Data Breaches Reported by the Chattanooga Heart Institute, Mulkay Cardiology Consultants, and Plastic Surgery Clinics

Cyberattack Victim Count Doubles at the Chattanooga Heart Institute

The Chattanooga Heart Institute located in Texas has reported the compromise of the protected health information (PHI) of 411,383 persons in a cyberattack that was uncovered on April 17, 2023. Chattanooga Heart Institute informed the HHS’ Office for Civil Rights and the Maine attorney general concerning the cyberattack on July 28, 2023. The notification initially indicated that the PHI of 170,450 individuals was affected. However, a breach notification update was already provided to the Maine Attorney General to report that the data breach had more victims than the initial count given.

The investigation into the cyberattack is still in progress. However, there is already a report on the unauthorized third party that got access to its system from March 8 to March 16, 2023, and extracted files that contain patients’ PHI. Although there was no breach in its electronic medical record system, the extracted files included data like names, email addresses, addresses, telephone numbers, birth dates, driver’s license numbers, Social Security numbers, medical insurance data, diagnoses, laboratory results, conditions, prescription drugs, account data, and other clinical, financial and demographic data.

The impacted persons were provided free credit monitoring services for one year and steps were taken to enhance security to stop more attacks. There was no mention in the notification letters that the Karakurt threat group professed to be behind the attack.

NoEscape Ransomware Group Exposes Data Stolen from Mulkay Cardiology Consultants

The NoEscape ransomware group has exposed information purportedly stolen from Mulkay Cardiology Consultants based in New Jersey. Based on the listing, the stolen information included over 60 GB of private and personal data, which contained the PHI of 30,000 patients. The exposed information consists of names, birth dates, addresses, telephone numbers, medical insurance policy numbers, medical cards, access cards, medical records, driver’s licenses, diagnostic information, Covid certificates, and other confidential data. Also included were sample photos and 2.43 GB of downloadable information.

NoEscape is a somewhat new ransomware group that initially came out in May 2023. The Health Sector Cybersecurity Coordination Center recently released a NoEscape Analyst Note regarding the group that contains information on its tactics, techniques, and procedures, and guidelines for improving security. Mulkay Cardiology Consultants has not posted yet any breach notice on its website and the cyberattack is not yet displayed on the HHS’ Office for Civil Rights breach website.

Extortion Groups Target Plastic Surgery Clinics

Cybercriminal groups are targeting U.S. plastic surgery offices, acquiring access to their systems, stealing information, and attempting to extort from the clinics and their patients, as per a new public service statement by the U.S. Federal Bureau of Investigation (FBI).

There have been a number of attacks on plastic surgery companies recently. Although ransomware may have been employed in these attacks, the main reason for the attacks is to get sensitive patient information, which may consist of health records and sensitive pre- and post-surgery pictures. Plastic surgery centers are provided a ransom demand, which if paid will stop the exposure of the stolen information. In certain instances, sensitive patient information and pictures have been published on the internet, and the attackers have tried to demand money directly from the patients. In May 2023, the attack on cosmetic surgeon, Gary Motykie, M.D. from Hollywood, CA, was asked to pay a $2.5 million ransom to stop the leakage of the stolen information. A number of the practice’s patients were called directly and instructed to pay to unpublish their sensitive data.

Based on the FBI, the threat actors utilize technology to conceal their true telephone numbers and email addresses and employ phishing emails to spread malware. The malware gives access to internal secured computers, allowing them to harvest sensitive information, such as photographs. The threat actors were seen enhancing the stolen information using information obtained from social networks, and have likewise employed social engineering techniques to improve the collected ePHI records of plastic surgery patients. The improved data is utilized for extortion and for other scams. The threat actors get hold of plastic surgery doctors and their patients by means of the telephone, email, text messages, and social networks. Sensitive ePHI is disclosed to the patient’s friends, loved ones, fellow workers, and colleagues, and public-facing sites are used to talk about the stolen information.

The FBI has provided guidelines on how to enhance security and minimize the chance of becoming victims of these attacks. These actions include going over the privacy options of social networking accounts and preferably making accounts private to restrict what people can read and what can be shared by other people on profiles. Accepting friend requests must be done with care, and audits must be done of friends to make sure they are all identified persons. Accounts must be set up in a way that friends are only visible to known persons. MFA and strong, unique passwords must likewise be employed for all accounts, particularly email, social media, and financial accounts. Use a password manager to generate strong, unique account passwords and store them safely. Bank accounts and credit reports must likewise be regularly examined for suspicious activity.

