Round-up of Cyberattacks and Data Breaches Affecting Healthcare Organizations

Multiple Vulnerabilities Discovered in OpenEMR Health Record and Practice Management Software

More than 100,000 healthcare providers across the globe use the open source electronic health record and medical practice management software called OpenEMR. They use it to document and process sensitive patient information. Over 200 million patients utilized the software to book appointments on the internet, contact their healthcare providers, and transact payments for medical bills. Lately, multiple vulnerabilities were found in OpenEMR.

Security researcher Dennis Brinkrolf discovered three vulnerabilities last year. Using Sonar’s static application security testing (SAST) engine to analyze the open source code, Brinkrolf identified three vulnerabilities that can be chained together to conduct remote code execution, command vulnerable OpenEMR instances, and swipe sensitive patient information.

A malicious actor can use a rogue MySQL server to exploit the first vulnerability, an unauthenticated file read, to read arbitrary files on an OpenEMR system. Files exposed this way may include certificates, tokens, passwords, and backups. The other two vulnerabilities that can be exploited together with the first are an authenticated reflected XSS vulnerability and an authenticated local file inclusion vulnerability. Together they can be used to achieve arbitrary code execution on any vulnerable OpenEMR server and steal sensitive information. In the worst case, the attacker could compromise the organization’s entire critical infrastructure.

For example, the reflected XSS vulnerability can be abused to place a malicious PHP file on the server. The attacker can then use path traversal through the Local File Inclusion bug to include and execute that PHP file. Although it may take a few attempts to guess the correct Unix timestamp, the attacker will eventually achieve remote code execution and can then configure the system to allow data exfiltration.
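The local file inclusion step in the chain above works because a user-controlled name is joined onto a directory without any containment check. The following Python snippet is an added illustration written for this round-up, not OpenEMR's code: it places a naive resolver next to a hardened one, with the template directory, the allow-list of template names, and the sample inputs all constructed for the example.

```python
import posixpath
from typing import Optional

# Constructed allow-list root for includable templates (assumption; not an OpenEMR path).
TEMPLATE_ROOT = "/var/www/app/templates"
# Constructed allow-list of template names the application is permitted to include.
KNOWN_TEMPLATES = {"header.php", "footer.php", "print_view.php"}


def vulnerable_resolve(user_supplied: str) -> str:
    """Naive join of a user-controlled name onto the template directory.

    Traversal sequences ("../") and absolute paths escape TEMPLATE_ROOT,
    which is the shape of a local file inclusion bug.
    """
    return posixpath.normpath(posixpath.join(TEMPLATE_ROOT, user_supplied))


def hardened_resolve(user_supplied: str) -> Optional[str]:
    """Return the path to include, or None if the request must be refused.

    Defence in depth: reject NUL bytes and path separators, require the name
    to be on the allow-list, and finally confirm that the normalised path is
    still inside TEMPLATE_ROOT.
    """
    if not user_supplied or "\x00" in user_supplied:
        return None
    # A template name must be a bare filename: no directory components at all.
    if "/" in user_supplied or "\\" in user_supplied:
        return None
    if user_supplied not in KNOWN_TEMPLATES:
        return None
    candidate = posixpath.normpath(posixpath.join(TEMPLATE_ROOT, user_supplied))
    # Containment check: normpath collapses "..", so an escape changes the prefix.
    if posixpath.commonpath([TEMPLATE_ROOT, candidate]) != TEMPLATE_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    for name in ("header.php", "../../etc/passwd", "/etc/passwd", "header.php\x00.txt"):
        print(repr(name), "->", vulnerable_resolve(name), "| hardened:", hardened_resolve(name))
```

The allow-list alone would stop every traversal attempt; the separator and containment checks are kept so that a later change to the allow-list logic does not silently reopen the bug.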

Brinkrolf announced the OpenEMR vulnerabilities on October 24, 2022, and a week after, the patches became available to resolve all three vulnerabilities. Medical practices that use OpenEMR need to be sure they are using the most recent software version. Those running any version earlier than 7.0.0 must upgrade the software right away.

UCLA Health Reports a Data Breach Associated with Pixel

UCLA Health has just begun notifying around 94,000 patients about the impermissible disclosure of their protected health information (PHI) to a number of unnamed service providers through analytics tools used on its website and mobile application.

UCLA Health stated that it used analytics tools to better understand how patients use its website and app, and that it used the collected data to improve communication and patient services. UCLA Health said it became aware in June 2022 that these analytics tools could be transmitting sensitive patient data to service providers, and it promptly deactivated the tools on its website and app. It engaged a forensics company to examine the data collected by these tools and possibly transmitted to third parties, in order to determine the scope of the privacy violation.

The privacy violation occurred because these tools had been added to the website and app pages that contain consultation scheduling forms. The following information may have been copied and transmitted: hashed values of selected fields on the consultation request form, page views, IP address, third-party cookies, and the URL/website address (which may contain an ad campaign name, provider name, or specialty). The hashed form fields may have contained first and last name, gender, mailing address, email address, and telephone number. UCLA Health stated that there were no tracking tools on the myUCLAhealth online patient portal.
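The notice above lists "hashed values" of form fields among the data sent to third parties. The reason that still counts as a PHI disclosure is that hashing a name, email address or phone number does not de-identify it: anyone holding a contact list can hash their own entries and join them to the payload. The Python below is an added example for this round-up, not UCLA Health's code or the analytics vendor's; the form, patient records, page URL and payload layout are all constructed to model the disclosure described.

```python
import hashlib
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data (not real patients; RFC 2606 / RFC 5737 style placeholders).
SAMPLE_FORM = {
    "first_name": "Ada",
    "last_name": "Example",
    "email": " Ada.Example@example.org ",
    "phone": "555-0100",
}
SAMPLE_RECORDS = [
    {"id": "P-001", "email": "ada.example@example.org"},
    {"id": "P-002", "email": "bob@example.net"},
]
SAMPLE_URL = "https://clinic.example/request-consultation?specialty=oncology&provider=dr-example"


def normalize(value: str) -> str:
    # Trackers trim and lower-case before hashing so one person hashes identically everywhere,
    # which is exactly what makes the hash a stable identifier.
    return value.strip().lower()


def field_hash(value: str) -> str:
    return hashlib.sha256(normalize(value).encode("utf-8")).hexdigest()


def build_tracker_payload(form: Dict[str, str], page_url: str) -> Dict[str, str]:
    """Constructed model of what a tracking pixel sends on a scheduling-form submission:
    hashed contact fields plus the page URL, which can itself carry provider or specialty."""
    return {
        "em": field_hash(form["email"]),
        "ph": field_hash(form["phone"]),
        "fn": field_hash(form["first_name"]),
        "ln": field_hash(form["last_name"]),
        "url": page_url,
    }


def link_payload_to_records(payload: Dict[str, str], records: List[Dict[str, str]]) -> Optional[str]:
    """Privacy audit: hash the email addresses you already hold and join them to the payload.
    Returns the matching record id, or None. A match shows the payload is identifiable data."""
    by_email = {field_hash(r["email"]): r["id"] for r in records}
    return by_email.get(payload["em"])


def url_sensitive_params(url: str, sensitive=("provider", "specialty", "campaign")) -> List[str]:
    """List query parameters in the transmitted page URL that reveal care context."""
    query = parse_qs(urlparse(url).query)
    return sorted(k for k in query if k in sensitive)


if __name__ == "__main__":
    payload = build_tracker_payload(SAMPLE_FORM, SAMPLE_URL)
    print("payload:", payload)
    print("linked to record:", link_payload_to_records(payload, SAMPLE_RECORDS))
    print("care context leaked in URL:", url_sensitive_params(SAMPLE_URL))
```

A practical review step for any page that hosts a scheduling form is to run exactly this join against the outbound requests captured in the browser's network tab: if a hash matches, treat the field as PHI for the purposes of the vendor agreement and the notification decision.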

UCLA Health sent notification letters to affected individuals on January 13, 2022. Notification was delayed by the time needed to complete the forensic investigation. UCLA Health also said it has enhanced its technology evaluation procedures.

Security Breach and Data Theft at Benefit Administrative Systems, LLC

Connected Care Health Plan is managed by Benefit Administrative Systems, LLC, based in Homewood, IL. Benefit Administrative Systems sent notifications to selected individuals about the breach of an electronic document that held sensitive personally identifiable information (PII). An alert was generated when unauthorized individuals accessed the file, and steps were promptly taken to secure its systems. On November 1, 2022, the forensic investigation confirmed the exfiltration of a file listing first/last names, medical insurance member numbers, medical insurance group numbers of selected members, and email addresses.

Benefit Administrative Systems offered affected individuals 12 months of free credit monitoring and identity theft protection services. It has taken steps to strengthen its security to prevent similar breaches in the future.

DDoS Attacks on U.S. Hospitals by Killnet

Killnet, the pro-Russian hacking group, is carrying out a Distributed Denial of Service (DDoS) attack campaign against U.S. hospitals in retaliation for U.S. support of Ukraine. It started the attacks a couple of days after the U.S. and other nations agreed to provide Ukraine with tanks to support its fight against the Russian attack.

Killnet has been active as a hacktivist group since around January 2022, and its activity is tied to the Russian attack on Ukraine. Although the group’s views are aligned with Russia, links to the Russian Foreign Intelligence Service (SVR) and the Russian Federal Security Service (FSB) have not been confirmed. The group is known for carrying out denial of service (DoS) and DDoS attacks on government organizations and private companies in nations that support Ukraine.

The attacks involve sending thousands of connection requests and packets per minute to hospital servers and websites, causing the systems to slow down. In some instances, the attacks have made servers and websites unavailable for a time. DDoS attacks are usually short-lived, but they can still cause several hours or days of disruption. Although these attacks are disruptive, Killnet is thought to be trying to create panic and doubt about the ability of governments to defend against cyberattacks.
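The attack pattern described here, thousands of requests per minute against a web server, is visible in the server's own access log before it is visible anywhere else. The script below is an added example for this round-up, not HC3's guidance or any hospital's tooling: it parses combined-format access log lines, buckets them into one-minute windows, and raises two kinds of alert, a volumetric one when the whole window exceeds a request threshold even though no single source stands out (the distributed case), and a single-source one when one address alone crosses a threshold. The log lines and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Apache/nginx combined-style line: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Tuple[str, datetime]]:
    """Return (source ip, timestamp) for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def window_start(ts: datetime, window_seconds: int) -> int:
    epoch = int(ts.timestamp())
    return epoch - epoch % window_seconds


def detect_floods(lines: Iterable[str], window_seconds: int = 60,
                  total_threshold: int = 50, per_source_threshold: int = 30) -> List[Dict]:
    """Bucket requests per window and flag volumetric or single-source floods.

    Thresholds are constructed for the sample; in practice they come from the
    site's own baseline (e.g. several times the busiest normal minute).
    """
    totals: Counter = Counter()
    per_source: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or non-request lines are skipped, not fatal
        ip, ts = parsed
        bucket = window_start(ts, window_seconds)
        totals[bucket] += 1
        per_source[bucket][ip] += 1

    alerts = []
    for bucket in sorted(totals):
        reasons = []
        if totals[bucket] >= total_threshold:
            reasons.append("volumetric")
        noisy = sorted(ip for ip, n in per_source[bucket].items() if n >= per_source_threshold)
        if noisy:
            reasons.append("single-source")
        if reasons:
            alerts.append({
                "window_start": datetime.fromtimestamp(bucket, timezone.utc).isoformat(),
                "total": totals[bucket],
                "distinct_sources": len(per_source[bucket]),
                "noisy_sources": noisy,
                "reasons": reasons,
            })
    return alerts


def build_sample_log() -> List[str]:
    """Constructed access log: a quiet minute, a distributed flood, then a single-source flood."""
    base = datetime(2023, 1, 30, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip: str, t: datetime) -> str:
        return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET /appointments HTTP/1.1" 200 512'

    lines = []
    for i in range(5):  # minute 0: five ordinary visitors (documentation range 198.51.100.0/24)
        lines.append(line(f"198.51.100.{i + 1}", base + timedelta(seconds=i * 10)))
    for i in range(20):  # minute 1: 20 sources x 3 requests = 60, none individually noisy
        for j in range(3):
            lines.append(line(f"203.0.113.{i + 1}", base + timedelta(seconds=60 + i * 2 + j)))
    for j in range(40):  # minute 2: one source sends 40 requests
        lines.append(line("192.0.2.7", base + timedelta(seconds=120 + j)))
    lines.append("this line is not a request and must be ignored")
    return lines


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

The distributed window is the important one: per-IP rate limiting, the first control most teams reach for, never fires on it, which is why the volumetric check on the whole window (and upstream scrubbing or CDN absorption) is what actually matters against a campaign like this.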

In 2022, the group carried out DDoS attacks on government sites and private businesses in Romania, Georgia, Germany, Italy, Japan, and the Czech Republic. In the U.S., the group attacked the U.S. defense company Lockheed because it provided the HIMARS systems to Ukraine. A number of U.S. airports were also attacked in October. A senior group member, called Killmilk, threatened the U.S. government saying attacks would be carried out on healthcare organizations to acquire the sensitive personal information of Americans as a form of retaliation for the U.S. Congress policy on Ukraine.

Although those threats don’t appear to have been acted on, the group’s most recent DDoS campaign targeted about 15 hospitals and health networks, including Stanford Healthcare, University of Michigan Health, Banner Health, Atrium Health, Anaheim Regional Medical Center, University of Pittsburgh Medical Center, Hollywood Presbyterian Medical Center, Jefferson Health, Duke University Hospital, Abrazo Health, Buena Vista Regional Medical Center, Cedars-Sinai Hospital and Heart of the Rockies Regional Medical Center.

University of Michigan Health stated that the Mott Children’s Hospital and U-M hospital websites were attacked but have since recovered. The affected websites, which contained no patient data, were hosted by a third-party vendor that assisted in mitigating the attack. The wave of attacks prompted the Health Sector Cybersecurity Coordination Center (HC3) to publish an analyst note on the group and offer mitigations that can reduce the impact of DDoS attacks, while cautioning that the threat of DDoS attacks cannot be completely eliminated.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.