Most Popular Malware Variants in 2021

The U.S. Cybersecurity and Infrastructure Security Agency has released a listing of the top malware variants discovered in 2021. Threat actors use malware to attack devices, allowing them an entry point into devices and systems to do a variety of nefarious activities. Malware is detrimental to sabotage systems, for instance, wipers that erase all information in systems. The surge in the price of cryptocurrencies resulted in a growth in the usage of cryptocurrency miners that hijack the information of systems for mining cryptocurrencies. Worms and other malware can breach one device and likewise self-propagate and affect all other vulnerable gadgets on a system.

Recently, the use of ransomware greatly increased. Ransomware encrypts data on attacked systems to make information inaccessible. Ransom demand is sent to the victim in exchange for the decryption keys. The majority of ransomware variants support information exfiltration. Before encryption, files are stolen. The ransom payment should then be given to decrypt files and also to stop the public posting or sale of the stolen information. Although ransomware is a kind of malware, it is usual for threat actors to use it like the Remote Access Trojans (RATs) to obtain preliminary access to systems, and sell the access to ransomware groups.

Malware is downloaded utilizing different attack vectors. Malware is often sent through email, upon the exploitation of vulnerabilities in Remote Desktop Protocol, and by taking advantage of identified vulnerabilities in software programs. Preliminary access to accounts may be obtained by using brute force tactics to figure out weak credentials. Because of different attack vectors, there is no one cybersecurity control that could be employed to prevent all malware attacks. It must additionally be mentioned that although antivirus software program can identify malware according to malware signatures available in the definition lists of the software program, it can’t prohibit malware except if the signature is found in the definition list. Different variants of malware are launched, and small adjustments could be all that are needed to avert antivirus remedies.

In 2021, the most popular types of malware employed in attacks are banking Trojans, remote access Trojans, malware, and information stealers. The leading malware variants were:

Information Stealers – Agent Tesla, AZORult, Formbook, NanoCore
Information Stealer and Banking Trojan – Ursnif
Trojon Information Stealer – LokiBot
Ransomware dropper – MOUSEISLAND
Banking Trojan – Qakbot – This is often utilized for reconnaissance and information exfiltration, and sending more malware payloads
Remcos – Remote management and pen testing tool employed to develop a backdoor in system of victims
Banking Trojan cum botnet cum malware dropper – TrickBot
Malware loader – GootLoader

These malware variants have been employed in attacks for many years and have progressed to become more elusive and offer them new functionality. AZORult, Agent Tesla, Formbook, NanoCore, LokiBot, TrickBot, and Remcos have all been employed for over 5 years, whereas Qakbot and Ursnif have been used for over 10 years.

Besides giving malware gangs access to victims’ systems, TrickBot and Qakbot work as malware droppers and were broadly employed to provide ransomware groups such as Conti with systems access. The Conti group is recognized to have performed a minimum of 450 ransomware attacks in the first 6 months of 2021. All through 2021, the malware variants Agent Tesla, Formbook, and Remcos were substantially used in phishing emails, exploiting the pandemic and making use of COVID-19-inspired baits.

Mitigations

CISA has given a listing of proposed mitigations for preventing malware threats and minimizing the effect of successful attacks, the most critical of which are to update software programs and patch immediately, implement multifactor authentication, protect and keep track of RDP and other possibly dangerous services, and give consumer security awareness instruction.

Ransomware Attacks Lower by 23% Worldwide Yet Higher by 328% in Healthcare

SonicWall has updated its mid-year 2022 Cyber Threat Report, which shows the worldwide cyberattack developments in H1 of 2022. The information for the report was gathered from over 1.1 million worldwide sensors in 215 nations and reveals a global drop in ransomware attacks, with a significant rise in malware attacks. This trend is a first in three years.

Ransomware

SonicWall states a 23% drop in ransomware attacks worldwide in H1 of 2022 with only 236.1 million attempted attacks. The downhill trend continues for the past four quarters. The lowest number of ransomware attacks was in June 2022. Although ransomware attacks decreased overall, that isn’t true for the healthcare sector with 328% higher attacks in H1 2022.

Although the decrease in attacks is good news, it ought to be mentioned that the year-to-date numbers of ransomware attacks continue to be greater than in 2017, 2018, and 2019. SonicWall documented 707 ransomware attempts on average per client in the first half of 2022 in the U.S.A. SonicWall states that the reduction in attacks is due to the mix of geopolitical forces, unpredictable cryptocurrency rates, and a greater government and law-enforcement emphasis on ransomware groups.

Malware

Ransomware attacks had grown for two years, however, malware attacks are at low figures. 2021 had the lowest malware attacks in 7 years. H1 2022 saw a sharp rise in malware attacks. It is 11% more compared to H1 2021. There were 2.8 billion malware attacks in H1 2022 with 8,240 attempts on average per customer. There was a noticeable increase in new malware variants in 2022, which grew by 45% compared to H1 2021. Cryptojacking has grown by 30% in comparison to H1 2021, despite the sharp drop in the price of cryptocurrencies. Cryptjacking attacks in healthcare dropped by 87%.

The largest upsurge in malware was observed in IoT malware, which grew by 77% from H1 2021 having 57 million detections. That is the maximum rate of detection since SonicWall started tracking the attacks. The number of attacks in H1 2022 was just somewhat less than the total attacks documented in 2021. IoT attacks in America grew by 228% in June while IoT malware attacks on the healthcare sector grew by 123%.

Malicious Files

SonicWall revealed in its mid-year 2021 report that the number of malicious Office files dropped by 54% and malicious PDF files dropped by 13%. However, the decrease in number was brief, as this year saw a boost in detections of malicious files. In the H1 of 2022, malicious Office file detections went up by 18%, while malicious PDF file detections grew by 9%. Currently, 18% of malicious file types are PDF files, while 10% are Office files and over 84% are Excel files. 64% of malicious Excel files are Excel Macro 4.0 (XLM) files. Executable files remain the most popular malicious file types, with over 33% of malicious files.

Encrypted Attacks

SonicWall noticed a 132% rise in encrypted attacks in H1 2022, which is a continuation of the past two years’ trends. May 2022 had the second highest number of malware over HTTPS ever documented. Encrypted threats were most common in the U.S., which is 41% of the worldwide volume, having a 284% growth over the equivalent period in 2021. There was a 6% drop in encrypted attacks in healthcare.

Intrusion Attempts

Intrusion attempts increased by 18% worldwide in H1 2022, however, the number of malicious intrusions dropped by 19%. In North America, there was a rise in intrusion attempts yet the attacks seem to have reached the maximum in June. Intrusion attempts grew by 39% in the healthcare sector, 46% in government, and 200% in the retail industry. Despite these surges, the H1 2022 statistics are less than in 2021.

Survey Shows Bad Practices in Cyber Security and Poor Password

The majority of Americans are certain regarding their knowledge of cybersecurity based on a newly released AT&T survey of 2,000 Americans. However, bad cyber hygiene and poor password routines continue to be prevalent. OnePoll conducted the survey on behalf of AT&T and discovered that 70% of respondents felt they were proficient concerning cybersecurity with 69% stating they were assured in their capability to be able to recognize suspicious websites quickly, but the typical person still lands on a suspicious online page or social media page 6.5 times a day.