Although not stated in the notice, plastic surgery clinics must make sure that they implement cybersecurity guidelines like using strong passwords and activating multifactor authentication. They should also use endpoint detection programs and effective anti-phishing regulators.

 

Cyberattacks Reported by ESSET Researchers, Morris Hospital & Healthcare Centers, Wellness Medication Clinics, and CentroMed

Massive Phishing Campaign Targets Zimbra Collaboration Email Servers

ESET researchers have discovered a massive and continuing phishing campaign targeting Zimbra Collaboration email servers of SME enterprises and government organizations. The campaign is active as of April and is being carried out worldwide, with Ecuador, Italy, and Poland as the most attacked nations. The campaign doesn’t seem to be targeted at any particular vertical.

The attacker sent an email message including an HTML attachment to the targets. The email tells the user that the email server is having an update or Zimbra is having an issue like a security update. The From field shows that an email server admin sent the email. The user is instructed to download the HTML file, which has a URL going to a local file patch. The HTML attachment consists of the targeted company’s logo, the company’s name, and a bogus sign-in page, with the prefilled username. The user is just expected to type in their password. When the password is inputted, the credentials are sent by HTTPS POST request to a server controlled by the attacker.

The ESET researchers noticed lots of phishing emails being sent from a few of the companies chosen for the phishing campaign which indicates the attacker acquired admin credentials and could create other mailboxes on the server. The researchers state that in these instances, a similar password could have been utilized for email and admin. Although this email campaign isn’t specifically advanced, it has shown to be successful. Considering that the HTML attachments include legit code and just one URL directed to a malicious host, that is included in the HTML instead of the body of the message, the emails could not be noticed as malicious and are probable to get around antispam guidelines, particularly since the attacked companies are generally small-to-medium-sized enterprises that are not likely to have sophisticated email security protection. ESET could not find out which attacker was responsible for the campaign.

Morris Hospital & Healthcare Centers Informs 249,000 Individuals Concerning a Cyberattack in April

Morris Hospital & Healthcare Centers located in Illinois has begun informing 248,943 people concerning a cyberattack that was discovered on April 4, 2023. Upon discovery of the breach, third-party cybersecurity specialists were involved to check into the incident and find out its nature and extent. It was confirmed that unauthorized individuals exfiltrated files that contained protected health information (PHI) from its systems.

The stolen files contained the PHI of present and past patients, workers, and their beneficiaries or dependents. The PHI included names, addresses, birth dates, account numbers, medical record numbers, diagnostic/treatment codes, and Social Security numbers. Although there was no misuse of the stolen information reported, impacted persons were instructed to be careful and use the free identity theft resolution services that were provided.

The breach notification letters issued by Morris Hospital & Healthcare Centers didn’t mention who the attackers were nor the nature of the cyber attack. Nevertheless, the Royal Ransomware group has professed to be responsible for the cyber attack and included Morris Hospital on its dark web data leak website on May 22, 2023, together with a few of the data that was stolen during the attack.

Lost or Stolen DEXA Scan Backup Drive of Jefferson Health

Jefferson Health has lately begun informing its New Jersey Cherry Hill Hospital patients about the compromise of some of their PHI. A backup drive containing the data was hooked up to its DEXA scan device. While doing routine maintenance, its vendor did not find the backup drive. An investigation of the incident failed to trace the location of the drive and presumed that it was missing or stolen.

The backup drive included names, birth dates, study dates, medical record numbers, and, mailing addresses for some persons. The device additionally contained other data, yet it cannot be viewed without the right credentials and the proper software program and technology. That data contained diagnoses, telephone numbers, insurance data, Social Security numbers, driver’s license numbers, and scans. Jefferson Health is examining and improving its security practices to avoid the same occurrences later on.

The incident is still not published on the breach portal of the HHS’ Office for Civil Rights, hence the number of affected persons is presently uncertain.

Ransomware Attack on Pathways to Wellness Medication Clinics

Patients of Pathways to Wellness Medication Clinics located in Oakland, Union City, as well as Pleasanton in California, were informed about the exposure of some of their PHI in a cyberattack that was discovered on March 28, 2023. An unauthorized person acquired access to and damaged its system. Independent cybersecurity specialists investigated the breach and made its systems secure. Technical safeguards were evaluated and are being upgraded to better safeguard patient information.

