PHI of Almost 19,000 Individuals Affected by Breaches at Cook Children’s Medical Center, D&S Residential Holdings and City of Lafayette

1,768 Persons Affected by Cook Children’s Medical Center Breach

Cook Children’s Medical Center, based in Fort Worth, TX, discovered that a box of radiology images kept in a locked storage room was missing. A search for the missing items was unsuccessful. The discs contained protected health information (PHI) including names, dates of birth, medical record numbers, scan types, dates of service, and physicians’ names.

Specialist software is required to view the images, although some of the PHI can be read without it. The images belong to 1,768 people who had hip and spine scans between 2005 and 2014. No reports have been received of misuse of any data on the discs. The medical center has notified everyone affected by the incident.

PHI of 2,102 People Potentially Compromised Due to a D&S Residential Holdings Phishing Attack

D&S Residential Holdings, based in Austin, TX, discovered that an unauthorized individual accessed the email accounts of several employees between April 20, 2020 and June 15, 2020 after those employees responded to phishing emails.

D&S Residential Holdings conducted a thorough investigation with the assistance of a reputable computer security firm, but it was not possible to determine whether the attackers viewed or stole any information.

A review of the employees’ email accounts showed that they contained protected health information. D&S Residential Holdings offered 12 months of free credit monitoring and identity theft protection services to the individuals whose Social Security numbers were compromised in the attack. The breach report submitted to the HHS’ Office for Civil Rights states that 2,102 individuals were affected.

15,000 Lafayette Fire Department Ambulance Users Affected by Ransomware Attack

On July 27, 2020, the City of Lafayette, CO suffered a ransomware attack that affected its email, telephone, online billing, and reservation systems, leaving essential system data inaccessible. After weighing the cost and benefits of all feasible options, the city chose to pay the attackers $45,000 to avoid a major disruption to its online operations.

Before deploying the ransomware, the attackers may have accessed personal information stored on Lafayette’s computer systems, including the usernames and passwords of its online service users and the Social Security numbers of city employees. They may also have obtained the names and health insurance identification numbers of 15,000 people transported by Lafayette Fire Department ambulances before January 1, 2018.

The city has removed the ransomware and rebuilt its network servers and computers. It has also deployed crypto-safe backup systems and implemented additional cybersecurity measures to block further ransomware attacks.

New FritzFrog P2P Botnet Targets SSH Servers of Banking Institutions, Educational Organizations, and Medical Centers

A new peer-to-peer (P2P) botnet has been found targeting SSH servers on IoT devices and routers that accept remote connections. The botnet, known as FritzFrog, spreads like a computer worm by brute-forcing credentials.

Guardicore Labs security researchers analyzed the botnet and determined that it has breached more than 500 servers, and that number is still growing fast. FritzFrog is multi-threaded, modular, and fileless, leaving no trace on the disks of infected devices. It assembles and executes its payloads entirely in memory, which makes infections difficult to detect.

On each compromised machine, the malware installs a backdoor in the form of an SSH public key, which gives the attackers persistent access to the device. Additional payloads can then be downloaded, such as a cryptocurrency miner. Once a device is compromised, the self-replication routine begins deploying the malware throughout the host server. The device joins the P2P network, can receive and execute commands from it, and is used to spread the malware to other SSH servers. Since January 2020, the botnet has been targeting government, education, healthcare, and finance organizations.

Compared with other botnets, FritzFrog is more resilient because control of the botnet is decentralized across many nodes: there is no single command and control (C2) server and therefore no single point of failure. According to Guardicore Labs, FritzFrog is written in Golang and uses a completely proprietary P2P protocol; almost everything about the botnet is unique and shared with no other P2P botnet.

To evaluate how FritzFrog works and study its functionality, Guardicore Labs’ researchers wrote an interceptor in Golang that allowed them to take part in the malware’s key-exchange process and to send and receive commands. The program, named frogger, helped them investigate the nature and extent of the network by ‘injecting’ their own nodes and participating in the P2P traffic. Through frogger, the researchers confirmed that FritzFrog had already brute-forced millions of SSH IP addresses at banks, medical centers, educational institutions, government agencies, and telecom firms.

The malware communicates over port 1234, though not directly. Traffic on port 1234 is easy to spot, so the malware uses netcat, a utility commonly used to monitor network traffic. A command sent over SSH is used as netcat’s input and is thereby relayed to the malware. FritzFrog also communicates over an encrypted channel and can execute more than 30 commands, including creating a backdoor, connecting to other compromised nodes and servers in the FritzFrog network, and checking resources such as CPU usage.

Although the botnet is currently being used to plant cryptocurrency-mining malware (XMRig) on infected devices to mine Monero, it could easily be repurposed to deliver other types of malware and used for many other purposes. Security researcher Ophir Harpaz of Guardicore Labs does not believe cryptocurrency mining is the botnet’s main goal, based on the amount of code specific to mining Monero. Harpaz believes the main goal is to gain access to organizations’ networks and either sell access to the breached servers or use them for other profitable attacks.

It is not known who created the botnet or where it originated. It has spread worldwide, but the geographic origin of the first attacks is unknown. FritzFrog is also under active development: researchers have identified more than 20 FritzFrog binary versions.

The botnet exploits the fact that many network security solutions enforce traffic only by port and protocol, so process-based segmentation rules are needed. Networks with weak passwords are more vulnerable to brute-force attacks, so strong passwords and public key authentication are essential. The botnet locates IoT devices and routers with exposed SSH keys, so organizations can protect themselves by changing their SSH port or disabling SSH access when the service is not in use. The researchers also recommend removing FritzFrog’s public key from the authorized_keys file to deny the attackers access to the device.

Guardicore Labs has released a script on GitHub that can be run to detect FritzFrog infections, along with known IoCs.
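The authorized_keys review recommended above, as an added defensive example that is not Guardicore’s detection script nor code from the page: it parses a host’s authorized_keys file, computes each key’s SHA256 fingerprint the way `ssh-keygen -lf` does, and flags any key not in an approved inventory (not only FritzFrog’s), along with lines that do not parse or whose blob contradicts the declared key type. The sample file and the approved-fingerprint set are constructed for the example; FritzFrog’s actual key is not on this page and is not reproduced here.

```python
import base64
import hashlib
import re

# Key types accepted in authorized_keys; anything else is a parse failure.
KEY_TYPES = [
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
]
# An authorized_keys line is: [options] key-type base64-blob [comment].
# Options may contain quoted strings with spaces, so the parser anchors on
# the key type and the base64 blob instead of splitting on whitespace.
KEY_RE = re.compile(
    r"(?:^|\s)(?P<type>" + "|".join(map(re.escape, KEY_TYPES)) + r")"
    r"\s+(?P<blob>[A-Za-z0-9+/]+={0,2})(?=\s|$)"
)


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_declares_type(blob_b64, key_type):
    """The blob starts with a length-prefixed copy of the key type; a
    mismatch means the line was hand-edited, mangled or forged."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except ValueError:
        return False
    n = int.from_bytes(raw[:4], "big")
    return raw[4:4 + n] == key_type.encode()


def parse_authorized_keys(text):
    """One dict per non-comment line; lines that do not parse get 'error'."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            entries.append({"line": lineno, "error": "unparseable", "raw": line})
            continue
        entries.append({
            "line": lineno,
            "options": line[:m.start()].strip(),
            "type": m.group("type"),
            "blob": m.group("blob"),
            "comment": line[m.end():].strip(),
        })
    return entries


def audit_authorized_keys(text, approved_fingerprints):
    """Return every entry an administrator should review: lines that do
    not parse, blobs whose embedded type contradicts the declared type,
    and keys whose fingerprint is not in the approved inventory."""
    findings = []
    for entry in parse_authorized_keys(text):
        if "error" in entry:
            findings.append(entry)
            continue
        if not blob_declares_type(entry["blob"], entry["type"]):
            entry["error"] = "blob type mismatch"
            findings.append(entry)
            continue
        entry["fingerprint"] = fingerprint(entry["blob"])
        if entry["fingerprint"] not in approved_fingerprints:
            entry["error"] = "fingerprint not in approved inventory"
            findings.append(entry)
    return findings


def make_blob(key_type, key_bytes):
    """Build a wire-format blob (string type, string key) so the sample
    file below can be constructed without shipping a real key."""
    def s(b):
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(key_type.encode()) + s(key_bytes)).decode()


# Constructed sample data: neither blob is a real key.
ADMIN_BLOB = make_blob("ssh-ed25519", bytes(range(32)))
UNKNOWN_BLOB = make_blob("ssh-ed25519", bytes(range(32, 64)))
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample, not a real host's file
from="10.0.0.0/8",no-agent-forwarding ssh-ed25519 {ADMIN_BLOB} admin@bastion
ssh-ed25519 {UNKNOWN_BLOB}
ssh-rsa {UNKNOWN_BLOB} mislabelled
ssh-rsa not-valid-base64!!! stray
"""
# In practice the inventory comes from `ssh-keygen -lf` on keys you issued.
APPROVED_FINGERPRINTS = {fingerprint(ADMIN_BLOB)}

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_FINGERPRINTS):
        print(f"line {f['line']}: {f['error']}")
```

Running the audit over every user’s authorized_keys (and over `AuthorizedKeysFile` locations set in sshd_config) turns the "remove the unknown key" advice into a repeatable check rather than a one-off search.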

657,392 Northern Light Health Foundation Donors Impacted by Blackbaud Ransomware Attack

The 10-hospital integrated healthcare system Northern Light Health Foundation, located in Brewer, ME, has reported that the recent ransomware attack on Blackbaud Inc. affected its databases.

The affected databases held the data of donors, prospective donors, and people who may have attended a fundraising event in the past. Patient medical information was stored separately and was not affected. The databases contained the data of 657,392 people.

Blackbaud, based in South Carolina, is one of the largest providers of education, fundraising, financial management, and administration software. A company of Blackbaud’s size is naturally a target for cybercriminals. Blackbaud stated that it faces numerous attacks every month and that its cybersecurity team successfully defends the company against them, although in May 2020 one attack succeeded.

The ransomware attack could have been much worse. Blackbaud detected the attack fairly quickly and took steps to stop it. Blackbaud prevented the ransomware from fully encrypting its data, and only a subset of the company’s 25,000+ customers was affected. The attack did not affect its online system, and most of its self-hosted environment was not impacted.

As is now common in manual ransomware attacks, the attackers exfiltrated data before encrypting files. Blackbaud explained in its breach notice that the attackers copied only a subset of the data and did not steal highly sensitive data such as bank account details, Social Security numbers, and credit card data.

Since securing customer data is Blackbaud’s top priority, the company paid the cybercriminal’s demand in exchange for a guarantee that the copied data would be destroyed. Based on the results of the investigation, Blackbaud believes that the cybercriminal no longer holds the data and will not misuse, share, or publish it.

It is not yet clear how many Blackbaud clients were affected by the cyberattack. Northern Light Health Foundation stated in its breach notice that it was affected, and several other healthcare institutions in Maine reported the same. Other affected healthcare institutions include the Cancer Research Institute in New York City and the Prostate Cancer Foundation in Santa Monica, CA.

The BBC reports that around 10 universities in the UK, US, and Canada were affected, including Emerson College in Boston, Harvard University, and the Rhode Island School of Design, as well as charities, media organizations, and a number of private-sector companies. Although the attack occurred in May 2020, affected clients were not notified until July 16, 2020. It is unclear why notification was delayed, especially since many of those clients are in the EU. The EU General Data Protection Regulation (GDPR) requires notification of data protection supervisory authorities within 72 hours of a breach occurring. Data controllers must also be notified immediately.

Children’s Hospital Colorado Phishing Attack and Hoag Clinic Laptop Computer Theft

Children’s Hospital Colorado is notifying 2,553 patients that their protected health information (PHI) may have been accessed after an email account was used without authorization between April 6 and April 12, 2020.

The attacker obtained the username and password to log into the account after the employee responded to a phishing email. The hospital discovered the attack on June 22, 2020 and promptly secured the account. A review of the messages and attachments in the account showed that they contained patient names, medical record numbers, dates of service, clinical diagnosis information, and zip codes.

Since the breach, the hospital has implemented measures to strengthen email security and reviewed its cybersecurity training platforms for staff. Technical settings related to email were also reviewed.

Laptop Containing Unencrypted PHI Stolen From Hoag Clinic

On June 5, 2020, a laptop computer issued to an employee of Hoag Clinic in Costa Mesa, CA was stolen. The laptop had been left in a vehicle in the worksite parking lot in Newport Beach. The clinic learned of the theft immediately and notified law enforcement, but the device was not recovered.

The IT security team confirmed that the laptop contained the PHI of 738 people, including first and last names, middle initial, telephone number, address, email address, date of birth, age, medical record number, physician’s name, whether the patient was being followed by case management, whether a COVID-19 test had been performed, whether the person had been referred to case management, whether a telehealth appointment had been scheduled, communication status records, and whether the person was involved in home health.

Hoag Clinic has retrained its staff on security precautions, improved its policies on transporting laptops to and from worksites, and conducted a comprehensive security review to ensure all appropriate cybersecurity measures are in place. The clinic offered affected individuals a free one-year membership to the Experian IdentityWorks identity theft detection and resolution service.

Breaches at Beaumont Health, Southcare Minute Clinic and Samaritan Medical Center

Beaumont Health, the leading healthcare organization in Michigan, has begun notifying about 6,000 patients that their protected health information (PHI) may have been accessed by unauthorized persons.

On June 5, 2020, Beaumont Health discovered that unauthorized persons had accessed email accounts between January 3, 2020 and January 29, 2020. The accounts contained patients’ PHI including names, dates of birth, procedure and treatment data, type of treatment provided, diagnoses, diagnosis codes, prescription details, patient account numbers, and medical record numbers.

Although unauthorized persons accessed the email accounts, no evidence was found that the hackers viewed or stole the emails or attachments in the accounts. No reports of misuse of patient data have been received.

This is Beaumont Health’s second notification of a phishing-related breach this year. In April, Beaumont Health began notifying 112,211 people of a breach of their PHI held in email accounts in late 2019.

Beaumont Health has taken steps to improve its internal procedures so that it can identify and prevent threats more quickly in the future. Additional safeguards were implemented to improve email security, including multi-factor authentication, and staff received further training on identifying and handling malicious emails.

Samaritan Medical Center Investigating Possible Security Breach

Samaritan Medical Center in Watertown, NY announced a security incident that forced it to shut down its computer systems. Staff have been using pen and paper while the breach is remediated and continue to provide care to patients. Patients were not transferred to other hospitals, although some non-urgent visits were rescheduled. No further details about the exact nature of the incident have been released at this time.

Improper Disposal of Medical Documents by Southcare Minute Clinic

The North Carolina Department of Health and Human Services is investigating Southcare Minute Clinic in Wilmington, NC over the improper disposal of medical records. The Wilmington Police Department responded to a call reporting that sensitive files and hazardous waste had been dumped in an ordinary dumpster behind the former Southcare Minute Clinic at 1506 Market Street.

The dumpster was found to contain files with patient data, used needles, and other hazardous waste. Police stated that there was a violation of the HIPAA Rules but determined that no crime had been committed. The dumpster has since been cleaned out and no longer poses a danger to public safety. The North Carolina Department of Health and Human Services will decide whether a financial penalty is appropriate.

Cyberattacks at Highpoint Foot and Ankle Center and the University of Utah Affect 35,000+ Patients’ PHI

Highpoint Foot and Ankle Center in New Britain Township, PA suffered a ransomware attack in May 2020 in which the attackers encrypted and potentially accessed or exfiltrated patient information. Highpoint Foot and Ankle learned of the attack on May 20, 2020 when staff were unable to access certain files on the system.

An investigation found that an unauthorized person had remotely deployed ransomware on its computer network. No evidence was found that the attacker accessed patient data before encrypting the files, and no reports of misuse of patient data have been received.

A third-party computer forensics firm was engaged to assist with the investigation and confirmed the possible compromise of files containing the PHI of 25,554 patients. The files contained names, dates of birth, addresses, Social Security numbers, treatment information, diagnoses, and release conditions.

Additional safeguards have since been implemented to protect patient data, and all patients affected by the breach have been notified by mail.

Phishing Attack on the University of Utah Affects Up to 10,000 Patients

The University of Utah has suffered a phishing attack that likely exposed the protected health information (PHI) of about 10,000 patients. This is the University of Utah’s fourth data breach report submitted to the Department of Health and Human Services in 2020. All four incidents are listed as hacking/IT incidents involving email. The previous breach reports were submitted on June 8, 2020 (affecting 1,909 people), April 3, 2020 (affecting 5,000 people), and March 21, 2020 (affecting 3,670 people).

Unauthorized persons gained access to staff email accounts between January 22, 2020 and May 22, 2020, according to the substitute breach notice posted on the University of Utah Health website. It is unclear at this time whether the most recent breach report also involved access to staff email accounts during the same period.

Kathy Wilets, Public Relations Director at University of Utah Health, told databreaches.net that the phishing incidents were being treated as separate incidents but may have been part of a coordinated campaign. She explained that the most recent incident likely involved access to some patient information and that the figure of 10,000 affected persons is an estimate; the investigation may confirm that fewer people were affected. Steps have been taken to strengthen email security, including the rollout of 2-factor authentication.

Breaches at Quantum Imaging and Therapeutic Associates, Delaware Department of Health and Social Services and US HealthCenter

The Pennsylvania radiology practice Quantum Imaging and Therapeutic Associates announced that it has received reports that a non-physician employee allegedly posted an x-ray image of a male patient’s genitalia to a Facebook group.

Posting health-related images on social media without patient authorization violates HIPAA and patient privacy. Quantum posted a statement on Facebook confirming the reports of a privacy breach and explained that it is committed to protecting its patients’ privacy and is deeply saddened by the reports. No further details have been released while the investigation is ongoing. The Fairview Township police were notified and have opened an investigation, but no arrests have been made so far. Some commenters on the Facebook post said the photo may have been seen by ‘thousands’ of people.

Delaware Department of Health and Social Services Uncovered Impermissible Disclosure of PHI

The Delaware Department of Health and Social Services found that a spreadsheet containing PHI was accidentally disclosed to four students.

Four seniors at the University of Delaware requested data for a project to identify service gaps in the community and were given a spreadsheet. The students had asked only for people’s age groups and disability status, but identifying data was not removed before the spreadsheet was handed over. The students saw the full names, dates of birth, diagnoses, and county of 350 people.

The students presented their report over Zoom on May 8, also displaying the listed individuals’ PHI. The Delaware Department of Health and Social Services stopped the presentation as soon as it learned that PHI was being shown. The students were told to delete the information, and the person who provided the spreadsheet was disciplined.

US HealthCenter Discovers Email Account Security Breach

US HealthCenter, a health risk management firm, discovered that an unauthorized individual gained access to an email account and may have viewed or obtained the personal and protected health information (PHI) of Cost Plus World Market (Cost Plus) Wellness Program members.

The compromised inbox was used to receive members’ completed Annual Preventive Screening affidavits; inquiries from Wellness Program members about the program were also forwarded to the account. US HealthCenter learned of the unauthorized access on April 13, 2020 when the hacker used the account to send phishing emails to Cost Plus wellness program participants. While the account was compromised, the unauthorized person could view and send email messages.

A review of the email messages in the account confirmed they contained participants’ names, birth dates, employee numbers, physician signatures, exam dates, and some medical information.

US HealthCenter secured the account promptly and has since moved it to a new Microsoft Office 365 system that offers stronger security protections, including multi-factor authentication. No evidence of misuse of personal data has been identified.

Breaches at Central California Alliance for Health, Wisconsin Department of Corrections and Hutton & Hale, D.D.S., Inc.

Central California Alliance for Health discovered that an unauthorized person gained access to several employees’ email accounts and may have viewed or stolen data in email messages and attachments. The organization discovered the breach on May 7, 2020 and acted quickly to secure the affected accounts. In each case, the accounts were accessed for approximately an hour.

A review of the breached accounts showed they contained a limited amount of protected health information (PHI) of Central California Alliance for Health members, such as Alliance Care Management program information, birth dates, claims details, demographic data, Medi-Cal ID numbers, referral data, and health care details. No financial data or Social Security numbers were exposed.

Following the breach, Central California Alliance for Health performed a full password reset on every email account, including accounts that were not compromised. Employees also received additional training on email security.

Central California Alliance for Health has submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights stating that 35,883 members were affected.

Wisconsin Department of Corrections Breach Affects 1,853 People

The Wisconsin Department of Corrections discovered that data on people held in its treatment centers had been exposed on the websites of three vendors contracted to handle canteen purchases. An employee found the information on May 15, 2020, and affected individuals were notified on June 15, 2020.

The exposed data was limited to names and information about the treatment facility where each person was located. That data should have been encrypted on the websites. The issue has been corrected and the data is no longer available online.

Hacking of Hutton & Hale, D.D.S., Inc. Affects 8,394 Patients

Dr. Ann Hale of Hutton & Hale, D.D.S., Inc. has begun notifying 8,394 patients that their PHI may have been exposed after the practice’s data storage and computer networks were hacked on May 25, 2020.

Those systems stored patients’ medical records and PHI including names, contact telephone numbers, addresses, X-ray information, and Social Security numbers.

All affected patients were offered a free one-year membership to identity theft protection and credit monitoring services and are covered by a $1,000,000 identity theft insurance policy. To date, no reports of misuse of patient data have been received.

The practice is adding further safeguards to its web server infrastructure to prevent future breaches.

Up to 69,000 Persons Affected by Cyberattacks on Healthcare Fiscal Management and Friendship Community Care

Healthcare Fiscal Management Inc. (HFMI), located in Wilmington, NC, provides self-pay conversion and insurance eligibility services to physician groups, hospitals, and clinics. HFMI suffered a ransomware attack in which the attackers gained access to the personal and protected health information (PHI) of patients of St. Mary’s Health Care System in Athens, GA.

An unauthorized person accessed HFMI’s systems on April 12, 2020 and deployed a ransomware payload the next day that encrypted data stored on those systems. The hacker accessed systems holding the personal information and PHI of patients who received medical services at St. Mary’s between November 2019 and April 2020.

The attackers may have accessed and obtained the information of about 58,000 patients, although data access or theft could not be confirmed. The PHI stored on the breached systems included names, Social Security numbers, birth dates, account numbers, health record numbers, and service dates.

HFMI was prepared for this type of incident and had working backups, which were used to restore the data the same day to an alternative hosting provider. A forensic investigation team was hired to examine the incident and stated that the attackers do not possess the data. The data is also not available online.

Security experts are reviewing security settings and, on their advice, steps are being taken to improve security. HFMI has offered all affected individuals free credit monitoring and identity theft protection services as a precaution against identity theft and fraud.

Phishing Attack on Friendship Community Care Affects 9,745 Patients

Friendship Community Care (FCC), a not-for-profit provider of care for adults and children with disabilities based in Russellville, AR, suffered a phishing attack in January 2020.

FCC identified the phishing attack on February 4, 2020 after noticing suspicious activity in an employee’s email account. Forensic investigators assisted with the investigation and confirmed on February 5, 2020 that an unauthorized person had accessed the email account; further investigation confirmed that several Office 365 email accounts had been breached using credentials obtained in the phishing attack.

FCC determined on February 7, 2020 that the email accounts contained PHI. A detailed review of the accounts confirmed the potential exposure of the PHI of 9,745 people, although no evidence was found that the attacker accessed or obtained the emails.

The compromised email accounts contained names, birth dates, addresses, Client ID numbers, Social Security numbers, Medicaid IDs/Medicare IDs, employer ID numbers, patient numbers, medical data, state ID card numbers, student ID numbers, driver’s license numbers, financial account details, mother’s maiden names, marriage certificates, birth certificates, facial photographs, and disability codes.

FCC offered affected individuals free credit monitoring and identity protection services. A review of email security was conducted, and steps are being taken to strengthen security to prevent similar breaches in the future.

Ransomware Attacks on North Shore Pain Management and Florida Orthopaedic Institute

North Shore Pain Management (NSPM) in Massachusetts has begun notifying 12,472 patients that hackers may have stolen some of their protected health information (PHI). NSPM became aware of the breach on April 21, 2020, and its investigation confirmed that the hackers first accessed its systems on April 16, 2020.

NSPM posted a substitute breach notice on its website but gave no details about the nature of the attack. However, Emsisoft and databreaches.net confirmed that AKO ransomware was used in the attack. The group behind the attack posted 4GB of stolen data on its Tor website after no ransom was paid.

The posted data includes sensitive information on employees and patients. The NSPM breach notice stated that the stolen information consists of patient names, health insurance information, account balances, birth dates, financial details, and diagnosis and treatment information. Ultrasound and MRI images were also compromised for several patients. Patients whose Social Security number was used as their health insurance/member number had their SSNs exposed as well.

Because the stolen data has been posted online, NSPM advised affected patients to monitor their explanation of benefits statements and financial accounts for any sign of misuse. NSPM offered free credit monitoring and identity theft protection services to patients whose Social Security numbers were exposed, and has engaged a new IT management provider to strengthen its cybersecurity.

The AKO ransomware operators behave like other gangs that deploy ransomware manually: they steal data before encrypting files to increase the likelihood of a ransom payment. The AKO group typically demands that companies with large revenues make two ransom payments, one for the decryptor and one for deletion of the stolen data. The cost of data deletion can range from $100,000 to $2,000,000.

The group claimed that some healthcare providers pay only the data deletion fee. It has not been confirmed whether NSPM paid a ransom.

Ransomware Attack on Florida Orthopaedic Institute

A ransomware attack on Florida Orthopaedic Institute in Tampa, FL on April 9, 2020 resulted in the encryption of patient data. An internal investigation showed that patients’ personal information and PHI may have been stolen before the files were encrypted. However, Florida Orthopaedic Institute has received no reports of patient data misuse as a result of the attack.

Florida Orthopaedic Institute engaged a third-party computer forensics firm to continue the investigation. Steps had already been taken to recover the encrypted data and secure its servers. Affected patients have received breach notification letters, including an offer of free fraud consultation, credit monitoring, and identity theft restoration services.

The data that was encrypted and possibly obtained by the attackers included names, Social Security numbers, birth dates, and medical information such as appointment times, diagnosis codes, physician locations, amounts paid, insurance plan ID numbers, payer ID numbers, claims addresses, and/or FOI claims history.

Florida Orthopaedic Institute has engaged third-party experts to enhance security and prevent further cyberattacks.

The HHS’ Office for Civil Rights has not yet posted the incident on its breach portal, so the number of affected patients is not yet known.