When asked about Internet use, merely 39% of participants claimed they knew that online sites could download malware to their computers and merely 45% stated they were aware that suspicious websites can bring about identity theft. 54% did not know the difference between an active threat – one that demands some user action – and an inactive threat – where a device is attacked without any activity from the user.

Though thinking they could distinguish suspicious online sites, for example, unverified internet sites, HTTP sites, and websites having a lot of pop-ups, the potential security threats from accessing those internet sites were frequently overlooked. 38% of respondents stated they go to those websites for streaming sporting events, 37% utilize the internet sites to download music and video games that are not easy to get, and 36% reported they would check out those sites if they have good discounts on purchases.

The risks due to bad cybersecurity practices are not only theoretical. Poor cyber hygiene is taken advantage of by threat actors and often allows compromise of accounts. When asked about threat experiences, 45% of respondents mentioned they had received a telephone call from somebody saying to be from the government and 36% of participants mentioned they would reply to communication if it looked like it came from an official company.

Under 40% of people consider the security problems of accessing the Web such as potential device or network attacks, malicious applications, or malware downloads. The number of survey respondents affected by password security risks is worrying. One of the biggest password security errors is utilizing the same password on several accounts. When passwords are obtained during a data breach of an organization, a credential stuffing attack may be done that would permit access to every account where that password has been utilized. 42% of survey respondents mentioned they reuse passwords across various accounts.

The best practice for creating passwords is to utilize a mix of numbers, upper and lower-case letters, and symbols, and to refrain from using personal data in passwords. 31% of participants confessed they use their birthday as their password, although many people will know the details and even find it on social media profiles pages. The survey additionally revealed that 34% of men and women are reactive and not proactive with regards to password security, and would just modify a password if they receive a security advisory regarding an attempt to access their account via an unrecognized IP address. These bad password practices continue even if a lot of people assert they know about cybersecurity, and password managers are extensively offered for free or at a low price that can significantly enhance password security.

These bad cyber practices ought to be a concern for companies. In case individuals are lax concerning personal security in spite of knowing the threats of identity theft and fraud, it is probable that those poor practices may likewise happen at work. Employers must make sure they offer regular security awareness training to show their workers how taking risks like these could put the company in danger.

Tenet Healthcare Cyberattack Resulted in $100 Million Unfavorable Effect in Q2 of 2022

Tenet Healthcare lost $100 million in income and mitigation expenses because of a cyberattack and data breach in Q2, 2022. Tenet Healthcare based in Dallas, TX is one of the biggest healthcare companies in the U.S. operating 65 hospitals and over 450 healthcare centers across the United States through its brands and subsidiaries. Last April 2022, Tenet encountered a cyberattack that prompted serious interruption to its IT programs and acute care procedures for a few weeks. The attack compelled the employees to work using pen and paper throughout the recovery phase, and at least one impacted hospital needed to briefly reroute ambulances to other hospitals. The attack likewise interfered with its telephone system, so doctors had to leave the building to make telephone calls. The cyberattack started on April 20, 2022 and impacted at least two hospitals. Tenet didn’t give to the public any details of the attack like whether it involved ransomware.

Based on Tenet’s Q2 2022 revenue report shows that the attack has got a $100 million unfavorable EBITDA (earnings prior to interest, taxes, amortization, and depreciation) effect. Adjusted admissions dropped by 5.3% year-over-year, with total admissions decreasing 8% from Q2 of 2021, and same-hospital net patient service income dropped 0.2% because of the cyberattack. Over the quarter, Tenet had a lower income of 68% in comparison to Q1 of 2021, which dropped to $38 million, and its operating income dropped by 6.4% to $4.6 million for the quarter. The attack was furthermore partially the reason for a 2.8-day growth in its outstanding accounts receivable.

CEO Saum Sutaria of Tenet mentioned that IT systems at the impacted hospitals needed to be completely rebuilt, and although the cyberattack had a considerable business and financial effect, Tenet continued to have a strong quarter. Sutaria stated the company got enough cybersecurity insurance coverage which helped to minimize the overall financial effect of the cyberattack. Its insurance plan covered $5 million in Q2 of 2022. Tenet shouldered a substantial cost because of the attack, however, it is similar to other cyberattacks like the Scripps Health ransomware attack. Five hospitals and 19 outpatient centers were affected, which resulted in $112.7 million in lost income and remediation expenses.

Tenet will additionally need to take care of other costs including the class action lawsuit filed against it in Florida in June. Allegedly, Tenet didn’t use enough security measures to secure against cyberattacks and didn’t give enough notifications to impacted persons. The lawsuit additionally claims that notification letters were not sent to all persons impacted by the data breach.

Cyber Safety Review Board States Log4j Vulnerabilities Endemic and Will Continue for Years

The Cyber Safety Review Board (CSRB), created by President Biden in February 2022, has released a report about the Log4j vulnerability (CVE-2021-44228) and related vulnerabilities that were found in late 2021. The vulnerabilities impact Log4j, the open source Java-based logging tool. CSRB states that they are very prevalent and will probably stay in a lot of systems for a long time.

The Log4j vulnerability could be exploited remotely to do code execution on susceptible systems and was designated a maximum CVSS severity score of 10 out of 10. Based on the report, the vulnerabilities are considered one of the most serious to be identified in the past few years.

The CSRB consists of 15 cybersecurity heads from the private industry and government and was designated to conduct reviews of big cybersecurity occurrences and make suggestions for bettering public and private segment cybersecurity. The Log4J vulnerability report is the first to be publicized by the CSRB.

According to Secretary of Homeland Security Alejandro N. Mayorkas, the country’s cybersecurity is at a critical juncture, as the ability to deal with risk is not keeping pace with developments in the digital space. Thus, the Cyber Safety Review Board is an institution seeking to improve cyber resilience in unprecedented means. The CSRB’s first-of-its-kind evaluation has provided the government and the industry with clear, actionable advice that DHS can help put into action to reinforce cyber resilience and enhance the public-private relationship that is so essential to collective security.

For the Log4j vulnerability evaluation, the CSRB engaged with about 80 organizations to have a knowledge of how the vulnerability is being mitigated, so as to develop actionable recommendations to avoid and successfully respond to future incidents similar to this.

The report is divided into three sections, offering factual details regarding the vulnerability and what took place, the results and conclusions according to the evaluation of the information, and a list of suggestions. The 19 actionable recommendations are split into four categories: Deal with the ongoing threats from theLog4j vulnerabilities; drive current best practices for safety hygiene; create a better software system; and investments in the future.

One of the most crucial recommendations is to make and keep an accurate IT asset inventory, as vulnerabilities cannot be resolved if it is unfamiliar where the vulnerabilities are found. It is important to have a complete software bill of materials (SBOM) that has all third-party software parts and dependencies utilized in software solutions. One of the greatest issues with dealing with the Log4j vulnerabilities is understanding which products were affected. The report additionally suggests that enterprises develop a vulnerability response plan and a vulnerability disclosure and handling process and recommends the U.S. government to inspect whether a Software Security Risk Assessment Center of Excellence is practical.

This is the first time the industry and government cyber leaders joined together like this to evaluate serious incidents, find out what happened, and advise the entire community on how to do much better later on.

