Blackbaud SEC Filing Gives Additional Details on Data Breach and Mitigation Costs

The number of entities reporting that they were affected by the Blackbaud ransomware attack and data breach has continued to grow in recent weeks. The Department of Health and Human Services' Office for Civil Rights breach portal is regularly updated with healthcare victims; recent additions include OSF HealthCare System, Geisinger and Moffitt Cancer Center, which together reported 276,600 affected individuals.

Although Blackbaud has not disclosed the total number of affected individuals, at least 250 healthcare providers, nonprofits and educational institutions are known to have been affected, and the reports filed by healthcare organizations alone account for more than 10 million people.

Given the breach costs incurred by its clients and the number of people whose personal data were compromised, it is no surprise that Blackbaud faces numerous class action lawsuits. According to its Q3 2020 quarterly report to the U.S. Securities and Exchange Commission (SEC), 23 putative class actions had been filed in the U.S. and Canada: 17 in U.S. federal courts, 4 in state courts, and 2 in Canadian courts.

The lawsuits allege that victims have been harmed by the breach and that various regulations were violated; they seek damages, injunctive relief and attorneys' fees. Blackbaud has also received around 160 claims from customers in the U.S., Canada and the U.K.

In addition to the lawsuits, regulators are investigating Blackbaud for potential violations of data privacy laws: the Federal Trade Commission and the Department of Health and Human Services in the U.S., the Information Commissioner's Office in the U.K., and the Office of the Privacy Commissioner of Canada. 43 state attorneys general and the District of Columbia have also opened a joint investigation.

According to the SEC filing, Blackbaud incurred more than $3.2 million in costs responding to the attack between July and September 2020, and $3.6 million over the first nine months of the year. Those figures are partly offset by $2.9 million in insurance recoveries accrued between July and September.

Costs will continue to mount as the breach is resolved, and they are likely to be substantial, but Blackbaud says its cyber insurance coverage should cover most of them.

Although the cyber insurance has already paid part of the costs, there is no guarantee that the policies will cover all of them. Blackbaud says the likelihood of loss cannot be estimated until a court has decided whether a plaintiff has satisfied the procedural requirements for a class action.

On its call with financial analysts, Blackbaud said the forensic investigation had determined how the attackers gained access to its network: they exploited a vulnerability in one of its early-generation products, which has since been fixed, and further steps have been taken to harden security. Blackbaud also noted that it had invested heavily in cybersecurity and staff before the breach to prepare for this kind of attack.

Blackbaud was able to contain the attack but not to prevent the exfiltration of some customer data. The company paid the ransom to prevent publication of the data and believes the payment stopped any further exposure, although, as the OFAC advisory covered later on this page makes clear, a payment is no guarantee that stolen data are actually deleted.

Most Microsoft 365 Admins Have Not Set Up Multi-Factor Authentication

CoreView has published a report showing that most Microsoft 365 administrators have not enabled multi-factor authentication (MFA) to protect their accounts from unauthorized remote access, and that other basic security practices are not being followed either. According to the report, 78% of Microsoft 365 administrators have not enabled MFA, and 97% of Microsoft 365 users are not using it.

That is a serious risk, especially now that so many employees work remotely. IT departments should treat it as a priority to fix in order to block account takeover and strengthen their organization's security posture.

The SANS Institute states that 99% of data breaches could be prevented by using MFA, and Microsoft wrote in an August 2020 blog post that MFA is the single most important step for preventing unauthorized account access, claiming that 99.9% of account compromises could be blocked by it.

The CoreView study also found that 1% of Microsoft 365 administrators do not use strong passwords, even though attackers are adept at cracking weak passwords with automated brute-force attacks. Strong passwords alone are no guarantee: a strong password offers no protection when a user falls for a phishing scam. When credentials are stolen, MFA provides a second barrier that should stop the stolen password from being used to access the account. Note that MFA only helps where it is actually enforced: legacy authentication protocols (basic-auth SMTP, IMAP and POP, for example) do not support it and bypass it entirely unless they are blocked, so disabling legacy authentication belongs alongside any MFA rollout.

CoreView's M365 Application Security, Data Governance, and Shadow IT Report points out that Microsoft 365 administrators hold extensive privileges and have access to highly sensitive data. 57% of Microsoft 365 admins were found to have elevated permissions to access, modify and share business-critical data; 36% are Global Administrators, with full control over the organization's Microsoft 365 tenant; and 17% are Exchange admins with access to every mailbox in the company, including C-suite accounts. If an admin account is compromised, the attacker gains access to the entire Microsoft 365 environment and the large volumes of sensitive data it holds. That environment not only contains a great deal of easily monetized data; the accounts are also linked to other systems and can be used to mount a much broader attack on the organization. The practical mitigations are the usual ones: assign the narrowest built-in role that does the job rather than Global Administrator, keep the number of Global Administrators small, and require MFA on every privileged role.

The study also found that while organizations have invested heavily in productivity and collaboration tools that let staff communicate and work more efficiently, shadow IT, particularly SaaS applications, has surged. Employees frequently adopt SaaS applications without the IT department's knowledge, and many of these apps lack adequate security and open the door to preventable attacks.

At the simplest level, a malicious application can siphon off sensitive data. Users may also be sharing sensitive company data through these applications with compromised third parties, placing the organization at considerable risk of a data breach. It is essential that organizations monitor these applications for security gaps.

Organizations using Microsoft 365 often take their security and governance responsibilities too lightly, mistakenly believing that Microsoft 365 is secure by default and already has the protections needed to prevent data breaches. Microsoft 365 can be secured, but it is a shared responsibility: organizations must be proactive in hardening the configuration, overseeing shadow IT and enforcing proper data governance.

HITRUST Certification Shows LuxSci’s Dedication to Safeguarding Data Privacy and Security

LuxSci, a Massachusetts-based provider of HIPAA-compliant email and communications services, has announced that it has achieved HITRUST CSF Certification.

The HITRUST Common Security Framework (CSF) is a comprehensive, certifiable framework for organizations that create, access, store or transmit sensitive and regulated information. It consists of a prescriptive set of scalable controls that harmonize multiple regulations and standards, including the ISO/IEC 27000 series and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
By incorporating federal and state regulations, standards and frameworks and taking a risk-based approach, the HITRUST CSF helps organizations address compliance requirements and implement safeguards that ensure the confidentiality, integrity and availability of sensitive data. HITRUST CSF certification is the most widely adopted security framework in the healthcare industry.

LuxSci adopted the HITRUST CSF and applied its requirements and configurations to all the server clusters used to deliver its email, marketing, forms, SMS and web hosting services. LuxSci recently completed a thorough third-party assessment against the HITRUST CSF requirements and was confirmed as having achieved HITRUST CSF Certified status for information security.

Customers of service providers such as LuxSci need clear evidence that the services they use are HIPAA compliant and apply the required privacy and security safeguards. HITRUST CSF certification provides that evidence.

According to LuxSci CEO and President Erik Kangas, achieving HITRUST CSF certification demonstrates the priority the company places on security. Security is not achieved in a single step; the HITRUST CSF evolves with the threat landscape, and it is best used as an ongoing benchmark for measuring and managing security and compliance.

LuxSci is committed to keeping its servers secure and customer data protected. By continuing to follow the framework's recommendations, the company intends to maintain its HITRUST CSF certification and to help its customers achieve the highest standards of security and compliance while addressing their specific business challenges.

CISA Warns Companies to Patch Wormable ‘Bad Neighbor’ Windows TCP/IP Vulnerability Immediately

On October 2020 Patch Tuesday, Microsoft released a patch for a critical remote code execution vulnerability (CVE-2020-16898) in the Windows Transmission Control Protocol (TCP)/IP stack. The flaw stems from the way the stack handles Internet Control Message Protocol version 6 (ICMPv6) Router Advertisement packets and carries a CVSS v3 base score of 9.8 out of 10.

Although all patches should be applied promptly, there is usually a gap between the release of a patch and the appearance of working exploits; given the severity of this vulnerability and the ease with which it can be triggered, patching it is a top priority. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) went so far as to use Twitter to urge all organizations to apply the patch immediately.

The vulnerability can be exploited remotely for denial of service, crashing the target with a 'blue screen of death', and exploitation could also allow remote execution of arbitrary code on unpatched systems. To trigger it, an unauthenticated attacker need only send a specially crafted ICMPv6 Router Advertisement to a vulnerable Windows host running Windows 10 versions 1709 to 2004, Windows Server versions 1903 to 2004, or Windows Server 2019. One caveat on reach: Router Advertisements are link-local messages (hop limit 255, never forwarded by routers), so the attacker needs a foothold on the victim's local network segment. That limits the blast radius from the internet but makes the flaw well suited to lateral movement once inside.

Although no in-the-wild exploitation had been reported, the vulnerability is an attractive target. McAfee Labs reported that a proof-of-concept exploit shared with Microsoft Active Protection Program members was "extremely simple and perfectly reliable." That proof of concept demonstrates the crash; turning it into reliable remote code execution is considerably harder on a modern kernel, but denial of service alone is reason enough to patch. Beyond being easy to trigger, the vulnerability is potentially wormable: a compromised host could be used to compromise every other vulnerable host on the same network in the same way.

McAfee Labs named the vulnerability "Bad Neighbor" because it lives in the ICMPv6 Neighbor Discovery Protocol, specifically in the Router Advertisement message type. It is triggered when the TCP/IP stack mishandles an ICMPv6 Router Advertisement carrying Option Type 25 (Recursive DNS Server, RDNSS) whose length field holds an even value. A well-formed RDNSS option (RFC 8106) has a length of 1 + 2N, where N is the number of 16-byte server addresses, so a legitimate length is always odd and at least 3; an even length is therefore a reliable signature of a malformed packet, and it is the condition the patch and the published detection signatures look for.
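The RDNSS length rule gives a simple detection check. The following Python is added here as an example and is not code from the original article, McAfee or Microsoft. It parses the ICMPv6 portion of a Router Advertisement (everything after the IPv6 header), walks its options and flags any RDNSS option whose length field is even or below 3, which a well-formed option can never have. The function names, the sample addresses (RFC 3849 documentation prefixes) and the packets themselves are constructed for the example. The parser deliberately rejects truncated and zero-length options instead of guessing, since a parser that trusted the length field is exactly what went wrong in tcpip.sys; it does not attempt to reproduce how the Windows stack miscounts. Feeding it real traffic would need a capture library such as scapy to strip the IPv6 header first.

```python
"""Detector for the malformed RDNSS option behind CVE-2020-16898 ("Bad Neighbor").

Added example, not code from the article, McAfee or Microsoft. Sample packets
are constructed here; the addresses are documentation prefixes.
"""
import ipaddress
import struct
from typing import List, Optional, Tuple

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFO = 3   # RFC 4861 Prefix Information option
OPT_RDNSS = 25        # RFC 8106 Recursive DNS Server option
RA_HEADER_LEN = 16    # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def parse_ra_options(icmpv6: bytes) -> List[Tuple[int, int, bytes]]:
    """Return (type, length_units, body) for each option in a Router Advertisement.

    Length is in units of 8 octets and covers the 2-byte option header.
    Structural problems raise ValueError rather than being papered over.
    """
    if len(icmpv6) < RA_HEADER_LEN:
        raise ValueError("truncated Router Advertisement header")
    if icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError(f"not a Router Advertisement (ICMPv6 type {icmpv6[0]})")
    options = []
    offset = RA_HEADER_LEN
    while offset < len(icmpv6):
        if len(icmpv6) - offset < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = icmpv6[offset], icmpv6[offset + 1]
        if opt_len == 0:
            raise ValueError("option with length 0")  # RFC 4861 section 4.6: must be discarded
        size = opt_len * 8
        if offset + size > len(icmpv6):
            raise ValueError("option runs past the end of the packet")
        options.append((opt_type, opt_len, icmpv6[offset + 2:offset + size]))
        offset += size
    return options


def find_bad_neighbor(icmpv6: bytes) -> List[str]:
    """Return one finding per RDNSS option whose length field cannot be legitimate."""
    findings = []
    for opt_type, opt_len, _body in parse_ra_options(icmpv6):
        if opt_type != OPT_RDNSS:
            continue
        # RDNSS body = 2 reserved + 4 lifetime bytes + N * 16-byte addresses,
        # so the 8-octet length is 1 + 2N: always odd and never below 3.
        if opt_len < 3 or opt_len % 2 == 0:
            findings.append(f"RDNSS option with length {opt_len} (legitimate values are odd and >= 3)")
    return findings


# --- constructed sample packets (not captures) ------------------------------

def build_ra(*options: bytes) -> bytes:
    # Checksum left at zero: these bytes are parsed offline, never transmitted.
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    return header + b"".join(options)


def rdnss_option(servers: List[str], length_units: Optional[int] = None) -> bytes:
    """Encode an RDNSS option; pass length_units to forge a wrong length field."""
    payload = struct.pack("!HI", 0, 3600) + b"".join(ipaddress.IPv6Address(s).packed for s in servers)
    if length_units is None:
        length_units = 1 + 2 * len(servers)
    want = length_units * 8 - 2
    payload = payload[:want].ljust(want, b"\x00")  # cut or pad so wire size matches the forged length
    return bytes([OPT_RDNSS, length_units]) + payload


def prefix_info_option(prefix: str, prefix_len: int = 64) -> bytes:
    body = struct.pack("!BBIII", prefix_len, 0xC0, 2592000, 604800, 0) + ipaddress.IPv6Address(prefix).packed
    return bytes([OPT_PREFIX_INFO, 4]) + body


def sample_benign_ra() -> bytes:
    return build_ra(prefix_info_option("2001:db8:1::"), rdnss_option(["2001:db8::53"]))


def sample_malicious_ra() -> bytes:
    # Two servers would need length 5; advertise 4 (even), the advisory's trigger condition.
    return build_ra(prefix_info_option("2001:db8:1::"),
                    rdnss_option(["2001:db8::53", "2001:db8::54"], length_units=4))


if __name__ == "__main__":
    for name, pkt in (("benign", sample_benign_ra()), ("malicious", sample_malicious_ra())):
        print(name, find_bad_neighbor(pkt) or "no RDNSS anomaly")
```

Running it reports nothing for the benign advertisement and one finding for the forged one. The same condition, an ICMPv6 type 134 message carrying an option of type 25 with an even length, is what a network IDS signature for this CVE keys on, so the check translates directly into a rule for any sensor that can decode ICMPv6 options.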

If patching promptly is not possible, mitigations should be applied to reduce the opportunity for exploitation.

Microsoft recommends disabling ICMPv6 RDNSS processing as a workaround. This is done with a single netsh command (run from an elevated command prompt or PowerShell window), substituting the interface index, which netsh int ipv6 show int lists, for INTERFACENUMBER; no reboot is required:

netsh int ipv6 set int INTERFACENUMBER rabaseddnsconfig=disable

This workaround disables RA-based DNS configuration (RFC 6106/8106), so it cannot be used on networks that rely on Router Advertisements to hand out IPv6 DNS servers. It is also only available on Windows 10 version 1709 and later. Once the patch has been applied, the setting can be reverted with the same command and rabaseddnsconfig=enable.

Alternatively, exploitation can be prevented by disabling IPv6 on the NIC or blocking IPv6 traffic at the network perimeter, but only where IPv6 is not needed. Note that perimeter filtering does nothing against an attacker already on the local segment, since Router Advertisements never cross a router; on managed switches, IPv6 RA Guard (RFC 6105) blocks rogue Router Advertisements from access ports and is the standard network-side control for this class of attack.

Breaches at Legacy Community Health Services, Georgia Department of Human Services and Einstein Healthcare Network

Legacy Community Health Services Phishing Attack Affects 228,000 Persons

Legacy Community Health Services in Texas is notifying 228,009 patients that some of their protected health information (PHI) was exposed when an unauthorized individual gained access to an employee's email account.

The breach was detected on July 29, 2020. An employee had responded to a phishing email and disclosed their login credentials to the attacker. The account was secured promptly and a computer forensics firm was engaged to investigate.

No evidence was found that the attacker viewed emails or exfiltrated PHI, but data theft could not be ruled out. The compromised account contained patient names, dates of service and health information related to care received at Legacy, and for some patients, Social Security numbers. Individuals whose SSN was exposed were offered complimentary credit monitoring and identity protection services.

Legacy Community Health Services has strengthened its email security, and employees have received additional training on recognizing and avoiding phishing emails.

Georgia Department of Human Services Discovers Breach of Several Employee Email Accounts

Unauthorized individuals gained access to the email accounts of several Georgia Department of Human Services (DHS) employees. The accounts contained personal information and PHI of parents and children involved in Child Protective Services (CPS) cases with the DHS Division of Family & Children Services (DFCS).

DHS discovered in August that the emails the attackers may have accessed contained personal information and PHI. The investigation determined that the accounts were accessed between May 3, 2020 and May 15, 2020.

The data exposed varied from person to person and may have included full name, family members' names, relationship to the child receiving services, county of residence, date of birth, age, DFCS case number, DFCS identification number, number of DFCS contacts, an indicator of whether face-to-face contact was medically appropriate, phone number, email address, Medicaid health insurance identification number, Medicaid identification number, Social Security number, medical provider name and visit dates.

Psychological reports, counseling notes, medical diagnoses and substance abuse information for 12 individuals were also present in the compromised accounts, along with one individual's bank account information.

Phishing Attack on Einstein Healthcare Network

Einstein Healthcare Network in Philadelphia, PA has notified 1,821 patients that some of their PHI may have been accessed by unauthorized individuals who gained access to several employee email accounts. The breach was discovered on August 10, 2020; the investigation found that the accounts had been accessed between August 5 and August 17, 2020.

A review of the compromised accounts showed they contained patient names, dates of birth, patient account or medical record numbers, and treatment or medical information such as diagnoses, medications, provider names and types or locations of treatment. For some patients, health insurance information and/or Social Security numbers were also exposed.

It was not possible to determine whether the attackers viewed or copied any emails, but because data theft could not be ruled out, patients whose Social Security numbers were exposed were offered a year of complimentary credit monitoring and identity protection services.

Einstein Healthcare Network has provided employees with additional training on identifying and avoiding suspicious emails and has taken steps to strengthen its email security. In all three of these cases the investigators could not establish whether messages were actually read, which is why notification went to everyone whose data sat in the mailbox; mailbox audit logging is what narrows that question after the fact, and MFA on email accounts is what stops a phished password from being usable in the first place.

Companies Facilitating or Making Ransomware Payments Could Face Sanction Risks

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has warned that companies that make ransomware payments to attackers on behalf of victims may face sanctions risks for violating OFAC regulations. Victims that pay ransoms could also face substantial federal penalties if the attackers turn out to be subject to economic sanctions.

OFAC notes that ransomware demands have increased during the COVID-19 pandemic as attackers target the online systems that U.S. persons rely on to conduct business. Companies that facilitate ransomware payments on behalf of victims, including financial institutions, cyber insurers and digital forensics and incident response firms, not only encourage future ransom demands but may also risk violating OFAC regulations.

OFAC has designated a number of individuals and groups involved in ransomware attacks in recent years:

  • Evil Corp and its leader, Maksim Yakubets, the group behind the Dridex malware
  • two Iranians linked to the SamSam ransomware attacks, which began in late 2015
  • Evgeniy Mikhailovich Bogachev, developer of the Cryptolocker ransomware, designated in December 2016
  • the North Korean Lazarus Group, responsible for the May 2017 WannaCry 2.0 ransomware attacks

Ransom payments to sanctioned individuals or jurisdictions threaten U.S. national security interests. Facilitating a ransomware payment demanded as a result of malicious cyber activity may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.

U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC's Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or regional embargoes.

Civil monetary penalties may be imposed for sanctions violations on a strict liability basis, that is, even if the person violating sanctions did not know that they were transacting with a party blocked under the sanctions laws and regulations OFAC administers. Anyone facilitating or making ransom payments to sanctioned persons, entities or regimes could face penalties of up to $20 million.

Many organizations do not disclose ransomware attacks or report them to law enforcement, to avoid bad publicity and legal exposure, but by not reporting they hinder investigations. OFAC's advisory states that it will consider a company's timely and complete report of a ransomware attack to law enforcement a significant mitigating factor in determining an enforcement outcome if the incident is later found to have a sanctions nexus.

The advisory also provides contact details through which ransomware victims can check whether the attackers are subject to sanctions and whether paying a ransom would involve a sanctions nexus.

OFAC discourages ransom payments. Beyond the sanctions risk, payment offers no assurance that the criminals will supply working decryption keys, that stolen data will be deleted, or that the attackers will not demand a further ransom. Paying also emboldens cybercriminals to carry out more attacks.

So far OFAC has only issued guidance and raised awareness of the sanctions risk of paying any threat actor. Short of an outright prohibition on paying ransoms, the attacks are likely to continue because they remain profitable; only when they stop paying off are cybercriminals likely to stop.

Premera Blue Cross HIPAA Penalty of $6.85 Million is the 2nd Largest HIPAA Violation Penalty Ever

The Department of Health and Human Services' Office for Civil Rights (OCR) has imposed a $6.85 million HIPAA penalty on Premera Blue Cross to settle HIPAA violations uncovered during its investigation of a 2014 data breach involving the electronic protected health information (ePHI) of 10.4 million individuals.

Premera Blue Cross, based in Mountlake Terrace, WA, is the largest health plan in the Pacific Northwest and serves more than 2 million people in Washington and Alaska. In May 2014, an advanced persistent threat (APT) group gained access to Premera's network and remained undetected for about nine months. The intrusion began with a spear-phishing email that delivered malware, which gave the group access to ePHI including names, dates of birth, addresses, email addresses, Social Security numbers, bank account information and health plan clinical data.

Premera Blue Cross discovered the breach in January 2015 and reported it to OCR in March 2015. OCR's investigation found "systemic non-compliance" with the HIPAA Rules.

OCR found that Premera Blue Cross had failed to:

  • Conduct an accurate and thorough risk analysis to identify all risks to the confidentiality, integrity and availability of ePHI.
  • Reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
  • Implement sufficient hardware, software and procedural mechanisms to record and examine activity in information systems containing ePHI, prior to March 8, 2015.
  • Prevent unauthorized access to the ePHI of 10,466,692 individuals.

Given the nature of the violations and the scale of the breach, OCR determined that a financial penalty was appropriate. Premera Blue Cross settled the case without admitting liability. In addition to paying the penalty, it agreed to a corrective action plan addressing all areas of non-compliance identified by OCR, and will be monitored by OCR for two years to ensure compliance with the CAP.

OCR Director Roger Severino said that if large health insurers do not invest the time and effort to identify their security vulnerabilities, technical or human, hackers surely will, and that this case vividly illustrates the damage done when attackers are allowed to roam undetected in a network for nearly nine months.

Last year, Premera Blue Cross agreed to pay $10 million to settle a multistate action over the breach: 30 state attorneys general had investigated and found that the health plan failed to meet its obligations under HIPAA and Washington's Consumer Protection Act. Premera also agreed to a $74 million settlement of a class action brought by individuals whose ePHI was exposed.

The penalty is the second largest OCR has ever imposed on a covered entity or business associate for HIPAA violations. The largest remains the $16 million paid by Anthem Inc. over its 2015 breach involving the ePHI of 79 million individuals.

It is the 11th penalty announced by OCR in 2020 and the 8th this month. So far in 2020, OCR has collected $10,786,500 to resolve HIPAA violations uncovered through breach investigations and complaints.

Athens Orthopedic Clinic Settles its HIPAA Violation for $1.5 Million

The HHS' Office for Civil Rights has announced a settlement with Athens Orthopedic Clinic PA to resolve multiple violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules.

OCR investigated a data breach that the Athens, GA-based provider reported on July 29, 2016. On June 26, 2016, Dissent of Databreaches.net notified Athens Orthopedic Clinic that a database containing the electronic protected health information (ePHI) of its patients had been listed for sale online by a hacking group known as The Dark Overlord. The group is known for breaking into systems, stealing data and demanding ransom payments, publishing the stolen data if the victim does not pay.

Athens Orthopedic Clinic's investigation confirmed that the hackers gained access to its systems on June 14, 2016 using a vendor's credentials and stole records from its EHR system. Data on 208,557 patients were taken, including names, Social Security numbers, dates of birth, procedures performed, test results, clinical information, billing details and health insurance information.

OCR acknowledges that not every cyberattack can be prevented, but when breaches result from failures to comply with the HIPAA Rules, financial penalties follow.

Hacking is the leading cause of large healthcare data breaches. When healthcare organizations fail to comply with the HIPAA Security Rule, their patients' health information becomes an attractive target for threat actors.

OCR's investigation uncovered the following systemic non-compliance with the HIPAA Rules:

  • Failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(A).
  • Failure to implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, in violation of 45 C.F.R. § 164.308(a)(1)(ii)(B).
  • Failure, between September 30, 2015 and December 15, 2016, to implement hardware, software and procedural mechanisms to record and examine activity in information systems containing ePHI, in violation of 45 C.F.R. § 164.312(b).
  • Failure to maintain HIPAA policies and procedures until August 2016, in violation of 45 C.F.R. § 164.530(i) and (j), and failure, before August 7, 2016, to enter into business associate agreements with three vendors, in violation of 45 C.F.R. § 164.308(b)(3).
  • Failure to provide HIPAA Privacy Rule training to its workforce before January 15, 2018, in violation of 45 C.F.R. § 164.530(b).
  • As a result of these failures, impermissible disclosure of the PHI of 208,557 patients to the hackers, in violation of 45 C.F.R. § 164.502(a).

In addition to the financial penalty, Athens Orthopedic Clinic has agreed to a corrective action plan covering all areas of non-compliance identified by OCR. The clinic settled the case without admitting liability.

This is OCR's 6th HIPAA settlement announced in September and its 9th HIPAA penalty of 2020. Earlier this month, OCR announced five settlements with HIPAA-covered entities under its HIPAA Right of Access initiative for failing to provide patients with copies of their health records.

OCR Issued Five HIPAA Fines for HIPAA Right of Access Failures

The Department of Health and Human Services' Office for Civil Rights has announced five settlements resolving HIPAA violations arising from patient complaints about obtaining copies of their medical records.

The HIPAA Privacy Rule gives individuals the right to timely access to their medical records for a reasonable, cost-based fee. When a patient requests a copy, the provider must supply it without unreasonable delay and within 30 days of the request.

After receiving numerous complaints from people unable to obtain copies of their records, OCR made enforcement of the right of access a priority in 2019.

In 2019 there were two right-of-access settlements between HIPAA-covered entities and OCR: Korunda Medical, LLC and Bayfront Health St Petersburg each paid an $85,000 penalty and adopted a corrective action plan to process access requests promptly.

The five latest settlements involve Housing Works, Inc., Beth Israel Lahey Health Behavioral Services, King MD, All Inclusive Medical Services, Inc., and Wise Psychiatry, PC. The penalties range from $3,500 to $70,000, depending on factors weighed by OCR.

Through these settlements OCR is sending healthcare providers a clear message that compliance with the HIPAA right of access is mandatory: complaints alleging non-compliance will be investigated and penalties imposed where appropriate.

Housing Works

Housing Works, Inc. is a New York City non-profit that provides healthcare, advocacy, job training, homeless services, re-entry services and legal support to people living with and affected by HIV/AIDS.

In June 2019, a Housing Works patient requested a copy of his health records. In July 2019 he complained to OCR that Housing Works had not provided them. OCR investigated, provided technical assistance and closed the case, but Housing Works still did not supply the records, and in August 2019 the patient filed a second complaint.

OCR reopened the investigation and penalized Housing Works for violating the HIPAA right of access. Housing Works provided the records in November 2019, paid $38,000 to settle the case, and adopted a corrective action plan with one year of OCR monitoring.

Beth Israel Lahey Health Behavioral Services

Beth Israel Lahey Health Behavioral Services (BILHBS) is the largest provider of mental health and substance use disorder services in eastern Massachusetts. In April 2019, OCR received a complaint that BILHBS had not responded to a personal representative's request for a copy of her father's health records; the request had been made in February 2019 and was still unfulfilled two months later.

OCR investigated, and the records were provided in October 2019. OCR penalized BILHBS for the right-of-access violation; BILHBS paid $70,000 to settle the case and adopted a corrective action plan with one year of OCR monitoring.

King MD

King MD is a small psychiatric practice in Virginia. In October 2018, OCR received a complaint from a patient who had not received a copy of his medical records two months after requesting them. OCR provided technical assistance, but received a second complaint in February 2019 because King MD still had not supplied the records. The patient finally received them in July 2020.

King MD paid OCR $3,500 to settle the case and has implemented a corrective action plan, with OCR monitoring compliance for two years.

All Inclusive Medical Services, Inc.

All Inclusive Medical Services, Inc. (AIMS) in Carmichael, CA is a family medicine clinic offering multiple specialty services such as internal medicine, rehabilitation, and pain management.

In January 2018, a patient requested a copy of her medical records, but AIMS did not provide them. In April 2018, the patient complained to OCR, which prompted an investigation. AIMS was found to have violated the HIPAA right of access. The patient received her copy of the records in August 2020.

AIMS paid OCR $15,000 to resolve the HIPAA violation and adopted a corrective action plan, with OCR monitoring compliance for 2 years.

Wise Psychiatry, PC.

Wise Psychiatry is a small psychiatric services provider located in Colorado. In November 2017, a personal representative requested a copy of her young son’s health records. By February 2018 the records had still not been provided, so she filed a complaint with OCR, which prompted an investigation. OCR provided technical assistance and closed the case.

In October 2018, OCR received a second complaint from the same person. Following OCR’s investigation, a copy of the health records was finally provided in May 2019. Wise Psychiatry paid $10,000 to settle the case and adopted a corrective action plan, with OCR monitoring compliance for one year.

CISA Releases Technical Guidance on Finding and Remediating Malicious System Activity

The Cybersecurity and Infrastructure Security Agency (CISA) has recently released guidance for network defenders and incident response teams on uncovering malicious activity and mitigating cyberattacks. The guidance gives recommendations for detecting malicious activity and detailed steps for investigating potential security incidents and securing compromised systems.

The guidance is intended to improve incident response among partners and network administrators and to serve as a playbook for investigating incidents. It helps incident response teams collect the data needed to investigate suspicious activity on the network and host-based artifacts, perform host analysis and analysis of network activity, and take appropriate steps to remediate a cyberattack.

The guidance document was produced in cooperation with cybersecurity professionals in the United Kingdom, United States, Australia, Canada and New Zealand and provides technical assistance to help security staff identify ongoing malicious activity and mitigate attacks while limiting the potential negative consequences.

When incident response teams discover malicious activity, the focus is usually on blocking the threat actor’s access to the network. While it is vital to stop a threat actor from accessing a device or system, it is just as important to follow the right procedure so as not to alert the attacker that their presence has been detected.

Although such actions are well intentioned and aimed at containing the compromise, some of them can have damaging effects: they can alter volatile data that would have shown what the attacker did, and they can tip off the threat actor that the victim organization is aware of the compromise, prompting the attacker either to cover their tracks or to take more destructive action (such as detonating ransomware).

When responding to a suspected attack, the first step is to acquire and preserve the relevant artifacts, logs, and records that will allow a detailed investigation of the incident. If this evidence is not secured before any mitigations are applied, the data can easily be lost, which will hamper any effort to investigate the breach. Systems must also be secured, since a threat actor who realizes the breach has been detected may change their tactics. Once systems are secured and artifacts have been collected, mitigations can be applied carefully so as not to warn the threat actor that their presence on the network has been discovered.

Whenever suspicious activity is found, CISA advises seeking help from a third-party cybersecurity firm. Such firms have the expertise to remove an attacker from a system and to ensure that security weaknesses that could be exploited in further attacks on the organization are addressed once the incident has been remediated and closed.

Resolving a security breach requires a variety of technical approaches to discover malicious activity. CISA recommends hunting for known indicators of compromise (IoCs), using validated IoCs from a wide range of sources. Frequency analysis is useful for identifying anomalous activity: network defenders should establish baseline traffic patterns for network and host systems, which can then be used to recognize activity that deviates from them. Algorithms can be used to detect activity that does not match normal patterns and to identify discrepancies in timing, source location, destination location, port utilization, protocol adherence, file location, integrity via hash, file size, naming convention, and other attributes.

Pattern analysis is valuable for uncovering automated activity by malicious scripts and malware, and repeated behavior by human threat actors. An analyst review should also be carried out, drawing on the security team’s knowledge of system operations, to identify problems in the collected artifacts and locate anomalous activity that may indicate attacker activity.
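To make the frequency, timing and pattern analysis described above concrete, here is an added example (not code from the CISA advisory or from this article) that runs those three checks over a constructed set of outbound connection records; the log format, hostnames, IP addresses and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed records, assumed format "<ISO time> <src host> <dst ip>:<port>", chronological.
SAMPLE_LOG = """\
2020-09-01T09:00:03 ws-12 10.0.0.5:443
2020-09-01T09:05:40 ws-07 10.0.0.5:443
2020-09-01T09:20:58 ws-12 10.0.0.9:445
2020-09-01T10:15:04 ws-03 10.0.0.9:445
2020-09-01T11:00:00 ws-21 203.0.113.7:8443
2020-09-01T11:10:00 ws-21 203.0.113.7:8443
2020-09-01T11:20:00 ws-21 203.0.113.7:8443
2020-09-01T11:30:00 ws-21 203.0.113.7:8443
2020-09-01T11:41:12 ws-07 10.0.0.5:443
2020-09-02T03:14:27 ws-12 198.51.100.4:4444
"""

def parse(log):
    """Parse records into (timestamp, src, dst_ip, dst_port) tuples."""
    recs = []
    for line in log.splitlines():
        ts, src, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        recs.append((datetime.fromisoformat(ts), src, ip, int(port)))
    return recs

def rare_destinations(recs, max_count=1):
    """Frequency analysis: destination ip:port pairs seen at most max_count times."""
    counts = Counter((ip, port) for _, _, ip, port in recs)
    return sorted(k for k, n in counts.items() if n <= max_count)

def off_hours(recs, start=7, end=19):
    """Timing analysis: connections outside the working-hours baseline (assumed 07:00-19:00)."""
    return [(src, ip, port) for ts, src, ip, port in recs if not start <= ts.hour < end]

def beacons(recs, min_hits=4, max_jitter_s=30):
    """Pattern analysis: one source contacting one destination at near-constant intervals."""
    by_pair = defaultdict(list)
    for ts, src, ip, port in recs:
        by_pair[(src, ip, port)].append(ts)
    found = []
    for key, times in by_pair.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:  # low spread between hits = regular, automated cadence
            found.append((key, round(sum(gaps) / len(gaps))))
    return found
```

Each function returns the flagged items so they can feed the analyst review the guidance calls for; in a real deployment the baseline thresholds would be derived from the organization’s own traffic history rather than hard-coded.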

The guidance describes a number of common mistakes made when responding to incidents and provides technical measures and recommendations for investigation and remediation.

CISA also provides general recommendations on defensive tactics and programs that can make it harder for a threat actor to gain access to the network and remain there undetected. While these measures will not necessarily prevent a threat actor from compromising a system, they will help to slow the pace of an attack and give incident response teams the time they need to identify and respond to it.

You can read the CISA guidance Technical Approaches to Uncovering and Remediating Malicious Activity (AA20-245A) on this page.