Although no report of patient data misuse was received until July 5, 2023, the occurrence of data theft is likely. The compromised data included: first and last name, address, medical insurance data, provider name, birth date, gender, and Social Security number. Impacted persons were provided free single-bureau credit monitoring services. The Office for Civil Rights breach portal has no update about the incident yet, so the number of persons affected is still unclear.

CentroMed Informs 350,000 People About PHI Compromise

El Centro Del Barrio, dba CentroMed based in San Antonio, TX, has notified 350,000 individuals about the potential compromise of some of their PHI during a hacking incident that was discovered on June 12, 2023. It was confirmed by the forensic investigation that unauthorized individuals accessed some of its IT systems on June 9, 2023. The hackers also accessed files that contain PHI and data theft cannot be excluded. The impacted files included the data of present and past patients, workers, employee and provider partners, spouses, and dependents.

The impacted patient information contained names, addresses, birth dates, financial account details, medical records numbers, medical insurance plan member IDs, claims information (such as any diagnoses detailed on claims), and Social Security numbers. Worker and spouse/partner/dependent details consist of names, financial account data, medical insurance plan member IDs, claims information, and Social Security numbers. The impacted persons were sent notification by mail starting on August 11, 2023. CentroMed stated extra safety measures and technical security measures were carried out to avoid the same breaches later on.

 

Feds Alert of Malicious Usage of RMM Software in Callback Phishing Attacks

Cyber threat actors are more and more utilizing legit remote monitoring and management (RMM) software programs for their attacks, based on the latest joint advisory from the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

The campaign was initially discovered in October 2022 and entails callback phishing. The emails utilized in this campaign are hard for email security solutions to identify as malicious because they have no malicious URLs or file attachments. The emails inform the recipient regarding an upcoming bill and a telephone number is given in the email for the users to call when they would like to stop the charge being made.

The charges generally pertain to a software program that is ending a free trial. The user is informed that the total cost of the software will be billed to the user’s account in case no action is undertaken. Because of the high price of the software program, very likely the number will be contacted. The call is responded to and social engineering techniques are employed to persuade the user to go to a malicious website and download the software, which they are advised is needed to get rid of the software and stop the charge. The software connects to a second-stage domain and gets a mobile version of reputable remote access software like SceenConnect and AnyDesk. In case carried out, the software will link to the RMM server of the threat actor that would give access to the device of the user.

The self-contained, lightweight versions of these remote access programs don’t call for an installation, and therefore do not need administrator privileges. Companies might have safety controls ready to stop the installation of this software program on the system, however portable versions will circumvent these security settings and will enable the attacker to get access to the user’s device as a local user. They could then go on to other vulnerable machines in the local computer system or set up persistent access as a local user service. One of the primary goals of these attacks is to fool users into signing into their bank accounts to start a reimbursement scam. The attackers stay linked while the user uses their bank account, and the user’s bank account summary is changed to seem like an extra amount of money was returned. The user was then informed to return the extra to the scammer.

CISA carried out a retrospective evaluation of the federal civilian executive branch (FCEB) intrusion detection system (IDS) according to third-party reporting and found malicious activity on two FCEB systems that were breached employing this method. Further examination discovered malicious activity on a lot of other FCEB networks, which the companies could connect to a wider financially inspired phishing campaign, associated with a typosquatting campaign found by Silent Push that spoofed Microsoft, McAfee, Amazon, Norton, Geek Squad, and PayPal domains. At first, this campaign concerned helpdesk-inspired email messages that instructed users to a site spoofing one of these brand names, then they began doing callback phishing attacks. The campaign is in action since June 2022.

Even though this campaign utilizes AnyDesk and ScreenConnect, other kinds of RMM software can be manufactured into self-contained mobile executables. These kinds of attacks are much less difficult to carry out than making custom malware that gives remote access and spreads that malware in phishing emails. The government institutions encourage all FCEB agencies and network defenders at other companies to evaluate the Indicators of Compromise (IOCs) and mitigations given in the security notification to safeguard against the malicious use of RMM software.

Patients’ PHI Exposed Due to MJ Care Email Account Breach and Washington Therapist Phishing Attack

Robert S. Miller LICSW, ACSW (RSM), a Washington therapist, has just informed 640 present and past clients of a phishing attack that exposed some of their protected health information (PHI).

In case of a breach of the private data of state residents, state laws require the breached entity to send notifications to the state attorneys general. The notifications usually include the minimum details of privacy breaches, however, in this instance, the therapist mentioned precisely how the phishing attack happened.