Data Breaches Reported by University Pediatric Dentistry, Eye Care Practices, OrthoNebraska, and Michigan Avenue Immediate Care

University Pediatric Dentistry based in Buffalo, NY, has begun informing 6,843 patients about the exposure of some of their protected health information (PHI) because of an email security incident.

The provider secured its email system right away after detecting the breach. Forensic specialists confirmed that an unauthorized third party accessed two email accounts from January 12, 2022 to January 19, 2022. According to University Pediatric Dentistry, it was discovered on April 25, 2022, that the compromised email messages and file attachments contained patient information, which was likely viewed or stolen.

The exposed data included patient names, contact data, birth dates, Social Security numbers, government ID numbers, driver’s license numbers, treatment and diagnosis details, names of providers, patient account numbers, medical record numbers, prescription details, dates of service and/or medical insurance data. The financial account data of some patients were also exposed.

People whose driver’s license numbers or Social Security numbers were exposed received free credit monitoring and identity theft protection services. University Pediatric Dentistry stated that technical security procedures will be put in place to safeguard and keep track of its email system.

Eye Care Leaders Data Breach Impacts Several More Eye Care Practices

The number of eye care centers affected by the data breach at Eye Care Leaders is still growing. Aloha Laser Vision in Hawaii, Mattax Neu Prater Eye Center in Missouri, and Sight Partners Physicians in Washington are among the latest known to be impacted. No less than 33 eye care companies have stated they were affected by the cyberattack and the data of more than 2.9 million people were potentially exposed.

Cyberattack Announced by Michigan Avenue Immediate Care

Michigan Avenue Immediate Care (MAIC) located in Chicago, IL, has just reported a hacking incident by which an unauthorized third-party gained access to its computer system and exfiltrated files that contain sensitive patient information. The cyberattack was identified on May 1, 2022. MAIC confirmed on May 12, 2022 that the files taken from its network included some patient data.

The types of records contained in the files varied from one person to another and may possibly include names, telephone numbers, addresses, dates of birth, Social Security numbers, driver’s license numbers, treatment details, and/or health insurance data. Affected persons were notified via mail and were given complimentary membership to the Experian IdentityWorks Credit 3B service for one year.

The incident is not yet posted on the HHS’ Office for Civil Rights breach website, thus it is currently not clear how many people were impacted.

OrthoNebraska Email Account Compromised

Orthopedic clinic OrthoNebraska located in Omaha, NE has lately reported that an unauthorized individual accessed the email account of an employee. The breach happened in early December 2021 and was discovered because the email account was utilized to send spam emails. An analysis of the affected email account showed that the emails and file attachments included protected health information (PHI) of some patients, and that sensitive information could have been seen or obtained.

The exposed details contained names, demographic data, Social Security numbers, state ID numbers, driver’s license numbers, usernames/passwords, medical insurance, claims information, and medical histories. Impacted persons were informed through the mail and credit monitoring and offered identity theft protection services. Up to now, there was no evidence found that indicates the actual or attempted misuse of any patient information. OrthoNebraska said it has offered additional data security training to the employees and implemented additional safeguards to enhance email security.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

Bipartisan Legislation Presented to Improve Cybersecurity for Medical Devices

A bipartisan bill called The Strengthening Cybersecurity for Medical Devices Act was introduced which requires the U.S. Food and Drug Administration (FDA) to evaluate and revise its policies on the cybersecurity of medical devices more often to make sure devices are secured from cyberattacks and potential hacking.

Sen. Jacky Rosen (D-NV) with co-sponsor Sen Todd Young (R-IN) introduced the bill calling for the Secretary of the Department of Health and Human Services (HHS) and the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to give updated policies on medical device cybersecurity to FDA annually, and for the FDA to give updated policies and recommendations on medical device cybersecurity once every two years. The regularity of updates must be enhanced to make sure the guidelines stay up-to-date, particularly considering the quick-changing threat landscape and the degree to which the healthcare sector is being attacked by cyber threat actors.

Sen Young stated that medical devices are more and more linked to the web or other medical care facility systems to give features that enhance the capability of health care companies to treat individuals. The bill helps to make sure medical devices are secured from cyberattacks and utilized safely and securely so as to minimize threats and vulnerabilities for individual patients.

The bill additionally requires the FDA to publish facts publicly regarding government resources for healthcare experts, medical device producers, and health systems that will enable them to determine and deal with vulnerabilities and to make sure they can acquire proper support. The Strengthening Cybersecurity for Medical Devices Act additionally calls for the Government Accountability Office (GAO) to put together a report about cybersecurity vulnerabilities impacting medical devices and to give suggestions for enhancing government coordination to help cybersecurity for medical devices.

Senator Rosen said that because of growing cyber threats, the health care system’s cyber infrastructure must be strengthened. This bipartisan will make sure that medical devices and systems are updated with the most recent cybersecurity, safeguarding patients and health care networks.

Verizon Data Breach Investigation Report Shows 2021 Data Breach Statistics

For the past 15 years, Verizon has been making annual Data Breach Investigation Reports (DBIR). The report this year confirms just how terrible the last one year has been. Verizon explained the last 12 months as representing an unrivaled year in the history of cybersecurity. The financially inspired crooks and nefarious nation-state actors have seldom if ever, emerge swinging the way they did over the past year, explained Verizon.

The 2022 DBIR was put together along with 87 partner companies utilizing data from 23,896 security incidents. 5,212 of the cases were confirmed data breaches, 849 of the cases assessed in the report happened in the healthcare industry and 571 of those cases resulted in affirmed data breaches.

The report confirms that there was a significant surge in ransomware attacks in 2021, growing by 13% from the prior year. To include some opinion, the growth is bigger than the mixed increases in the past five years. As Verizon remarks in the report that ransomware is simply a means of using access to victims’ systems, however, it has proven to be specifically effective at making money with illegal access to sites and private information. 25% of data breaches in 2021 used ransomware.

The most typical vectors in ransomware attacks entailed the use of stolen credentials, mainly for desktop sharing software programs, which offered initial access in 40% of ransomware attacks. Phishing was the second most popular vector in ransomware attacks, offering preliminary access in 35% of attacks, then the exploitation of vulnerabilities in web programs and direct installs. The substantial percentage of attacks associated with remote desktop software and email shows the value of locking down RDP and protecting email.

The rise in ransomware attacks is worrying, and so is the increase in supply chain attacks, which are the reason for 62% of system interruptions. Supply chain attacks could be carried out by financially driven cyber actors, although quite often they are utilized by nation-state actors to obtain persistent access to systems for spying purposes.

Protecting against cyberattacks demands action be done to deal with the four major ways that result in gaining initial access to systems, which are botnets, phishing, credentials, and exploitation of vulnerabilities. Although insiders can and do bring about data breaches, definitely the primary cause is external actors. Breaches caused by external actors exceed insider breaches by four to 4. Though external attacks are a lot more likely, the median number of records impacted in insider breaches is a lot higher.

Human error continues to play a big part in data breaches. 13% of data breaches were misconfigurations, typically of cloud storage solutions, and 82% of all data breaches assessed in the previous year had a human component. 25% of all breaches in 2021 were due to social engineering attacks, showcasing not just the significance of employing advanced email defenses but additionally giving recurrent security awareness training to the staff.

