Excellus Health Plan Pays $5.1 Million Penalty to Settle HIPAA Violation Case

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that health insurer Excellus Health Plan has agreed to pay a $5.1 million penalty to settle a HIPAA violation case arising from a data breach, discovered in 2015, that affected 9.3 million people.

Excellus Health Plan discovered the breach in 2015, the same year the large-scale breaches at health insurers Anthem Inc. (78.8 million records) and Premera Blue Cross (10.6 million records) came to light. All three breach investigations have now been resolved, with each company paying OCR a sizeable financial penalty.

Excellus Health Plan, which does business as Excellus BlueCross BlueShield and Univera Healthcare, operates in Western and Upstate New York. In August 2015, the insurer discovered that hackers had gained access to its computer systems. The breach investigation found that the attackers first accessed its systems around December 23, 2013 and retained that access until May 11, 2015. Excellus reported the breach to OCR on September 9, 2015.

The attackers installed malware, conducted reconnaissance, and accessed the healthcare data of about 7 million Excellus Health Plan members and roughly 2.5 million members of Lifetime Healthcare, a non-BlueCross subsidiary. The accessed data included names, contact details, dates of birth, health plan ID numbers, Social Security numbers, claims information, financial account data, and clinical treatment details.

OCR opened its investigation in June 2016 to determine whether Excellus Health Plan had complied with the HIPAA Privacy, Security, and Breach Notification Rules. The investigation identified five potential violations of the HIPAA Rules.

OCR found that the health plan had not conducted an accurate and thorough organization-wide risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of its members’ electronic protected health information (ePHI), had not implemented sufficient security measures to reduce those risks and vulnerabilities to a reasonable and appropriate level, and lacked technical policies and procedures that would allow only authorized persons and software programs to access systems containing ePHI. As a result, unauthorized individuals gained access to the PHI of 9,358,891 members, and the intrusion went undetected for more than 18 months. OCR also found that Excellus had no policies and procedures requiring regular review of information system activity.

Excellus Health Plan agreed to pay the penalty to settle the case with no admission of liability. In addition to the financial penalty, Excellus has adopted a corrective action plan covering all areas of potential noncompliance identified by OCR during the investigation, and OCR will monitor the health plan for two years to ensure continued HIPAA compliance.

Hacking remains the greatest threat to the privacy and security of PHI. In this case, the health plan failed to keep hackers out of its systems and failed to detect them for well over a year, compromising the privacy of millions of people. Hackers are innovative and persistent, and healthcare organizations need to step up their defenses to protect health data from them.

This is OCR’s second HIPAA enforcement action of 2021. The first was a $200,000 settlement with Banner Health to resolve potential HIPAA Right of Access violations.

Data Breaches at Agency for Community Treatment Services, Proliance Surgeons and Leon Medical Centers

Agency for Community Treatment Services, Inc. (ACTS) in Tampa, FL is notifying patients that their protected health information (PHI) may have been compromised in a cyberattack on October 21, 2020.

The breach was discovered on October 23, 2020 when ransomware was deployed. The attackers had gained access to parts of the ACTS server and data systems and encrypted files to block access to them. Systems were taken offline to prevent further unauthorized access, and third-party computer forensics specialists were engaged to investigate the incident and determine its scope.

While unauthorized data access was likely, the investigators found no specific evidence that patient data was accessed or exfiltrated. ACTS attributed this to the attackers having taken substantial steps to cover their tracks, so it could not rule out that they viewed or took data stored on the compromised systems.

The review of the affected systems found that they contained patient names, dates of birth, Social Security numbers, and health records including diagnoses, treatment details, and health insurance information relating to services provided to patients between 2000 and 2013.

ACTS was able to restore the encrypted data from backups and did not pay the ransom. It has since strengthened its security to prevent further attacks and, because patient data may have been exposed, is offering all affected individuals free credit monitoring and identity theft protection services.

Proliance Surgeons Reports Company Website Breach

The website of Seattle, WA-based Proliance Surgeons was breached, likely resulting in the theft of payment card data. In a December 23, 2020 breach notice, the practice said attackers had access to the website between November 13, 2019 and June 24, 2020 and, during that time, likely accessed and obtained cardholder names, card numbers, zip codes and expiration dates. No other PHI was compromised, and only individuals who paid for services online were affected, not those who paid in person or by phone.

The cause of the breach has been identified and addressed, and a new website with a different payment platform and stronger security protections has been launched. Proliance has worked with the major payment card brands to block unauthorized charges on the affected cards, and affected individuals have been advised to check their statements carefully and report any unauthorized charges to their card issuer.

Leon Medical Centers Attacked with Conti Ransomware

Leon Medical Centers, a group of eight medical facilities in Hialeah and Miami, FL, has suffered a Conti ransomware attack. The attackers stole patient PHI before deploying the ransomware and issued a ransom demand along with a threat to publish the stolen patient data.

The attackers claim the stolen data includes patient names, addresses, diagnoses, treatment information, health insurance data, patient photos and Social Security numbers, and that they obtained the PHI of about 1 million patients. Leon Medical Centers disputes that figure and says the volume of stolen data has been greatly overstated.

The attack occurred before December 22, 2020 and Leon Medical Centers is still investigating. At this stage, exactly what data was stolen and how many patients were affected has not been determined.

NIST Issues Final Guidance on Safeguarding the Picture Archiving and Communication System (PACS) Ecosystem

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has released final guidance for healthcare delivery organizations (HDOs) on securing the Picture Archiving and Communication System (PACS) ecosystem.

PACS is a medical imaging technology used to securely store and electronically transmit medical images such as CT scans, X-rays and MRIs, together with the associated clinical reports, and is in use across healthcare. These systems remove the need to store, send and retrieve medical images manually, allow HDOs to store images securely and inexpensively offsite, and let clinicians retrieve images from anywhere using a PACS application.

By design, PACS does not operate in isolation. In HDOs it is usually integrated into highly complex environments and interfaces with many interconnected systems. That complexity makes securing the PACS ecosystem a serious undertaking, and it is easy for cybersecurity risks to be introduced that can compromise the confidentiality, integrity, and availability of protected health information (PHI), the PACS ecosystem itself, and any devices connected to PACS.

In September 2019, a ProPublica investigation identified 187 unsecured servers used to store and retrieve medical images. Those servers held the medical images and PHI of more than 5 million people in the United States, and in many cases the images could be reached with an ordinary web browser and viewed with free software.

In 2020, analysts at CybelAngel scanned around 4.3 billion IP addresses worldwide and found 2,140 unprotected servers in 67 countries holding about 45 million medical images. The images carried up to 200 lines of metadata containing personally identifiable information and PHI. According to CybelAngel’s “Full Body Exposure” report, the images could be viewed online through a standard web browser, and in several cases the servers presented a login page but accepted a blank username and password.

NIST published draft guidance on securing the PACS ecosystem shortly after the ProPublica report, to help HDOs identify the cybersecurity challenges associated with PACS, implement stronger security controls, limit access to PACS and other components, and reduce the impact of a compromise.

The final version provides a detailed set of cybersecurity standards and best practices for improving the security of the PACS ecosystem, covering access control, asset management, user identification and authentication, data security, security continuous monitoring, and response planning and recovery.

The final practice guide incorporates feedback from the public and other stakeholders and adds remote storage capabilities to the PACS architecture, giving a more complete security solution that reflects real-world HDO network environments.

HIPAA covered entities and their business associates can use the practice guide to apply existing cybersecurity standards and best practices to reduce their cybersecurity risk while preserving the performance and functionality of PACS.

NIST Cybersecurity Special Publication 1800-24, Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector, is available from the NCCoE.

NIST/NCCoE developed the guidance in collaboration with DigiCert, Cisco, Forescout, Clearwater Compliance, Hyland, Microsoft, Philips, Symantec, Tempered Networks, TDI Technologies, Tripwire, Virta Labs, and Zingbox.

Seasonal Worker Sentenced to 42 Months in Prison for Theft of Data from Healthcare.gov Database

A seasonal employee of a Virginia-based technology company has been sentenced to 42 months in prison for accessing patient records, stealing personally identifiable information (PII), and using it for financial gain. The company supports the Centers for Medicare & Medicaid Services (CMS) by running contact centers that assist with Medicare enrollment and other services.

While working at a call center in Bogalusa, LA, Colbi Trent Defiore, 27, of Carriere, MS, accessed the protected health information (PHI) of about 8,000 people stored in the HHS healthcare.gov database without a legitimate work reason, stole the data, and used it for criminal purposes including opening lines of credit in other people’s names.

Defiore worked for the company on three occasions, in 2014, 2017, and 2018, and was found to have accessed data without authorization during his final period of employment. The company had put measures in place to protect PII and had trained all employees on handling that data securely.

In November 2018, Defiore performed bulk lookups of the database, which were not permitted, and copied the results to a virtual clipboard. He then pasted the data into a message in his work email account and emailed it to himself. The stolen information was used to fraudulently apply for at least six credit cards and loan products and to obtain lines of credit for personal financial gain.

The company detected the unauthorized access and reported it to law enforcement, providing video and audio recordings of Defiore on a call with a customer on November 6, 2018. The recordings showed him performing a bulk lookup of the database using first and last names unrelated to the call he was handling. A data loss prevention application also flagged suspicious activity involving PII.
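The two signals described above, lookups that do not match the caller on the line and bulk lookups, can be checked from audit logs rather than by reviewing call recordings. The following is an added example, not code from the article or from the contractor it describes. It assumes two constructed logs: a record-lookup log (timestamp, agent, first and last name queried) and a call log (start, end, agent, caller name); the agents, names and timestamps are made up, and the 5-lookups-in-60-seconds threshold is an assumption to tune to real call volumes.

```python
"""Flag off-call and bulk record lookups in a call-center audit trail.

Added example (not the article's or the employer's code).  Both logs below are
constructed; the schema is an assumption:
  lookup log: ts,agent,first,last
  call log:   start,end,agent,caller_first,caller_last
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data.  agent_a runs a burst of lookups for people who are
# not the caller on the line, then one lookup with no call in progress.
LOOKUP_LOG = """\
ts,agent,first,last
2018-11-06T09:00:05,agent_a,Maria,Lopez
2018-11-06T09:00:40,agent_a,John,Smith
2018-11-06T09:00:52,agent_a,Ann,Baker
2018-11-06T09:01:03,agent_a,Peter,Young
2018-11-06T09:01:10,agent_a,Rose,Chen
2018-11-06T09:01:18,agent_a,Omar,Diaz
2018-11-06T09:05:00,agent_b,Evan,Hall
2018-11-06T20:15:00,agent_a,Lee,Park
"""

CALL_LOG = """\
start,end,agent,caller_first,caller_last
2018-11-06T08:59:30,2018-11-06T09:03:00,agent_a,Maria,Lopez
2018-11-06T09:04:10,2018-11-06T09:06:00,agent_b,Evan,Hall
"""


def _load(text):
    return list(csv.DictReader(io.StringIO(text)))


def _active_call(calls, agent, ts):
    """Return the call this agent was on at time ts, or None."""
    for c in calls:
        if c["agent"] == agent and c["start"] <= ts <= c["end"]:
            return c
    return None


def _finding(rule, lookup, detail):
    return {"rule": rule, "agent": lookup["agent"], "ts": lookup["ts"].isoformat(),
            "subject": f'{lookup["first"]} {lookup["last"]}', "detail": detail}


def detect(lookup_csv=LOOKUP_LOG, call_csv=CALL_LOG,
           window=timedelta(seconds=60), threshold=5):
    """Return findings for lookups with no call, lookups not for the caller,
    and bursts of >= threshold lookups by one agent inside `window`."""
    lookups, calls = _load(lookup_csv), _load(call_csv)
    for c in calls:
        c["start"], c["end"] = datetime.fromisoformat(c["start"]), datetime.fromisoformat(c["end"])
    for l in lookups:
        l["ts"] = datetime.fromisoformat(l["ts"])
    lookups.sort(key=lambda l: l["ts"])

    findings = []
    recent = defaultdict(deque)  # agent -> timestamps inside the sliding window
    for l in lookups:
        agent, ts = l["agent"], l["ts"]
        queried = f'{l["first"]} {l["last"]}'.lower()
        call = _active_call(calls, agent, ts)
        if call is None:
            findings.append(_finding("lookup_without_call", l, "no call in progress"))
        else:
            caller = f'{call["caller_first"]} {call["caller_last"]}'.lower()
            if queried != caller:
                findings.append(_finding("lookup_not_for_caller", l, f"caller on line: {caller}"))
        q = recent[agent]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            findings.append(_finding("bulk_lookup", l,
                                     f"{len(q)} lookups in {window.total_seconds():.0f}s"))
    return findings


if __name__ == "__main__":
    for f in detect():
        print(f'{f["ts"]} {f["agent"]:8} {f["rule"]:22} {f["subject"]:12} {f["detail"]}')
```

The name-match rule is the one that catches the behaviour on the recording (querying people who are not the customer on the line); the burst rule is the crude volume check a DLP tool would also raise. In production the lookup log should carry the record identifier actually returned, not just the search terms, so that the count of distinct records viewed per agent per shift can be reported as well.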

Defiore was also found to have remotely accessed his company email account outside working hours on several occasions to retrieve the data. Prosecutors noted that the company’s data center was located in Virginia, so when Defiore sent the PII to his work email account the data crossed state lines, making the offense a federal crime.

According to court records, Defiore’s employer had implemented security measures to prevent customer service staff like Defiore from accessing work email remotely. Remote access required a single sign-on, multi-factor authentication program, which could be used from a computer or a mobile app, and a software token was needed to verify the user and complete the remote login.

In October 2018, Defiore enrolled in the multi-factor authentication program on a mobile phone over the company’s Virtual Private Network and obtained the software token that let him access his work email remotely from his personal phone or computer. The investigation found that an IP address linked to Defiore had been used to remotely access his company email account.

Defiore’s actions cost his employer $587,000, including the cost of breach notifications and of providing identity theft protection services to the individuals whose PII was exposed.

Defiore pleaded guilty to one count of intentionally accessing a protected computer without authorization for purposes of commercial advantage and private financial gain. In addition to the 42-month prison term, he must serve three years of supervised release and pay a $100 special assessment. A hearing was scheduled for January 12, 2021 to determine the amount of restitution he must pay.

Mercy Health and Montefiore Medical Center Reported Insider Data Breaches

Mercy Health and Montefiore Medical Center have both recently reported insider data breaches. In each case, an employee accessed patient information without a legitimate work-related reason.

Mercy Health Detects Unauthorized Access to PHI by Former Employee

Mercy Health in Cincinnati, OH has started notifying patients that a former employee accessed their protected health information (PHI) for reasons unrelated to providing patient care.

Mercy Health identified the insider breach on October 7, 2020. Its investigation found that the employee had viewed patient data on several occasions when it was not needed to provide care. The motive for the unauthorized access has not been disclosed.

Affected patients have been advised to monitor their credit reports and billing and account statements and to report any unauthorized transactions. As a precaution against identity theft and fraud, Mercy Health has offered them a free one-year membership to IDX identity theft protection services.

For most affected patients, the data accessed was limited to name, address, demographic information, date of birth, medical record number, clinical information, radiology images and/or treatment information. For a few patients, the former employee also accessed health insurance ID numbers.

Mercy Health has since updated its processes to prevent similar incidents and has retrained staff on its policies and procedures.

At the time of writing, the breach does not yet appear on the HHS Office for Civil Rights breach portal, so the number of affected patients is not known.

Montefiore Medical Center Ex-Employee Viewed Patient Information for Billing Fraud

Montefiore Medical Center in New York City has discovered that a former employee accessed patient data and used it in a billing fraud scheme. The employee accessed patient names, medical record numbers, and surgery schedules and, working with a vendor, used them to create invoices for surgical items that were never used.

Montefiore Medical Center discovered the scheme after paying the invoices and launched an investigation that uncovered the former employee’s unauthorized access. The data of around 4,000 patients was accessed without authorization between January 2018 and July 2020.

The former employee did not access Social Security numbers, medical records, or financial information, and investigators found no evidence that patients or their insurers were defrauded. The fraud has been reported to the police and the investigation is ongoing.

Montefiore Medical Center said the former employee died during the investigation, and the vendor has been barred from all Montefiore campuses.

Montefiore Medical Center has taken steps to prevent similar incidents. The paper forms involved in the fraud are no longer used, and the process for handling invoices for medical supplies is under review.

Criminal background checks are now conducted before hiring, and all staff receive privacy policy training and are told that the medical center does not tolerate employees accessing health records without a legitimate work-related reason.

Healthcare Data Breaches at Fairchild Medical Center, Indian Health Council Inc. and Harvard Pilgrim Health Care

Fairchild Medical Center in Yreka, CA has started notifying patients that unauthorized individuals may have accessed their protected health information (PHI) over the internet.

In July 2020, a third-party security firm alerted Fairchild Medical Center to a misconfigured server that could be accessed over the internet. With the help of third-party computer specialists, the medical center confirmed that unauthorized individuals could have accessed patient information.

The server stored medical images that included patient names, dates of birth, exam ID numbers, patient ID numbers, ordering provider names, and exam dates. The misconfiguration occurred on December 16, 2015 and was not corrected until July 31, 2020. A third-party security firm verified that the server was secure after the necessary changes were made.

The forensic investigation could not determine whether unauthorized individuals actually accessed patient data while the server was exposed, but the possibility could not be ruled out.

Indian Health Council Inc Experiences Ransomware Attack

Indian Health Council Inc. in Valley Center, CA suffered a ransomware attack in September 2020 that encrypted files and may have affected patient PHI. The attack was discovered on September 22, 2020, and third-party computer forensics specialists were engaged to assist with the investigation.

A review of the files the attacker accessed found that some contained patient data such as names, dates of birth, health information, and health insurance information, and for some individuals information about medical conditions, treatment, or diagnoses.

Following the attack, Indian Health Council Inc. changed passwords, hardened its security to prevent further attacks, and implemented additional controls for remote access, including multi-factor authentication.

All affected patients have now been sent notification letters. The breach report submitted to the Office for Civil Rights indicates that up to 5,769 individuals may have been affected.

Mismailing Incident At Harvard Pilgrim Health Care

Harvard Pilgrim Health Care is notifying 8,022 individuals about a software error in its enrollment data management system. The error linked an individual’s mailing address to another address associated with that individual’s health plan, so some mailings were sent to the address of the plan subscriber or to a previous address. Harvard Pilgrim Health Care traced the problem to an error that occurred in 2013.

The information that may have been exposed varied from mailing to mailing and could have included member name, ID number, date of birth, phone number, provider names, dates of service, treatment information, deductibles, charges for services, co-pay amounts, and co-insurance details related to healthcare coverage.

The issue has been corrected and the process for system updates has been reviewed and improved. Affected individuals have been advised to review their Activity Summaries and report any suspicious entries to Harvard Pilgrim without delay.

Ransom Demands Issued to Advanced Urgent Care of Florida Keys and Galstan & Ward Family and Cosmetic Dentistry

Advanced Urgent Care of Florida Keys began sending breach notification letters to patients on November 6, 2020 about a ransomware attack that occurred on March 1, 2020. Although the breach notice does not mention it, Databreaches.net reported on March 14, 2020 that patient data had been stolen in the attack and that the attackers published it online when no ransom was paid.

According to the breach notice, the investigation into whether patient information had been compromised continued until September 11, 2020. The attack encrypted files on a backup drive containing protected health information (PHI) such as names, dates of birth, medical treatment details, laboratory results, medical diagnostic data, medical insurance data, medical record numbers, Medicaid or Medicare beneficiary numbers, medical billing details, bank account data, credit or debit card details, CHAMPUS ID numbers, driver’s license numbers, Military and/or Veterans Administration numbers, Social Security numbers and signatures.

Advanced Urgent Care has offered free credit monitoring services to individuals whose Social Security numbers were potentially exposed and has taken steps to strengthen security against further attacks and to detect and remediate potential threats.

Galstan & Ward Family and Cosmetic Dentistry, GA

Galstan & Ward Family and Cosmetic Dentistry in Suwanee, GA has reported a ransom incident involving a computer virus that infected one of its servers. Unlike a typical ransomware attack, which leaves encrypted files and a ransom note on the infected systems, the practice learned of the infection when someone telephoned to say the server was infected and demanded a ransom payment over the phone.

Galstan & Ward had already noticed suspicious activity on the server and had engaged a third-party vendor to clean it and restore data from a backup. It did not pay the ransom and reported no significant disruption to services or loss of data. On September 11, 2020, however, the practice discovered that some files had been stolen and published by the attacker on a dark web site; those files did not contain any patient data.

The contracted IT firm confirmed the malware had been removed and found no indication that patient information in the practice’s dental software had been accessed. Further investigation likewise found no evidence that patient data had been accessed or acquired.

Galstan & Ward notified patients as a precaution because unauthorized access to PHI could not be ruled out. Had the attackers accessed the dental software, they could have viewed names, addresses, dates of birth, Social Security numbers, and dental records.

In its substitute breach notice, Galstan & Ward said it now uses encryption to protect patient information and has added further security measures to its web server infrastructure. Affected individuals have been offered free identity theft protection services through IDX.

Zoll Sues IT Vendor Over Breach of 277,000 Records

Medical device manufacturer Zoll has filed a lawsuit in the U.S. District Court for the District of Massachusetts against its IT service vendor, Barracuda Networks of Campbell, CA, alleging that Barracuda botched a server migration and caused a breach of the protected health information (PHI) of 277,139 individuals.

The breach involved archived emails that were being migrated to a new email storage service. A configuration error exposed those emails for more than two months, between November 8, 2018 and December 28, 2018. The error was corrected, but Zoll was not notified of the breach until January 24, 2019. The investigation found that the exposed emails contained patient names, contact details, dates of birth, health information, and, for some patients, Social Security numbers.

Zoll contracted with a company called Apptix, now known as Fusion Connect, in 2012 and signed a business associate agreement for hosted business communication services. Apptix in turn contracted with a firm called Sonian for services including email archiving, and Barracuda Networks acquired Sonian in 2017.

According to the lawsuit, Barracuda Networks learned of the email breach on January 1, 2019. Its investigation showed that an error by Barracuda had left a data port open to anyone, exposing the email search feature of the migration tool on a small subset of directories. The port remained open for roughly seven weeks before the mistake was found and the port was secured, and during that time an unauthorized person accessed email data and ran repeated automated searches of the archive.

A PHI breach of this kind has real consequences for patients, who suffered harm from the disclosure and theft of their personal and healthcare data. In April 2019, a lawsuit was filed against Zoll on behalf of the affected individuals. Zoll sought indemnification from Apptix, but the company did not act on the request. That case has since been settled.

In addition to the settlement and legal fees, Zoll spent internal and external resources on investigation and mitigation, on sending breach notification letters to affected patients, and on providing them with free services to protect against loss and harm. The lawsuit seeks to recover those costs from Barracuda Networks.

Zoll alleges that Barracuda Networks was negligent in failing to implement reasonable safeguards to protect Zoll’s data and that it did not fully cooperate with Zoll’s investigation: Barracuda did not give investigators access to its web platform, left many of their questions unanswered, and did not provide the dates on which patient data was exposed, the types of data involved, or whether any data was exfiltrated.

The lawsuit acknowledges that Barracuda Networks responded to the breach by implementing additional safeguards, policies and procedures to prevent a recurrence, but says it breached its obligation to apply reasonable protections to Zoll’s data before the breach. Zoll also alleges breach of the implied warranty of merchantability, since the email archiving solution was warranted as fit for secure email archiving yet security vulnerabilities allowed unauthorized individuals to access sensitive archived data, and, because the service was defective and unfit for its purpose, breach of the implied warranty of fitness for a particular purpose.

Blackbaud SEC Filing Gives Additional Details on Data Breach and Mitigation Costs

The number of entities reporting that they were affected by the Blackbaud cyberattack and data breach has continued to grow in recent weeks, and the Department of Health and Human Services’ Office for Civil Rights breach portal is being updated regularly with healthcare victims. Recent additions include OSF HealthCare System, Geisinger and Moffitt Cancer Center, which together reported 276,600 affected individuals.

Blackbaud has not disclosed the total number of people affected, but at least 250 healthcare providers, nonprofits, and educational institutions are known to have been affected, and reports from healthcare organizations alone show the breach impacted more than 10 million people.

Given the costs incurred by its customers and the number of people whose personal data was compromised, it is no surprise that Blackbaud faces a wave of class action lawsuits. According to its Q3 2020 quarterly report to the U.S. Securities and Exchange Commission (SEC), 23 proposed class actions have been filed so far in the U.S. and Canada: 2 in Canadian courts, 17 in U.S. federal courts, and 4 in state courts.

The lawsuits allege that victims were harmed by the breach and that several laws were violated, and they seek damages, injunctive relief, and attorneys’ fees. Blackbaud has also received close to 160 claims from customers in the U.S., Canada, and the U.K.

Beyond the lawsuits, Blackbaud is being investigated by regulators over potential violations of data privacy laws, including the Federal Trade Commission and the Department of Health and Human Services in the U.S., the UK Information Commissioner’s Office, and the Office of the Privacy Commissioner of Canada. 43 state attorneys general and the District of Columbia have also opened a joint investigation.

According to the SEC filing, Blackbaud incurred more than $3.2 million in costs responding to the cyberattack between July and September 2020, and $3.6 million over the first nine months of the year, offset by $2.9 million in insurance recoveries accrued between July and September.

Costs will continue to mount as the breach is resolved and are likely to be substantial, but Blackbaud says its cyber insurance is expected to cover most of them.

While the cyber insurance has paid part of the costs so far, there is no guarantee the policies will cover everything, and the potential loss cannot be estimated until a court has ruled on whether the plaintiffs meet the procedural requirements for a class action.

On a call with financial analysts, Blackbaud said its forensic investigation determined how the attackers gained access to its network: they exploited a vulnerability in one of its older products, which has since been patched, and further steps have been taken to harden security. Blackbaud also said it had invested heavily in cybersecurity and staff before the breach to prepare for an attack of this kind.

Blackbaud contained the attack but could not prevent the exfiltration of some customer information. The company paid the ransom to prevent the data from being exposed and believes the payment stopped any further exposure.

Most Microsoft 365 Admins Have Not Set Up Multi-Factor Authentication

CoreView has published a new report revealing that many Microsoft 365 admins have not enabled multi-factor authentication (MFA) to protect their accounts from unauthorized remote access and have failed to implement other basic security measures. According to the report, 78% of Microsoft 365 administrators have not enabled MFA, and 97% of Microsoft 365 users are not using MFA.

This is a major security risk, particularly now that most employees are working remotely. IT departments should identify this gap and correct it in order to block cyberattacks and strengthen their organization’s security posture.

The SANS Institute states that 99% of data breaches could be prevented by using MFA, and Microsoft said in an August 2020 blog post that MFA is the single most important measure for stopping unauthorized account access, noting that 99.9% of account compromises could be prevented by using MFA.

The CoreView study also showed that 1% of Microsoft 365 administrators do not use strong passwords, even though hackers are adept at cracking passwords with automated brute force attacks. Even with strong passwords, there is no guarantee that a breach will be prevented: a strong password provides no protection if a user falls for a phishing scam. When passwords are stolen, MFA provides an additional layer of protection and should prevent those passwords from being used to access accounts.

The CoreView M365 Application Security, Data Governance, and Shadow IT Report pointed out that Microsoft 365 administrators are given extensive control and have access to highly sensitive information. 57% of Microsoft 365 admins were found to have substantial permissions to access, modify, and expose business-critical data. In addition, 36% of Microsoft 365 administrators are global administrators, which gives them complete control over their organization’s entire Microsoft 365 environment. 17% of Microsoft 365 admins are also Exchange admins with access to every email account in the company, including C-Suite accounts. If a Microsoft 365 admin account is compromised, attackers can access the whole Microsoft 365 environment and the large volumes of sensitive information it holds. The Microsoft 365 environment not only contains a great deal of easily monetized data; the accounts are also connected to other systems and can be used to mount a much larger attack on the company.
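The figures above are the report’s; the check below is an added example, not code from CoreView or from the article, showing how an IT department can produce the same kind of number for its own tenant: enumerate every account holding a directory role, look up which authentication methods each has registered, and flag admins with no MFA-capable method. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can consent to the two read-only scopes. The role names in $highImpactRoles and the list of method types counted as MFA are the author’s choices and can be extended.

```powershell
# Added example (not from the CoreView report or the article): audit which
# Microsoft 365 admin accounts have no MFA-capable authentication method registered.
# Assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account
# can consent to the read-only scopes below.
Connect-MgGraph -Scopes "Directory.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# Authentication method types that count as a second factor. The password method
# and the email method (self-service password reset only) are deliberately excluded.
$mfaMethodTypes = @(
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
)

# Roles the article singles out as highest impact (assumed display names);
# members of every other activated role are reported as well.
$highImpactRoles = @("Global Administrator", "Exchange Administrator")

$results = @{}
# Get-MgDirectoryRole returns only roles activated in the tenant, i.e. the ones
# that can actually have members.
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Skip groups and service principals; only user accounts register auth methods.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        if (-not $results.ContainsKey($member.Id)) {
            $methods    = Get-MgUserAuthenticationMethod -UserId $member.Id
            $registered = $methods | ForEach-Object { $_.AdditionalProperties['@odata.type'] }
            $results[$member.Id] = [pscustomobject]@{
                UserPrincipalName = $member.AdditionalProperties['userPrincipalName']
                Roles             = [System.Collections.Generic.List[string]]::new()
                MfaRegistered     = [bool]($registered | Where-Object { $mfaMethodTypes -contains $_ })
                HighImpact        = $false
            }
        }
        $results[$member.Id].Roles.Add($role.DisplayName)
        if ($highImpactRoles -contains $role.DisplayName) { $results[$member.Id].HighImpact = $true }
    }
}

$admins = @($results.Values)
$noMfa  = @($admins | Where-Object { -not $_.MfaRegistered })

# Headline number in the same shape as the report: share of admins without MFA.
"{0} of {1} admin accounts ({2:P0}) have no MFA method registered" -f `
    $noMfa.Count, $admins.Count, ($noMfa.Count / [math]::Max(1, $admins.Count))

# Global and Exchange admins without MFA are listed first, then everyone else.
$noMfa |
    Sort-Object -Property @{Expression = 'HighImpact'; Descending = $true}, UserPrincipalName |
    Select-Object UserPrincipalName, HighImpact, @{Name = 'Roles'; Expression = { $_.Roles -join ', ' }} |
    Format-Table -AutoSize
```

Registration is a weaker signal than enforcement: an admin may have a method registered but no Conditional Access policy or security default requiring it at sign-in, so this report is best paired with a review of the tenant’s sign-in policies. Accounts covered by a Privileged Identity Management eligible assignment do not appear in Get-MgDirectoryRoleMember until the role is activated, so those need to be checked separately.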

The study also showed that while companies have invested heavily in productivity and operations applications that allow staff to communicate, collaborate, and work more efficiently, there has been a surge in shadow IT, specifically SaaS applications. These SaaS applications are often adopted by staff without the IT department’s knowledge, and many of them lack adequate security and open the door to preventable cyberattacks.

At the most basic level, malicious applications can siphon off critical information. Users may also be sharing sensitive company data through these applications with untrusted parties, putting the organization at considerable risk of a data breach. It is essential that companies properly monitor these applications for potential security gaps.
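One concrete way to monitor for the shadow SaaS the study describes is to look at which third-party applications individual users have consented to with their Microsoft 365 identity, since every such consent is recorded in the tenant even when IT never saw the app. The script below is an added example, not code from CoreView or the article. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account can consent to the two read-only scopes; the list of data-access scopes in $dataScopes is the author’s judgement call, not an exhaustive catalogue.

```powershell
# Added example (not from the CoreView report or the article): list third-party
# apps that individual users have consented to, one concrete way to surface
# shadow SaaS tied to corporate identities.
# Assumes the Microsoft Graph PowerShell SDK is installed and the signed-in
# account can consent to the read-only scopes below.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

# Delegated permission scopes that let an app read or move data out of the tenant.
# This list is a judgement call (assumption), not an exhaustive one.
$dataScopes = @("Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
                "Sites.Read.All", "Directory.Read.All", "Contacts.Read", "offline_access")

$tenantId = (Get-MgOrganization).Id
$spCache  = @{}

# Every oauth2PermissionGrant is one consent record. ConsentType 'Principal' means a
# single user granted it for themselves, i.e. an admin never approved it tenant-wide.
$grants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ConsentType -eq 'Principal' }

$findings = foreach ($grant in $grants) {
    if (-not $spCache.ContainsKey($grant.ClientId)) {
        $spCache[$grant.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
    }
    $sp = $spCache[$grant.ClientId]

    # Apps owned by this tenant are in-house line-of-business apps; skip those.
    if ($sp.AppOwnerOrganizationId -eq $tenantId) { continue }

    # Scope is a space-separated string of delegated permissions.
    $scopes = $grant.Scope -split ' ' | Where-Object { $_ }
    [pscustomobject]@{
        App        = $sp.DisplayName
        AppId      = $sp.AppId
        UserId     = $grant.PrincipalId
        Scopes     = $scopes -join ','
        DataAccess = [bool]($scopes | Where-Object { $dataScopes -contains $_ })
    }
}

# Roll up per app: how many users consented, and whether any consent grants data access.
$findings | Group-Object App | ForEach-Object {
    [pscustomobject]@{
        App        = $_.Name
        Users      = $_.Count
        DataAccess = [bool]($_.Group | Where-Object DataAccess)
    }
} | Sort-Object DataAccess, Users -Descending | Format-Table -AutoSize
```

The per-app roll-up is the useful output: an unfamiliar app with many consenting users and data-access scopes is the shadow IT the report warns about, and is a candidate for either a tenant-wide review or revocation of the grants. Turning off user consent for unverified publishers in the tenant’s consent settings stops new grants of this kind from appearing without an admin’s approval.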

Businesses that use Microsoft 365 often take their security and governance responsibilities too lightly, wrongly assuming that Microsoft 365 is secure by default and already has the protections needed to prevent data breaches. Microsoft 365 can be secured, but businesses must be proactive and make sure that security is addressed, that shadow IT is adequately supervised, and that appropriate data governance is in place.