RSM had bought antivirus software from the Iolo Software Firm, and eventually bought also encryption software, which had vanished from his PC. RSM was called by an individual who said he is an Iolo worker who said he knew that RSM’s PC was hacked and asked for access to clean the PC of malware and viruses. RSM gave access to the device and later found out it was a scam because the worker asked for eBay cards valued at $300.

As a result of this incident, that person got access to the PC between December 2 and December 4, 2022, and possibly acquired files that contain names, birth dates, mailing and email addresses, telephone numbers, Social Security numbers, health insurance ID numbers, and clinical data, which contained assessments, development notes, letters and mental health rating scales.

Because of this incident, RSM implemented a few steps to stop the same incidents later on, including getting encryption systems, fortifying passwords, and having a third-party software firm examine computers and get rid of any malware that was installed. Impacted clients were provided free identity theft protection services.

MJ Care Reports Email Account Breach

MJ Care based in New Berlin, WI provides rehabilitation and health services. It recently informed 1,832 individuals about the potential access or acquisition of some of their PHI by an unauthorized person. MJ Care didn’t say when it detected the breach; nevertheless, the investigation showed the hacker accessed the email account from May 31, 2022 to June 24, 2022.

The analysis of the impacted email account was concluded on November 2, 2022, and affirmed it included patient names together with at least one of these types of data: Social Security numbers, birth dates, financial account data, credit/debit card details, biometric data, dates of service, treatment/diagnosis data, provider name, patient numbers, medical record numbers, medicines, general medical data, and/or medical insurance policy data. MJ Care sent notifications to impacted persons on December 29, 2022. Free credit monitoring services were provided to individuals who had their Social Security numbers compromised.

Phishing Attacks and Unauthorized Email Account Access Reported by 6 HIPAA Regulated Entities

21,500-Record Data Breach Reported by Police Department of the City of New York

Unauthorized persons have gotten access to the Administrative Fund of the Detectives’ Endowment Association of the Police Department of the City of New York (NYCDEA) email system and possibly viewed or acquired the protected health information (PHI) of 21,544 persons.

Upon discovery of suspicious activity in its email system on December 16, 2021, NYCDEA changed passwords to stop continuing unauthorized access and engaged third-party cybersecurity specialists to look into the unauthorized activity. Based on the breach report submitted to the Maine Attorney General, an unauthorized third-party access to the email system and sensitive information was confirmed only on October 3, 2022. It is unknown why the confirmation of the breach took a very long time.

The evaluation of the breached email accounts showed they include data like names, addresses, dates of birth, driver’s license numbers, state ID card numbers, payment card details, financial account numbers, usernames and passwords, medical background, and medical insurance details. Notification letters were mailed to impacted persons on October 31, 2022. Credit monitoring, identity theft protection services and fraud consultation were provided to impacted persons.

Two Email Accounts Breach in Phishing Attack at Gateway Ambulatory Surgery Center

Gateway Ambulatory Surgery Center located in Concord, NC, has begun informing 18,479 patients that unauthorized individuals potentially accessed some of their PHI that was saved in email accounts. The medical center discovered the email account breach first on April 6, 2022. According to the third-party forensic investigation, unauthorized individuals accessed two employee email accounts from February 14, 2022 to May 10, 2022, because of employees clicking on phishing emails.

It was confirmed by Gateway on September 1, 2022 that the email accounts included patient data, such as names, health benefit enrollment data, medical background, medical insurance data, dates of service, and patient account numbers. The driver’s license numbers and/or Social Security numbers of some patients were likewise exposed. Gateway sent notification letters on October 31, 2022, and offered free credit monitoring, identity restoration, and fraud consultation services to qualified patients.

Gateway stated it has enforced a new endpoint detection and response program and has given extra security awareness training to its employees.

Two Email Accounts Breached at Assurance Health System

Assurance Health System based in Indianapolis, IN offers senior inpatient psychiatric care services in central Indiana and Ohio. It recently reported that unauthorized persons accessed the email accounts of two employees. It is uncertain when the provider detected the unauthorized email account activity; however, the forensic investigation affirmed that an unauthorized third party accessed one email account from April 8, 2022 to April 21, 2022, and had another unauthorized access from June 10, 2021 to March 8, 2022. The health system finished the analysis of the email accounts on September 1, 2022, and began sending notifications to the 3,565 impacted people on October 28, 2022.