The top three attack strategies were just like last year, though switching positions. System intrusions took the number one spot, next was web application attacks, and then social engineering. In healthcare, the top causes of data breaches were web application attacks, miscellaneous errors, and system intrusions, which caused 76% of all data breaches.

Verizon mentioned that although insiders have always been a top reason for data breaches in medical care, the growth in web application attacks has resulted in external threats exceeding insiders. Healthcare staff prompted 39% of breaches in 2021, which is significantly greater than the 18% across all other industry groups. Although there will continually be malicious insiders in the healthcare industry, workers are 2.5 times more probable to make a mistake than to maliciously exploit their access to information, with misdelivery and loss the most typical errors made in medical care.

Average Ransom Payment Decreased by 34% in 1st Q of 2022

The average ransom payment associated with ransomware attacks diminished by 34% in Quarter 1 of 2022, from a record high in 4th Q of 2021, based on ransomware incident response company Coveware. The average and median ransom payment in Quarter 1 of 2022 was $211,259 and $73,906, respectively.

The drop in total ransom payments was related to a number of factors. Coveware says ransomware groups were targeting smaller businesses and issuing lesser ransom payments, because of the growing scrutiny by law enforcement whenever attacks are done on large companies. The median organization size is dropping since Quarter 4 of 2020, and is currently with about 160 workers. This seems to be the sweet spot, where the organizations have enough income to get big ransom payments, however not so big that attacks will prompt appreciable scrutiny by authorities.

One more reason why total ransom payments have dropped is the reduced number of victims of ransomware attacks who were paying the ransom. The number of subjects of ransomware attacks that pay the ransom is gradually declining, from 85% of victims in 1st Q of 2019 to 46% of victims in Quarter 1 of 2022. Also, a few of the most well-known ransomware operations had been quiet, like Maze and REvil (Sodinokibi).

LockBit and Conti are the most high profile ransomware operations, accounting for 16.1% and 14.9% of ransomware attacks respectively, then BlackCat/Alphv (7.1%), Hive (5.4%), and AvosLocker (4.8%). Coveware advises that the affiliates who partner with ransomware-as-a-service operations seem to be less eager to work together with large RaaS groups because those groups are usually targeted by law enforcement. It is currently common for affiliates to try scaled-down RaaS operations or possibly make their own ransomware variants using leaked source code.

The most typical attack vectors in ransomware attacks are exploiting unpatched vulnerabilities in software apps and operating systems, phishing, and Remote Desktop Protocol connections. Coveware has seen a rise in other attack vectors as of 2nd Q, 2021, for instance, social engineering and the direct compromise of insiders. Social engineering attacks are comparable to phishing however are remarkably targeted and usually include preparing or grooming targeted staff members before convincing them to give access to the network. There has additionally been a growth in solitary wolf attackers. Coveware knew the development in late 2021, and it has carried on all through the 1st Q of 2022. Attacks by these threat actors are generally carried out on businesses that have much better security than the common ransomware victim, like multi-factor authentication appropriately enabled for all workers and critical resources.

The Maze ransomware operation began utilizing double extortion tactics in late 2019.  That is, data is stolen from victims prior to file encryption. Payment is then demanded for the decryptor and to avoid the publication or sale of stolen information. These tactics were quickly followed by numerous ransomware operations and grew to be the norm, even though there was a fall in attacks concerning encryption and extortion in Quarter 1 of 2022. Double extortion was utilized in 84% of attacks in 4th Q of 2021, and 77% of attacks in 1st Q of 2022. Although double extortion is probably broadly employed in attacks for the near future, Coveware thinks the change from data encryption to data extortion will keep on, because data theft and naming and shaming of affected individuals will only call the interest of authorities. Data theft without encryption leads to no operational interruption yet maintains the capability of the threat actor to extort the affected individual. We anticipate this change from Big Game Hunting to Big Shame Hunting to carry on, explained Coveware in the report.

Coveware warned about giving the ransom demand to avert the posting or selling of data, as there are no guarantees that payment will bring about data deletion. In 63% of attacks wherein a ransom payment was made to stop the publication or selling of stolen information, the attackers gave no proof of data removal. In the rest of the attacks where evidence was offered, it could very easily be faked. When videos, screenshots, live screen shares, or deletion logs are given as proof, victims should have faith that a copy of the information was not made. In one prominent case, a threat actor explicitly stated that the stolen data will not be deleted if paid, and would keep it for future use against the victim, stated Coveware.

Microsoft Sinkholes Infamous ZLoader Botnet

Microsoft’s Digital Crimes Unit (DCU) disabled the well-known ZLoader cybercrime botnet that was utilized to transmit Ryuk ransomware in attacks on healthcare companies. Microsoft recently acquired a court order from the United States District Court for the Northern District of Georgia approving the seizure of 65 hard-coded domains the ZLoader botnet uses for command-and-control communications. Those websites were now sinkholed, stopping the botnet operator from connecting with devices attacked with ZLoader malware.

ZLoader malware contained a domain generation algorithm (DGA) which is activated when it’s not possible to communicate with the hard-coded domains, which works as a failsafe against any takedown attempts. The court order additionally permitted Microsoft to grab 319 DGA-registered domains. Microsoft is taking steps to prohibit the registration of any more DGA domains.

ZLoader is associated with a family of malware variants that came from the ZeuS banking Trojan. In the beginning, ZeuS was employed for credential and financial theft, with the purpose of getting money from victims’ financial accounts. The threat actor behind the malware then started a malware-as-a-service operation to send malware and ransomware to other threat actors like Ryuk.

Ryuk ransomware was broadly utilized in attacks on the healthcare sector since its appearance in 2018, and ZLoader was one way of delivering the ransomware. ZLoader could disable a well-known antivirus solution to avert detection, and the malware was installed on lots of devices, which are mostly in education and medical care.

The takedown of the botnet is substantial; nevertheless, the botnet operators are probably already working to create new command and control infrastructure. Microsoft stated the seizure was a success and resulted in the short-term disabling of the ZLoader system, which has made it harder for the organized criminal gang to carry on with its malicious activities.

The case has been referred to law enforcement, who are monitoring this activity directly and will carry on and work with our partners to keep track of the conduct of these cybercriminals. Microsoft will work together with internet service providers to determine and remediate victims. Microsoft additionally affirmed that it is ready to take further legal action and employ technical procedures to handle ZLoader and other botnets.

Microsoft furthermore named Denis Malikov, who resides in Simferopol on the Crimean Peninsula, as someone who is considered to be accountable for making a component of the malware that was employed for transmitting ransomware. This suggests that cybercriminals are not allowed to hide behind the anonymity of the internet to commit their criminal offenses.

Microsoft mentioned that the cybersecurity firm ESET, Black Lotus Labs, and Palo Alto Networks’ Unit 42 team assisted with its investigation of the ZLoader operation. The Health Information Sharing and Analysis Center (H-ISAC), the Financial Services Information Sharing and Analysis Centers (FS-ISAC), the Microsoft Threat Intelligence Center, and the Microsoft Defender Team also provided additional insights.

