NetWalker Ransomware Gang Attacks on the Healthcare Industry

Although a number of threat groups have mentioned that they are not going to attack healthcare institutions on the frontline responding to the COVID-19 crisis, that definitely does not apply to the NetWalker ransomware operators.

The latest research performed by Advanced Intelligence LLC showed that the operators of the ransomware are extensively attacking healthcare industry targets and expanding their operations.

The majority of ransomware attacks by Russian-speaking threat actors rely on massive phishing campaigns rather than targeted intrusions. NetWalker has spread throughout the COVID-19 pandemic via spam emails claiming to provide details about SARS-CoV-2 and COVID-19 cases. The emails carry an attached Visual Basic script file named CORONAVIRUS_COVID-19.vbs, which retrieves the ransomware from a remote server.

Although it still uses phishing emails, the group now also engages in large-scale network infiltration. The group’s representatives are posting ads on top-tier darknet forums for a new affiliate program under the ransomware-as-a-service model. While many threat groups are not particularly choosy about who distributes their ransomware, the NetWalker gang is taking a quality-over-quantity approach and only wants competent affiliates who already have, or can obtain, access to business networks.

The gang gives preference to affiliates who already have access to business networks and to hackers with substantial experience conducting attacks. As with other Russian threat groups, affiliates are banned from targeting Russia or the CIS.

Like other ransomware groups, the group states that it exfiltrates information before encrypting data and that the stolen information will be posted on its blog if no ransom is paid. The group also says that it always decrypts files after the ransom payment is received.

To entice seasoned hackers, the group offers affiliates a high share of the ransom payment. Many affiliate programs split ransom payments 30/70, with the affiliate receiving 70%. NetWalker offers 80% of ransom payments below $300K and 84% of payments above $300K. The group demands ransoms ranging from a few hundred thousand dollars to millions.

The group has performed attacks on a number of healthcare institutions, such as the Champaign-Urbana Public Health District in Illinois, the Australian shipping company Toll Group, and the Australian customer experience company Stellar.

According to Trend Micro, the group is using fileless ransomware. Fileless ransomware runs entirely in memory and does not need to write to disk, which makes it harder for security solutions to identify the attack. Microsoft has cautioned healthcare organizations that attackers have exploited misconfigured IIS-based applications, then used the Mimikatz credential-stealing tool and PsExec to deploy NetWalker.

The shift in tactics, techniques and procedures toward highly targeted attacks, the current affiliate recruitment strategy, and the high percentage paid to affiliates will likely see NetWalker ransomware become an even greater risk in the coming months as the group takes after other human-operated ransomware groups like Maze and REvil.

Considering the growing number of human-operated ransomware attacks on healthcare organizations, network defenders must take preemptive steps to minimize risk, such as:

  • dealing with known vulnerabilities
  • protecting vulnerable internet-facing systems
  • examining servers and apps for misconfigurations
  • keeping track of the use of penetration testing tools, security log tampering, and credential theft activity that could indicate a prior system breach
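To illustrate the last bullet together with the IIS-to-Mimikatz-to-PsExec chain that Microsoft warned about, here is an added example (not code from the page, from Microsoft, or from Trend Micro): a small Python triage script that flags each stage of that chain in constructed Windows event records. Host names, users, paths and timestamps are invented; the event IDs (4688 process creation, 7045 service installed, 1102 Security log cleared) are standard Windows IDs.

```python
"""Triage constructed Windows events for the intrusion chain described above:
misconfigured IIS app -> credential theft (Mimikatz) -> PsExec deployment ->
log tampering. Added example; all hosts, users and paths are constructed."""
import json

# Constructed sample events, one JSON object per line (hypothetical hosts/users).
SAMPLE_EVENTS = r"""
{"ts":"2020-05-02T09:14:03Z","host":"WEB01","event_id":4688,"parent":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c whoami","user":"IIS APPPOOL\\DefaultAppPool"}
{"ts":"2020-05-02T09:20:41Z","host":"WEB01","event_id":4688,"parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Temp\\mk.exe","cmdline":"mk.exe privilege::debug sekurlsa::logonpasswords","user":"WEB01\\svc_web"}
{"ts":"2020-05-02T09:31:17Z","host":"FS01","event_id":7045,"service_name":"PSEXESVC","image":"%SystemRoot%\\PSEXESVC.exe","user":"CORP\\backupadmin"}
{"ts":"2020-05-02T09:32:05Z","host":"FS01","event_id":1102,"user":"CORP\\backupadmin"}
{"ts":"2020-05-02T10:02:55Z","host":"HR02","event_id":4688,"parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe","user":"CORP\\jdoe"}
{"ts":"2020-05-02T10:05:00Z","host":"HR02","event_id":7045,"service_name":"Dnscache","image":"C:\\Windows\\System32\\svchost.exe -k NetworkService","user":"SYSTEM"}
"""

WEB_WORKERS = {"w3wp.exe"}                   # IIS worker process
SHELLS = {"cmd.exe", "powershell.exe"}       # shells a web app should never spawn
MIMIKATZ_MARKERS = ("sekurlsa::", "lsadump::", "mimikatz")  # well-known module names
PSEXEC_SERVICES = {"PSEXESVC"}               # default service name PsExec installs


def basename(path):
    """Return the lower-cased file name from a Windows path, ignoring arguments."""
    if not path:
        return ""
    tail = path.rsplit("\\", 1)[-1].split()
    return tail[0].lower() if tail else ""


def rule_iis_spawns_shell(ev):
    """Stage 1: a misconfigured IIS app executing a command shell."""
    return (ev.get("event_id") == 4688
            and basename(ev.get("parent")) in WEB_WORKERS
            and basename(ev.get("image")) in SHELLS)


def rule_credential_dumping(ev):
    """Stage 2: Mimikatz-style command lines, even if the binary was renamed."""
    cmd = ev.get("cmdline", "").lower()
    return ev.get("event_id") == 4688 and any(m in cmd for m in MIMIKATZ_MARKERS)


def rule_psexec_service(ev):
    """Stage 3: PsExec installing its service on a remote host."""
    return (ev.get("event_id") == 7045
            and ev.get("service_name", "").upper() in PSEXEC_SERVICES)


def rule_log_cleared(ev):
    """Stage 4: Security event log cleared (anti-forensics)."""
    return ev.get("event_id") == 1102


RULES = [
    ("iis_worker_spawned_shell", rule_iis_spawns_shell),
    ("credential_dumping_tool", rule_credential_dumping),
    ("psexec_service_installed", rule_psexec_service),
    ("security_log_cleared", rule_log_cleared),
]


def triage(raw_lines):
    """Parse JSON event lines and return findings sorted by timestamp."""
    findings = []
    for line in raw_lines.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for name, check in RULES:
            if check(ev):
                findings.append({"ts": ev["ts"], "host": ev["host"],
                                 "user": ev.get("user", ""), "rule": name})
    return sorted(findings, key=lambda f: f["ts"])


def hosts_by_rule(findings):
    """Map each rule name to the sorted list of hosts that triggered it."""
    out = {}
    for f in findings:
        out.setdefault(f["rule"], set()).add(f["host"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']:<6} {f['user']:<26} {f['rule']}")
```

Seeing all four stages fire within minutes across two hosts, as in the sample, is the pattern worth escalating; any single rule alone can be a false positive (legitimate PsExec use by administrators, for instance).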

Breaches at The Little Clinic and Mat-Su Surgical Associates

The Little Clinic, which operates a network of over 215 medical care clinics in Kansas, Kentucky, Tennessee, Ohio, Arizona, Georgia, Colorado, Virginia and Indiana, found a bug in its web-based appointment system that likely allowed the unauthorized disclosure of patients’ PHI.

The Little Clinic identified the bug and confirmed that it was introduced on October 7, 2018. The network corrected the problem on February 13, 2020 and implemented measures to prevent similar breaches in the future.

Because of the coding error, when a patient booked an appointment online and later modified it, the patient’s name, date of birth, phone number and address could be seen by other domains. The investigation found that about 10,974 patients were likely affected and may have had some of their personal data exposed.

The Little Clinic found no evidence indicating that patient information was accessed or misused, but concluded on April 7, 2020 that the incident should be treated as a data breach. The clinic therefore mailed notification letters to all individuals likely affected.

Ransomware Attack at Mat-Su Surgical Associates

Mat-Su Surgical Associates based in Palmer, AK reported that it experienced a ransomware attack last March. The employees found out about the attack on March 16 when they were unable to access the computer systems due to the encryption of key files.

Third-party computer forensics investigators examined the nature and extent of the attack and sought to verify whether the attackers viewed or took any patient information. It was not possible to determine whether the attacker exfiltrated information or viewed patient data before encryption, but the investigators could not rule out unauthorized access. The attacker is presumed to have obtained access to parts of the computer system that held the protected health information (PHI) of 13,146 patients.

The following data were potentially compromised in the ransomware attack: names of current and former patients of Mat-Su Surgical Associates and Valley Surgical Associates, along with addresses, diagnoses, treatment details, laboratory test results, health insurance details, Social Security numbers, and other information related to the medical care received.

Mat-Su Surgical Associates delivered breach notification letters via mail to all impacted patients and provided them free credit monitoring and identity theft protection services via ID Experts.

Mat-Su Surgical Associates has also made necessary security enhancements, including additional measures to prevent unauthorized remote access to its systems.


Threat Actors Target Cloud Data Doubling Web Application Attacks

The Verizon Data Breach Investigations Report for 2020 indicates that malware attacks are declining as threat actors increasingly target data stored in the cloud. Verizon has been producing the report for 13 years. This year’s report includes an analysis of 32,002 security incidents and 3,950 confirmed data breaches from 81 contributors located in 81 countries around the world.

The report explains that the primary motivation for attacks is financial gain. Some relevant statistics:

  • 86% of all security breaches were financially motivated
  • 70% were carried out by external actors
  • 55% were performed by organized criminal groups
  • 22% were caused by human error
  • 25% involved phishing and other social engineering attacks
  • 37% involved brute-forcing of weak credentials
  • 67% involved credential theft

Only 20% of breaches involved the exploitation of vulnerabilities. It is worth noting that attacks using stolen credentials are far easier to carry out than exploiting vulnerabilities. This, rather than organizations patching vulnerabilities quickly, explains the fairly low number of vulnerability-related attacks.

The ease of performing attacks with stolen passwords or brute-forced credentials has made malware attacks less common. That said, ransomware is proving to be an appealing choice, with malware-related attacks rising from 24% to 27% of all breaches.

There was a considerable rise in web application attacks over the last 12 months, which doubled to 43% of all breaches. 80% of those breaches were associated with credential theft. With many more organizations moving their data off traditional domain controllers and internal infrastructure, a big increase in web-based attacks is not surprising.

The information gathered for the report does not cover the period of the COVID-19 public health emergency, when a lot of organizations sped up their cloud migration plans to enable more workers to work from home. It is very likely that the report next year will see a greater percentage of attacks on cloud data.

Tami Erwin, CEO of Verizon Business, said that with the increase in remote working during the global pandemic, end-to-end security from the web to the employee’s PC becomes critical. In addition to safeguarding their systems from attack, all organizations should continue employee education, as phishing schemes are increasingly sophisticated and malicious.

Cyberattacks and Insider Breaches in the Field of Healthcare

Financially motivated cyberattacks accounted for 88% of all healthcare breaches, the majority of which involved ransomware. 4% of healthcare cyberattacks were carried out for fun and 3% for convenience.

Verizon reports a substantial rise in healthcare data breaches over the last 12 months. Last year’s report listed 304 healthcare data breaches, whereas this year’s report covered 521. The most common type of attack on healthcare providers is crimeware, which includes ransomware and malware. As in other industry sectors, attacks on cloud applications are growing.

The healthcare industry generally has a higher-than-average rate of privilege misuse. This involves insiders who have access to sensitive data and abuse their access rights to steal or misuse it. With so many employees having authorized access to patient records, and the high value of those records on the black market, this is to be expected.

This year’s report does contain some good news. For the first time, privilege misuse is not among the top three causes of healthcare data breaches. This is part of a pattern seen across all industries, which suggests that employees are more mindful about accessing data without permission and that healthcare organizations are better able to protect data.

Another positive sign is a lower number of breaches involving multiple actors, which typically means a third party, such as an identity thief, partnering with an insider who supplies the data. In the 2019 report, multiple actors were involved in 4% of breaches; in 2020 the figure slipped to 1%. The split between internal and external actors also changed considerably. In the 2019 report, internal actors caused 59% of healthcare breaches and external attackers 42%. This year’s report finds that internal actors are responsible for 48% of breaches and external actors for 51%.

This year, the top causes of healthcare breaches were miscellaneous errors and web application attacks. Miscellaneous errors were mostly misdelivery: emails sent to the wrong recipients and mass mailings that delivered letters to the wrong patients, as happens when a mail merge goes wrong.

Data Breaches at Mille Lacs Health System, North Shore Pain Management and PsyGenics, Inc.

Mille Lacs Health System, located in Onamia, MN, has experienced a phishing attack that likely exposed the protected health information (PHI) of more than 10,000 patients.

Some employees of Mille Lacs Health System received phishing emails containing links that directed them to a web page requesting their email credentials. Some employees were fooled by the scam.

Mille Lacs Health System discovered the phishing attack on November 14, 2020 and started an investigation to determine the scope of the breach. The investigators confirmed on February 24, 2020 that the attacker used the stolen credentials to access email accounts from August 26, 2019 to January 7, 2020. An assessment of the compromised email accounts was completed on April 22, 2020 and confirmed that the attacker could have accessed patient information.

The compromised information likely included first and last names, dates of birth, addresses, provider names, clinical details, dates of service, treatment data, procedure types, and for some individuals, Social Security numbers. No evidence was found to suggest that the attackers obtained or misused patient information.

Mille Lacs Health System secured all accounts by performing a full password reset on every email account and implementing additional measures to strengthen email security. Affected individuals were notified about the breach by mail on May 11, 2020 and offered complimentary credit monitoring services.

The breach report submitted by Mille Lacs Health System to the Department of Health and Human Services’ Office for Civil Rights reveals that the breach affected 10,630 patients.

Ransomware Attack on North Shore Pain Management

North Shore Pain Management, based in Massachusetts, has experienced a human-operated AKO ransomware attack and the theft of some patient data.

At the time of writing, the HHS’ Office for Civil Rights has not yet listed the incident on its breach portal, and no substitute breach notice has been posted on the company’s website. Databreaches.net reported the breach, noting that around 4GB of data relating to the company had been posted on the Tor site used by the attackers. The exposed data contained more than 4,000 files of patient and employee data.

The files included a variety of sensitive protected health information, including Social Security numbers, health data, and insurance information.

PsyGenics Employee Emailed Client Information to Personal Email Account

PsyGenics, Inc., a Detroit-based provider of occupational therapy, family therapy and speech therapy, found that one of its employees had emailed a spreadsheet containing client information to a personal email account. The breach was noticed on March 25, 2020 during a routine security review. The employee had sent the email on March 24, 2020.

The spreadsheet included the following data: clients’ names, diagnosis codes, provider names, and appointment times. The spreadsheet contained no other data, such as treatment notes. No reason was given for why the employee sent the spreadsheet to their personal email account. PsyGenics states it found no evidence of attempted or actual misuse of client data.

Magellan Health Experiences a Ransomware Attack

A ransomware attack on Magellan Health, a Fortune 500 company, last April resulted in file encryption and theft of certain employee data.

Magellan Health detected the ransomware attack on April 11, 2020 when files on its systems were encrypted. The breach investigation found that the attacker gained access to its systems after an employee responded to a spear-phishing email received on April 6. The attacker fooled the employee by impersonating a Magellan Health client.

Magellan Health hired the cybersecurity company Mandiant to assist with the breach investigation, which revealed that the attacker accessed a corporate server containing employee data and exfiltrated part of that information before encrypting files. The attacker also downloaded malware that was used to steal login credentials.

The stolen information related to current employees of the company and included their names, employee ID numbers, addresses, and W-2 and 1099 information, which listed the employees’ Social Security numbers and taxpayer IDs. The usernames and passwords of some employees were also stolen.

Magellan Health is not aware of any attempts to use that information, but has advised affected individuals to be alert to the possibility of identity theft and data misuse. Affected individuals were offered a free three-year membership to Experian’s IdentityWorks identity theft detection and resolution service.

Magellan Health is working with law enforcement, which is actively investigating the incident, and has already taken steps to strengthen security to prevent similar breaches in the future.

It is still uncertain at this time how many people were impacted by the breach.

The ransomware attack occurred just a couple of months after Magellan Health discovered that several of its subsidiaries had suffered phishing attacks that allowed unauthorized individuals to access employee email accounts in July 2019. The emails in the compromised accounts held the protected health information (PHI) of 55,637 members of the following entities: Magellan Healthcare, Magellan Rx Management, and National Imaging Associates. Breach notifications were issued in September and November 2019.

WHO Confirms a Higher Number of Cyberattacks on its Staff

The World Health Organization (WHO) is a leading agency in the fight against COVID-19. Hackers and hacktivists have stepped up attacks on WHO as it deals with the pandemic; WHO now sees five times as many cyberattacks as at the same time last year.

Last month, WHO confirmed that hackers had tried to access its network and those of its partners by spoofing an internal WHO email system, and the attacks have continued since. Last week, SITE Intelligence Group identified credentials of a large number of people engaged in the fight against COVID-19 that had been dumped online on Pastebin, 4chan, Twitter and Telegram. Roughly 25,000 email addresses and passwords were exposed, including about 2,700 credentials of WHO personnel. WHO said the data came from an old extranet system and that most of the credentials were no longer valid, but 457 were recent and still active.

In response, WHO performed a password reset to ensure the credentials could not be used, strengthened internal security, implemented a more secure authentication system, and improved employee security awareness training.

The other dumped credentials belonged to institutions including the Centers for Disease Control and Prevention, the Gates Foundation and the National Institutes of Health. It is unclear where the data came from or who posted it online, but the credentials were used by right-wing groups to attack agencies developing vaccines and carrying out other COVID-19 related work.

WHO CIO Bernardo Mariano stated that ensuring the security of health data for member states and the privacy of users interacting with WHO is its top priority at all times, and particularly throughout the COVID-19 pandemic.

Mariano also confirmed that ongoing phishing campaigns spoof WHO to trick individuals into donating to fictitious funds impersonating the COVID-19 Solidarity Response Fund, which is overseen by WHO and the United Nations. Nation-state hacking groups also run campaigns that spoof WHO to trick individuals into downloading malware used for espionage.

COVID-19 and coronavirus-themed malicious attacks have skyrocketed over the past few weeks. Data released by cybersecurity company Zscaler indicates that COVID-themed attacks increased by 30,000% in March, with about 380,000 COVID-19 themed attacks attempted, compared with 1,200 in January and 10,000 in February.

COVID-19-themed phishing attacks on remote enterprise users increased by 85%, and threats directed at enterprise clients increased by 17%. In March, the company blocked 25% more malicious sites and malware samples. The company also identified 130,000 suspicious or malicious newly registered domains using words such as mask, Wuhan, test, and kit.

Many of these attacks are succeeding. FTC statistics suggest about $19 million has been lost to COVID-19 related scams since January 2020, with $7 million lost in the past 10 days alone. Google reported earlier this month that it blocked 18 million COVID-19 phishing emails in a single week. Although the number of COVID-19 themed attacks has risen dramatically, the overall number of attacks has remained fairly steady. Microsoft data cited that cyberattacks did not significantly increase during the COVID-19 crisis; threat actors are simply repurposing their infrastructure and switching from their normal campaigns to COVID-19 related lures.

PHI of Patients Potentially Compromised Due to Data Breaches at Andrews Braces and EVERSANA

The orthodontics practice Andrews Braces, based in Sparks, NV, has experienced a ransomware attack that resulted in the encryption of patient data. Andrews Braces discovered the attack on February 14, 2020, and the subsequent investigation revealed that the ransomware had been downloaded the previous day.

Andrews Braces engaged a third-party forensic investigator to evaluate the extent of the attack and determine whether patient data was accessed or exfiltrated before encryption. Although it is not unusual for ransomware attacks to also involve data theft, the investigators found no evidence that the attackers accessed data. The attack appears to have been automated, with the sole purpose of encrypting data to extort a ransom from the provider.

Because the practice regularly backed up all patient data and stored the backups securely, it did not pay a ransom and restored the encrypted files itself. Data theft is not suspected, but the possibility cannot be ruled out, so Andrews Braces sent notification letters to all affected patients. The attacker could potentially have accessed the following types of data: names, addresses, dates of birth, email addresses, Social Security numbers, and health data.

Andrews Braces has implemented additional security measures to prevent further attacks.

Data Breach at EVERSANA

EVERSANA is an independent global services provider in the life sciences sector. It discovered that an unauthorized person obtained access to some of its employees’ email accounts in 2019.

EVERSANA was alerted to unusual activity in its employees’ accounts and confirmed that an unauthorized individual had accessed the accounts through a legacy technology environment. According to the investigation, the accounts were compromised from April 1 to July 3, 2019.

The accounts contained information from several patient services programs. The investigators found no evidence that data was accessed without authorization, but the attacker(s) could have accessed the sensitive data of some patients. A comprehensive analysis of the compromised accounts was completed in February and confirmed that the following data elements were potentially compromised: names, addresses, driver’s license numbers, Social Security numbers, state identification numbers, tax identification numbers, passport numbers, debit/credit card details, financial account data, usernames and passwords, health data, treatment details, diagnoses, provider names, Medicare/Medicaid numbers, MRN/patient ID numbers, health insurance data, treatment cost data, and/or prescription details.

EVERSANA has upgraded its legacy technology environment and implemented further safeguards to bolster security. Affected individuals have been sent notification letters and offered free credit monitoring and identity restoration services for 12 months.

The HHS’ Office for Civil Rights website has not yet listed the breach, so the number of affected individuals is currently unknown.

INTERPOL Issues Warning Over Increase in Ransomware Attacks on Healthcare Organizations

INTERPOL has issued an advisory to hospitals about ongoing ransomware attacks during the 2019 Novel Coronavirus pandemic. Although several ransomware gangs have publicly stated that they will halt attacks on healthcare companies directly responding to COVID-19, others are still carrying out attacks, and those attacks have increased.

Growing Attempts of Ransomware Attacks on Healthcare Organizations over the Weekend

Over the past weekend, INTERPOL’s Cybercrime Threat Response (CTR) team found that the number of attempted ransomware attacks on healthcare providers and on other organizations and infrastructure involved in the coronavirus response had risen sharply. INTERPOL released a ‘Purple Notice’ alerting police in all 194 member countries to the heightened risk of attacks. Ransomware attacks can delay vital care for COVID-19 patients and may directly lead to deaths.

Hammersmith Medicines Research, a medical research firm in the U.K., is one of the healthcare companies recently attacked. The firm was preparing to support the development of a SARS-CoV-2 vaccine when the Maze ransomware gang attacked it. The gang published stolen sensitive data when the firm refused to pay the ransom. The Maze gang later issued a press release saying that all attacks on healthcare firms would be halted during the COVID-19 outbreak, and the stolen information was removed from the Maze site. Nonetheless, other threat groups remain highly active and continue to target healthcare providers.

Biotechnology firm 10x Genomics, based in Pleasanton, CA, was another recent victim. According to the Sodinokibi (REvil) ransomware gang, it downloaded 1TB of data from 10x Genomics before deploying its ransomware payload. Part of that data was posted online in an attempt to force the company to pay the ransom.

In its latest SEC filing, the company said it is working with law enforcement and has hired a third-party firm to assist with the investigation. 10x Genomics states that it was able to restore normal business operations quickly, without impact on daily operations. The company noted it was particularly disappointing that the attack came at a time when researchers around the world are relying heavily on its products to understand and combat COVID-19.

Support Being Provided to Healthcare Organizations

INTERPOL’s CTR team is working with hospitals and other healthcare organizations hit by ransomware to help them defend against attacks and recover.

INTERPOL stated that the ransomware is mainly spread via malicious code in email attachments that triggers a ransomware download when opened. Hyperlinks are also commonly used to direct users to malicious web pages that download the ransomware.

INTERPOL advises healthcare providers to take the following actions to protect their systems from attack and ensure a quick recovery should an attack succeed:

  • Only open emails and download applications from trusted sources
  • Do not click links or open attachments in emails from an unknown sender
  • Set up email security solutions to block spam
  • Back up important files regularly and store the backups separately from your systems
  • Install the latest anti-virus software on all systems and mobile devices
  • Use strong passwords on all system accounts and change them regularly

Attacks are also being conducted by exploiting vulnerabilities in RDP and VPN systems, so it is important to keep all software up to date and apply patches promptly. The Sodinokibi threat group has exploited VPN vulnerabilities in its attacks on healthcare providers.

Stockdale Radiology and Affordacare Urgent Care Clinics Impacted by Ransomware Attacks

Stockdale Radiology based in California announced the compromise of patient data due to a ransomware attack that occurred on January 17, 2020.

According to its internal investigation, the attackers accessed patients’ first and last names, addresses, refund records, and personal health information (PHI), including physician’s notes. Stockdale Radiology stated that the attackers publicly exposed a small number of patient records. Stockdale Radiology also learned on January 29, 2020 that additional patient data had potentially been accessed, though not exposed to the public.

Stockdale Radiology quickly shut down its systems to stop the attackers from accessing further data. A third-party computer forensics company investigated the breach to determine how the attacker gained access to its systems and which individuals were affected. The FBI arrived at Stockdale Radiology within 30 minutes of being notified about the attack and is still investigating the breach.

In response to the attack, Stockdale Radiology reviewed its internal data management and security practices and has made improvements to its cybersecurity to prevent future attacks.

The breach report submitted to the HHS’ Office for Civil Rights website indicated that the breach affected 10,700 patients.

Ransomware Attack at Affordacare Urgent Care Clinics

Affordacare Urgent Care Clinics, based in Abilene, TX, has begun notifying patients about the potential compromise of some of their PHI in a ransomware attack. The healthcare provider discovered the attack on February 4, 2020, but believes it began on or around February 1, 2020.

The breach analysis showed that the attackers accessed the clinics’ servers and deployed Maze ransomware. Before deploying the ransomware, the attackers acquired patient records, part of which they then disclosed publicly.

The compromised servers contained the following types of data: names, addresses, phone numbers, dates of birth, ages, dates of visit, visit locations, reasons for consultation, health insurance provider names, health insurance policy numbers, treatment codes and descriptions, insurance group numbers, and healthcare provider notes. No financial data, Social Security numbers or electronic health records were compromised.

Affected persons were provided with free identity theft protection, credit monitoring, and identity recovery services.

Cyberattacks at Arkansas Children’s Hospital, the University of Kentucky and UK HealthCare

Systems Reboot to Manage ‘Cybersecurity Threat’ at Arkansas Children’s Hospital

Arkansas Children’s Hospital, based in Little Rock, has suffered a cyberattack affecting Arkansas Children’s Hospital and Arkansas Children’s Northwest. The hospital had to reboot its IT systems to contain the cybersecurity threat and engaged an independent digital forensics firm to investigate the incident.

The precise nature of the cyberattack has not yet been reported, and it is not yet known when the incident will be resolved. All Arkansas Children’s Hospital facilities continue to provide patient care, although non-urgent appointments have been rescheduled.

The attack is still under investigation but no evidence of patient data breach has been found yet.

Cryptominer Attack at the University of Kentucky

In February 2020, the University of Kentucky (UK) was struggling to remove malware that had been downloaded to its network. Cybercriminals had gained access to the UK network and installed cryptocurrency mining malware that used the processing power of UK computers to mine Bitcoin and other cryptocurrencies.

The malware caused a massive network slowdown and temporary computer system failures, leading to repeated daily interruptions to day-to-day operations, particularly at UK HealthCare.

After working on the problem for a month, UK is confident that the attack has been resolved. On Sunday morning, UK performed a major reboot of its IT systems that lasted 3 hours. UK believes the cybercriminals have been ejected from its systems, but network monitoring will continue to ensure that external access is blocked. The attacker is believed not to be based in the United States.

UK HealthCare serves more than 2 million patients and operates Good Samaritan Hospital in Lexington, KY as well as the UK Albert B. Chandler Hospital. Although computer systems were significantly affected at times, patient care and safety were not compromised.

A breach investigation was launched with the help of third-party computer forensics specialists. University spokesman Jay Blanton stated that it is difficult to determine whether any sensitive data was accessed or copied. The malware attack is believed to have been carried out specifically to hijack the “vast processing capabilities” of the UK network for cryptocurrency mining.

UK has taken steps to reinforce its cybersecurity, including deploying CrowdStrike security software. More than $1.5 million was spent removing the hackers from the network and strengthening security.

Healthcare Providers Experienced 350% Increase in Ransomware Attacks in Q4 of 2019

A recent report from Corvus reveals a 350% increase in ransomware attacks on healthcare organizations in Q4 of 2019, and there is no indication that the attacks will diminish in 2020. Several attacks have already been reported in 2020 by NRC Health, Pediatric Physician’s Organization at Children’s, Jordan Health, and the accounting firm BST & Co., whose breach affected the Community Care Physicians medical group.

To identify ransomware trends in healthcare, Corvus’s Data Science group analyzed ransomware attacks on healthcare providers from Q1 of 2017 onward. From Q1 of 2017 to Q2 of 2019, healthcare organizations reported an average of 2.1 ransomware attacks per quarter. They reported 7 attacks in Q3 of 2019 and 9 attacks in Q4 of 2019. Corvus found that U.S. healthcare organizations reported more than two dozen ransomware attacks in 2019 and forecasts at least 12 ransomware attacks in Q1 of 2020.

Other cybersecurity companies have reported similar findings showing an increase in healthcare ransomware attacks in the second half of the year. Emsisoft’s report indicated that 764 U.S. healthcare providers were affected by ransomware attacks in 2019.

The Corvus report notes that the attack surface of healthcare organizations is smaller than the web average, which should make them easier to defend; nevertheless, attacks continue to succeed, indicating that healthcare organizations are struggling to block the main attack vectors cybercriminals use to deliver their ransomware payloads.

The two primary ways threat actors gain access to healthcare networks and deploy ransomware are email and Remote Desktop Protocol (RDP). Threat actors scan for healthcare organizations with exposed RDP ports and use brute force attacks to guess the passwords. Corvus determined that an exposed RDP port increases the likelihood of a ransomware attack by 37%. Healthcare providers had an average of 9 open ports, with hospitals having the fewest and medical groups the most.
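The RDP password guessing described above leaves a recognizable trail in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive) from one source address, often against many different usernames, sometimes followed by a successful logon (event 4624) from the same address once a password is guessed. The following is an added example, not code from the original article or from the Corvus report, showing how that pattern can be detected over a handful of constructed log lines. It assumes the events have been forwarded as one JSON object per line with the field names used below; the timestamps, usernames and IP addresses are placeholders.

```python
"""
Detect RDP password-guessing from Windows Security event log entries.

Added example, not part of the original article or the Corvus report.
Assumptions: events are supplied as one JSON object per line with the
fields shown below (a simplified rendering of what a log forwarder emits);
event 4625 is a failed logon, 4624 a successful one, and logon type 10 is
RemoteInteractive (RDP). The sample lines are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real events).
SAMPLE_LOG = """\
{"time": "2019-10-02T03:10:01Z", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"}
{"time": "2019-10-02T03:10:03Z", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.45"}
{"time": "2019-10-02T03:10:04Z", "event_id": 4625, "logon_type": 10, "user": "radiology", "src_ip": "203.0.113.45"}
{"time": "2019-10-02T03:10:06Z", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.45"}
{"time": "2019-10-02T03:10:07Z", "event_id": 4625, "logon_type": 10, "user": "scanner", "src_ip": "203.0.113.45"}
{"time": "2019-10-02T03:10:09Z", "event_id": 4624, "logon_type": 10, "user": "scanner", "src_ip": "203.0.113.45"}
{"time": "2019-10-02T08:00:00Z", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.12"}
{"time": "2019-10-02T08:00:30Z", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.12"}
{"time": "2019-10-02T08:01:00Z", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.5.12"}
{"time": "2019-10-02T08:05:00Z", "event_id": 4625, "logon_type": 2, "user": "nurse1", "src_ip": "10.0.5.40"}
"""

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10


def parse_events(text):
    """Parse one JSON event per line into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside `window`.

    Returns a dict: src_ip -> {"failures", "distinct_users", "followed_by_success"}.
    A success from the same IP after the burst is the signal that most
    deserves an immediate response: the password was likely guessed.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == RDP_LOGON_TYPE:  # only RDP sessions are of interest here
            by_ip[ev["src_ip"]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]
        start = 0
        for end in range(len(failures)):  # sliding window over sorted failures
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = failures[start:end + 1]
                last_fail = burst[-1]["time"]
                success = any(
                    e["event_id"] == SUCCESSFUL_LOGON and e["time"] >= last_fail
                    for e in evs
                )
                alerts[ip] = {
                    "failures": len(burst),
                    "distinct_users": len({e["user"] for e in burst}),
                    "followed_by_success": success,
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

With the constructed input, only 203.0.113.45 is flagged: five failures against five different accounts within seconds, followed by a successful logon, which is the password-spray-then-login sequence that precedes most RDP-borne ransomware deployments. The two failures from 10.0.5.12 (one user mistyping a password) and the console logon from 10.0.5.40 stay below the threshold or are not RDP at all. The threshold and window are tuning knobs; the distinct-user count is what separates a spray from a forgetful user.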

Email was the primary attack vector, used in the majority of ransomware attacks on healthcare providers: 91% of ransomware attacks started with a phishing email.

Email security solutions can scan emails, attachments and hyperlinks to detect and block email-based threats, yet 75% of hospitals have not deployed such tools, and only 14% of healthcare providers overall have implemented email scanning and filtering.

Corvus’s study indicates that if healthcare organizations adopted email scanning and filtering tools, ransomware attacks could fall by 33%. The risk can be reduced further by giving employees regular security awareness training so they can recognize phishing emails and malware. Email authentication (SPF, DKIM and DMARC) should also be enforced so that spoofed messages purporting to come from the organization’s own domain are rejected. If email credentials are compromised, two-factor authentication can prevent the stolen credentials from being used to access internal resources.
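“Enforcing” email authentication means more than publishing records: an SPF record that ends in +all, or a DMARC record with p=none, tells receiving mail servers to accept or merely report spoofed mail rather than block it. The following is an added example, not code from the original article or the Corvus report, that evaluates a domain’s SPF and DMARC records for those weaknesses. To run offline it takes the TXT record strings as input; in practice they would be fetched by a DNS lookup of the domain and of _dmarc.<domain>. The two record sets below are constructed (the .invalid domain names are placeholders), one weak and one hardened.

```python
"""
Check whether a domain's published email authentication policy would
actually cause spoofed mail to be rejected.

Added example, not from the original article or the Corvus report.
It evaluates SPF and DMARC TXT records passed in as strings, so it runs
offline; the records below are constructed for illustration and the
domain names are placeholders.
"""
import re

# Constructed sample records: a weak configuration and a hardened one.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.example-mailer.invalid +all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@clinic.invalid",
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:_spf.example-mailer.invalid -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@clinic.invalid; adkim=s; aspf=s",
}

# SPF terms that cost a DNS lookup; receivers permerror above 10 of them.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|exists|ptr|redirect)(?=[:=/]|$)")


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; pct=100' into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def evaluate_email_auth(records):
    """Return a list of (severity, message) findings for the given records."""
    findings = []
    spf = records.get("spf")
    dmarc = records.get("dmarc")

    # SPF: the final 'all' mechanism decides what happens to senders that
    # match nothing else. '+all' authorises every host on the internet.
    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append(("high", "no SPF record published"))
    else:
        mechanisms = spf.split()[1:]
        terminal = mechanisms[-1].lower() if mechanisms else ""
        if terminal in ("+all", "all"):
            findings.append(("high", "SPF ends in +all: any host may send as this domain"))
        elif terminal == "?all":
            findings.append(("medium", "SPF ends in ?all (neutral): no enforcement"))
        elif terminal == "~all":
            findings.append(("low", "SPF ends in ~all (softfail): move to -all once senders are known"))
        elif terminal != "-all":
            findings.append(("medium", "SPF has no terminal 'all' mechanism"))
        lookups = sum(1 for m in mechanisms if LOOKUP_TERM.match(m.lower()))
        if lookups > 10:
            findings.append(("medium", "SPF exceeds the 10-lookup limit; receivers will permerror"))

    # DMARC: only p=quarantine or p=reject tells receivers to act on failures.
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        findings.append(("high", "no DMARC record published"))
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append(("high", "DMARC p=none: spoofed mail is reported, not blocked"))
        elif policy == "quarantine":
            findings.append(("low", "DMARC p=quarantine: spoofed mail is junked rather than rejected"))
        elif policy != "reject":
            findings.append(("high", "DMARC policy tag missing or invalid"))
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
        if policy in ("quarantine", "reject") and pct < 100:
            findings.append(("medium", f"DMARC applies to only {pct}% of failing mail"))
        if "rua" not in tags:
            findings.append(("low", "no DMARC aggregate reporting address (rua)"))
    return findings


def is_enforcing(records):
    """True when no finding of high or medium severity was raised."""
    return all(sev == "low" for sev, _ in evaluate_email_auth(records))


if __name__ == "__main__":
    for name, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(name, "enforcing" if is_enforcing(recs) else "NOT enforcing", evaluate_email_auth(recs))
```

The weak set produces two high-severity findings (+all and p=none) and the hardened set none. The check deliberately treats p=quarantine and ~all as acceptable interim states rather than failures, since most organizations move to reject/-all only after reviewing DMARC aggregate reports, which is why a missing rua address is also flagged.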

Recovery of NRC Health From Ransomware Attack

A ransomware attack on NRC Health on February 11, 2020 affected some of the company’s computer systems. NRC Health provides patient survey services and software to more than 9,000 healthcare organizations, including 75% of the largest hospital systems in the U.S.A. and Canada.

NRC Health promptly took action to limit the damage by shutting down its entire environment, including its client-facing websites. A leading computer forensics firm was hired to determine the nature and scope of the ransomware attack, and the incident was reported to the Federal Bureau of Investigation.

The NRC Health website states that it collects information from more than 25 million healthcare consumers in the U.S.A. and Canada every year. NRC conducts patient surveys on behalf of its clients to measure how satisfied patients are with the services they received. That data is used to improve patient care and determines the level of Medicare reimbursement healthcare providers receive under the Affordable Care Act. Patient satisfaction scores are also used to set the pay of executives and physicians.

NRC Health said it had made substantial progress in restoring customer access to its systems and services and expected systems to be fully recovered within the next few days. NRC Health has already notified its healthcare clients about the attack and is providing daily updates until the incident is fully resolved.

The notifications of NRC Health stated that the preliminary investigation findings indicate no compromise of any patient information or sensitive client information.

Ransomware attacks on healthcare companies have risen over the past year after declining in 2018. Several threat groups now steal patient information before deploying ransomware in order to pressure victims into paying. According to a recent analysis by Comparitech, 172 ransomware attacks on healthcare organizations have been launched since 2016, at a cost to the sector of around $157 million.

Enloe Medical Center’s EMR Downtime Because of Ransomware Attack

A ransomware attack on Enloe Medical Center in Chico, CA two weeks ago is still keeping the California healthcare provider’s medical record system out of action.

Enloe Medical Center identified the attack on January 2, 2020. The ransomware encrypted its entire network, including the electronic medical record (EMR) system, leaving staff unable to access patient information. The provider immediately activated emergency protocols to continue providing care, and only a few elective procedures had to be rescheduled.

The attack also took the telephone system down on the day it occurred. Enloe Medical Center restored the telephone system the following day, but its EMR system remained unavailable. In the meantime, staff have been recording patient data with pen and paper.

Although some appointments were canceled in the week after the attack, Enloe Medical Center says patients are being treated as promptly as possible while its technical team restores systems. The type of ransomware used has not been publicly disclosed; however, the initial findings of the investigation indicate that no patient data was compromised.

Enloe’s chief financial officer, Kevin Woodward, said that the company took immediate steps to restore critical operating systems and secure the network as soon as it learned of the incident. At this time, there is no evidence that patient medical data was compromised. Enloe has reported the ransomware attack to local and federal law enforcement and the investigation is ongoing.

Ransomware attacks increased steadily throughout 2019 and are unlikely to slow down. In addition to encrypting files, a number of ransomware gangs have adopted a new tactic to improve their chances of being paid: they steal sensitive data before deploying the ransomware.

Recent attacks have used a variety of ransomware families, including MegaCortex, Maze, LockerGoga, and Sodinokibi, with the attackers stealing data before encryption. The groups behind Maze and Sodinokibi have threatened to expose the stolen data if the ransom is not paid, and have followed through by publishing sensitive data when victims refused.

Data Breaches at North Ottawa Community Health System and Center for Health Care Services

North Ottawa Community Health System (NOCH) discovered that an employee at North Ottawa Community Hospital in Grand Haven, MI had accessed patients’ medical records without authorization over a period of around 3 years.

Another employee reported the matter to the health system on October 15. Two days later, an investigation into the alleged inappropriate access was launched and the employee was suspended pending its findings.

On November 25, 2019, NOCH confirmed that the employee had accessed the records of 4,013 patients without authorization between May 2016 and October 2019. There was no apparent pattern to the access; patient records appear to have been viewed at random.

No evidence was found to suggest that any patient information was stolen. NOCH believes the employee accessed the records purely out of curiosity.

The information potentially viewed includes names, birth dates, Social Security numbers, Medicaid and Medicare numbers, medical insurance details, and certain health data. NOCH has offered one year of free credit monitoring and identity theft protection services to any patient whose Social Security number was viewed.

All staff members have received additional training on NOCH’s medical record access policies, and employee access to patient records has been tightened.

NOCH has reported the breach to the Department of Health and Human Services’ Office for Civil Rights, which will determine whether further action against the employee is warranted for the HIPAA violation.

Center for Health Care Services’ Computer Systems Shutdown Due to Cyberattack

A cyberattack on the Center for Health Care Services (CHCS) in San Antonio, TX over the holiday period forced it to take its computer systems offline.

CHCS provides healthcare services to people with mental health conditions, developmental disabilities, and substance use disorders. It operates a number of walk-in clinics and outreach centers in the San Antonio area.

After federal officials notified CHCS of the cyberattack, its IT team determined that only one server had been affected. As a precaution, CHCS shut down its computer systems. The IT department has begun restoring them, and systems will be brought back online one at a time, starting with its largest clinics. The work may take several days.

The cyberattack is part of a larger campaign that began before the holidays. It is not yet known how many organizations were affected.

Malware Infection on New Mexico Hospital Imaging Server

The radiology department of Roosevelt General Hospital in Portales, New Mexico identified malware on a digital imaging server that may have allowed cybercriminals to access the radiological images of about 500 patients.

The malware infection was identified on November 14, 2019 and prompt action was taken to isolate the server, prevent further unauthorized access and block communication with the attackers’ command and control server. The IT team removed the malware, rebuilt the server and restored all patient data. A vulnerability scan was then performed, and the hospital is now satisfied that the server is secure.

The breach investigators found no evidence that the hackers viewed or stole protected health information (PHI) or medical images; nevertheless, unauthorized access and theft of PHI cannot be ruled out.

The investigation is still in progress, but the hospital’s IT team has confirmed that only the imaging server was affected; its medical record and billing systems were not involved. The information potentially compromised includes names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, health insurance information, medical information and patients’ genders.

All patients whose information was accessible through the server have been notified by mail and advised to monitor their credit reports for signs of fraudulent activity. To date, the hospital has received no reports of patient information being misused.

The Department of Health and Human Services’ Office for Civil Rights has not yet listed the incident on its breach portal, so the exact number of patients affected is not yet known. According to RGH Marketing and Public Relations Director Jeanette Orrantia, the hospital submitted its breach report to OCR within 60 days of discovering the incident.

Data Breaches at Cancer Center of Hawaii and Zuckerberg San Francisco General Hospital

A ransomware attack on the Cancer Center of Hawaii in Oahu on November 5, 2019 forced the shutdown of its network servers and temporarily prevented radiation treatment from being provided to patients at Pali Momi Medical Center and St. Francis’ hospital in Liliha.

Although patient services were disrupted, the center is confident that the attackers did not access any patient data. The investigation is continuing, but all data stored on the radiology machines has been recovered and the network is operational again.

It is not known how long the network was offline, and information about the types of patient information potentially compromised is not yet available.

The Cancer Center has notified the FBI of the breach. If the forensic investigators determine that hackers gained access to patient data, the appropriate authorities will also be notified.

The breach only affected the Cancer Center’s systems. St. Francis’ hospital and Pali Momi Medical Center were not impacted, as their patient record systems are separate from the Cancer Center’s.

Zuckerberg San Francisco General Hospital’s Improper Disposal Incident

Zuckerberg San Francisco General Hospital informed 1,174 patients about the improper disposal of meal tickets containing their protected health information (PHI).

The PHI printed on the meal tickets included patients’ full names, their bed and unit in the hospital, birth month, dietary requirements, and food selections. Meal tickets are supposed to be placed in confidential waste bins for shredding; instead, the tickets were disposed of with the regular garbage.

The breach occurred because one staff member was unaware that the meal tickets had to be shredded. The San Francisco Department of Health learned of the improper disposal on November 15, 2019; the tickets had been discarded incorrectly from June 18 to November 4. After the breach was discovered, the staff member was instructed to follow the correct procedures for disposing of sensitive information.

Ransomware Attack on Large Canadian Medical Testing Company Potentially Impacts 15 Million Customers

LifeLabs in Toronto, one of Canada’s largest medical testing and diagnostics firms, has reported a serious data breach. Hackers potentially accessed the personal and health data of about 15 million people, most of whom live in British Columbia and Ontario. Given the number of individuals potentially affected, this is one of the largest healthcare ransomware attacks to date. The privacy commissioners of the two provinces described the incident as extremely troubling because of its scale.

After gaining access to its systems, the attackers deployed ransomware and encrypted a substantial amount of client information. Investigators are still examining the attack, so it is not yet certain what data was stolen. It has been confirmed, however, that the attackers accessed parts of the system containing test results from 2016 and earlier for about 85,000 Ontarians. There is no evidence that current test data, or test data from clients in other provinces, was accessed.

Some of that test data is highly sensitive health information that attackers could use for blackmail. The compromised information includes names, dates of birth, email addresses, usernames, passwords, and health card numbers. So far there is no indication that the data has been misused or posted online, and the preliminary findings of the investigation suggest the risk to clients is low.

It is not clear whether LifeLabs had backups from which the data could be restored, but the company chose to pay the ransom. LifeLabs has not disclosed the amount. Chief executive officer Charles Brown said the company wanted the data back and believed paying was the right decision in its customers’ best interests.

Cybersecurity and computer forensics specialists are securing LifeLabs’ systems and determining the full extent of the attack. It may take more time to establish whether the attackers stole any customer data.

The attack is believed to have begun on or before November 1, 2019, but was not made public until December 17, 2019. LifeLabs has notified the affected individuals and offered them 12 months of free credit monitoring and identity theft protection services.

Ransomware Attack on Hackensack Meridian Health

A recent cyberattack on Hackensack Meridian Health, New Jersey’s largest health network, resulted in ransomware being deployed on its network. The ransomware encrypted files and took the network offline for two days.

Without access to its computer systems and health records, Hackensack Meridian Health had to cancel non-emergency procedures, and physicians and nurses reverted to pen and paper to continue caring for patients.

Hackensack Meridian Health detected the attack immediately and notified law enforcement and government authorities. Cybersecurity specialists were consulted on the best course of action. The health network initially attributed the outage to external technical problems so as not to interfere with the investigation; it later confirmed that a ransomware attack had occurred.

Recovering from the attack would have meant restoring the encrypted files from backups and rebuilding computer systems, which could have taken many weeks. To avoid prolonged disruption to patient services, the provider decided to pay the ransom. A Hackensack Meridian Health spokesperson said it was the network’s obligation to protect its communities’ access to medical care.

Hackensack Meridian Health did not disclose the amount of the ransom, but confirmed that its cybersecurity insurance policy will cover part of the cost of the ransom payment and the remediation work.

Hackensack Meridian Health has announced that its primary clinical systems are now fully operational, although other parts of the network may take a few more days to come back online.

Several healthcare providers and business associates have also reported ransomware attacks in the last few weeks. Last week alone, the Cancer Center of Hawaii reported an attack that forced it to postpone patients’ radiation treatments, and a Colorado business associate reported a ransomware attack that affected more than 100 dental practices.

In its most recent cybersecurity newsletter, the HHS’ Office for Civil Rights explains how HIPAA compliance can help prevent ransomware attacks and ensure that healthcare organizations can recover quickly when attackers do breach their defenses.

Insider Data Breach at Nebraska Medicine and Phishing Attack at Presbyterian Healthcare Services

Nebraska Medicine has discovered that an employee accessed patients’ medical records without a legitimate work reason over a period of roughly three months.

Nebraska Medicine discovered the privacy violation during a routine audit of its medical record system. The audit revealed that the employee first accessed patient records on July 11, 2019 and continued to do so until October 1, 2019, when the violations were detected.

On discovering the breach, Nebraska Medicine took steps to prevent further unauthorized access while the matter was investigated. The employee was dismissed the day after the privacy violations were discovered.

According to a statement from Nebraska Medicine, affected individuals have been notified by mail, and anyone whose Social Security number was potentially compromised has been offered 12 months of complimentary credit monitoring as a precaution.

Nebraska Medicine believes that no sensitive information was or will be misused, suggesting that the employee accessed the records out of curiosity. The number of individuals affected has not yet been disclosed.

The breach notification letter sent to affected patients states that the information potentially accessed includes names, addresses, birth dates, Social Security numbers, medical record numbers, driver’s license numbers, clinical data, physicians’ notes, lab test results and medical images.

Phishing Attack at Presbyterian Healthcare Services

In August 2019, Presbyterian Healthcare Services announced that several employees’ email accounts had been compromised in a phishing attack.

Presbyterian Healthcare Services discovered the breach on June 9. Investigators initially determined that the affected accounts contained the protected health information (PHI) of 183,370 patients, and notifications were sent on that basis while the investigation continued. Presbyterian Healthcare Services has now found that the breach was larger than first thought: the compromised email accounts contained the PHI of 276,000 patients.

Additional notification letters were sent to patients on November 25. The notices stressed that there is no evidence that any PHI was accessed, downloaded or misused, and that only the email system was affected; the attackers had no access to medical records or the billing platform.

Ransomware Attack Impacts 107,000 Ferguson Medical Group Patients

Saint Francis Healthcare System has announced that Ferguson Medical Group’s computer network was hit by a ransomware attack.

The attack occurred on September 21, 2019, before Saint Francis Medical Center acquired the Sikeston, MO-based medical group. Saint Francis Healthcare learned of the ransomware attack on the day it occurred.

According to the notice posted on Saint Francis Healthcare’s website, the attackers encrypted the medical records of Ferguson Medical Group patients who received care before January 1, 2019. Saint Francis Healthcare reported the incident to the Federal Bureau of Investigation and immediately took steps to isolate the affected systems.

The attackers demanded a ransom in exchange for the decryption keys. Saint Francis Healthcare decided not to pay and instead restored files from backups, since there was no assurance that the attackers would supply working decryption keys, among other concerns.

Although most files were recovered, some data was permanently lost. The unrecoverable records include any scanned documents stored on the systems and the healthcare records of patients who received Ferguson Medical Group services between September 20, 2018 and December 31, 2018.

Analysis of the attack found no evidence that the attackers obtained files containing patients’ protected health information (PHI) before encrypting them, and no reports of patient information being misused have been received. Nevertheless, unauthorized access and data theft cannot be ruled out, so Saint Francis Healthcare has offered affected patients free credit monitoring and identity theft protection services.

The incident is now listed on the breach portal of the Department of Health and Human Services’ Office for Civil Rights, where the breach summary states that 107,054 Ferguson Medical Group patients were affected. The number of patients who lost some or all of their health records as a result of the attack was not disclosed.