The breached email accounts held the PHI of patients of Assurance Health, Brightwell Behavioral Health facilities, and Anew Health, which include names, contact details, driver’s license numbers, Social Security numbers, birth dates, patient account numbers, medical record numbers, dates of treatment, treatment facilities, medical background, condition and diagnosis data, provider names, prescription data, and medical insurance details.

Persons who had their driver’s license numbers or Social Security numbers exposed were offered free credit monitoring and identity protection services. Assurance Health System stated that it implemented extra safety measures and technical security procedures to further secure and keep track of its email system.

2,915 Patients of Native American Rehabilitation Association of the Northwest were Affected by Email Breach

Native American Rehabilitation Association of the Northwest (NARA NW) based in Portland, OR has submitted a breach report involving the email accounts of seven staff members. NARA NW detected suspicious activity inside its email system on September 1, 2022 and took quick action to stop continuing unauthorized access. The analysis of the impacted email accounts showed unauthorized access from August 31 to September 1 by a third party located outside America.

The email accounts included patient data such as names, birth dates, and non-sensitive treatment data. Four of the 2,915 impacted persons had their Social Security numbers compromised. Those persons were given free credit monitoring services for one year.

NARA NW stated it was ready for such incidents, and that it had the technology in place to immediately determine the particular emails and data that were accessed; nevertheless, additional safety measures have already been carried out, such as limiting the usage of cloud-based email, blocking access coming from beyond the United States, and using multi-factor authentication for email accounts.

Work Health Solutions Email Account Breach

Occupational healthcare provider Work Health Solutions in San Jose, CA recently reported that an unauthorized third party accessed an employee’s email account from February 16, 2022 to March 24, 2022. The provider immediately secured the email account and started a forensic investigation. The account evaluation that was conducted confirmed the potential breach of PHI on October 11, 2022. Full names, driver’s license numbers, Social Security numbers, medical insurance data, and/or medical data may have been compromised.

Work Health Solutions sent notification letters to impacted persons on November 9, 2022 and offered free credit monitoring services to those who had their Social Security numbers affected. The incident is not yet posted on the HHS’ Office for Civil Rights breach website, therefore it is presently uncertain how many persons were impacted.

Three Rivers Provider Network Reports Unauthorized Email Account Activity

Three Rivers Provider Network based in Las Vegas, NV recently announced an employee email account breach that affected sensitive patient data such as names, birth dates, addresses, passport numbers, Social Security numbers, state-issued ID numbers, driver’s license numbers, and health data.

The company detected the unauthorized activity on June 3, 2022, and confirmed on August 17, 2022 the exposure of PHI. No report of patient data misuse was received during the issuance of notifications. The affected individuals received notification letters on November 5, 2022 and offers of free credit monitoring services for 24 months.

Data Breaches at Main Line Women’s Healthcare, Fred Hutchinson Cancer Center, and Seton Medical Center Harker Heights

An ex-employee of Main Line Women’s Healthcare located in Bryn Mawr, PA, was found to be viewing and taking photos of patient data utilizing a personal mobile phone. The breach investigation reveals that the information of 804 OB/GYN practice patients was viewed and photographed.

As soon as the HIPAA violation was discovered, the worker was promptly suspended. The provider started an internal investigation to find out the magnitude of the privacy violation and the types of data obtained. The compromised records contained patient names, birth dates,
addresses, medical account numbers, insurance companies, treating doctors, prescription drugs, and diagnoses.

The employee’s work at Main Line Women’s Healthcare was from February 7, 2022 to June 14, 2022, which is now over as a result of the HIPAA breach. A representative for Main Line Women’s Healthcare stated it cannot ascertain the employee’s reasons, nor if the copied data was improperly used or further exposed. The privacy breach report was submitted to the police and Main Line Women’s Healthcare is helping with the investigation.

The provider finished the analysis of the data on September 7, 2022, and sent notification letters on October 10. The late issuance of notification letters was because of the time used to get updated contact details. Free credit monitoring services were provided to impacted persons.

Email Account Breach at Fred Hutchinson Cancer Center, WA

Fred Hutchinson Cancer Center located in Seattle, WA, previously called Seattle Cancer Care Alliance, has found out that an unauthorized person had accessed a staff email account. The incident was discovered on March 26, 2022, upon noticing suspicious activity in the email account. After securing the email account immediately, the center started a forensic investigation to find out the nature and extent of the data breach.