Importance of HIPAA Compliance for Healthcare Specialists

Why Healthcare Experts Could Not Avoid HIPAA

One of the goals of HIPAA is to give a federal ground of privacy protections for personally identifiable health information kept by Covered Entities. To accomplish this goal, the Privacy and Security Rules put standards that Covered Entities should adhere to so as to secure the privacy of “Protected Health Information” (PHI). The inability to conform to the HIPAA standards may bring about large financial fines – even if no data breach happens and PHI isn’t exposed.

The majority of healthcare providers are Covered Entities and, therefore, need to enforce guidelines and procedures to adhere to the Privacy and Security Rule criteria. As workers of Covered Entities, healthcare experts should follow their company’s policies and procedures. For this reason, healthcare experts are not able to avoid HIPAA. Nevertheless, this isn’t the sole reason why HIPAA compliance is essential for healthcare experts.

The Advantages of HIPAA Compliance for Healthcare Experts

Trust is very important in a patient/healthcare specialist relationship. Patients rely on their healthcare specialists with personal information about their lives simply because they believe that healthcare specialists work to accomplish the best health results. Nevertheless, trust may be a delicate thing. If their personal details are compromised because of a HIPAA violation, patients may hold back data important to the giving of care in spite of the possible long-lasting effects on their wellness.

Healthcare experts can minimize the risk of breaking trust by following the guidelines and procedures enforced by their company to avoid HIPAA violations. If patients are assured their privacy is being protected, this encourages trust – which results in giving better care so as to realize optimal health results. Better patient results boost the morale of healthcare experts and bring about more gratifying work life.

The Professional and Individual Implications of Noncompliance

One of the guidelines a Covered Entity needs to impose is a sanctions policy for when the noncompliance of members of its staff with HIPAA guidelines and procedures. Covered Entities must implement the sanctions policy and address HIPAA violations by healthcare specialists since, when they don´t implement the sanctions policy, it’s a HIPAA violation by the Covered Entity. In addition, when the Covered Entity doesn’t act, noncompliance could turn into a cultural convention.

Getting sanctioned for a HIPAA violation has professional and individual effects on healthcare specialists. Penalties can vary from spoken warnings to the revocation of professional accreditation – which will make it hard for a healthcare specialist to acquire another work – and, when there’s a criminal conviction because of the noncompliance, it will probably be announced in the press which will have consequences for a healthcare specialist´s personal track record.

Who is Accountable for HIPAA Violations?

As stated earlier, the inability to follow HIPAA is not the healthcare specialist´s fault at all times. Though Covered Entities must give training about policies and procedures that correspond with healthcare specialists´ functions, they might not have the materials to give training on every imaginable situation a healthcare specialist may come across, or to keep track of compliance 24/7 so as to avoid the creation of cultural norms.

As a result, unintentional HIPAA violations can happen because of an absence of understanding. Nevertheless, Covered Entities are not ready to accept accountability for unintentional violations at all times because of a lack of understanding as it means they were unable to perform a complete risk evaluation, disregarded a threat to PHI privacy, and were unable to give required and proper training – or, when a cultural norm has been created, failed to keep track of compliance with guidelines and procedures.

How You Can Avert Unintentional HIPAA Violations

To steer clear of unintentional HIPAA violations and the professional and individual penalties of noncompliance – regardless if they aren’t your wrongdoing – it is best to make sure your understanding of HIPAA addresses every facet of your role and the cases you may come across. To attain this stage of information, you must use third-party HIPAA training programs that offer you an exhaustive understanding of HIPAA and its guidelines and regulations.

Accepting responsibility for your personal HIPAA knowledge – and utilizing that understanding to work in a HIPAA-compliant way – safeguards your career, enhances your job prospects, and allows you to get more from your career. Granted the choice, the majority of healthcare experts would choose to work in a setting that works compliantly to provide better patient results, in which morale is great, and wherein the healthcare specialist has a more fulfilling work encounter.

How Small Healthcare Organizations Differ from Big Healthcare Providers in Terms of Security

A recent Software Advice survey of healthcare organizations provides observations on healthcare data breaches, their actual causes, and the various security procedures at small and large healthcare companies.

The survey involved 130 small practices with 5 or fewer licensed providers and 129 big practices having six or more providers to know the security problems they face and the steps each group has made to protect against cyberattacks and data breaches. With both groups of healthcare providers, more than 50 percent store over 90% of patient information digitally, for instance, patient records, medical histories, and billing records. Even though digital records are more useful, there is a threat that hackers could acquire access to patient records.

Hackers have a tendency to target bigger practices rather than small practices, depending on the number of reported data breaches. 48% of large healthcare organizations stated they had encountered a data breach previously, and 16% claimed they had experienced a breach in the past 12 months. 23% of small practices had suffered a breach in past times with 5% suffering from a breach in the last year. By far the major cause of data breaches was human error. 46% of small practices and 51% of big practices stated human error was the top reason for data breaches.

23% of small healthcare practices mentioned they had encountered a ransomware attack before, compared to 45% of large practices. 5% of the attacks on small healthcare companies and 12% of attacks on large healthcare organizations happened in the last 12 months. 76% of small practices and 74% of big practices stated they had recovered at least part of their information from backups without making ransom payments, which demonstrates the great importance of having very good backup plans. That is particularly essential as paying the ransom doesn’t ensure the restoration of files. 23% of small practices made ransom payments to restore their files compared to 19% of big healthcare companies, however, 14% of small healthcare organizations stated they failed to retrieve their files after ransom payment.

11% of big practices completely lost their files because of the attack, 7% acknowledged data loss and 4% made ransom payments yet still failed to recover their files. The majority of the healthcare companies didn’t express how much was the ransom payment. Two small practices mentioned they paid approximately $5,000 -$10,000 and two paid roughly $25,000 – $100,000.

To protect against attacks, healthcare companies have put in place a variety of technical safety steps, with the most typical solutions such as firewalls, antivirus software programs, email security options, and data backup technology. Small practices were spending more money compared to large organizations on antivirus solutions, and although such options are crucial, it is likewise critical to spend on email and networks security resources. Bigger companies with more finances were more probable to purchase those resources and be better shielded because of that. Software Advice recommends that smaller healthcare organizations ought to think about lowering spending on antivirus applications and enhancing email and network protection because that could help to avert even more data breaches.

It is critical not to overlook the human aspect of cybersecurity, particularly since many data breaches were ascribed to human error. Giving security awareness training to staff is demanded by the HIPAA Security Rule, nevertheless, it shouldn’t only be a checkbox choice. Frequent security awareness training to train workers on how to identify and prevent threats can significantly minimize the risk of a successful cyberattack however 42% of small practices and 25% of large practices stated they spent under 2 hours on privacy and security awareness training for staff members in 2021.

Two-factor authentication is an essential security measure to avoid the usage of compromised credentials to acquire access to accounts. Microsoft has earlier mentioned that two-factor authentication can prohibit over 99% of programmed attacks on accounts. It is wonderful that 90% of big practices have enforced 2FA somewhat, nevertheless, small practices are a lot less likely to employ 2FA to safeguard their accounts. 22% of small practices stated they haven’t used 2FA yet and 59% just use 2FA on a few programs.

Using all data protection software available is not a wise choice as it results in your vulnerability to other ways of attack or breach, for example, circumstantial exposure or human error. Rather, protect yourself on several fronts, advises Software Advice. That entails training staff members, buying the right security tools to secure data, and creating an action plan to help offset ruin in case of a breach or attack.

