Phishing Attacks Reported by LifeSprk, University of Utah Health and Oregon DHS

The Minnesota-based senior care provider Lifesprk is notifying 9,000 of its clients that some of their protected health information (PHI) was potentially compromised in a phishing attack in November 2019.

Lifesprk discovered on January 17, 2020 that an unauthorized person had accessed an employee’s email account. The account was secured promptly and a third-party cybersecurity firm was engaged to investigate. The firm confirmed that several employee email accounts were compromised between November 5 and November 7, 2019.

For most of the impacted persons, the compromised information in the accounts included names, medical record numbers, medical insurance details, and certain health data. The financial data and/or Social Security number of some patients were also exposed.

The investigation is ongoing. So far, no evidence has been found that any data or PHI was stolen or misused.

Breach notification letters started going out to affected patients on March 17, 2020; the mailing was delayed by the unprecedented measures required to cope with the COVID-19 pandemic. Lifesprk is offering free credit monitoring and identity theft protection services to individuals whose Social Security number was exposed, is improving its email security, and will reinforce employee awareness of phishing emails.

Patients’ PHI Potentially Compromised at University of Utah Health

The University of Utah Health has announced that unauthorized persons accessed the email accounts of several employees between January 7 and February 21, 2020 and may have accessed patients’ PHI.

On February 3, 2020, the University of Utah Health discovered malware on an employee’s workstation that could have allowed unauthorized persons to access patient PHI.

The PHI contained in the email accounts and on the compromised computer included names, dates of birth, medical record numbers, and certain clinical data associated with the healthcare services given by the University of Utah Health.

The University of Utah Health has notified the affected patients, reviewed and updated its security procedures, and will provide additional security training to employees.

The number of patients affected by the breach is not yet known.

Spear Phishing Attack at the Oregon Department of Human Services

The Oregon Department of Human Services discovered that an unauthorized person had accessed an employee’s email account after the employee responded to a spear-phishing email.

Oregon DHS has IT security processes in place that identify email account compromises quickly, which limited the window for data theft. The breach was discovered on March 6, 2020 and the account was secured promptly. A third-party firm is assisting with the review of the incident to determine what data was exposed and who was affected; those individuals will be notified in due course.

At this time there is no evidence that the attacker accessed, copied or misused any PHI; nevertheless, Oregon DHS will offer identity theft protection services to all affected clients.

Rising Number of Medical Devices are Vulnerable to Exploits Like BlueKeep

The healthcare sector is digitizing its business operations and data management processes. New technology is being adopted to improve efficiency and cut costs, but it is usually integrated with legacy infrastructure, processes, and software, and that combination introduces many vulnerabilities.

Cybercriminals target the healthcare industry more than any other, and one-third of U.S. data breaches occur in hospitals. Attackers look for any weakness they can use, and plenty of their attacks succeed.

According to the recently published CyberMDX 2020 Healthcare Security Vision Report, about 30% of healthcare delivery organizations (HDOs) suffered a data breach last year, a clear sign of how hard the industry finds it to manage vulnerabilities and stop cyberattacks.

One reason is the huge attack surface created by the number of hard-to-secure devices on healthcare networks. Roughly 450 million medical devices are connected to healthcare networks worldwide, 30% of them in the U.S. That works out to about 19,300 connected medical devices and clinical assets per U.S. hospital, and it is not unusual for a large hospital to have over 100,000 connected devices. Typically, one in ten devices on a hospital network is a piece of medical equipment.

The report found that 80% of device manufacturers and HDOs consider medical devices difficult to secure, citing a lack of understanding of how to secure them, a lack of training in secure coding practices, and pressure to meet product deadlines.

71% of HDOs say they lack a comprehensive cybersecurity plan that covers medical equipment, and 56% expect a cyberattack targeting medical devices within the next year; among device manufacturers that figure is 58%. If such an attack occurred, only 18% of HDOs say they would be able to detect it.

Medical Devices Vulnerable to BlueKeep

CyberMDX’s study found that 61% of medical devices carry some level of cyber risk, including:

  • 15% are vulnerable to BlueKeep
  • 25% are vulnerable to DejaBlue
  • 55% of imaging devices operate on out-of-date software that is prone to exploits like BlueKeep and DejaBlue

Overall, about 22% of the Windows-based medical devices on hospital networks are vulnerable to BlueKeep.

BlueKeep (CVE-2019-0708) and DejaBlue (CVE-2019-1181 and CVE-2019-1182) are flaws in Microsoft’s Remote Desktop Protocol (RDP) implementation that an unauthenticated attacker can exploit over the network to take full control of a vulnerable device. BlueKeep is wormable: malware exploiting it can spread to other vulnerable devices on the network without any user interaction.

BlueKeep affects older Windows versions, including Windows XP, Windows 7, and Windows Server 2003 through 2008 R2. Many medical devices still run those outdated operating systems and have not been patched. DejaBlue affects Windows 7 and later versions.

Linux-based devices are also affected. Around 30% of medical devices and 15% of connected hospital assets are susceptible to the SACK Panic vulnerability (CVE-2019-11477) in the Linux TCP stack. About 45% of medical devices are susceptible to at least one vulnerability.
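Because exposure here is decided by inventory, OS version, patch status and network reachability rather than by exploit details, the following added example (not from the CyberMDX report or any vendor product) shows how a security engineer could triage an asset-inventory export for BlueKeep and DejaBlue. The inventory rows are constructed; the CVE identifiers and affected OS lists follow Microsoft’s advisories, while the patch-date heuristic (a device whose most recent update predates a fix cannot have received it) and the exposure weights are assumptions of this example.

```python
"""Prioritise devices exposed to BlueKeep and DejaBlue from an inventory export.

Added example, not from the CyberMDX report or any vendor product. The
inventory rows are constructed. The OS lists follow the Microsoft advisories
for CVE-2019-0708 (BlueKeep) and CVE-2019-1181/1182 (DejaBlue); the
"last_patched" heuristic assumes a device whose most recent update predates
a patch's release date cannot have received that patch.
"""
import csv
import io
from datetime import date

# (CVE identifier, date Microsoft published the fix)
BLUEKEEP = ("CVE-2019-0708", date(2019, 5, 14))
DEJABLUE = ("CVE-2019-1181/1182", date(2019, 8, 13))

BLUEKEEP_OS = {
    "Windows XP", "Windows Vista", "Windows 7",
    "Windows Server 2003", "Windows Server 2008", "Windows Server 2008 R2",
}
DEJABLUE_OS = {
    "Windows 7", "Windows 8.1", "Windows 10",
    "Windows Server 2008 R2", "Windows Server 2012", "Windows Server 2012 R2",
    "Windows Server 2016", "Windows Server 2019",
}

# How reachable the device's network segment is; the weights are an assumption.
EXPOSURE_WEIGHT = {"internet": 3, "campus": 1, "isolated": 0}

# Constructed inventory export (one row per device, as an asset-management
# tool might produce it). Not real hospital data.
INVENTORY_CSV = """\
asset,os,last_patched,rdp_enabled,exposure
infusion-ws-01,Windows XP,2014-03-01,yes,campus
ct-console-02,Windows 7,2019-06-12,yes,internet
pacs-srv-01,Windows Server 2008 R2,2019-09-10,yes,internet
lab-analyzer-03,Windows 7,2018-11-20,no,isolated
nurse-station-07,Windows 10,2020-02-11,yes,campus
"""


def unpatched_cves(os_name, last_patched):
    """CVEs a device is still open to, by OS family and the patch-date heuristic."""
    return [
        cve
        for os_set, (cve, released) in ((BLUEKEEP_OS, BLUEKEEP), (DEJABLUE_OS, DEJABLUE))
        if os_name in os_set and last_patched < released
    ]


def triage(csv_text=INVENTORY_CSV):
    """Return findings sorted so wormable, internet-reachable devices come first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cves = unpatched_cves(row["os"], date.fromisoformat(row["last_patched"]))
        if not cves:
            continue
        rdp_enabled = row["rdp_enabled"].strip().lower() == "yes"
        # BlueKeep is pre-auth and wormable, so it outranks DejaBlue; then add
        # network exposure. A device with RDP off still needs the patch, but it
        # is not reachable over the vulnerable channel today.
        score = 3 if BLUEKEEP[0] in cves else 2
        score += EXPOSURE_WEIGHT[row["exposure"].strip().lower()]
        if not rdp_enabled:
            score = 1
        findings.append({
            "asset": row["asset"], "os": row["os"], "cves": cves,
            "rdp_enabled": rdp_enabled, "score": score,
        })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage():
        print(f"{f['score']:>2}  {f['asset']:<18} {f['os']:<24} {', '.join(f['cves'])}")
```

On the constructed rows the internet-reachable Windows 7 CT console (patched in June 2019, so past BlueKeep but before DejaBlue) ranks first, the XP infusion workstation second, and the isolated analyzer with RDP disabled last. The heuristic can miss out-of-band manual patches, so treat the output as a work list for verification, not as proof of vulnerability.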

Prompt Patching Needed

CyberMDX’s research found that 11% of HDOs do not patch their medical equipment at all, and where patches are applied the process is slow. Four months after BlueKeep was disclosed, the typical hospital had patched only about 40% of its vulnerable devices.

The report also reveals that 25% of HDOs have no complete inventory of their connected devices and a further 13% have no reliable inventory. 36% have no formal BYOD policy, and CyberMDX estimates that the typical hospital is not tracking about 30% of its connected devices.

Patching medical devices is not easy: technicians often have to locate and physically inspect each affected device.

Alarmingly, despite the exposure of medical devices, most HDOs neglect granular network segmentation. Their networks are segmented for operational convenience rather than security, so segments mix many different kinds of connected devices and leave them reachable from the internet.

If one of these vulnerabilities were exploited, many HDOs would struggle to detect it. Over 33% of HDOs do not continuously monitor their connected devices, and 21% tag, profile, and track their devices manually.

The Solution

Strengthening medical device security requires continual attention to many things: configuration practices, network restrictions, segmentation, credential management, vulnerability tracking, patching and updating, access and function controls, compliance assurance, live context-aware traffic monitoring and analysis, and third-party security practices. And without knowing which devices are on the network, it is impossible to fully understand their specific attack vectors.

Fortifying security is certainly challenging, but the goal is not a 100% secure organization. The goal must be to address the most critical concerns and substantially reduce the attack surface.

Healthcare Organizations Have Misplaced Confidence on Their Ability to Secure PHI and Manage Data Sharing

Healthcare organizations are confident that they are securing regulated data and managing data sharing appropriately. According to a recent report from Netwrix, that confidence is often misplaced.

Data that is no longer needed should be deleted, yet sensitive information frequently lingers on networks for a long time. Documents containing sensitive data can be saved in the wrong location, where they are not protected from unauthorized access, and such misplaced data can remain exposed for weeks or months.

A recent Netwrix survey shows how serious the problem is. Netwrix surveyed 1,045 IT professionals across a range of industries for its 2020 Data Risk & Security Report and found that 91% were confident their sensitive data was stored securely. Yet one in four respondents said they had discovered sensitive data stored outside the designated secure locations in the past year, showing that confidence to be misplaced. 43% of respondents said misplaced sensitive data had been exposed for days before it was found, and 23% said it had been exposed for weeks.

Healthcare respondents were less sure that all sensitive data was stored securely: 52% expressed confidence that all regulated data was stored safely. Yet of that 52%, 24% said they had found sensitive data in the wrong location in the past year.

65% of surveyed healthcare organizations were confident that employees were not using cloud applications to share sensitive data in order to circumvent IT’s controls, but that confidence also appears misplaced. 32% of the respondents who were certain no unauthorized data sharing was taking place could not substantiate the claim because they do not monitor data sharing at all, and 17% could only monitor it through a manual process.

Of all the industries surveyed, healthcare performed worst at controlling redundant, obsolete, and trivial (ROT) files. 60% of healthcare CIOs said they have trouble identifying ROT files that should be purged. Data classification technology makes this easier: 43% of healthcare providers that classify their data say identifying ROT is faster, compared with 13% of those that do not classify.

Only 20% of healthcare organizations delete ROT data on a regular basis, largely because they have no data retention policy. 69% of healthcare organizations lack a policy that would let them systematically remove data once it is no longer needed, the highest proportion of any industry surveyed.

HIPAA requires access controls that stop unauthorized individuals from viewing protected health information (PHI), and access rights need to be reviewed regularly so that rights are revoked when access to regulated data is no longer needed. Netwrix found that 55% of healthcare providers do not review PHI access rights regularly and 70% do not review access rights to archived data, which puts them in violation of HIPAA.

The HIPAA Right of Access gives patients the right to obtain a copy of their health records, and the California Consumer Privacy Act (CCPA) gives consumers the right to access their personal information. 55% of healthcare organizations said handling data subject access requests (DSARs) strains their IT staff. Data classification technology can ease that pressure: organizations that classify data at the point of collection say they can fulfill DSARs in one-third of the time.

Justifying a budget for data classification technology can be difficult, because IT teams need security metrics to present to senior management to rationalize the cost. While 47% of organizations expect larger budgets this year, only 16% said they have the security metrics to justify the increase. Senior managers want metrics that explain expenses and demonstrate a return on investment.

Cybersecurity leaders must find more efficient ways to manage data security risks and demonstrate a return on investment to the executive team. Better visibility into data, internal operations and user activity will let them prioritize projects, mitigate security and compliance risks more effectively, and validate the effectiveness of their investments.

MyEyeDr. Notifies Patients of Ransomware Attack and Improper Records Disposal Incident

A recent ransomware attack on MyEyeDr. Optometry in Colorado P.C., a network of vision care offices, potentially compromised the protected health information (PHI) of 1,475 Colorado residents.

The attacker gained access to part of the MyEyeDr. systems on December 11, 2019, then downloaded and deployed the ransomware. MyEyeDr. acted immediately to block further unauthorized access and restore the affected patient records. No ransom was paid.

Most of the encrypted data could be restored, but some files were not recovered and remain encrypted. An independent computer forensics firm investigated whether the attackers stole any data before encrypting files; it found no evidence of exfiltration and concluded that the attackers encrypted files only to extort money from MyEyeDr.

The patient information on the affected systems included names, dates of birth, diagnoses, clinical data, and treatment details. Only patients who received services at Colorado MyEyeDr. locations between December 1 and December 10, 2019 were affected.

7,983 Today’s Vision Willowbrook Patients Affected by Improper Disposal Incident

MyEyeDr. also reported a separate breach that compromised the PHI of 7,983 patients of Today’s Vision Willowbrook, a practice that Capital Vision Services, dba MyEyeDr., acquired in February 2019.

On May 21, 2019, MyEyeDr. learned that historical patient records from Today’s Vision Willowbrook had been disposed of improperly. The records should have been securely destroyed; instead they were discarded in a dumpster in Tomball, Texas.

The records included patients’ names, addresses, dates of birth, Social Security numbers, clinical data, and billing data, and belonged to patients seen at Today’s Vision Willowbrook between 1997 and 2003.

The media reported the improper disposal and local law enforcement retrieved the records from the dumpster. According to MyEyeDr., the Tomball police acted quickly enough that unauthorized third parties are believed to have had no opportunity to misuse the information in the records.

MyEyeDr. stated that no MyEyeDr. employee had possession of the records and that employees of Today’s Vision Willowbrook did not appear to have discarded them.

$157 Million Cost of Ransomware Attacks to the Healthcare Industry Since 2016

A new Comparitech study has quantified the scale of ransomware attacks on healthcare organizations and their true cost to the industry.

The study found that healthcare organizations in the United States have suffered at least 172 ransomware attacks since 2016. Those attacks affected 1,446 hospitals, clinics, and other medical facilities and at least 6,649,713 patients.

The number of attacks fell from 53 in 2017 to 31 in 2018, but 2019 returned to 2017 levels with 50 reported attacks on healthcare organizations.

Since 2016, 74% of healthcare ransomware attacks have targeted hospitals and health clinics. The remaining 26% hit other healthcare entities such as nursing homes, dental practices, medical testing laboratories, health insurers, plastic surgeons, optometry practices, medical supply firms, government healthcare organizations, and managed service providers.

Ransom demands varied widely, from around $1,600 to $14 million, and the known demands in attacks on healthcare organizations since 2016 total $16.48 million. Comparitech found that healthcare organizations have paid about $640,000 to attackers for decryption keys, but the real figure is probably much higher, as many victims choose not to disclose payments.

Attacks often force appointments to be canceled and can result in permanent data loss. The time, effort, and cost of remediation can be too much for some smaller healthcare organizations: two healthcare clinics closed their practices in 2019 because of ransomware attacks.

Ransom payments are only a small part of the total cost of an attack. Restoring systems from backups, or even using the attackers’ decryption keys, can take a great deal of time; recovering systems and data can take anywhere from several hours to weeks or months, and that downtime adds to the cost.

Comparitech compiled data from data breach reports, IT news sources, healthcare resources, and the HHS’ Office for Civil Rights, together with studies on the cost of ransomware downtime. From that data the researchers produced low and high estimates of the downtime cost for all 172 verified attacks since 2016: $157,896,000 and $240,800,000, respectively.

Since hospitals and other healthcare providers are often easy targets, ransomware will remain a growing problem for organizations and patients alike. Most attacks so far have hit patient data and hospital IT systems, but without the right safeguards the potential impact is far worse: ransomware could target life-saving equipment and critical patient systems.

Medtronic Releases Patches for Vulnerable CareLink Programmers and Implanted Cardiac Devices

Medical device manufacturer Medtronic has issued patches for vulnerabilities in the following devices:

  • implantable cardioverter defibrillators (ICDs)
  • CareLink 2090 and CareLink Encore 29901 programmers
  • cardiac resynchronization therapy defibrillators (CRT-Ds)

Security researchers identified the vulnerabilities in 2018 and 2019 and reported them to Medtronic. Medtronic promptly published mitigations to reduce the risk of exploitation and allow customers to keep using the affected products safely. Developing and releasing patches for such complex, safety-critical devices took a long time because of the regulatory approval process: Medtronic began work on the remediations immediately but had to ensure the patches preserved the products’ overall safety and functionality.

In 2018, security researchers Jonathan Butts and Billy Rios found three flaws in the CareLink 2090 and CareLink Encore 29901 programmers used to program and manage implanted cardiac devices, and an advisory was issued in February 2018. An attacker exploiting the flaws could modify the firmware through a man-in-the-middle attack, access files stored on the system, obtain device usernames and passwords, and remotely manipulate implanted Medtronic devices.

In 2019, other researchers identified two further vulnerabilities in the Medtronic Conexus telemetry protocol, prompting a second advisory in March 2019. The flaws stem from missing encryption, authorization, and authentication: an attacker could intercept, replay, and alter data and change the settings of programmers, implanted devices, and home monitors. One of them, CVE-2019-6538, was rated critical with a CVSS v3 base score of 9.3 out of 10.

The latest patches address the vulnerabilities in MyCareLink monitors, CareLink monitors and CareLink programmers. Patches have been released for roughly half of the Medtronic implantable devices affected by the Conexus vulnerabilities, listed below:

  • Brava™ CRT-D, all models
  • Evera™ ICD, all models
  • Evera MRI™ ICD, all models
  • Mirro MRI™ ICD, all models
  • Viva™ CRT-D, all models
  • Primo MRI™ ICD, all models

Patches for the remaining vulnerable products are expected later this year.

To protect against exploitation, Medtronic had deactivated the Software Deployment Network (SDN) used to deliver device updates, so updates had to be installed manually from a secured USB drive. Now that the patches are available, Medtronic has reactivated the SDN and customers can use it to update their devices.

Medtronic is monitoring for possible exploitation. To date no cyberattack or privacy breach resulting from these vulnerabilities has been reported, and there are no reports of patient harm.

Cybercriminals Continue to Exploit Pulse Secure VPN Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert instructing Pulse Secure customers to apply the patch for the 2019 Pulse Secure VPN vulnerability tracked as CVE-2019-11510.

Cybercriminals continue to attack unpatched Pulse Secure VPN servers, exploiting CVE-2019-11510 to gain access and deploy Sodinokibi (REvil) ransomware. Several such attacks were reported in January 2020. In addition to encrypting data, the attackers steal it and threaten to publish it; last week data belonging to Artech Information Systems was published after the company did not pay the ransom.

CISA still sees widespread exploitation of CVE-2019-11510 by various threat actors, including nation-state-sponsored advanced persistent threat groups using the flaw to steal data and credentials and to install malware.

CVE-2019-11510 is an arbitrary file read: exploiting it allows a remote, unauthenticated attacker to retrieve the plain-text credentials of all active VPN users. CISA notes that an attacker could also execute arbitrary code on VPN clients when they connect to an unpatched Pulse Secure VPN server.

Pulse Secure published an advisory on April 24, 2019 and released patches for all affected Pulse Connect Secure and Pulse Policy Secure versions. Many organizations, however, have been slow to apply them, and since there are no mitigations or workarounds that prevent exploitation, applying the patches is the only option.

CISA urges all organizations to apply the patches without delay. Approximately 10% of Pulse Secure customers remain vulnerable because they have not yet done so.
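Patching is the fix, but a defender also wants to know whether the appliance was probed or read before the patch landed. The following added example (not from CISA, Pulse Secure or any product) scans web-server-style access logs for the publicly reported CVE-2019-11510 request shape: a directory-traversal request under `/dana-na/` ending in the `?/dana/html5acc/guacamole/` suffix. The log lines are constructed in combined log format; the assumption is that the appliance, or a proxy in front of it, records request lines this way.

```python
"""Flag CVE-2019-11510 exploitation attempts in web access logs.

Added example; not from CISA, Pulse Secure or any product. The log lines are
constructed in combined log format and model the publicly reported traversal
pattern (the "?/dana/html5acc/guacamole/" suffix and the files it was used to
read). Assumption: the appliance or the proxy in front of it logs request
lines in this shape.
"""
import re
from urllib.parse import unquote

# Constructed sample; the two middle lines model known exploitation attempts,
# once plain and once with percent-encoded dot-dot segments.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2020:11:02:13 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5124
203.0.113.7 - - [10/Jan/2020:11:02:15 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1833
198.51.100.23 - - [10/Jan/2020:11:03:40 +0000] "GET /dana-na/%2e%2e/dana/html5acc/guacamole/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/ HTTP/1.1" 200 40960
192.0.2.55 - - [10/Jan/2020:11:05:01 +0000] "POST /dana-na/auth/url_default/login.cgi HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")
GUACAMOLE_MARKER = "?/dana/html5acc/guacamole/"


def fully_decode(s):
    """Undo percent-encoding until stable, so %2e%2e and %252e%252e both become '..'."""
    prev = None
    while prev != s:
        prev, s = s, unquote(s)
    return s


def classify(line):
    """Return a finding dict for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = fully_decode(m["target"])
    path = target.split("?", 1)[0]
    reasons = []
    if path.startswith("/dana-na/") and TRAVERSAL_RE.search(path):
        reasons.append("directory traversal under /dana-na/")
    if GUACAMOLE_MARKER in target:
        reasons.append("CVE-2019-11510 guacamole suffix")
    if not reasons:
        return None
    # A traversal request answered with 200 means the appliance served the
    # file, i.e. it was unpatched at the time; treat it as a probable read.
    if m["status"] == "200":
        reasons.append("served with 200: server was probably unpatched")
    return {"ip": m["ip"], "ts": m["ts"], "path": path,
            "status": m["status"], "reasons": reasons}


def scan_log(text=SAMPLE_LOG):
    """Scan every line and return the findings in log order."""
    return [hit for hit in map(classify, text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log():
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['path']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Run over the constructed sample it flags the two traversal requests and ignores the normal login traffic. A hit served with status 200 before the patch date should be treated as a credential exposure: the session database it targets holds VPN user credentials, so the response is rotating those passwords and reviewing logins from the requesting address, not just patching.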

Healthcare Data Breaches Cost Estimated to Go Up to $4 Billion in 2020

Healthcare data breaches are occurring more often than ever. In 2019, the HHS’ Office for Civil Rights received reports of 494 breaches of 500 or more records, in which over 41.11 million healthcare records were exposed, impermissibly disclosed or stolen. That makes 2019 the worst year on record for the number of healthcare data breaches and the second worst for the number of records breached.

About four in five data breaches in 2019 involved the healthcare industry, and the cost of those breaches to the industry is estimated to reach $4 billion in 2020.

The poor state of healthcare cybersecurity was highlighted by a late-2019 Black Book Market Research survey of 2,876 healthcare security professionals from 733 provider organizations, which examined vulnerabilities, cybersecurity gaps, and shortcomings across the industry.

Over 93% of healthcare organizations have suffered a data breach since Q3 2016, and 57% of respondents experienced more than five breaches in that period. Despite the clear risk, organizations are not investing in cybersecurity at the level required: 90% of hospital executives surveyed said their IT security budgets have not changed since 2016.

Hospital systems have increased their cybersecurity budgets by 6%, but physician organizations have spent less on cybersecurity since 2018 and now allocate under 1% of their IT budget to it.

When organizations do spend on cybersecurity, they often buy solutions blindly or with little insight. Between 2016 and 2018, 92% of data security purchasing decisions were made by the C-suite without involving end users or the department managers concerned.

Despite the threat, 92% of healthcare organizations do not have enough full-time cybersecurity staff, and only 21% of hospitals reported having a security executive. Just 6% of respondents said they had a dedicated Chief Information Security Officer (CISO), and only 1.5% of physician organizations with more than 10 clinicians have one.

The healthcare industry needs more CISOs and cybersecurity specialists, but with a national shortage of skilled security professionals it is unclear where they will come from. In the meantime, cybersecurity is increasingly outsourced to managed service providers.

The survey also found that:

  • 96% of IT professionals say threat actors are outpacing medical organizations
  • Providers spend more on marketing to repair damaged reputations after a breach than on addressing the effects of the breach itself.
  • 35% of healthcare organizations had not scanned for vulnerabilities before an attack
  • 87% of healthcare organizations have not run a cybersecurity drill or established an incident response procedure
  • 40% of surveyed organizations do not assess their cybersecurity posture
  • 26% of hospital respondents and 93% of physician groups said they have no adequate solution for quickly detecting and responding to a cyberattack.

Georgia Supreme Court Overturns Court of Appeals Ruling on Athens Orthopedic Clinic Data Breach Case

The Georgia Supreme Court has revived a lawsuit against Athens Orthopedic Clinic over a June 2016 cyberattack by TheDarkOverlord.

In that attack, patient data was stolen from the clinic. The hacking group demanded a ransom and said it would return the data once the ransom was paid. The clinic refused, and the group responded that it had sold some of the stolen data; it later posted some of it on Pastebin, where anyone could download it.

Three breach victims, Paulette Moreland, Christine Collins, and Kathryn Strickland, say they have faced a risk of identity theft and fraud ever since the criminals obtained their personal data, offered it for sale on the darknet, and others downloaded it.

Christine Collins claimed fraudulent charges appeared on her credit card shortly after the attack. The charges were reversed, but she had to spend time resolving them and placed fraud alerts on her credit to prevent further problems.

The plaintiffs seek damages for the credit monitoring and identity theft protection services they had to pay for themselves, since the clinic did not offer them, plus attorneys’ fees, and injunctive relief under the Georgia Uniform Deceptive Trade Practices Act.

Athens Orthopedic Clinic moved to dismiss the case, and the Court of Appeals ruled in the clinic’s favor, holding that the negligence claim failed because the plaintiffs were seeking damages for a heightened risk of harm, which under Georgia tort law is speculative and not a cognizable injury.

The Supreme Court has now overturned that decision, holding that the plaintiffs alleged sufficient harm for the case to survive the motion to dismiss.

The Supreme Court noted that the plaintiffs allege the criminals could use their data to steal their identities and that there is an “imminent and substantial” risk of identity theft, a legitimate allegation about the likelihood of identity theft for any class member as a result of the breach. Because the case is at the motion-to-dismiss stage, the court must accept that factual allegation as true.

The Supreme Court found that the Court of Appeals had relied on two cases that differed from the Athens Orthopedic Clinic attack. In those cases there was no evidence that criminals had actually stolen data, so there was no imminent and substantial risk of identity theft and fraud.

In the Athens Orthopedic Clinic attack, a criminal stole the plaintiffs’ data, threatened to sell it, attempted to do so, and others downloaded it. At this stage the court must presume that the plaintiffs’ data was maliciously accessed by a criminal actor who tried to sell some of it to other wrongdoers, so the “imminent and substantial risk” of identity theft and fraud is real. The Supreme Court therefore held that the plaintiffs’ negligence claims are sufficient to survive the motion to dismiss.

New Zeppelin Ransomware Variant Used to Target MSPs and Healthcare Companies

Security researchers at Blackberry Cylance warn managed service providers, technology, and medical care companies about a new ransomware variant used for targeted attacks.

Attacks using a new VegaLocker/Buran ransomware variant called Zeppelin are executed on carefully picked, high profile targets. Since early 2019, attackers use VegaLocker and variants from this ransomware family were used to strike businesses located in Russian speaking nations.

The campaigns were extensive and employed malvertising to direct users to sites holding the ransomware. The most recent variant is being employed in a remarkably different campaign that’s a lot more focused. So far, attacks were only identified in European, Canadian and United States companies. In case a gadget in the Russian Federation, Belorussia, Ukraine or Kazakhstan downloads the ransomware, the ransomware simply leaves and doesn’t do file encryption.

The VegaLocker family ransomware variants were all offered as ransomware-as-a-service. Zeppelin appears to be the same, although Blackberry Cylance researchers believe the threat actors behind these attacks are different. There have been only a few attacks to date, which suggests a small number of people are executing the attacks on carefully selected targets.

Zeppelin ransomware is very easy to customize and may be deployed as an EXE or DLL file. Some samples were also found wrapped in PowerShell loaders. Attackers additionally personalize the ransom notes and modify them to match each campaign. Some ransom notes included the name of the targeted firm, further showing how highly targeted the campaigns are.

When a managed service provider is attacked, the MSP’s own files are encrypted and the attackers then use the MSP’s remote admin tools to install the ransomware on its clients’ systems. Attacks on service providers are becoming more common, and a number of threat actors have used this tactic, including those responsible for the Ryuk and Sodinokibi ransomware.

Zeppelin ransomware uses a number of obfuscation layers to evade security solutions, including encrypted strings, code of varying sizes and pseudo-random keys. Execution of the encryption routine can also be delayed to evade detection by heuristic analysis and to trick sandboxes. The ransomware can also stop backup services and delete backup files and shadow copies to hinder recovery without paying the ransom.

The original file is encrypted and retains its extension; encrypted files are tagged with the word Zeppelin. The encryption routine uses symmetric file encryption (AES-256 in CBC mode) with a randomly generated key for every file, together with asymmetric encryption of the session key using a custom RSA implementation.

Blackberry Cylance researchers obtained a number of ransomware samples in which only the first 1000 bytes of each file are encrypted. This is enough to render the files unusable while greatly accelerating the encryption process, making it less likely that the attack is detected and stopped before file encryption completes.
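Head-only encryption defeats detectors that look at whole-file entropy, because a large file with only its first 1000 bytes scrambled still averages out as low-entropy. The following is an added example (not code from BlackBerry Cylance or the Zeppelin report) of a detection heuristic that compares the entropy of the first 1000 bytes against the rest of the file and against the expected magic bytes for the extension; the sample files, the magic-byte table and the entropy thresholds are constructed assumptions for illustration.

```python
"""Heuristic detector for files whose first 1000 bytes have been encrypted.

Added example, not from the Zeppelin report. Compares the Shannon entropy of a
file's head with its tail and checks the expected magic bytes for its
extension. All sample files below are constructed inline.
"""
import hashlib
import math
import os
from collections import Counter

HEAD_BYTES = 1000     # prefix length the article says some samples encrypt
HIGH_ENTROPY = 7.0    # bits/byte; random or encrypted data sits close to 8.0
LOW_ENTROPY = 6.0     # uncompressed text/XML sits well below this

# Expected leading bytes for a few extensions (assumption: extend for your estate).
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".docx": b"PK\x03\x04",
    ".xml": b"<?xml",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess(name: str, data: bytes) -> dict:
    """Return entropy figures and a 'suspicious' verdict for one file."""
    head, tail = data[:HEAD_BYTES], data[HEAD_BYTES:]
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    magic_ok = expected is None or data.startswith(expected)
    head_h, tail_h, whole_h = (shannon_entropy(x) for x in (head, tail, data))

    if expected is not None:
        # Known format: missing magic plus a random-looking header is the tell,
        # and it works even for compressed formats whose tail is high-entropy.
        suspicious = (not magic_ok) and head_h >= HIGH_ENTROPY
    else:
        # Unknown format: random-looking head over a low-entropy body. Tails
        # too short to measure are skipped rather than guessed at.
        suspicious = (head_h >= HIGH_ENTROPY and len(tail) >= 256
                      and tail_h <= LOW_ENTROPY)

    return {
        "name": name, "magic_ok": magic_ok,
        "head_entropy": round(head_h, 2), "tail_entropy": round(tail_h, 2),
        "whole_entropy": round(whole_h, 2), "suspicious": suspicious,
    }


def pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 counter chain)."""
    chunks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(chunks)[:n]


def scramble_head(data: bytes) -> bytes:
    """Model the observed behaviour for a test sample: replace only the first 1000 bytes."""
    return pseudo_random(HEAD_BYTES) + data[HEAD_BYTES:]


# Constructed sample files (no real patient data).
LINE = b"Patient: J. Doe, MRN 000123, Visit: 2019-11-05, Note: routine follow-up.\n"
NOTES_TXT = LINE * (5000 // len(LINE))      # roughly 5 KB of plain text
REPORT_PDF = b"%PDF-1.4\n" + LINE * 60       # fake PDF with a valid header

SAMPLES = {
    "notes.txt": NOTES_TXT,
    "notes.txt (tampered)": scramble_head(NOTES_TXT),
    "report.pdf": REPORT_PDF,
    "report.pdf (tampered)": scramble_head(REPORT_PDF),
}


def scan(samples=SAMPLES) -> dict:
    """Assess every sample; returns {label: result dict}."""
    return {label: assess(label.split(" ")[0], data) for label, data in samples.items()}


if __name__ == "__main__":
    for label, r in scan().items():
        verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{label:24} head={r['head_entropy']:.2f} tail={r['tail_entropy']:.2f} "
              f"whole={r['whole_entropy']:.2f} magic_ok={r['magic_ok']} -> {verdict}")
```

Note that the tampered text file's whole-file entropy stays below the threshold, which is exactly why a whole-file entropy check alone would miss this variant.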

In these targeted attacks, the attackers drop a ransom note containing email addresses so that victims can contact them. This allows the attackers to set the ransom amount based on the victim’s perceived ability to pay.

It is not known what methods the attackers use to distribute the Zeppelin ransomware. The researchers found one sample on watering-hole sites, with the ransomware payload hosted on Pastebin, but a number of other distribution methods could also be in use.

Protecting against attacks calls for combining security solutions and adopting best practices in cybersecurity, which include:

  • Blocking open ports
  • Changing all default passwords
  • Disabling RDP when possible
  • Using an enhanced spam filtering solution
  • Applying patches immediately
  • Keeping operating systems and software updated

Staff should be trained to follow security best practices. Backups should be created regularly and tested to ensure files can be recovered, and at least one backup copy should be stored securely on a device that is not connected to the network.

100 Dental Practices Affected by Ransomware Attack on Managed Service Provider

An IT company in Colorado that provides managed IT services to dental offices experienced a ransomware attack. Through the company’s systems, more than 100 dental practices were also infected with ransomware.

The ransomware attack on Complete Technology Solutions (CTS), based in Englewood, CO, started on November 25, 2019. A KrebsonSecurity report stated that CTS received a ransom demand of $700,000 in exchange for the keys to unlock the encrypted files. The company decided not to pay the ransom.

To provide IT services to dental practices, CTS is given access to their systems through a remote access tool. The hackers appear to have used that tool to access the systems of CTS clients and attack them with Sodinokibi ransomware.

Some of the dental practices hit by the attack were able to recover their data from backups, specifically those that had stored a copy of their data offsite. Many dental practices still have no access to their data or systems and are turning away patients because of the continuing outages.

KrebsonSecurity reports that some of those practices are attempting to negotiate with the attackers to obtain the keys to unlock their data.

Because multiple ransom notes and file extensions were used, data recovery has been challenging: paying one ransom demand recovered some of the encrypted data, but unlocking other encrypted files required paying an additional ransom. Black Talon Security told KrebsonSecurity about one dental practice that had 50 encrypted devices and received more than 20 ransom notes; several payments were made to recover its data.

There was a similar attack on the Wisconsin company PerCSoft, which resulted in ransomware attacks on about 400 dental offices in August 2019. PerCSoft provides digital data backup services to dental offices. The hackers also used Sodinokibi ransomware in that attack.

Ransomware gangs are increasingly targeting managed service providers. Through a single attack on a managed service provider, the attackers can strike many other firms, so the returns are much higher.

A recent Kaspersky Lab report stated that ransomware attackers are targeting backups and Network Attached Storage (NAS) devices to make it harder for victims to recover their files without paying the ransom.

The most recent attack demonstrates the importance of backing up all critical data. At least one backup copy should be stored securely off-site on a non-networked device that cannot be reached from the internet.

Medical Devices Using Windows 7 Must Upgrade Now

Healthcare companies that still use Windows 7 and Windows 2008 must upgrade their operating systems because Microsoft will stop giving support starting on January 14, 2019.

From January 14, 2019, Microsoft will no longer release patches and updates, leaving the operating system vulnerable to attackers. There will probably not be a cyberattack the moment support stops, but any operating system vulnerabilities identified after January 14 will not be addressed. Attackers could exploit Windows 7 vulnerabilities to compromise devices and then launch attacks on all other devices connected to the network. The risk of cyberattacks will grow in proportion to the number of vulnerabilities found.

According to Forescout, healthcare is the industry with the largest number of Windows 7 devices. A report at the start of this year showed that 56% of healthcare companies still use devices running Windows 7. Moreover, 10% of the devices used by healthcare companies still run Windows 7 or equivalent versions. It is expected that by January 14, 2020, around 70% of all IoT and healthcare devices will still be running Windows 7 or other unsupported operating systems.

Using unsupported operating systems violates HIPAA. If a Windows 7 vulnerability is exploited after January 14 and protected health information (PHI) is exposed, healthcare companies will face a regulatory penalty.

Healthcare companies that cannot upgrade before January 14 have another option. Microsoft will still provide extended security updates for enterprise Windows 7 users, but for an annual fee per device. The cost of Microsoft’s extended support will be high and it will only be available until January 2023:

  • $25 per device in 2020
  • $50 per device in 2021
  • $100 per device in 2022

Cybersecurity Attacks on Southeastern Minnesota Oral & Maxillofacial Surgery and Healthcare Administrative Partners

Southeastern Minnesota Oral & Maxillofacial Surgery (SEMOMS) reported a ransomware attack that resulted in the potential compromise of the protected health information (PHI) of approximately 80,000 patients.

The attack was discovered on September 23, 2019. The IT staff responded by isolating the affected server and took steps to recover the encrypted data. It is unclear whether SEMOMS paid the ransom or whether the IT team restored the server from backups.

With the help of computer forensics specialists, SEMOMS established that the affected server contained names and X-ray images and that an unauthorized individual had accessed the server. No evidence was found that the attackers accessed or exfiltrated patient information, but unauthorized ePHI access and data theft could not be ruled out. As a result, notification letters were sent to all individuals whose protected health information was potentially compromised.

Phishing Attack on Healthcare Administrative Partners Affected 17,693 Patients

Healthcare Administrative Partners (HAP), a company offering medical billing and coding services to healthcare organizations in Media, PA, reported that an unauthorized person accessed the email account of an employee after responding to a phishing email.

HAP became aware of the phishing attack on June 26, 2019 upon noticing suspicious activity in the email account of an employee. It was confirmed on September 26, 2019 that the email account contained the PHI of some clients.

A third-party computer forensics company investigated the breach but could not determine whether the email messages and attachments containing ePHI had been accessed. The possibility cannot be ruled out.

The account comprised patient information such as names, addresses, birth dates, medical record numbers, doctors’ names, prescription medications, health diagnoses, and limited treatment data. HAP sent notification letters to all impacted companies on October 4, 2019.

HAP has also taken steps to enhance email security, including resetting email passwords, labeling all external emails as external, providing employees with additional security awareness training, and implementing mailbox size limits and email archiving to minimize the data exposed in the event of a further attack. HAP is additionally evaluating multi-factor authentication options.

89% of Healthcare Service Providers Still Use Fax Machines and 39% Use Pagers as per TigerConnect Survey

TigerConnect’s 2019 State of Healthcare Communications Report showed that dependence on decades-old, ineffective communications technology is adversely affecting patients and is further increasing healthcare costs.

TigerConnect’s report involved the participation of over 2,000 patients and 200 healthcare workers in a survey to evaluate the present condition of communications in healthcare and obtain information on areas with inefficient communication.

The results clearly indicate that communication in healthcare is broken. 52% of healthcare companies have communication disconnects that affect patients every day or a few times per week.

The report shows the majority of hospitals still rely heavily on 1970s communications technology. 89% of hospitals continue to use fax machines and 39% still use pagers in certain departments, roles, or even across the entire organization. The rest of the world has moved on, yet healthcare has not, even though healthcare is the sector that stands to benefit most from mobile technology.

The HHS’ Centers for Medicare and Medicaid Services (CMS) is pushing for the elimination of fax machines by the end of 2020 and wants healthcare organizations to use safer, more dependable, and more effective communication methods. Given how widely fax machines are used, that goal may be hard to achieve.

Communication problems in healthcare carry a considerable cost. According to NCBI, a 500-bed hospital loses over $4 million each year because 70% of all fatal medical errors are attributable to inefficient communication and errors.

Healthcare employees feel the communication problems acutely when valuable time is wasted struggling with inefficient communication systems. According to the report, 55% of healthcare companies think the healthcare industry lags behind other consumer sectors in communications technology.

One of the major problems facing healthcare professionals is the inability to reach members of the care team when needed. 39% of healthcare professionals said communicating with more than one member of the care team is difficult. The difficulty of communicating immediately and effectively is creating problems throughout the care system. Fast communication is crucial for delivering high-quality patient care, and improvements are being made, although slowly. Secure messaging is now the primary method of communication for nurses (45%) and doctors (39%). Landlines are the primary method of communication for staff outside hospitals (37%) and allied health professionals (32%), although secure messaging platforms can be used by all groups anywhere.

Although the healthcare workforce is increasingly mobile, healthcare companies still rely heavily on landlines. Landlines are used where no secure messaging is available, and organizations also use landlines 25% of the time where secure messaging is available.

Many healthcare companies that have implemented secure messaging platforms to improve communication are not realizing the full benefits. Too often, secure messaging technology is deployed in silos, with different groups using different methods and tools to communicate with each other. Where secure messaging is not used consistently, for example when only certain individuals use the platform, communication remains very problematic.

Patients also feel the communication problems. About three quarters (74%) of surveyed patients who had been in a hospital in the past two years, either receiving treatment or visiting an immediate family member, said the inefficient processes are frustrating.

The most common complaints were:

  • slow-moving discharge/transfer times (31%)
  • ED time with physicians (22%)
  • lengthy waiting room times (22%)
  • the capability to communicate with a physician (22%)
  • the amount of time required to get laboratory test results (15%).

Many of these issues could be resolved by improving communication between care team members.

The survey also showed that hospital employees tend to underestimate the level of frustration felt by patients, and that clinical and non-clinical staff are not aligned. Non-clinical employees underestimate communication problems: 68% of non-clinical employees are unlikely to say that communication disconnects are adversely affecting patients every day.

Communication issues were reported as causing:

  • late discharges (50%)
  • delays in consultation (40%)
  • lengthy ED wait times (38%)
  • transport delays (33%)
  • slow inter-facility transfers (30%).

Where secure messaging is not used, daily communication disconnects are 50% more likely to adversely affect patients.

TigerConnect has a number of recommendations regarding how to improve communication in healthcare:

  • Prioritize communication as a strategy
  • Concentrate on enhancing communication to relieve major bottlenecks
  • Incorporate communication platforms with EHRs to achieve the best value
  • Standardize communication throughout the organization
  • Clinical leadership must be included in designing a solution
  • Stop using patient portals to connect with patients and begin using patient messaging as an end-to-end communication strategy.

The survey gives important information about the state of communication in healthcare and clearly shows what needs to be improved. The full TigerConnect 2019 State of Communication in Healthcare Report is available free of charge (registration required).

Minimum Security Standards Required for IoT Devices by Internet of Things Improvement Act

The Internet of Things Improvement Act has been introduced by the co-chairs of the Senate Cybersecurity Caucus, U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), together with Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT). The act requires all IoT devices purchased by the U.S. government to meet minimum security standards. A companion bill has also been introduced in the House of Representatives by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX).

Ericsson has predicted that there will be 18 billion IoT devices in use by 2022. What’s more, IDC predicts IoT spending will hit $1.2 trillion in the same year. As the number of IoT devices grows, so does the concern about the security risk they pose.

Sen. Warner wants to ensure that a basic standard for security is achieved before any IoT device is allowed to connect to a government network. He also wants to make use of the purchasing power of the U.S. government in order to help establish minimum standards of security for IoT devices.

IoT devices are currently entering the market with scant cybersecurity protections. When cybersecurity measures are integrated into IoT devices, it is often as an afterthought. The majority of IoT devices have not been designed with security as a priority, largely because the market encourages device manufacturers to prioritize convenience and cost over security.

The bill calls on NIST to issue recommendations for IoT device manufacturers on secure development, configuration management, identity management and patching throughout the life cycle of the devices. NIST will also be required to work with cybersecurity researchers and industry experts to develop guidance on coordinated vulnerability disclosure to make sure flaws are fixed when they are discovered.

The Internet of Things Improvement Act calls for the Office of Management and Budget (OMB) to issue guidelines for every agency that are consistent with the NIST recommendations, and for those policies to be reviewed at least every five years.

Any IoT device used by the federal government will also be required to meet the security standards set by NIST. Additionally, contractors and vendors that supply IoT devices to the government will be required to adopt coordinated vulnerability disclosure policies to ensure that information about vulnerabilities is disseminated.

It is vital that IoT devices do not give hackers an opportunity to break into government networks. Without these minimum security standards, the government will be open to attack and critical national security information will be in a vulnerable state.

The Internet of Things Improvement Act will see the U.S. government lead by example and better manage cyber risks.

Healthcare Employees Are Vulnerable to Phishing Attacks, According to Study

The healthcare industry is being heavily targeted by cybercriminals and phishing is one of the most common methods they are using to gain access to healthcare networks and, as a result, sensitive data. The number of successful phishing attacks on healthcare institutions is a serious cause for concern.

At HIMSS19, OCR identified email as the main location of breached ePHI, with phishing attacks posing the highest risk of data breaches.

Is the high number of successful phishing attacks mostly down to the healthcare industry being targeted more than other industry sectors, or is it because healthcare employees are more susceptible to phishing? A recently published study provides some answers.

A study has recently been conducted by Dr. William Gordon of Boston’s Brigham and Women’s Hospital and Harvard Medical School and his team to determine the susceptibility of healthcare employees to phishing attacks.

To conduct the study, Gordon and his team analyzed data from six healthcare institutions in the United States that used vendor solutions or custom-developed tools to send simulated phishing emails to their employees.

The researchers analyzed the data collected from the simulated phishing emails sent to healthcare employees between August 2011 and April 2018. The data set included 95 simulated phishing campaigns which resulted in 2,971,945 simulated phishing emails being sent.

422,062 of these emails (14.2%) were clicked by employees. The median institutional click rate ranged between 7.4% and 16.7% per campaign. In one campaign, an institution had a median click rate of 30.7%. Overall, 1 in 7 emails attracted a click across all institutions and all campaigns.

The emails were divided into three categories: office-related, IT-related and personal. IT-related emails (e.g. password resets, security alerts) turned out to be the most successful, with a median institutional click rate of 18.6%.

The researchers found no significant association between the year a campaign was conducted and its click rate. However, they did find that repeated phishing simulations reduced the chances of employees falling for a later phishing email.

At institutions that had run between 6 and 10 simulated phishing campaigns, the odds of a click on a phishing email were lower (odds ratio 0.511). Where more than 10 campaigns had been conducted, the odds were lower still (odds ratio 0.335).

The researchers indicated that healthcare systems are uniquely vulnerable to phishing attacks, mostly as a result of high employee turnover and a constant influx of new employees who may not have had any previous cybersecurity training. High endpoint complexity was also named as a factor that makes healthcare institutions vulnerable to phishing attacks.

From the high click rates, the researchers concluded that phishing is a major cybersecurity risk in healthcare.

Three particular tactics were suggested by the researchers to counter the threat from phishing:

  1. Prevent phishing emails from reaching employees through the use of spam filtering technology
  2. Implement multi-factor authentication to reduce the value of stolen credentials
  3. Improve security awareness through cybersecurity training and phishing simulations.

The report ‘Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions’ was published in JAMA Network Open on March 8, 2019. DOI: 10.1001/jamanetworkopen.2019.0393.

25% of Healthcare Organizations Have Suffered a Mobile Security Breach in Past Year

The Verizon Mobile Security Index 2019 report indicates that 25% of healthcare organizations experienced a security breach involving a mobile device in the past 12 months.

Despite all businesses facing similar risks from mobile devices, it appears that healthcare organizations are addressing risks better than most other industry sectors. Out of the eight industry sectors that were surveyed, healthcare experienced the second lowest number of mobile security incidents, just behind manufacturing/transportation.

Healthcare mobile security breaches have fallen considerably over the past couple of years. In 2017, 35% of surveyed healthcare organizations said they had experienced a mobile security breach in the previous 12 months.

Although the figures suggest that healthcare organizations are getting better at protecting mobile devices, Verizon argues that may not necessarily be what is happening. One suggested explanation is that healthcare organizations may simply be struggling to identify security incidents involving mobile devices.

Of all the healthcare organizations surveyed, 85% believed their security defenses were effective, and 83% believed they would be able to detect a security incident quickly. That confidence may be misplaced: 25% of healthcare organizations suffered a breach involving a mobile device, and 80% of those entities were made aware of the breach by a third party.

As mobile devices are used regularly to access or store ePHI, a security incident could easily result in a breach of ePHI. 67% of all healthcare mobile security incidents were considered major breaches. From those breaches, 40% had significant lasting repercussions and, in 40% of cases, it was said to be difficult and expensive to remediate the situation.

67% of mobile device security incidents involved other devices being compromised, 60% of organizations said they experienced downtime as a result of the breach, and 60% said it resulted in the loss of data. 40% of healthcare organizations that suffered such a breach said multiple devices were compromised, downtime was experienced, and they lost data. 30% of breached entities said that cloud services had been compromised due to a mobile security breach.

The main security risks were seen to be related to how devices were used by employees. 53% of respondents claimed personal use of mobile devices posed a major security risk and 53% said user error was also a significant problem.

Out of all the healthcare organizations that were surveyed, 65% were less confident about their ability to protect mobile devices than other IT systems. Verizon claims that this could be partly explained by the lack of effective security measures in place. An example of this can be seen with just 27% of healthcare organizations using a private mobile network and only 22% having unified endpoint management (UEM) in place.

The survey also confirmed that users are taking major risks and breaching company policies. Across all industries, 48% of respondents said they had sacrificed security in order to get tasks completed, up from 32% last year. 81% admitted to using mobile devices to connect to public Wi-Fi, even though in many cases doing so violates their company’s mobile device security policy.

Hospitals at High Risk of Suffering Devastating Cyberattack, According to Moody’s

The following four industry sectors – hospitals, banks, market infrastructure providers, and securities firms – face significant financial risks from cyberattacks, a new Moody’s Investors Service Report has revealed.

Those four sectors were found to be at high risk of cyberattacks. All four are heavily reliant on technology for daily operations, distribution of content, and customer engagement. Ever-increasing digitalization and interconnectedness within each sector and across sectors means the risk of cyberattacks is also increasing.

Moody’s assessed each sector’s vulnerability to a cyberattack and the impact such an attack could have on critical business operations, reputation and data disclosure. Cybersecurity measures deployed by individual companies were not taken into account, unless mitigants had been applied consistently across a sector (e.g. supply chain diversity). In total, 35 broad industry sectors were assessed, and each was rated low-risk, medium-risk, or high-risk.

The health insurance, pharmaceutical, and medical device industries were all placed in the medium-risk category. Hospitals were rated at high-risk, with the main reasons being the sensitive and essential nature of data used by hospitals, the increasing number of vulnerabilities introduced due to connected medical devices, the value of healthcare data to hackers, and the estimated time it would take to recover from an attack as well as the disruption to the business during the mitigation of an attack.

A successful cyberattack can prove costly to mitigate. Breached entities must increase investment in technology and infrastructure, pay higher insurance premiums, cover the cost of regulatory fines and litigation, and increase R&D spending. What’s more, these attacks can have serious reputational effects, such as higher customer churn rates and reduced creditworthiness.

“We view cyber risk as event risk that can have material impact on sectors and individual issuers,” stated Derek Vadala, Moody’s Managing Director. “Data disclosure and business disruption are the two primary types of cyber event risk that we view as having the potential for material impact on issuers’ financial profiles and business prospects.”

As the financial impact of a cyberattack can be substantial and long-lasting, it is vital for businesses and organizations in the high-risk sectors to have “robust sources of liquidity” to weather the storm.

While larger hospitals are likely to have more financial resources to assign to mitigating threats and recovering from cyberattacks, they are still not immune to attack. Even with these resources, they can still suffer a significant financial impact, particularly when you consider the fact that many hospitals have not purchased cyber insurance due to the high cost.

Cyberattacks on businesses and organizations in high-risk sectors have the potential to be catastrophic. This ultimately could have an impact on the ability of breached entities to pay back debts. The four high-risk industry sectors mentioned above hold a combined $11.7 trillion in rated debt.

Beyond the considerable financial cost and damage to the entity that is attacked, cyberattacks in the high-risk sectors would also likely have ripple effects and a far-reaching impact on other industry sectors.

New Federal Data Privacy Act Proposed by Nevada Senator

A new bill (the Data Privacy Act) has recently been introduced by Nevada Senator Catherine Cortez Masto (D-NV). The bill calls for improved privacy protections for consumers, greater accountability and transparency in data collection practices, and a prohibition on discriminatory data practices.

HIPAA-covered entities are currently required to obtain consent from patients before using or disclosing their health information for purposes other than payment for healthcare, provision of healthcare, or healthcare operations. Companies not bound by the HIPAA Rules, however, are not subject to the same restrictions.

In the absence of a federal law providing such protections, a number of states have introduced or are considering laws covering health and other sensitive data collected by entities not covered by HIPAA. While Congress assesses privacy protections for consumers, a patchwork of state laws is currently the main source of protection, so privacy protections vary greatly depending on where the consumer lives.

The bill, the Digital Accountability and Transparency to Advance Privacy (DATA Privacy) Act, calls for data privacy protections similar to those of the GDPR to limit the collection of personal data, protect the data that is collected, and prevent personal data from being used to discriminate against individuals.

If the Data Privacy Act is passed, consumers will be given more of a say over the types of information that are collected, how that information is used, and with whom it is shared.

The Data Privacy Act will also call for companies to provide consumers with an option of opting in or out of the collection and sharing of sensitive data, such as genetic information, location data and biometric data.

Consumers would have the right to be told what information will be collected, how the company plans to use it, and with whom it will be shared. Companies would also have to create a process that allows consumers to check the accuracy of their data, request a copy of any information that has been collected, and transfer or delete their data without any negative consequences.

Restrictions would also be placed on the data that can be collected. Companies would only be permitted to collect data where there is a legitimate business reason for doing so, and individuals whose data is collected must not be exposed to unreasonable privacy risks. The bill also aims to protect consumers from discriminatory targeted advertising practices based on information they provide such as sex, gender, sexual orientation, race, nationality, religious belief, or political affiliation.

Any company that collects the personal data of more than 3,000 individuals in a calendar year would also be required to provide consumers with a notice of its privacy policies that clearly explains how their data will be used.

Furthermore, any business with annual revenues in excess of $25 million would be required to appoint a Privacy Officer, whose responsibilities would include tasks such as training staff on data privacy.

The FTC and state attorneys general would be given the authority to enforce compliance with the new Act, and financial penalties could be imposed on companies found not to be in compliance.

The intention of the Data Privacy Act is to improve privacy protections for consumers without placing any unnecessary burden on small businesses.

In a statement released in relation to the new Act, Senator Cortez Masto said, “My legislation takes a proactive approach to protecting consumer data by ensuring Americans have a voice in how their consumer data is used. I’m proud to introduce this legislation with my colleagues and will continue this fight to strengthen consumer privacy and data security.”

Definition of Personal Information that Requires Breach Notifications Expanded by New Jersey

A bill that expands the types of personal information that trigger consumer notifications in the event of a data breach has been unanimously passed by the New Jersey Assembly.

Until now, New Jersey breach notification laws have required businesses and public entities to notify consumers only when the breach involves their Social Security number, driver’s license number, or bank account number or credit/debit card information accompanied by a password or code that enables access to the account.

The amendment to the data breach notification requirements of New Jersey’s Consumer Fraud Act expands the definition of personal information to include usernames and email addresses in combination with a password or security question answers that would allow an account to be accessed.

The bill (A-3245) was sponsored by Ralph Caputo (D-Essex) and was recently passed by the Senate by a 37-0 vote and by the Assembly by a 76-0 vote. An almost identical bill (S-52) was passed by the Senate and Assembly in 2018 but was not signed by Chris Christie, the state governor at the time. The current governor, Phil Murphy, is expected to sign the bill.

The bill closes a gap in the current law that allowed businesses to avoid notifying consumers of breaches of their online account credentials. If online accounts are accessed or compromised, criminals can obtain a variety of sensitive information that can be used for identity theft and fraud. Consumers have a right to know when an online account can be accessed by someone else as a result of a data breach so they can take steps to secure their accounts.

Once the bill is signed into law, breach notifications can be mailed to consumers or provided electronically. A substitute breach notice can be issued if more than 500,000 individuals have been affected or if the cost of providing individual notices would exceed $250,000. In such cases, breach victims should be emailed promptly, and a notice should be posted in a prominent position on the company’s website.

However, a business or public entity that furnishes an email account is prohibited from sending email notifications to the breached accounts, since whoever compromised the account may also be reading that inbox, and must use a different means of delivering the notice. One example of such a method is displaying a clearly visible notice when the user logs into the account from an IP address or location that the user has previously used to access it.

A fine of up to $10,000 can be imposed on any business or public entity found to have willfully violated the state’s data breach notification laws, rising to up to $20,000 for each subsequent offense. The bill also creates a private right of action for individuals who have suffered ascertainable losses as a result of a data breach.