in their Counter Threat Unit discovered the phishing campaign. Threat actors spoofed a university login page to steal the login credentials of university staff. Further research revealed that sixteen...
Reliable Respiratory Falls Victim to Phishing Attack
Reliable Respiratory, a respiratory care provider, has announced that it has fallen victim to a phishing attack. Reliable Respiratory, based in Norwood, MA, stated that IT staff discovered the breach when they detected suspicious activity on an employee’s email account on July 3. The organisation immediately launched an investigation, which revealed that a hacker had gained access to the email account when the employee responded to a...
Kroll Survey Shows Increase in Number of Data Breaches Reported Post-GDPR
Kroll, a data security company, has released the results of a survey which shows that the number of data breaches reported to the UK’s Information Commissioner has increased by 75% since the introduction of the General Data Protection Regulation (GDPR). GDPR became EU law in May 2018. Its introduction revolutionised the data security landscape in the EU. One of the most crucial aspects of GDPR is how it has changed how organisations...
New Closed-Loop Email Analysis and Response Solution Launched by Proofpoint
Proofpoint, the Californian cybersecurity company, has launched a new Closed-Loop Email Analysis and Response (CLEAR) solution. Proofpoint’s website states that the solution reduces “threat triage time from days to minutes without requiring additional work from human analysts”. Proofpoint CLEAR utilises a complete closed-loop approach to automatically analyse suspicious emails reported by end users to security teams, identify real...
Proof-of-Concept Exploit for Windows Task Scheduler Published
A security researcher released proof-of-concept code that would allow for a user to exploit a flaw in the Windows Task Scheduler. The flaw was discovered by Github user SandboxEscaper, who was also responsible for publishing the proof-of-concept (PoC) code. The flaw, a local privilege escalation vulnerability, was found in the Advanced Local Procedure Call (ALPC) interface. If a hacker were to exploit the flaw, they could elevate...
417,000 Files Compromised in Augusta Health Phishing Attack
Augusta University Health has announced that a successful phishing attack has resulted in a hacker gaining access to over 417,000 sensitive files. The University of Augusta announced a substituted substitute breach notice posted on its website. The announcement states that the breach was discovered on 31 July. IT security staff changed the password to the affected email accounts, thereby blocking the hacker’s access to the data stored...
Proofpoint Announces Discovery of Marap Malware Strain
Proofpoint has announced the discovery of a new malware strain called Marap. Security researchers at Proofpoint stated that Marap malware is currently being used for gathering information about victims. The threat actor’s aim appears to be the creation of a network of infected users which they can target in future attacks. The malware operates by creating a fingerprint for each infected device and sending the information back to its...
Patient Data Stolen in Legacy Health Phishing Attack
Legacy Health has announced that the PHI of 38,000 patients was stolen during a phishing attack on their facility. Legacy Health is a non-profit hospital system based in Portland, Oregon. The organisation consists of six hospitals and employs upwards of 10,000 staff. IT security staff at Legacy Health discovered the breach on June 21. The staff quickly launched an investigation to determine the cause and scope of the breach....
Whose data does GDPR protect?
General Data Protection Regulations became a part of EU law in May 2018. Before GDPR, European data protection laws were deemed unable to mitigate the risk of data theft. Furthermore, individuals had few rights over their data. EU lawmakers sought to revolutionise the data security landscape and introduce new regulations that were more fit to deal with the increasing prevalence of technology in everyday life. Whose data does GDPR...
Press America Inc Faces Lawsuit Over HIPAA Breach
Press America, Inc, a mail service used by a pharmacy benefit manager CVS Pharmacy, is being sued for the occurrence of an accidental disclosure of 41 people’ protected health information. As a subcontractor to supply a mail-order pharmacy service for the health planCVS Pharmacy is a business associate of health plan CVS Pharmacy and, as such, both bodies must adhere with HIPAA Rules. CVS Pharmacy completed a business associate...
Medical Data from Closed Pennsylvania Obs/Gyn Clinic Found at Allentown Public Recycling Center
Private Medical Data has been found at a recycling center in Allentown, Pennsylvania. Paper files containing names, Social Security numbers, and medical histories, including details of cancer diagnoses and sexually transmitted diseases were located that the center by a city worker. The medical files appear to have belonged to Women’s Health Consultants, an obstetrics and gynecology firm, that is no longer in business, but that had...
12,172 Individuals Impacted by ShopRite Data Breach
Pharmacy customers of ShopRite Supermarkets, Inc. have been impacted by a security violation caused by the improper disposal of a device used to record the signatures of customers. The device was used at the ShopRite, Kingston, NY location during the time period from 2005-2015 and saved personal and medical details. Customers who went to the pharmacy to have prescriptions filled between 2005 and 2015 have potentially been affected by...