Data Breach Reports Sent by New Jersey Brain and Spine, Dialyze Direct, and Highmark Inc

New Jersey Brain and Spine (NJBS) has lately reported it encountered a cyberattack on or about November 16, 2021, that encrypted information on its system. NJBS stated it quickly took action to protect its network and had a computer forensic company look into the security breach. Although no proof was discovered that indicates there was any improper use of patient information due to the attack, the forensics agency mentioned the attacker might have viewed files that contain patient records.

A third party vendor conducted an evaluation of all files on its network that was possibly accessed, and although the data mining procedure is in progress, it was affirmed that the files comprised data such as names, email addresses, physical addresses, birth dates, phone numbers, social security numbers, driver’s license numbers or other ID numbers, financial account details, credit or debit card data, and health details. Notification letters had been mailed to impacted people on March 10, 2022.

NJBS stated that right after the breach, a number of steps were done to better safeguard patient information, such as using two-factor authentication, migrating patient information to a third-party hosted cloud-based system, and setting up a new server. NJBS has additionally used an ongoing monitoring response solution that monitors user activity, services, and ports, and synchronizes logging.

The breach report was sent to the HHS’ Office for Civil Rights revealing that approximately 92,453 persons were affected.

Highmark Inc. Patients Impacted by Breach at Printing and Mailing Provider

Highmark Inc., a non-profit healthcare firm and Integrated Delivery Network located in Pittsburgh, PA, has just announced that certain HIPAA-protected records were compromised in a data breach at Quantum Group. Webb Mason offers marketing services to Highmark and uses the printing and mailing vendor, Quantum Group.

Webb Mason gave Quantum Group access to patient information in 2017 to help with marketing projects for Highmark, and that data was likely accessed by unauthorized people. Highmark emphasized that its own IT solutions were not exposed.

Highmark said the breach impacted around 67,147 persons, who were provided free online identity monitoring services for 12 months.

Dialyze Direct Notifies Patients Regarding PHI Breach in Cyberattack

Dialyze Direct, a provider of kidney care services based in Neptune City, NJ, has experienced a data breach that has impacted about 14,203 patients. Based on a March 10, 2022 data breach notification, Dialyze Direct mentioned it found out on February 14, 2022, that an unauthorized person got access to a worker email account from January 21, 2021 to March 4, 2021.

A thorough evaluation of the email account established it included patients’ protected health information (PHI) like names, dates of birth, Social Security numbers, government ID numbers, financial account data, payment card details, and medical data that likely includes financial identification numbers, medical diagnostic and treatment information, and/or medical insurance plan details.

Notification letters were delivered to affected persons. People whose Social Security numbers were possibly exposed were given complimentary credit monitoring services. Dialyze Direct stated it has identified no information that indicates the misuse of any patient data.

Healthcare Scores Terribly for Practicing the Cyber Incident Response

The healthcare industry had an awful 2021 in terms of data breaches with over 50 million records breached and above 900 data breaches were reported by databreaches.net. Considering the magnitude to which the healthcare sector is attacked by cyber actors, the danger of a data breach happening is high. A SecureLink/Ponemon Institute review in 2021 discovered 44% of healthcare and pharmaceutical firms encountered a data breach in the last year.

Although steps can be done to enhance defenses to avoid cyber attacks from succeeding, healthcare companies must be ready for the worse and must have an incident response plan set up that could be promptly started in the event of a cyberattack. With correct planning, when a cyberattack happens, healthcare providers will be prepared and will be able to recover in the least possible time frame.

Regular exercises ought to be done to make sure everybody knows their duties and that the plan works. Oftentimes, cyberattack victims see that their incident response plan is not enough or ineffective due to inadequate testing, which may bring about a slow and expensive response to a cyberattack.

This month, Immersive Labs issued its 2022 cyber workforce benchmark report, which contained data from about 2,100 institutions from a variety of industries that utilize the Immersive Labs platform for performing cyber crisis simulations. Remarkably prized, high profile targets such as financial and technology services conducted the most cyber crisis exercises, doing an average of 7 and 9 exercises annually respectively, nevertheless, healthcare companies were near the bottom of the list, doing an average of 2 exercises annually.

In the event of a cyberattack, a lot of different people will be engaged in the response. It is for that reason crucial for those individuals to take part in exercises. It is not surprising that the more persons who are involved in incident response exercises the more prepared an organization will be to act in response to a cyberattack. Immersive Labs measured the performance of the exercises and found that every exercise that scored over 90% for effectiveness had about 11 people taking part. All but one of the crisis situations that had a score of less than 50% for effectiveness had just one person engaging. In healthcare, an average of 4 people joined in the exercises, in comparison to 21 in education and 7 in technology.

Immersive Labs examined performance with regard to the crisis response activities and computed a score dependent on the type of choices made all through the entire simulation. The average performance score in all exercises was 68%, which indicates there is substantial room for improvement. The prominent industry was manufacturing, with a performance rating of 85%. Worryingly, medical care performed the worst out of all industries for cyber crisis response by some distance, attaining a performance score of only 18% – substantially lower than the next worst-performing segment – financial services – which scored 45%.

Immersive Labs additionally analyzed the speed at which 35,000 members of cybersecurity teams at 400 large companies took to develop the expertise, abilities, and judgment to deal with 185 breaking threats. On average, it required 96 days for teams to grow the skills to secure against breaking threats. They discovered that mitigating against a vulnerability in the Exim mail transfer agent – which affected over 4.1 million systems and was being actively exploited – took security teams more than 6 months on average to grasp. CISA states vulnerabilities must be patched within 15 days from initial detection.

Developing the human skills to fight attackers is slow, particularly in healthcare. The best performing industry was leisure/entertainment, which took typically 65 days for security groups to build the required skills. In medical care, it had taken about 116 days. Only infrastructure, consulting, and transport performed worse. Throughout all industry sectors, the average time frame to develop the competencies to respond to threats was 96 days.

The current cyber crisis is an all-encompassing organizational tension. Stopping incidents that halt operations and ruin reputation, corporate value and stakeholder relationships demands a holistic response from the entire labor force. Reaching this sort of resilience calls for a constantly maturing responsive capability for technical and non-technical teams, created by exercising with a cadence that traditional tabletop exercises struggle to reach… exercising to collect evidence, and then utilizing these insights to equip teams with pertinent skills, is crucial to ongoing resilience.

NIST Wants Feedback on How to Strengthen its Cybersecurity Framework

The National Institute of Standards and Technology (NIST) wants to get comments on the advantages of its Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) and ideas on any enhancements that may be made.

The NIST Cybersecurity Framework was introduced in 2014 to help public and private industry institutions to follow cybersecurity requirements and best practices to enhance their cybersecurity posture, better protect against cyber threats, and immediately determine and react to ongoing cyberattacks to restrict the damage that could be caused. The NIST Cybersecurity Framework is regarded as the gold standard for cyber threat management; nonetheless, that does not indicate enhancements couldn’t be made.

The latest update to the Cybersecurity Framework happened in April 2018. In the past four years, there have been substantial improvements to the cybersecurity threat landscape. New threats have surfaced, the tactics, techniques, and procedures (TTPs) utilized by cyber threat actors have improved, there are new technologies and security features, and more resources are accessible to help with the administration of cybersecurity risk. NIST is not looking at upgrading its Framework once again to take these variables into account.

