More Patients Affected by Health Quest Phishing Attack in 2018

Health Quest, now part of Nuvance Health, has learned that the July 2018 phishing attack on its systems affected more patients than first believed.

Several employees were tricked by phishing emails into disclosing their email account credentials, which allowed unauthorized persons to access their accounts. A leading cybersecurity firm assisted with the investigation to determine whether patient data had been breached.

In May 2019, Health Quest determined that the email messages and attachments in the compromised accounts contained the protected health information (PHI) of 28,910 patients, and the health system sent notification letters to the affected individuals. The information in the compromised accounts included patient names, contact details, claims data, and some medical information.

A further investigation of the breach revealed on October 25, 2019 that yet another employee email account containing PHI had been compromised. According to the substitute breach notice published on the Health Quest website, the compromised information varied from patient to patient but may have included names together with one or more of the following data elements:

Birth dates, driver’s license numbers, Medicare Health Insurance Claim Numbers (HICNs), Social Security numbers, provider name(s), treatment dates, treatment and diagnosis data, medical insurance plan member and group numbers, medical insurance claims data, financial account data with PIN/security code, and payment card data.

No evidence has been found that unauthorized persons viewed patient information, and there have been no reports of patient data being misused. Out of caution, Health Quest mailed a further notification letter to patients on January 10, 2020.

In response to the breach, Health Quest has implemented multi-factor authentication for email accounts, hardened its security systems, and given staff additional training on phishing and other cybersecurity concerns.

It has not been stated how many additional patients were affected by the breach. To date, the number of individuals affected as listed on the HHS’ Office for Civil Rights breach portal remains 28,910.

Microsoft Finally Stops Support for Windows 7

Microsoft will end support for Windows 7, Windows Server 2008, and Windows Server 2008 R2 on January 14, 2020, after which it will release no further patches to correct vulnerabilities in these operating systems. Support for Office 2010 is also ending.

Microsoft will issue a final update for these operating systems on January 14, 2020 that fixes all known vulnerabilities, but it is only a matter of time before cybercriminals find new exploitable vulnerabilities to steal information and install malware.

Although Microsoft announced the end of life of the operating system long ago, it remains the second most widely used operating system after Windows 10. NetMarketShare reported that in December 2019, 33% of all desktop and laptop computers were running Windows 7.

Many healthcare organizations continue to run Windows 7 on some devices. Continuing to use those devices without support increases the risk of cyberattacks and, consequently, of HIPAA Security Rule violations.

The obvious solution is to upgrade from Windows 7 to Windows 10, but that is not always straightforward. Beyond buying licenses and updating the OS, hardware may also need to be upgraded, and certain applications may not work on newer operating systems. The upgrade is therefore a major undertaking that can take considerable time.

Where it is not possible to upgrade Windows 7 and Windows Server 2008 systems, steps must be taken to secure the devices, reduce the likelihood of a compromise, and limit the impact of a cyberattack.

To minimize the odds of a compromise, the following best practices should be observed:

  • Stop Windows 7 devices from connecting to untrusted content: do not use them for browsing the web or accessing email accounts, and avoid using removable media and portable storage devices with them.
  • Remove local administrator rights from all Windows 7 machines and strengthen firewall protection. Do not use the devices to access sensitive information such as protected health information (PHI), and move any sensitive data on them to devices running supported operating systems.
  • Malware infections are more likely on devices running unsupported operating systems. Install up-to-date anti-virus software, scan the devices for malware regularly, and monitor them for signs of attack.
  • Microsegmentation can limit the damage if a device is compromised. Isolate all devices running unsupported operating systems from other systems and permit them to connect only to critical services. Remove their access to core servers and systems. Review and update business continuity plans to ensure that critical business operations can continue in the event of a compromise. Although extended support is very expensive, it is strongly advised.

These measures reduce risk but do not eliminate it. Organizations should therefore accelerate their plans to upgrade their operating systems and hardware. Running a supported OS is the only way to fully secure these devices.

Hospital Employee Pleads Guilty to Five Years of Account Intrusions

The U.S. Department of Justice (DOJ) reported that a former employee of an unnamed New York City hospital has pleaded guilty to using malicious software to obtain the credentials of coworkers, which he then misused to steal sensitive data.

Richard Liriano, 33, of the Bronx, New York, worked in the hospital’s IT department. He had administrative-level access to the hospital’s computer systems but abused those access rights and copied patient information onto his personal computer.

From 2013 to 2018, Liriano used a keylogger to capture the credentials of a number of hospital coworkers. Those credentials gave him access to the coworkers’ PCs and web accounts, from which he obtained sensitive data including tax records, personal photos, videos, and other personal documents and files. He also used other malicious software to spy on his coworkers.

Liriano captured his coworkers’ login credentials for their private webmail, social network, and other web-based accounts. He also gained access to hospital computer systems containing sensitive patient data. According to the DOJ, Liriano’s intrusions cost his employer close to $350,000 to remediate.

Between 2013 and 2018, Liriano logged into his coworkers’ PCs and private accounts on numerous occasions in search of sensitive data. Most of his 70+ victims were women. According to the DOJ, Liriano searched their personal accounts for sexually explicit photographs and videos.

Liriano was arrested on November 14, 2019 after the intrusions were discovered. On December 20, 2019, he pleaded guilty to one count of transmitting a program to a protected computer with the intent to cause damage.

Geoffrey S. Berman, U.S. Attorney for the Southern District of New York, said that Liriano’s crimes did not merely violate the personal privacy of his coworkers; he also unlawfully accessed computers holding critical healthcare and patient data, costing his former employer tens of thousands of dollars to remediate. He will now be held accountable for his conduct.

Liriano is due to be sentenced on April 15, 2020 by U.S. District Judge Lewis A. Kaplan and faces a maximum of 10 years in prison.

Ambulance Company Pays $65,000 Financial Penalty for Multiple HIPAA Violation Cases

The Department of Health and Human Services’ Office for Civil Rights (OCR) has imposed a $65,000 financial penalty on West Georgia Ambulance, Inc. to settle multiple violations of the Health Insurance Portability and Accountability Act.

OCR launched its investigation of the Carroll County, GA ambulance company after receiving a breach notification on February 11, 2013 concerning the loss of an unencrypted laptop containing the protected health information (PHI) of 500 patients. According to the breach report, the laptop fell off the rear bumper of an ambulance and the company was unable to recover it.

OCR’s investigation revealed longstanding noncompliance with several HIPAA Rules. West Georgia Ambulance was found to have violated the following:

  • 45 C.F.R. § 164.308(a)(1)(ii)(A) for failing to conduct a thorough, organization-wide risk analysis
  • 45 C.F.R. § 164.308(a)(5) for failing to provide employees with a security awareness training program
  • 45 C.F.R. § 164.316 for failing to implement HIPAA Security Rule policies and procedures

OCR provided technical assistance to help West Georgia Ambulance address its compliance problems, but even with that support, OCR said the company took no meaningful steps to resolve its noncompliance. OCR therefore imposed a financial penalty.

In addition to paying the $65,000 financial penalty, West Georgia Ambulance must follow a corrective action plan to address all areas of noncompliance identified by OCR. OCR will closely monitor West Georgia Ambulance’s HIPAA compliance program for two years to ensure it complies with the HIPAA Rules.

Patients who use an ambulance service should not have to worry about the privacy and security of their medical information. All healthcare providers, large or small, should take their HIPAA responsibilities seriously.

This is OCR’s 10th HIPAA financial penalty of 2019. In total, OCR collected $12,274,000 in financial penalties to resolve noncompliance cases in 2019.

10,000 Medicare Beneficiaries Impacted by CMS Blue Button 2.0 Coding Bug

The Centers for Medicare and Medicaid Services (CMS) has discovered a bug in its Blue Button 2.0 API that exposed the protected health information (PHI) of 10,000 Medicare beneficiaries. CMS has temporarily suspended the Blue Button API while an investigation and a detailed code analysis are carried out. No date has been given for when the Blue Button 2.0 service will be restored.

On December 4, 2019, a third-party application partner informed CMS of a data anomaly associated with the Blue Button API. CMS confirmed the data problem and promptly suspended system access while it investigated.

The anomaly was caused by a coding bug that allowed data to be shared with the wrong beneficiaries and Blue Button 2.0 applications. CMS said the bug affected 30 applications. Medicare beneficiaries use the Blue Button platform to authorize third-party apps and services to access their claims data. A CMS identity management system generates a random, unique user ID and ensures that the correct beneficiary’s claims data is shared with the authorized third-party apps. CMS found a coding bug in Blue Button 2.0 that truncated the 128-bit user ID to a 96-bit user ID. Because the truncated 96-bit ID was not sufficiently random, a number of beneficiaries ended up with the same truncated user ID. As a result, the claims information of beneficiaries who shared a truncated user ID in the identity management system was disclosed to other beneficiaries and applications through Blue Button 2.0.

Initially, it was unclear how the bug was introduced and why it was not caught sooner to prevent the exposure of sensitive beneficiary information.

The investigation findings highlight three lessons, concerning testing, code review, and cross-team collaboration.

According to the CMS investigation, the bug was introduced on January 11, 2018. Code changes are normally reviewed thoroughly, but no detailed review took place in January. Had a review been performed, CMS would most likely have found and fixed the bug before any sensitive data was shared.

CMS tests Blue Button 2.0 with synthetic data to validate functionality without putting PHI at risk. In this case, the integration of Blue Button 2.0 with other systems was not tested; it was integrated with the identity management system without any testing.

CMS notes that a separate identity management team maintains the code that generates the user ID token. The Blue Button 2.0 team assumed the token worked correctly and did not validate it. Had the two teams collaborated more closely, they would have had the information needed to make sound decisions.

CMS has already taken steps to prevent further errors. An improved checking and verification process is now in place, and the Blue Button 2.0 team thoroughly reviews all new code so that coding errors are identified and corrected before changes go live. Blue Button 2.0 will no longer truncate user IDs and will retain the complete user IDs.
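The following is an added illustration of the truncation defect and the fix described above; it is constructed example code, not CMS or Blue Button code. A claims index keyed on a 96-bit prefix of the user ID serves one beneficiary’s claims to another whenever two full 128-bit IDs share that prefix, while an index keyed on the validated full ID rejects duplicates at registration and returns the right record. The tokens, beneficiary names and claim labels are constructed, and the collision-finding function is the kind of pre-release check a code review would want to see.

```python
"""Key truncation as a data-disclosure bug: constructed illustration, not CMS code."""
import secrets
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

FULL_HEX = 32    # a 128-bit user ID rendered as 32 hex characters
TRUNC_HEX = 24   # 96 bits: what the defective code kept

# Constructed sample data. The two IDs differ only in their final 32 bits, so
# their 96-bit prefixes collide. In the real incident the collisions arose
# because the truncated portion was not sufficiently random; these tokens
# reproduce that situation deliberately so the failure is reproducible offline.
TOKEN_A = "00112233445566778899aabb" + "ccddeeff"
TOKEN_B = "00112233445566778899aabb" + "01234567"
CLAIMS: Dict[str, Tuple[str, List[str]]] = {
    TOKEN_A: ("beneficiary A", ["claim A-1", "claim A-2"]),
    TOKEN_B: ("beneficiary B", ["claim B-1"]),
}


def is_valid_user_id(token: str) -> bool:
    """True only for a complete 128-bit ID encoded as 32 hex characters."""
    if len(token) != FULL_HEX:
        return False
    try:
        int(token, 16)
    except ValueError:
        return False
    return True


def validate_user_id(token: str) -> str:
    """Reject anything that is not a full 128-bit hex user ID."""
    if not is_valid_user_id(token):
        raise ValueError(f"user ID must be {FULL_HEX} hex chars: {token!r}")
    return token.lower()


def truncated_key(token: str) -> str:
    """The defect: the 128-bit ID is shortened to 96 bits before it is used."""
    return token[:TRUNC_HEX]


def full_key(token: str) -> str:
    """The fix: the complete, validated user ID is the lookup key."""
    return validate_user_id(token)


class ClaimsIndex:
    """Maps a key derived from the user ID to (beneficiary name, claims)."""

    def __init__(self, key_fn: Callable[[str], str], reject_duplicates: bool):
        self._key_fn = key_fn
        self._reject_duplicates = reject_duplicates
        self._by_key: Dict[str, Tuple[str, List[str]]] = {}

    def register(self, token: str, name: str, claims: List[str]) -> None:
        key = self._key_fn(token)
        # The hardened index refuses a second beneficiary under the same key
        # instead of silently overwriting the first one.
        if self._reject_duplicates and key in self._by_key:
            raise ValueError(f"duplicate user ID key {key!r}")
        self._by_key[key] = (name, claims)

    def lookup(self, token: str) -> Tuple[str, List[str]]:
        return self._by_key[self._key_fn(token)]


def find_collisions(tokens: List[str], key_fn: Callable[[str], str]) -> List[List[str]]:
    """Group tokens that map to the same key; a non-empty result means trouble."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for token in tokens:
        groups[key_fn(token)].append(token)
    return [group for group in groups.values() if len(group) > 1]


def owner_served_for(token: str, key_fn: Callable[[str], str], strict: bool) -> str:
    """Register every constructed beneficiary, then report whose claims `token` gets."""
    index = ClaimsIndex(key_fn, reject_duplicates=strict)
    for tok, (name, claims) in CLAIMS.items():
        index.register(tok, name, claims)
    return index.lookup(token)[0]


if __name__ == "__main__":
    # Truncated key: beneficiary A is handed beneficiary B's claims.
    print("buggy :", owner_served_for(TOKEN_A, truncated_key, strict=False))
    print("fixed :", owner_served_for(TOKEN_A, full_key, strict=True))
    print("collisions:", find_collisions(list(CLAIMS), truncated_key))
    # Freshly generated random 128-bit IDs do not collide at 96 bits at this scale.
    print("random :", find_collisions([secrets.token_hex(16) for _ in range(1000)], truncated_key))
```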

A full platform and code review is under way, and the API will remain unavailable until it is complete. CMS is also conducting a comprehensive assessment to determine the likely impact on Medicare beneficiaries and decide what further steps are needed to protect their data, including offering credit monitoring services.

Theft of Devices Containing PHI of Truman Medical Centers and La Clínica de La Raza Patients

Truman Medical Centers in Kansas City, MO, the city’s largest provider of inpatient and outpatient services, has discovered that an unencrypted laptop containing the protected health information (PHI) of 114,466 patients was stolen from an employee’s vehicle.

The laptop was password-protected, but the password could be cracked and the information on the device accessed. At the time the notices were issued, Truman Medical Centers had found no evidence that any unauthorized person had accessed or misused patient data.

The information on the laptop varied by patient but may have included patient names along with at least one of the following: dates of birth, patient account numbers, Social Security numbers, medical record numbers, health insurance details, and some medical and treatment information, including dates of service, diagnoses, and provider names.

The theft occurred on July 18, 2019, but it was not confirmed until October 29, 2019 that the device contained patient data. Truman Medical Centers has notified by mail all individuals whose PHI was stored on the laptop. Those whose Social Security numbers were potentially compromised have been offered free credit monitoring and identity protection services.

Employees have received additional training on portable device security, and additional controls have been installed on employee laptops to strengthen security.

Theft of Blackberry Containing the PHI of 2,477 La Clínica de La Raza, Inc. Patients

La Clínica de La Raza, Inc. provides primary health care and other services in Contra Costa, Alameda, and Solano counties in California. On August 20, 2019, it discovered that a portable electronic device had been stolen.

A briefcase stolen from an employee’s vehicle contained a Blackberry device issued by La Clínica de La Raza. With the assistance of a computer forensics firm, La Clínica de La Raza confirmed on October 16, 2019 that the device contained the PHI of 2,477 patients.

The data was contained in two email messages that had been downloaded to the Blackberry device. The emails included names, dates of birth, non-sensitive test data, and medical record numbers.

Although unauthorized individuals could potentially access the information, La Clínica de La Raza said it would have been difficult to access the PHI. La Clínica de La Raza notified the affected patients of the breach by mail on December 13, 2019 and offered them a free one-year membership to credit monitoring and identity protection services.

The company is also taking steps to strengthen the protection of portable electronic devices and has given employees additional training on portable device security.

100 Dental Practices Impacted by Managed Service Provider Ransomware Attack

A Colorado IT firm that provides managed IT services to dental offices has suffered a ransomware attack. Through the firm’s systems, 100 dental practices were also attacked with ransomware.

The ransomware attack on Complete Technology Solutions (CTS) of Englewood, CO began on November 25, 2019. According to a KrebsOnSecurity report, CTS received a ransom demand of $700,000 for the decryption keys. The firm decided not to pay the ransom.

To provide IT services to dental offices, CTS accesses their systems through a remote access tool. The attackers appear to have used that tool to reach the systems of CTS customers and deploy Sodinokibi ransomware on them.

Some of the dental practices affected by the attack have recovered their data from backups, particularly those that kept a backup copy of their data off-site. Several practices still have no access to their data or systems and are turning patients away because of the prolonged outage.

KrebsOnSecurity notes that a number of those dental practices are attempting to negotiate with the attackers to obtain the keys to recover their data.

File recovery has been complicated because the attackers used several different file extensions and ransom notes. Paying the demanded ransom allowed some of the encrypted data to be restored, but recovering other encrypted data required further ransom payments. Black Talon Security told KrebsOnSecurity about one dental practice that had 50 encrypted devices and received more than 20 ransom demands; several payments were made to retrieve its files.

A similar attack on the Wisconsin firm PerCSoft led to ransomware attacks on close to 400 dental offices in August 2019. PerCSoft provides digital data backup services to dental practices. In that attack, too, the hackers deployed Sodinokibi ransomware.

Ransomware gangs are increasingly targeting managed service providers. With a single attack on a managed service provider, the attackers can hit many other organizations, which makes the attack far more profitable.

A recent Kaspersky Lab report noted that ransomware attackers are targeting backups and Network Attached Storage (NAS) devices to make it harder for victims to recover their files for free and avoid paying the ransom.

The latest attack highlights the importance of backing up all critical files. At least one backup copy of data files should be stored securely off-site, on a device that is not networked and not connected to the internet.

Theft at Loyola Medicine and Main Street Clinical Associates Affected Patients’ PHI

Patients of Main Street Clinical Associates, PA, based in Durham, NC, have been notified that their protected health information (PHI) may have been compromised after devices were stolen from its offices.

The theft occurred after Main Street employees evacuated the offices because of a dangerous gas explosion. On April 10, 2019, an adjoining building exploded and the employees were instructed to leave. The evacuation was so urgent that records and equipment were left on desks, and the room where patient records were kept was not locked. The building was badly damaged, and nobody was permitted to enter it until September 9, 2019. When employees returned, they found that burglars had stolen equipment containing patient data, including two laptop computers, a clinician’s mobile phone, and a printer.

In a recent press release, Main Street said the laptops, the mobile phone, and the files containing patient information were password-protected. However, the devices were not encrypted, so an unauthorized person could have accessed the patient data. The data on the devices included names, medical insurance information, diagnosis and treatment information, Social Security numbers, and driver’s license numbers.

To prevent further unauthorized access to patient data, Main Street has changed all passwords and is monitoring for attempts to misuse the devices. Affected patients have been sent notification letters by mail. Because it was not possible to determine exactly which patients were affected, Main Street has also informed several media outlets about the breach.

Autopsy Pictures of Loyola Medicine Patients Stolen

Loyola Medicine in Maywood, IL has reported that a camera was stolen from Loyola University Medical Center. The camera held autopsy images of 18 deceased patients. The images of nine individuals have been permanently lost because they had not yet been saved to the patients’ medical records.

The photos had not been saved to the hospital records system because the newly installed camera lacked the cable needed to connect to the records system and upload the images. The photos were therefore stored only on the camera’s memory card.

A Loyola Medicine spokesperson said steps have been taken to prevent similar breaches. Employees have received additional training and physical security has been improved.

Loyola Medicine has informed the patients’ families that the photos were lost and has reported the privacy breach to the Department of Health and Human Services’ Office for Civil Rights.

Files of 93,000 California Addiction Treatment Center Patients Accessible Online

A misconfigured AWS S3 storage bucket belonging to Sunshine Behavioral Health, LLC exposed sensitive patient information. The company operates a network of drug and alcohol addiction rehabilitation centers and is based in San Juan Capistrano, CA.

Databreaches.net was first alerted to the misconfigured AWS S3 bucket in August 2019. Databreaches.net contacted Sunshine Behavioral Health, and the addiction center promptly secured the bucket. Sunshine Behavioral Health has not reported the breach to the HHS’ Office for Civil Rights or mentioned it on its website, even though more than 60 days have passed since it learned of the breach. The incident has not been posted on the California Attorney General’s website either.

Databreaches.net revisited the incident in November and found that some files remained exposed. Anyone with the URLs of the PDF files could view them in the bucket without a password. If the URLs were obtained while the bucket was exposed, the PDF files of 93,000 patients have probably been accessed and downloaded.

According to Dissent, the number of PDF files does not correspond to 93,000 patients: some patients had several files, and many of the files were test results or templates. Dissent attempted to contact Sunshine Behavioral Health but received no reply, although the treatment center evidently read the email, because the URLs are no longer accessible.

The exact number of patients affected, how long the files were exposed online, and whether any unauthorized individuals accessed the URLs are not known at this time. The files were mainly billing records containing full names, dates of birth, postal and email addresses, telephone numbers, credit card numbers with expiry dates and CVV codes, and health insurance information.

Greenbone Networks Gives An Updated Report on Unsecured PACS and the 1.19 Billion Exposed Medical Images

Greenbone Networks, a German provider of vulnerability analysis and management solutions, revealed 60 days ago the extent to which medical images stored on Picture Archiving and Communication Systems (PACS) servers are exposed online. In an updated report, the company shows that the problem is getting worse.

Healthcare providers use Picture Archiving and Communication Systems (PACS) servers to store medical images and share them with physicians for review. However, many healthcare providers have not adequately secured their PACS servers, so medical images (MRI, CT scans, X-rays), together with personally identifiable patient data, are exposed online. Anyone who knows where and how to look could find and access the files and, in many cases, download the medical images without authorization. The images are not exposed because of software vulnerabilities; access is possible because the systems and PACS servers are misconfigured.

From July to September 2019, Greenbone Networks worked to identify unsecured PACS servers worldwide, and the study revealed the scale of the problem. In the U.S. alone, 13.7 million data sets were found on unsecured PACS servers, and 45.8 million of 303.1 million medical images were accessible.

On November 18, Greenbone Networks’ updated report showed that 1.19 billion medical images had been identified globally, up 60% from the previous total of 737 million. The findings of 35 million medical exams are exposed online, up from 24 million previously.

In the U.S., the researchers identified 21.8 million exam results and 786 million medical images. Of those, 114.5 million images were accessible from 15 systems that permit unsecured Web/FTP access and directory listing. On a single PACS server, the researchers found 1.2 million exam results and 61 million medical images, and they had full access to the data, including the images and the associated personally identifiable information.

In early November, Sen. Mark R. Warner expressed concern over the apparent lack of action by OCR on the exposed files. Little appears to have been done to secure the PACS servers and prevent further data exposure.

The data exposed with the images includes Protected Health Information (PHI) such as names, dates of birth, examination dates, the scope of the investigations, imaging procedures performed, attending physicians’ names, scan location, and number of images, and for 75% of the exposed images, Social Security numbers.

Data exposure leaves patients vulnerable to identity theft and fraud, but there are other risks as well. Security researchers have previously shown that the DICOM image format has a flaw that allows malicious code to be embedded in image files. An image could therefore be downloaded, laced with malicious code, and uploaded back to the PACS without the data owner’s knowledge. The Greenbone Networks study examined read access only, not image manipulation or upload.

Images can be accessed and viewed with the RadiAnt DICOM Viewer, and information on setting up the viewer is freely available online.

Greenbone Networks estimates that the exposed medical images and PHI are worth more than $1 billion. The data could be used for a range of nefarious purposes, including social engineering and phishing, identity theft, and blackmail.

The data exposure violates the Health Insurance Portability and Accountability Act (HIPAA), the EU’s General Data Protection Regulation (GDPR), and other data privacy and security regulations, and it affects individuals in more than 52 countries.