Fred Hutchinson Cancer Center uncovered on April 18, 2022, that an unauthorized individual accessed the email account from March 25 to March 26, 2022. A team was created to review all the documents contained in the account and find out how many persons were impacted and the types of data that were viewed. That process was finished on September 9, 2022, and since contact details had been updated, the center began sending notification letters. The types of data compromised were different from one patient to another but might have contained names, addresses, financial account details, Social Security numbers, medical data, and/or medical insurance data. Fred Hutchinson Cancer Center stated it is not aware of any improper use of patient data.

Any person whose Social Security or government ID number had been exposed will be eligible to receive one-year free credit monitoring and identity theft protection services. The incident is not yet posted on the HHS’ Office for Civil Rights breach website, therefore, the number of affected persons is presently uncertain.

Phishing Attack at Seton Medical Center Harker Heights

HH Killeen Health System, which manages Seton Medical Center Harker Heights based in Texas, has begun informing 15,056 patients about the potential exposure and theft of some of their PHI by unauthorized persons.

The breach happened at a vendor employed by Seton Medical Center Harker Heights. Unauthorized individuals accessed the email accounts of two employees after the employees made a response to phishing emails. The medical center immediately secured the accounts to stop further unauthorized access. It conducted a forensic investigation to find out the scope of the breach. Based on the notification letter given to the Texas Attorney General, the attackers acquired access to the names and medical data of patients.

Evernote Phishing Campaign Targets Healthcare Companies

There is a malicious phishing campaign discovered that targets healthcare companies. The emails sent employ an Evernote-themed bait to fool recipients into accessing a Trojan file that creates a log in prompt to steal information.

The Health Information Cybersecurity Coordination Center (HC3) just released an advisory concerning the campaign that has targeted a number of healthcare companies in the U.S. The malicious emails sent to targeted companies have a malicious URL that leads to an Evernote-themed webpage. The phishing emails are customized and the baits employed may differ; nonetheless, the emails noticed by HC3 include the subject “[Name of Organization] [Date] Business Review” and contain a Secure Message motif.

The URL provided in the email message takes the recipient to the Evernote website, where they are advised to save an HTML file – named message (3).html. The file contains JavaScript code that makes an Adobe or Microsoft-designed page to try to collect Outlook, AOL, IONOS, as well as other credentials.

After acquiring credentials via phishing campaigns like this, cyber threat actors will be able to access email accounts that can have substantial amounts of sensitive information, such as protected health information (PHI). Affected email accounts may be employed to perform phishing attacks internally and could allow threat actors to gain a foothold to perform more significant attacks on the company. A lot of ransomware attacks begin by sending phishing emails.

Ways to safeguard against phishing attacks include a mix of measures, such as email security tools for stopping phishing emails, web filters for hindering access to malicious sites that prompt malware download, antivirus software programs that recognize Trojans as well as other malicious code, and multifactor authentication to prevent unauthorized access to the email system. It is also crucial to give the workforce frequent security awareness training regarding phishing threats and teach employees to identify phishing emails.

Additional data on this phishing campaign, together with other suggested mitigations, are available in the HC3 security advisory.

Data Breaches Reported by St. Luke’s Health System, Allegheny Health Network, Central Maine Medical Center, and Granbury Eye Clinic

St. Luke’s Health System based in Boise, ID, has just submitted a data breach report to the HHS’ Office for Civil Rights that impacted 31,579 individuals. The breach took place in May 2022 at Kaye-Smith, which is a billing vendor of the company. The patients invoiced that month were impacted by the incident. Kaye-Smith learned about the breach in June 2022 and informed St. Luke’s Health System on July 6, 2022.

Unauthorized people got access to the network at Kaye-Smith, which comprised data including patient names, insured names, telephone numbers, addresses, ID numbers, dates of birth, services descriptions, amounts invoiced, payment due dates, outstanding bills, status of accounts, and Social Security numbers. The FBI is helping Kaye-Smith look into the breach to better know how the breach took place.

St. Luke’s Health System mentioned it terminated its association with the billing provider. The investigation at this point has not found any information that indicates patient information misuse. Impacted persons got a free credit monitoring service membership.

Allegheny Health Network Phishing Attack Impacts 1000s of Patients

Allegheny Health Network located in Pennsylvania has lately confirmed that an unauthorized third party viewed the email account of a worker after responding to a phishing email. On May 31, 2022, the worker responded to the email message and the breach was noticed the next day.