The NIST Cybersecurity Framework has been used by numerous healthcare companies to strengthen cybersecurity, however, a number of healthcare institutions have experienced difficulties carrying out the Framework, and presently fewer than half of healthcare companies are keeping NIST standards. NIST would like to find out about the problems organizations have encountered putting into action the Framework and the commonalities and conflicts with other non-NIST frameworks and methods that are employed together with the NIST Cybersecurity Framework. There may be strategies for enhancing alignment or application of those approaches with the NIST Cybersecurity Framework. NIST wishes to receive recommendations on modifications that could be made to the characteristics of the Framework, functions that ought to be added or eliminated, and any other methods that NIST can develop the Framework to make it more beneficial.

Aside from the responses on the Cybersecurity Framework, NIST has requested feedback on potential advancements to other NIST guidance and standards, which include its guidance on bettering supply chain cybersecurity. NIST lately announced that it would start the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to deal with cybersecurity challenges in supply chains. NIST has asked for responses on challenges associated with the cybersecurity factors of supply chain risk management that can be resolved by the NIICS, and whether there are presently gaps in active cybersecurity supply chain risk management guidance and assets, such as the use of those resources to information and communications technology, operational technology, IoT, and industrial IoT.

NIST wants to receive all comments by April 25, 2022.

CISA Publishes Listing of Free Cybersecurity Tools to Improve Security Capabilities

Increasing security functions is achievable with a limited budget by utilizing free cybersecurity tools and services. Numerous tools and services were created by government institutions, the cybersecurity community, and the public and private industry that could be utilized to boost defenses against damaging cyberattacks, identify possible intrusions quickly, and help providers respond to and manage security breaches.

Getting suitable free cybersecurity tools and services is often a time-consuming undertaking. To aid critical infrastructure companies lessen cybersecurity risk, the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has put together a listing of services offered by CISA and other government agencies, open-source tools, and tools and services made and serviced by the cybersecurity community that may be used to strengthen protection, identification, response and the management of cyber threats.

The list of free cybersecurity tools and services is broken into four categories, dependent on the four goals described in already released guidance: CISA Insights: Implement Cybersecurity Measures Now to Protect Against Critical Threats.

  • Minimizing the possibility of a damaging cyber incident;
  • Identifying malicious activity fast;
  • Responding properly to verified incidents; and
  • Boosting resilience

All of the tools and services included in the listing were evaluated by CISA utilizing neutral principles and conditions; nevertheless, CISA does not confirm the suitability of any product or service, nor the efficiency of any solution for any specific use scenario. Although a number of commercial products and services were added to the list, CISA doesn’t recommend or provide any recommendations for employing those products and services. The information will be regularly modified by CISA to add new products and services and CISA welcomes any recommendations of additional products and services for future addition to the list.

Though all included tools and services may be beneficial for the enhancement or inclusion of new security features, they are no alternative for creating and enforcing a strong cybersecurity program. It is important to create such a system and make certain several foundational cybersecurity steps are implemented, such as dealing with known flaws in software and operating systems, placing strong passwords, employing multi-factor authentication, and ending bad cybersecurity practices like the extended use of legacy solutions that have arrived at end-of-life and are not supported anymore. CISA advises registering for its Cyber Hygiene Vulnerability Scanning service and obtaining sensitive Stuff of Search (S.O.S) to decrease Internet attack surfaces that are apparent to anyone making use of a web-based platform.

2021 Showed Clear Growth in Ransomware Data Leaks and Greater Ransom Demands

CrowdStrike has revealed its yearly threat report which indicates there was a serious boost in data leaks subsequent to ransomware attacks in 2021, growing by 82% from 2020. There were 2,686 ransomware attacks documented in 2021 as compared to 1,474 in 2020. The weekly average of ransomware attacks in 2021 is over 50.

Ransomware groups at the same time demanded bigger ransom payments in 2021, greater by 36% in 2021 in comparison to 2020. $6.1 million was the average ransom demand in 2021. The healthcare market was widely attacked by ransomware groups in 2021, though many threat actors claimed they wouldn’t execute attacks on healthcare companies. CrowdStrike monitored 154 ransomware attacks on healthcare companies in 2021, higher than 94 in 2020. Healthcare was number 6 out of all industry markets for information leaks. It was number 4 in 2020.

CrowdStrike mentioned the threat landscape has become far more jampacked in 2021, with many new adversaries appearing which include threat actors that have earlier not been greatly engaged in cyberattacks for example Colombia And Turkey. CrowdStrike found 21 new adversaries in 2021, with considerable growth in China-nexus And Iran-nexus threat actors.

A threat group monitored as Wizard Spider was one high-profile ransomware actor in 2021. Carbon Spider focused on big game hunting, Cozy Bear concentrated on attacking cloud systems, Prophet Spider employed the Log4j exploit for collection of credentials from online workspace services, and Aquatic Panda focused on the Log4j vulnerability and employed the Log4Shell exploit to obtain remote code execution on victims’ environments.

Iran-nexus actors substantially employed lock-and-leak tactics. Russian threat actors progressively attacked online environments. China-nexus threat actors concentrated on taking advantage of new vulnerabilities. CrowdStrike mentioned there was 6 times more vulnerability exploitation in 2021. Ten known adversaries or activity groupings engaged in those attacks. Merely 2 vulnerabilities were taken advantage of by Chinese threat actors in 2020, as opposed to twelve in 2021.

As of 2020, ransomware groups were exfiltrating sensitive information before encrypting files and were employing double extortion techniques on their victims. Victims are forced to pay money to get the keys to decrypt data files and to avert the exposure of the stolen information on data leaks websites. Though ransomware attacks were very common, there was furthermore a rise in data theft and extortion without the usage of ransomware and there was a lively market for vending stolen data on hacking communities and darknet portals.

Malware is frequently employed in cyberattacks nevertheless attackers are more and more evading the usage of malware and are employing legit credentials to gain access to systems and then living-off-the-land techniques, where current system tools are utilized as opposed to malware to evade security methods. In 2021, merely 38% of cyber attacks employed malware, 62% of attacks have nothing to do with malware.

CrowdStrike believes web-related threats will be more commonplace and grow in 2022 as threat actors choose targets that present direct access to big combined stores of high-value information. Threat actors are furthermore possible to broaden their tool arsenal to comprise of mobile malware 9nm 2022, and it is remarkably possible adversaries will still search for weaknesses in platforms employed by their targets in 2022.

To combat these threats, CrowdStrike proposes understanding the adversaries that are recognized to target your market, as this can enable you to better get ready for attacks. It is critical to secure all workloads and have a proven response plan to permit quick action to be undertaken in case of an attack. The rate of the response frequently dictates whether or not mitigations become successful or not.

Cloud misconfigurations are typically taken advantage of to obtain access to sizeable data storage. One strategy to lessen the risk of human error is to create new accounts and infrastructure making use of default patterns. Though it is necessary to employ technical steps to identify and discontinue attacks, it is furthermore crucial to invest in user awareness plans, as end-users may play a major role in avoiding data breaches, specifically identifying and averting phishing attacks and social engineering techniques.