UAB Medicine Encounters PHI Breach Due to Missing Laptops
The UAB Medicine Viral Hepatitis Clinic located in Birmingham, AL has encountered a violation of patients’ protected health information (PHI). UAB Medicine employs the use of flash drives to shift data from its Fibroscan machine to a computer device. Two flash drives were discovered to be missing on October 25, 2017. The portable storage devices stored a restricted amount of PHI of 652 patients. Information captured on the devices...
Extortion Attack on Private Information of Sports Medicine Clients
7,000 patients of Sports Medicine & Rehabilitation Therapy (SMART) have been alerted of a possible breach of the private personal information. It is believed the breach, which involved an extortion attempt, may have impacted anyone whose information was taken during a visit to a SMART center before the last day of 2016. The extortion attempt occurred in September 2017 when hackers gained access to SMART systems, allegedly stole...
PHI of 932 Texas Children’s Health Plan Members’ in Email Breach
An email to the personal email account of a former employee of the Texas Children’s Health Plan has been discovered to have exposed the protected health information (PHI) of 932 members. The incident was identified on September 21, 2017, although the former member of staff sent the data via email late last year in November and December 2016. The emails were seen during a routine audit process. Texas Children’s Health Plan reacted to...
Iliana Peters Now Acting Deputy at the OCR
OCR’s Iliana Peters has stepped in to replace Deven McGraw, Deputy Director for Health Information Privacy at the Department of Health and Human Services’ Office for Civil Rights (OCR), in an interim role. Peters will serve as Acting Deputy Director until a suitable replacement for McGraw can be identified. Peters has departed her role as senior advisor for HIPAA Compliance and Enforcement at OCR. There are no plans in place to bring...
Survey finds US and UK Companies Slow to Prepare for GDPR Compliance
A recent survey, conducted by Dimensional Research, has revealed that the levels of unpreparedness for both US and UK firms for compliance with the EU’s General Data Protection Regulation (GDPR) are high. Results seen in both the UK and US studies confirm the clients’ fears about the difficulty of privacy management. It also backs up the claims that technology investment will play a massive role in complying with GDPR and...
Danger of Using USB Drives to Store PHI Highlighted of Data Breach
Two USB drives holding the protected health information of almost 2,000 veterans at the Man-Grandstaff VA Medical Center in Spokane, WA have been discovered to be stolen. The two devices were storing data from a separate, external, non-networked server that was being switched off. One of the devices was the master drive used to transfer the medical center’s Anesthesia Record Keeper database to its virtual archive server. In a...
HIPAA Alliance Marketplace Matches Healthcare Organizations With HIPAA-Compliant Business
This week has seen the launch of a new platform that streamlines the process of searching for HIPAA-compliant business associates. The HIPAA Alliance Marketplace has been developed to match HIPAA covered entities with trusted vendors that have been independently verified as HIPAA-compliant. Healthcare organizations are required to comply with Health Insurance Portability and Accountability Act Rules, and so too must their business...
HIPAA Compliant Business Associates Easier to Locate with New Tool
The challenge of finding HIPAA compliant business associates has been addressed with the introduction of a new tool to simplify this task. Healthcare organizations are only allowed to use business associates that comply with HIPAA Rules and sign a business associate agreement. Finding HIPAA compliant business associates is time consuming, although locating vendors willing to follow HIPAA Rules is only part of the steps that must be...
FinSpy Malware Installed Using Adobe Flash Player Uopdate Flaw
Last week software giant Adobe issued a new patch for Flash Player to address an actively exploited weakness (CVE-2017-11292) that is being targeted by the hacking group Black Oasis to install FinSpy malware. Finspy is strictly not defined as malware, it is a legitimate software program developed by the German software company Gamma International. However, it can be used for many purposes including many malware-like functions. FinSpy...
New MyEtherWallet Phishing Attacks Witnessed
A new wave of MyEtherWallet phishing attacks has been witnessed which use a convincing domain and MyEtherWallet branding to trick MyEtherWallet users into sharing their credentials and providing criminals with access to their MyEtherWallet accounts. In the initial hours of the phishing campaign, the criminals responsible for the scam had obtained more than $15,000 of MyEtherWallet funds, including $13,000 from one MyEtherWallet user....
1300 People Impacted by RiverMend Health Breach
An unauthorized person has been found to have obtained access to the email credentials of one the employees at RiverMend Health, a provider of specialty behavioral health services including services for drug and alcohol addiction. The unauthorized access was discovered by the Augusta, GA-based group on August 10, 2017, when it was noticed that suspicious emails were being sent from the employee’s account. The suspicious email...
Attackers Decrypting WiFi Traffic Thanks to KRACK WiFi Security Weakness
A WiFi security flaw in WPA2 called KRACK has been discovered in an investigation at the University of Leuven in Belgium. The KRACK WiFi security weakness affects all modern WiFi networks and could be used for ill means with relative ease. While there have been no known attacks targeting this weakness, it is one of the most serious WiFi flaws discovered, with the potential to be used for obtaining the data millions of users. If the...