An analysis of the email account affirmed that PHI like names, birth dates, dates of medical services, medical backgrounds, health ailments, diagnoses and treatment data, and driver’s license numbers is held in the account. A part of the patients additionally had their Social Security number and/or financial details compromised.

Allegheny Health Network stated immediate action was undertaken to handle the occurrence, such as executing a password reset to avert more unauthorized access. A third-party cybersecurity agency has additionally aided to strengthen its security settings.

Allegheny Health Network has sent the breach report to the HHS’ Office for Civil Rights having a placeholder of 500 records until finally the breach is completely investigated and the number of people affected is identified. The local press has mentioned approximately 8,000 persons were impacted.

Central Maine Medical Center Impacted by Data Breach at Shields Healthcare Group

Central Maine Medical Center (CMMC) has affirmed the impact of a data breach at Shields Healthcare Group on its organization. Of the 56 facility partners that were impacted by the breach, CMMC was one of the impacted. Approximately 2 million persons were affected, which include 11,938 patients of CMMC.

Granbury Eye Clinic Located in Texas Affected by Data Breach at Eye Care Leaders

Granbury Eye Clinic located in Texas is the most recent eye care company to affirm being impacted by the Eye Care Leaders data breach, which affected the PHI of 16, 475 individuals. The data breach is currently identified to have impacted a minimum of 39 eye care companies, along with 3,091,694 patients.

More than 10,000 Companies Attacked in Ongoing MFA-Bypassing Phishing and BEC Campaign

Microsoft gave a warning about a big phishing campaign aimed at Office 365 credentials that circumvents multi-factor authentication (MFA). The campaign is happening now and over 10,000 companies were targeted by attackers in the last 10 months.

According to a report by Microsoft, one of the phishing campaigns used emails that include HTML file attachments. The email tells the user that he/she received a Microsoft voicemail message. The HTML file needed to be opened in order to see the message. The HTML file behaves as a gatekeeper, making sure the targeted user goes to the URL after being redirected from the file attachment.

The user is taken to a web page that has a known open source phishing set, which is utilized to collect credentials. The user is prompted to log in to their Microsoft account to be able to access the voicemail. After signing in, the user is told that an MP3 voicemail message will be sent as an attachment to an email message within an hour. The email address of the user is auto-filled into the sign-in window, only the password needs to be inputted by the user.

This campaign is known as an adversary-in-the-middle (AiTM) phishing attack. The phishing site is placed between the targeted user and the real site they are supposed to log into. Two distinct Transport Layer Security (TLS) sessions are utilized, one is between the user and the attacker and the other is between the attacker and the real site.

After entering the credentials on the attacker-controlled page, they are directed to the real web page. The information from the real resource is handed to the attacker, which is then passed on to the user. Aside from collecting credentials, session cookies are ripped off. The session cookie is used on the browser to bypass the authentication procedure, which works even though multi-factor authentication is activated. The phishing kit makes the whole process automatic.

As soon as the attacker got access to the Office 365 email of the user, the messages inside the account are viewed to determine possible targets for the following stage of the phishing attack. The attacker subsequently creates mailbox protocols that tag selected messages as read and transfers them to the archive to keep the user from finding out about the compromise of their mailbox. Afterward, the attacker conducts a business email compromise (BEC) scam on the targets.

Message posts are hijacked, and the attacker adds their own information to try to obtain the targeted individual to send a fake wire transfer to the attacker’s account. Because the emails are responses to earlier messages, the recipient is likely to think they are in real communication with the account owner, when they are just conversing with the attacker.

Microsoft stated it takes less than five minutes after stealing the credentials and session cookies to send the first BEC email. With all responses to the request being archived automatically, the attacker can just look at the archive for any responses and does this every couple of hours. They are additionally able to find more prospective targets to perform BEC scams on. Although the account breach is programmed, the BEC attacks seem to be done manually. Any email messages sent or gotten are one by one erased from the archive and sent folder to steer clear of discovery. BEC attacks like this can entail bogus transactions of up to millions of dollars.

Protecting against these attacks demands advanced email security options that check incoming and outgoing email messages and can likewise prohibit access to malicious web pages, for instance, an email security program and a DNS filter. Microsoft additionally suggests employing conditional access guidelines that restrict account access to particular gadgets or IP addresses. Microsoft additionally advises continually checking emails for shady or anomalous activities, for example, log-in attempts along with suspicious elements.