Cyberattack at Taylor Regional Hospital and a Connecticut Accountancy Company

Taylor Regional Hospital Still Affected by January Cyberattack

Taylor Regional Hospital based in Campbellsville, KY has encountered a cyberattack, which led to taking down its IT and telephone systems. The hospital reported the cyberattack on January 24, 2021. To date, the hospital continues to experience outages with selected computer systems and phone lines. There were temporary telephone lines set up so that patients can get in touch with the hospital whilst resolving the cyberattack.

Cyberattacks like this usually involve ransomware, however, no information has been available up to now regarding the actual nature of the attack, nor the time its IT systems are likely to be available. At this early phase, it is not clear if any patient data has been accessed or stolen by attackers.

An announcement on the hospital’s website said that the hospital continues to provide quality care to patients and it is working as fast as possible to securely bring back its IT systems on the internet. Patients are encouraged not to postpone seeking clinical care; nonetheless, without access to computer systems, patients were requested to bring details of their prescription medication with them to any visits that were previously planned.

The hospital stated routine outpatient labs will just be conducted for a limited time until further notice, and patients were informed to have a written order and patients ought to expect extended wait times than before. The walk-in COVID-19 clinic remains open although will accept patients on a first-come, first-served basis.

Data Stolen from Connecticut Accountancy Company Due to Cyberattack

The certified public accountancy company located in Glastonbury, CT, Fiondella, Milone & LaSaracina, has reported a cyberattack in September 2021. The company detected the security breach on September 14, 2021, and based on the forensic investigation, the hackers got access to its systems from September 9, 2021.

On or about October 13, 2021, it was confirmed that the attackers copied files and folders from its system that included the sensitive data of a number of people. The information probably breached was mainly limited to names and Social Security numbers. Some individuals also had the following ambulance trips related data stolen: service level, tracking numbers and date, payor types and category, mileage details, charge/payment details, billing review data, and remittance advice details, which may have included health care details.

Fiondella, Milone & LaSaracina mentioned an analysis of security measures was conducted and more safeguards will be put in place to stop other security breaches. There is no statement in the website breach notice about credit monitoring and identity theft protection services.

The accounting firm has sent the breach report to the HHS’ Office for Civil Rights indicating that 6,215 persons were affected.

Data Breaches Reported by Memorial Health System and MedQuest Pharmacy

Memorial Health System based in Ohio has lately confirmed that the ransomware attack it encountered in August 2021 possibly impacted the protected health information (PHI) of 216,478 patients. Because of the ransomware attack, the health system had to get selected patients to other hospitals and cancel a few appointments to make sure of patient safety. The hospital announced the attack immediately after the breach, which happened on August 14, 2021. The investigation revealed the first breach of its network happened on July 10, 2021.

The health system reported the incident to the HHS’ Office for Civil Rights immediately, however, during that time it was not known how many people were affected. Memorial Health System found out that patient data may have been impacted on or around September 17, 2021, then had a thorough assessment of all affected files. On November 1, 2021, the scope of the breach was confirmed however it took until December 9, 2021, to verify the persons impacted and the specific types of information involved, consequently there was a delay in sending notifications. Written notices were delivered to affected people on or approximately January 12, 2022.

The breached and potentially exfiltrated information included names, Social Security numbers, addresses, medical/treatment details, and health insurance data. Affected persons were provided a complimentary membership to Kroll’s credit monitoring service for 12 months. Since then, Memorial Health System has used extra safeguards to enhance its security posture.

MedQuest Pharmacy Data Breach Affects 39,447 People

In mid-December, MedQuest Pharmacy started sending notifications to 39,447 individuals regarding the potential compromise of some of their PHI because of a cyberattack that was identified on November 18, 2021. With the help of its parent companies, Innovations Group and UpHealth Inc, and independent cybersecurity specialists, MedQuest confirmed the attackers first acquired access to its systems on October 27, 2021. The unauthorized access was prevented on October 30, 2021.

A detailed evaluation of all impacted systems showed the attackers possibly accessed or obtained the following types of data: Names, birth dates, addresses, email addresses, telephone numbers, genders, medical record numbers, medical information, prescription data, date(s) of treatment, referring doctor names, health insurance policy numbers (which include Medicare or Medicaid number), and internal MedQuest patient ID number.

MedQuest stated that the driver’s license number, Social Security Number, financial account/payment card details, medical insurance claim number, policy details, and/or claim/appeal data of a very small number of persons likewise had been exposed. All affected people have been given a one-year free membership to credit and identity monitoring services of Equifax.

Entira Family Clinics and Caring Communities Send Notification Letters Regarding Netgain’s Ransomware Attack in 2020

A Minnesota network of family medicine practices began sending notifications to approximately 200,000 patients concerning the potential compromise of some of their personal data and protected health information (PHI) due to a cyberattack on a business associate about a year ago.

It was stated in the breach notification letters sent by Entira Family Clinics to the affected people on January 13, 2022 that the breach happened at Netgain Technologies, which is the hosting and cloud IT solutions provider to organizations in the healthcare and accounting industries. Entira Family Clinics employed Netgain’s hosting and email services.

The healthcare organization mentioned the files likely compromised included names, Social Security numbers, addresses, and medical backgrounds. Entira said in its notification letters that they had their information technology (IT) support group working immediately upon being aware of the breach and engaged a law agency with a specialty in cybersecurity and data privacy to investigate. They also communicated closely with Netgain and its breach counsel concerning Netgain’s incident response and forensic investigation.

The investigation found no information of actual or attempted misuse of any personal records. Entira Family Clinics mentioned it is taking steps to enhance security and offset risk, and that process required an assessment and update of policies and procedures associated with the safety of its systems, servers, and life cycle administration. Security analysis was likewise done of the Netgain environment to make sure of the stronger security of the cloud hosting platform.

Entira Family Clinics offered the impacted individuals a complimentary membership to online credit monitoring services via IDX. The breach report submitted to the Maine Attorney General shows 199,628 persons were affected.

The notification letters distributed to the impacted people state that the provider found out that a data security incident on Netgain’s environment may have caused the accidental exposure of their personal data and that Netgain was recently targeted by a cybersecurity incident.

The date of the incident was not mentioned in the notification letters, therefore affected persons wouldn’t realize that the ransomware attack and data theft had happened over 12 months already on November 4, 2020.

Netgain stated the data breach in December 2020, and the majority of impacted firms were informed by February 2021. Many of the affected Netgain clients dispatched notification letters during the spring and summer months of 2021. It is uncertain why Entira Family Clinics delayed issuing notification letters for so long, and whether this was because of delayed notification from Netgain.

Additionally, this month, Caring Communities, a member-owned liability insurance provider in Illinois serving not-for-profit senior housing and care organizations, likewise sent notification letters regarding the Netgain data breach. The firm mailed notification letters on January 14, 2022, which stated the same things as those provided by Entira.

Caring Communities stated it is no longer using Netgain as its hosting provider and transferred its environment to a different service provider after being advised regarding the data breach and similar steps are being done to strengthen security. Affected persons have likewise been provided credit monitoring and identity theft protection services by means of IDX. It is currently not clear how many people were impacted. The notification letters additionally refer to the latest cyberattack on Netgain and did not talk about when the attack took place nor why the issuing of notification letters was long-delayed.