PHI Compromised Due to UNC Health and Nebraska DHHS Phishing Attacks

The Nebraska Department of Health and Human Services has reported a security incident concerning the protected health information (PHI) of clients of Aging Partners, a division of the City of Lincoln.

The Lincoln Information Services Department discovered the breach on May 25, 2021. Employees had clicked links in phishing emails and disclosed information that gave access to their email accounts, which contained more than 46,000 messages. A computer forensics firm helped confirm that an unauthorized person accessed the email account from May 18 to May 21.

A review of the messages in the account confirmed that some contained patient details such as names, dates of birth, addresses, telephone numbers, Social Security numbers, type and amount of service, dates of service, and some health information such as diagnoses, care assessments, and lists of prescribed medications. Some emails also contained bank account numbers or other financial information. 6,600 of the emails contained PHI of Aging Partners’ clients, affecting 1,513 individuals. For most affected individuals, only their names were present in the email accounts.

All individuals affected by the attack are now being notified, and credit monitoring and identity theft protection services are being offered to those whose financial information was contained in the breached email accounts.

UNC Health Phishing Attack

UNC Health has reported that an unauthorized individual accessed an email account containing the PHI of patients of the University of North Carolina at Chapel Hill School of Medicine (SOM) and the University of North Carolina Hospitals (UNC Hospitals).

On May 20, 2021, UNC Health discovered that the email account of an SOM faculty member who provided medical services at UNC Hospitals had been compromised. The account was secured promptly, and an investigation was launched to determine the scope of the breach. With the assistance of a third-party cybersecurity firm, UNC Health established that the unauthorized access was limited to April 20, 2021. No other systems or email accounts were affected.

An analysis of the account showed that the following types of data may have been exposed: patients’ names, dates of birth, diagnosis and treatment information, and/or details of a research study that patients may have participated in or been eligible for at UNC Hospitals/SOM. The account contained the health insurance information of fewer than 30 patients and the Social Security numbers of fewer than 10 patients. No cases of misuse of patient information have been reported.

Additional email security measures are being implemented, and employees are receiving further training to help them identify phishing emails.

REvil Ransomware Websites Go Offline, Fueling Questions of a Law Enforcement Takedown

The infamous REvil ransomware gang’s clearnet and dark web sites have unexpectedly vanished, days after President Biden urged Vladimir Putin to act against ransomware groups and other cybercriminals conducting attacks on U.S. businesses from inside Russia.

At about 1 a.m. on Tuesday, the sites the gang uses to leak victims’ data, its command and control infrastructure, and its ransom negotiation chat server went offline and have remained offline since. For one of the group’s sites, DNS queries no longer resolve the server’s IP address.

REvil is one of the most high-profile ransomware-as-a-service operations. The gang has been linked to many ransomware attacks in the U.S. and around the world, including the recent attack on JBS Foods and the supply chain attack on Kaseya. On July 2, its ransomware was used in attacks on approximately 60 managed service providers (MSPs) and approximately 1,500 of their clients. A $70 million ransom was demanded for the keys to decrypt the victims’ files, with the demand dropping to $50 million shortly afterwards.

While it is not unusual for ransomware operations to go quiet, or for systems to be temporarily taken down, the timing of the shutdown suggests that either the U.S. or the Russian government has taken action. The FBI has not commented on the REvil servers going offline, and the press secretary of the president of the Russian Federation, Dmitry Peskov, told TASS reporters that he did not know what had happened to the servers. It is also plausible that the outage is due to a hardware failure or simply the gang deciding to lay low, particularly after such a high-profile attack.

Ransomware gangs have come under considerable scrutiny since the DarkSide ransomware group’s attack on Colonial Pipeline. Shortly after the attack, the White House announced that efforts to target ransomware groups and their infrastructure would be intensified. Following the attack, the DarkSide RaaS operation shut down, apparently as a result of a law enforcement takedown of its infrastructure.

At the Geneva summit, President Biden spoke with Vladimir Putin about cyberattacks on U.S. businesses by cybercriminal groups operating within Russia and told him to take action to break up the gangs, even if the attackers were not state-sponsored.

A few days ago, President Biden spoke with Putin again, demanding action against ransomware gangs operating out of Russia. Biden told reporters after the call that the U.S. would take action to take down the ransomware gangs’ servers if Russia failed to do so.

Several news outlets, including the BBC, have reported that the shutdown was the result of action taken by the U.S. to disable the group’s infrastructure. A BBC reporter spoke with one person, believed to be a REvil affiliate, who said the group had shut down its infrastructure after a partial takedown by federal authorities and growing pressure from the Kremlin.

Vitali Kremez of Advanced Intel said that, according to unconfirmed information, REvil’s server infrastructure received a [Russian] government legal request requiring REvil to completely shut down its server infrastructure and disappear. This has not been confirmed, however.

It is too early to tell what has happened and whether the shutdown will be short-lived or permanent. As is often the case after a ransomware-as-a-service operation shuts down, the gang may simply return under another name, as REvil has done before.

Kaseya Security Update Corrects Vulnerabilities Exploited in VSA Ransomware Attack

Kaseya has announced the release of a security update for its Kaseya VSA remote monitoring and management software that corrects the zero-day vulnerabilities recently exploited by the REvil ransomware gang in attacks on its customers and their clients.

The vulnerabilities exploited in the attack were among a set of seven vulnerabilities that the Dutch Institute for Vulnerability Disclosure (DIVD) reported to Kaseya in April 2021. Kaseya had developed patches for four of the seven vulnerabilities identified in its Virtual System Administrator software and released them in its April and May security releases; however, before the patches for the remaining three vulnerabilities could be released, a REvil ransomware affiliate exploited at least one of them.

The attack affected roughly 60 customers, including managed service providers (MSPs), that used Kaseya VSA on-premises. The REvil ransomware group gained access to their servers, encrypted them, and pushed its ransomware to roughly 1,500 business customers of those firms.

After the July 2, 2021 attack, Kaseya told its customers to shut down their on-premises VSA servers until the exploited vulnerabilities were fixed, and it took its SaaS servers offline because the SaaS software also had the vulnerabilities, although its cloud-based service was not affected by the attack. Those servers are now being brought back online incrementally, and the last three patches were released in the VSA 9.5.7a update.

The three vulnerabilities resolved in the most recent security update are:

CVE-2021-30116 – a business logic and credential leak vulnerability
CVE-2021-30119 – a cross-site scripting vulnerability
CVE-2021-30120 – a 2FA bypass vulnerability

Kaseya says that a further three vulnerabilities in the software were also fixed by the new update: a failure to set the Secure flag on user portal session cookies, a vulnerability that allowed files to be uploaded to a VSA server, and a password hash exposure issue that left weak passwords susceptible to brute force attacks.

Kaseya has recommended a procedure for applying the update to reduce risk: ensuring the VSA server is isolated and not connected to the internet, checking for Indicators of Compromise (IoCs) to determine whether servers or endpoints have been compromised, and then applying the update.

The full procedure for updating and securing on-premises VSA servers is detailed in the Kaseya On Premises Startup Readiness Manual.

PHI Exposed in Email Security Incidents at Discovery Practice Management and Peoples Community Health Clinic

Discovery Practice Management Notifies Individuals of June 2020 Email Incident

Discovery Practice Management, which provides administrative support services to the California-based Cliffside Malibu and Authentic Recovery Center facilities, has issued notices that unauthorized persons gained access to the email system it provides for those companies.

Suspicious activity was noticed in the email environment on July 31, 2020. An investigation was launched, which revealed unauthorized logins to staff email accounts at the two facilities between June 22, 2020 and June 26, 2020.

The accounts were promptly secured and a third-party cybersecurity firm was engaged to investigate the breach, but it was not possible to determine whether protected health information (PHI) in the accounts was viewed or copied.

PHI potentially exposed included names, dates of birth, addresses, patient account numbers, medical record numbers, health insurance information, financial account/payment card details, driver’s license numbers, Social Security numbers, and clinical information such as diagnoses, treatment details, and prescription information.

The company stated in its breach notification letter to the California Attorney General that it worked with both practices to confirm the contact information for the 13,611 individuals whose data may have been compromised. That process was completed on June 2, 2021. Affected individuals have now been notified and offered a complimentary one-year membership to credit monitoring and identity theft protection services.

Discovery Practice Management does not believe the attack was carried out to steal patient records; it is believed to have been intended to redirect invoice payments. Steps have since been taken to strengthen email security, and the facilities’ employees have received additional training on recognizing and avoiding suspicious emails.

Email Account Breach at the Peoples Community Health Center

Peoples Community Health Center, based in Waterloo, IA, learned that an unauthorized person had accessed an employee’s email account. The provider detected the suspicious email activity on March 22, 2021 and engaged third-party cybersecurity professionals to investigate the incident and determine the nature and scope of the breach.

The investigation established that an unauthorized individual had accessed a single email account between March 18, 2021 and March 22, 2021. A review of the account’s emails and attachments was completed on May 24, 2021, which determined that the following types of data may have been exposed:

Names, dates of birth, addresses, Social Security numbers, driver’s license numbers, state ID numbers, medical diagnoses, medical treatment data, medical insurance details, payment card numbers and/or payment card CVV/expiration date.

Affected individuals are being notified by mail, and steps have been taken to prevent similar breaches in the future, including reviewing and improving policies and procedures and providing employees with additional training.

No Private Cause of Action Under HIPAA, although Probable Cause of Action for 14th Amendment Violation

The U.S. Court of Appeals for the Fourth Circuit has ruled that the Health Insurance Portability and Accountability Act (HIPAA) provides no private cause of action for improper disclosures of protected health information (PHI); however, the ruling indicates that a cause of action may exist under the 14th Amendment when an individual’s privacy is violated.

The case, Payne v. Taslimi, named Jahal Taslimi as the defendant and Christopher N. Payne as the plaintiff. Taslimi is a prison doctor, and Payne was an inmate at the Deep Meadow Correctional Center. Payne sued Taslimi alleging improper disclosure of his confidential health information. Payne claimed Taslimi came to his bed and said, loudly enough for others to hear, that he had not taken his HIV medication. Payne alleged that staff members, other inmates, and civilians heard the doctor.

In the lawsuit, Payne stated that his health records were private and that Taslimi had violated his HIPAA rights at Deep Meadow Correctional Center, as well as his privacy rights under the 14th Amendment. The district court dismissed Payne’s claims, and Payne appealed.

The Court of Appeals for the Fourth Circuit affirmed the district court’s decision and stated that HIPAA provides no private cause of action. The court also upheld the district court’s dismissal of the 14th Amendment claim.

In its judgment, the Court of Appeals stated that a 14th Amendment violation depended on whether Payne had “a reasonable expectation of privacy” with respect to the information about his HIV medication. Given that Payne was a prisoner at Deep Meadow Correctional Center, the court found that he did not have a sufficient reasonable expectation of privacy regarding his diagnosis and treatment, particularly since the information concerned a communicable disease.

The court held that the test in such cases is whether there is a compelling government interest that outweighs the plaintiff’s privacy interest. The judgment indicates that a cause of action could exist under the 14th Amendment where private medical information is disclosed and there is no compelling government interest.

Diabetes, Endocrinology & Lipidology Center Pays $5,000 to Settle a HIPAA Right of Access Case

The HHS’ Office for Civil Rights (OCR) and The Diabetes, Endocrinology & Lipidology Center, Inc. (DELC) have reached a settlement to resolve a potential HIPAA Right of Access violation. This is the 8th financial penalty issued by OCR in 2021 to settle violations of the HIPAA Rules, and the 19th settlement under OCR’s HIPAA Right of Access enforcement initiative, which began in late 2019.

DELC, a healthcare provider located in West Virginia, specializes in the treatment of endocrine disorders. In August 2019, OCR received a complaint alleging that DELC had failed to respond promptly to the complainant’s request for a copy of protected health information (PHI). The HIPAA Privacy Rule requires healthcare providers to give individuals a copy of their PHI, in a particular format, within 30 days of receiving a request.

In this case, the complainant requested a copy of her minor child’s PHI and DELC did not provide the information within the required 30 days. On October 30, 2019, OCR provided DELC with guidance while investigating its potential noncompliance with the HIPAA Right of Access (45 C.F.R. § 164.524) relating to the alleged failure to provide a patient’s mother with the records she requested.

OCR stated that the failure to provide the requested records constituted a violation of the HIPAA Right of Access. According to OCR’s investigation, DELC eventually provided a copy of the requested records to the child’s mother in May 2021, approximately two years after receiving the initial request.

In addition to the $5,000 financial penalty, DELC has agreed to implement a corrective action plan that includes reviewing and updating its policies and procedures for providing individuals with a copy of their PHI and training its workforce on individuals’ right of access to their PHI. OCR will monitor DELC for 2 years to ensure compliance with the Right of Access provisions of the HIPAA Privacy Rule.

A HIPAA-covered entity should never wait until a federal investigation is underway before providing a parent with access to their child’s healthcare records, explained Acting OCR Director Robinsue Frohboese. Covered entities have a responsibility to give their patients prompt access to their medical records.

Houston Hospital Workers’ Legal Action Due to Vaccine Requirement Dismissed by Federal Judge

Many U.S. employers, including several leading healthcare centers and hospitals, have implemented policies requiring their employees to be vaccinated against COVID-19. These policies are consistent with guidance issued by the U.S. Equal Employment Opportunity Commission in May, which established that U.S. businesses are within their rights to require their employees to be vaccinated, with certain exemptions such as on medical or religious grounds.

Houston Methodist Hospital in Texas introduced its vaccine requirement to protect patients from COVID-19 and set a June 7, 2021 deadline for employees to be vaccinated. Although most Houston Methodist Hospital employees agreed to receive a COVID-19 vaccine, a small group of employees staged a walkout on June 7 over the vaccine requirement. On June 8, the hospital suspended 178 employees without pay for failing to comply with the requirement.

Legal action was taken by 117 of those employees, with lead plaintiff Jennifer Bridges claiming that if she were dismissed for declining the vaccine it would amount to wrongful termination. Bridges argues that the vaccines, which were made available under FDA emergency use authorizations, are experimental and unsafe. The three vaccines covered by the emergency use authorizations have undergone clinical trials and post-market studies and were found to be safe.

On June 12, U.S. District Judge Lynn N. Hughes of the Southern District of Texas ruled in favor of the hospital’s vaccination requirement. Judge Hughes found that the decision to require the workforce to be vaccinated against COVID-19 was consistent with public policy and rejected the plaintiffs’ claims that the vaccines were experimental and unsafe.

The hospital’s staff are not participating in a human trial, Judge Hughes explained in his ruling. Methodist is trying to do its job of saving lives without giving [patients] the COVID-19 virus. It is a choice made to keep staff, patients, and their families safer.

The judge stated in the ruling that under Texas law, employers are within their rights to require employees to be vaccinated. There are laws protecting employees against wrongful termination, but in situations like this, employees are only protected against termination for refusing to perform an act that carries criminal penalties.

Houston Methodist Hospital Chief Executive Dr. Marc Boom said that the employees and doctors made their choices for the benefit of patients, who are always at the center of everything they do, and that all hospital personnel have now met the requirements of the vaccine policy.

The hospital affirmed that 24,947 personnel received complete vaccination, 285 staff were not vaccinated because of clinical or religious exceptions, and 332 workers were issued deferrals because of pregnancy or some other reasons.

When the suspension period ends on June 21, 2021, termination proceedings will begin for all employees who remain unvaccinated. The attorneys representing the plaintiffs plan to appeal the ruling.

SolarWinds Orion Hackers Attacking U.S. Businesses Utilizing New Spear Phishing Campaign

Microsoft has uncovered a large-scale spear phishing campaign conducted by the Russian Advanced Persistent Threat (APT) group behind the SolarWinds Orion supply chain attack.

Microsoft, which tracks the APT group as Nobelium, has been monitoring its spear-phishing campaign since January 2021. The group has been experimenting with different delivery tactics, including abusing the Google Firebase platform to deliver a malicious ISO file via HTML email attachments that drop various malware payloads.

Nobelium escalated the campaign on May 25, 2021, when it began using the Constant Contact mass-mailing service to send emails to targets across a wide range of industry verticals. The latest campaign targeted approximately 3,000 individual accounts across 150 organizations, many of them in the U.S. Each target was served by its own unique infrastructure and tooling, which helped the group stay under the radar.

The attackers gained access to the U.S. Agency for International Development (USAID) Constant Contact account and sent spear-phishing emails disguised as a USAID Special Alert. The emails included a reply-to address on the domain and were sent from the website.

The emails claimed that Donald Trump had released new information on election fraud and included a button to click to view the documents. If the recipient clicks the link, they are first sent to the legitimate Constant Contact service and then redirected to a Nobelium-controlled URL that serves a malicious ISO file. The ISO file contains a decoy document, a .lnk shortcut that executes a Cobalt Strike Beacon loader, and a malicious DLL that is a Cobalt Strike Beacon loader and backdoor, which Microsoft calls NativeZone.

Once the payloads are executed, Nobelium gains persistent access to compromised systems and can then pursue further objectives such as lateral movement, data exfiltration, and delivery of additional malware.

An earlier campaign in May also used the combination of HTML and ISO files, which dropped a .NET first-stage implant, TrojanDownloader:MSIL/BoomBox, and used it for reconnaissance and to retrieve additional malicious payloads via Dropbox.
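Because both Nobelium campaigns described above delivered the ISO through an HTML email attachment, a mail gateway check for HTML attachments that carry an embedded file is a practical place to detect this delivery stage. The following is an added example, not Microsoft's detection logic and not code from the page; it assumes the gateway hands over the raw message, and the indicators it looks for (a large base64 blob decoded in the browser and handed to the user as a download) reflect common HTML-smuggling tradecraft rather than details taken from the page's description of the campaign.

```python
"""Triage of e-mail HTML attachments for HTML-smuggling indicators.

Added example (not from the page or from Microsoft). Assumption: the
gateway gives us the raw RFC 822 message bytes. The indicator list is
an assumption about typical HTML-smuggling technique, not a description
of the Nobelium attachments themselves.
"""
import base64
import re
from email import message_from_bytes
from email.message import EmailMessage

# Minimum length of one base64 run before we treat it as an embedded file.
BLOB_MIN_CHARS = 2048

# Each indicator: (name, compiled regex, weight added to the score).
INDICATORS = [
    ("base64_blob", re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % BLOB_MIN_CHARS), 3),
    ("client_side_decode", re.compile(r"\batob\s*\(", re.I), 2),
    ("blob_to_file", re.compile(r"\b(createObjectURL|msSaveOrOpenBlob|new\s+Blob)\b"), 2),
    ("forced_download", re.compile(r"\bdownload\s*=\s*['\"]?[^'\">]+\.(iso|img|lnk|dll)\b", re.I), 3),
    ("iso_reference", re.compile(r"\.iso\b", re.I), 1),
]
FLAG_THRESHOLD = 5  # score at or above this marks the attachment for quarantine


def score_html(html: str) -> tuple[int, list[str]]:
    """Return (score, names of matched indicators) for one HTML document."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            score += weight
            hits.append(name)
    return score, hits


def triage_message(raw: bytes) -> list[dict]:
    """Parse a raw message and return one finding per HTML attachment."""
    msg = message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        filename = part.get_filename() or ""
        is_html = (part.get_content_type() == "text/html"
                   or filename.lower().endswith((".html", ".htm")))
        if part.get_content_disposition() != "attachment" or not is_html:
            continue  # inline bodies and non-HTML attachments are out of scope here
        payload = part.get_payload(decode=True) or b""
        score, hits = score_html(payload.decode("utf-8", errors="replace"))
        findings.append({"filename": filename, "score": score,
                         "hits": hits, "flagged": score >= FLAG_THRESHOLD})
    return findings


def build_sample(filename: str, html: str) -> bytes:
    """Build a constructed test message carrying one HTML attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(html.encode(), maintype="text", subtype="html", filename=filename)
    return bytes(msg)


# Constructed samples. The "smuggling" one embeds 4 KiB of zero bytes, not a
# real payload, so the blob indicator fires without any malware being present.
BENIGN_HTML = ("<html><body><p>Quarterly report attached.</p>"
               "<a href='https://example.invalid/report.pdf'>PDF</a></body></html>")
SMUGGLING_HTML = (
    "<html><body><script>"
    "var d='" + base64.b64encode(b"\x00" * 4096).decode() + "';"
    "var b=new Blob([Uint8Array.from(atob(d),c=>c.charCodeAt(0))]);"
    "var a=document.createElement('a');a.href=URL.createObjectURL(b);"
    "a.download='notice.iso';a.click();"
    "</script></body></html>"
)


def run_demo() -> dict:
    """Triage both constructed samples and return verdicts keyed by filename."""
    verdicts = {}
    for name, html in (("report.html", BENIGN_HTML), ("notice.html", SMUGGLING_HTML)):
        for finding in triage_message(build_sample(name, html)):
            verdicts[finding["filename"]] = finding["flagged"]
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

Tune BLOB_MIN_CHARS and the weights against your own mail flow; legitimate HTML newsletters rarely combine a large inline blob with client-side decoding and a forced download, which is why those three indicators carry most of the score.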

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are investigating the phishing campaign. Constant Contact issued a statement confirming that the account credentials of one of its customers had been compromised. It said the breach was an isolated incident and that the affected accounts had been temporarily disabled while it works with its customers and law enforcement.

Microsoft has warned that the tactics, techniques, and procedures used by Nobelium have evolved rapidly, and it expects the group to carry out further activity using a changing set of techniques.

Microsoft has published Indicators of Compromise (IoCs) and recommended several mitigations that can reduce the impact of this threat, including the use of antivirus software, network protection to prevent applications or users from connecting to malicious domains, and multi-factor authentication to prevent the use of compromised credentials.

Clinical Laboratory Pays $25,000 to Settle HIPAA Security Rule Violations

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that it has reached a settlement with Peachstate Health Management, LLC, doing business as AEON Clinical Laboratories, to resolve a number of HIPAA Security Rule violations.

Peachstate is a CLIA-certified laboratory that provides a range of services, including clinical and genetic testing, through its publicly traded parent company, AEON Global Health Corporation (AGHC).

OCR launched a compliance review on August 31, 2016 after the U.S. Department of Veterans Affairs (VA) reported, on January 7, 2015, a breach of unsecured protected health information (PHI) involving its business associate, Authentidate Holding Corporation (AHC). The VA had contracted AHC to manage the VA’s Telehealth Services Program. The purpose of the OCR investigation was to determine whether the breach was the result of a failure to comply with the HIPAA Privacy and Security Rules.

During the breach investigation, OCR learned that on January 27, 2016, AHC had entered into a reverse merger with Peachstate and acquired it. OCR subsequently conducted a compliance review of Peachstate’s clinical laboratories to assess Privacy and Security Rule compliance. In the course of that review, OCR identified a number of potential violations of the HIPAA Security Rule.

Peachstate was found not to have conducted an accurate and thorough risk analysis to identify risks to the confidentiality, integrity, and availability of electronic protected health information (ePHI), as required by 45 C.F.R. § 164.308(a)(1)(ii)(A), and had failed to reduce risks and vulnerabilities to a reasonable and appropriate level by implementing appropriate security measures, as required by 45 C.F.R. § 164.308(a)(1)(ii)(B).

Hardware, software, and procedural mechanisms had not been implemented to record and examine activity in information systems containing or using ePHI, in violation of 45 C.F.R. § 164.312(b). Policies and procedures had not been implemented to document the actions, activities, and assessments required by 45 C.F.R. § 164.312(b), in violation of 45 C.F.R. § 164.316(b) of the HIPAA Security Rule.

Peachstate agreed to settle the case, pay a $25,000 penalty, and implement a comprehensive corrective action plan addressing all areas of noncompliance identified by OCR during the investigation. Peachstate will be closely monitored by OCR for 3 years to ensure compliance.

Clinical laboratories, like other covered healthcare providers, must comply with the HIPAA Security Rule. Failing to implement basic Security Rule requirements makes HIPAA-regulated entities attractive targets for malicious activity and needlessly puts patients’ ePHI at risk. This settlement demonstrates OCR’s commitment to ensuring that covered entities comply with the rules that protect the privacy and security of PHI.

Shutdown of DarkSide RaaS and Suspension of Ransomware Attacks on Healthcare Companies

The DarkSide ransomware gang has informed its affiliates that it is shutting down its ransomware-as-a-service (RaaS) operation. The announcement came after the gang’s public infrastructure was taken offline in what appears to be a law enforcement operation.

On May 13, the DarkSide data leak site went offline, along with much of the gang’s public infrastructure, including the payment server used to receive victims’ ransom payments and host stolen data. The ransomware gang also said its cryptocurrency wallets had been emptied and the funds transferred to an unknown account.

Intel 471 obtained a copy of a note from the gang to its affiliates explaining that its public infrastructure was gone, its servers were inaccessible via SSH, and its hosting panels had been blocked. The gang claimed its hosting provider gave no further details other than that the servers had been made inaccessible at the request of law enforcement.

The gang said it would release decryptors for all companies that were attacked but did not pay the ransom; however, it is releasing the decryptors to the affiliates who carried out the attacks, not to the victim companies. It will be up to the individual affiliates whether they provide the decryptors to their victims or try to obtain payment.

Because of the pressure from the U.S. and the loss of its servers, the affiliate program is closed, the gang stated.

On the day the group’s infrastructure was taken offline, President Biden held a press conference on the Colonial Pipeline ransomware attack, describing the government’s efforts to limit disruption and promising that action would be taken against the DarkSide ransomware gang.

“We do not think the Russian government had anything to do with this attack,” stated President Biden. There is no strong evidence that criminals from Russia carried out the attack. Biden said the United States had communicated directly with Moscow about the need for responsible nations to take action against these ransomware networks. President Biden also confirmed that the U.S. Department of Justice has a new task force dedicated to prosecuting ransomware hackers.

Before the shutdown, the hacking community had already begun to distance itself from the DarkSide group. According to Gemini Advisory, a top-tier dark web forum used by the DarkSide gang to promote its RaaS operation removed the DarkSide account along with two threads about its ransomware operation. Gemini Advisory also says it has heard from several reputable sources that the group no longer has a presence on the dark web. Another top-tier dark web forum frequently used by ransomware gangs has likewise banned ransomware activity entirely, saying ransomware has become too toxic.

Intel 471 reports that, in addition to DarkSide, several other ransomware operations have also shut down, although it is unclear whether the shutdowns will last. The gangs may simply be keeping a low profile and will resume operations under a different name. The Babuk ransomware operators said they had handed their source code to another gang and would no longer conduct ransomware attacks, and that their ransomware would be operated by another group under a different name.

The REvil ransomware gang has also said it will no longer advertise its ransomware operation on dark web forums and wants to take its activities private. REvil and Avaddon have also decided to stop their affiliates from attacking organizations in certain sectors. Both gangs have announced new rules prohibiting affiliates from attacking government, charity, healthcare, and educational organizations in any country, and now require affiliates to obtain approval from the group before conducting any attack. If an affiliate attacks a prohibited target, the victim will receive the decryptor free of charge and the affiliate will be permanently expelled from the RaaS program.

Intel 471 also reports that BitMix, a cryptocurrency mixing service used by REvil and Avaddon to launder cryptocurrency obtained from ransomware attacks, has been shut down as well.