With regard to the bypass of MFA, Microsoft highlights that although AiTM attacks could avoid MFA, MFA is still an essential security step and is useful for preventing a lot of threats. Microsoft recommends making MFA usage “phish-resistant” by making use of programs with Fast ID Online (FIDO) v2.0 as well as certificate-based authentication.

Security Breaches at Atrium Health and Heartland Healthcare Services Reported

Patient Data Likely Exposed in Atrium Health Phishing Attack

Atrium Health based in Charlotte, NC reported a phishing incident that compromised the protected health information (PHI) of 6,695 individuals who received services from Atrium Health at Home. A staff member clicked a link in a phishing email on April 7, 2022 and exposed the credentials for an email account. Atrium Health detected the breach on April 8 and blocked the unauthorized access right away.

From April 7 to April 8, the unauthorized third party utilized the account for sending other phishing emails, which indicates that acquiring patient data saved in the account wasn’t the purpose of the phishing attack, though it cannot be determined whether any patient data was seen or acquired.

An analysis of the email messages and file attachments within the account showed they included patients’ complete names, residential addresses, dates of birth, medical insurance data, and medical data (including medical record number, service dates, facility and provider and/or diagnosis and treatment details). The financial account data, Social Security numbers, and/or driver’s license/state ID numbers of some persons were also exposed. Atrium Health stated there were no reported instances of patient data misuse.

Affected persons received breach notification letters. Those who had either their Social Security number, driver’s license number, or financial account information exposed received free credit monitoring and identity theft protection services. Security measures have been improved and Atrium Health stated it will still give its employees regular phishing training.

Patient Data Theft Due to Heartland Healthcare Services Ransomware Attack

Heartland Healthcare Services based in Toledo, OH, has reported the exfiltration of files that contain patient information from its system during a ransomware attack in April 2022. The attack was discovered on April 11 when the employees could not access files on its system.

Heartland Healthcare Services mentioned that the attacker issued a ransom demand, however, after contacting the Federal Bureau of Investigation, it made the decision not to give the ransom payment. Part of the stolen data was uploaded to the dark web data leak website of the ransomware group.

A review of the impacted files showed they included the PHI of 2,763 individuals who got medicines via Heartland Healthcare Services, which include Heartland Pharmacy of Pennsylvania, Heartland Pharmacy of Illinois, or Heartland Pharmacy of Maryland. The stolen information contained names, phone numbers, addresses, medicine names, and other medication-associated data.

Heartland Healthcare Services claimed it has toughened its security procedures to stop the same attacks later on.

Spokane Regional Health District and Catholic Health Announce Data Breaches

Spokane Regional Health District (SRHD) located in Washington encountered once again a phishing attack. This is the second time this year, the health district has reported the potential compromise of patient data after a staff responded to a phishing email.

SRHD announced on March 24, 2022 that its IT unit identified a compromised email account. The investigation just confirmed that a staff replied to a phishing email on February 24, 2022, and subsequently shared credentials that enabled the account to be accessed. Last week, SRHD stated that the email account stored the protected health information (PHI) of 1,260 people. An unauthorized individual may have ‘previewed’ that data, although there was no evidence obtained that suggests the access or download of information.

Content in the account were names, birth dates, service dates, source of referral, healthcare provider name, diagnosing status, whether the patient was located, date placed, patient risk level, staging level, how medicines were obtained, test type, test result, treatment details, medication data, delivery dates and any remedies offered to the baby, diagnostic data, medical details, and client notes.

An SRHD spokesperson stated corrective measures were taken to mitigate the current incident and avoid further phishing attacks, such as reinforcing worker cybersecurity training, employing multifactor authentication, and carrying out testing on its systems.

Similar to the other parts of the state of Washington, SRHD has encountered a record-level surge in phishing emails as well as malware installation attempts. In this incident, staff members fell victim to a phishing scam that exposed confidential data to data thieves. SRHD Deputy Administrative Officer Lola Phillips expressed their strong dedication to protecting personal data and minimizing the possibility of future attacks.

On January 24, 2022, SRHD reported the compromise of an employee email account on December 21, 2021. The email account comprised the sensitive information of 1,058 persons, which include names, dates of birth, counselor names, case numbers, test findings and dates of urinalysis, medicines, and date of the last dose.

Subsequent to that attack, SRHD mentioned it will be enhancing worker cybersecurity training, using multifactor authentication, and doing tests on its systems.

Catholic Health Informs Patients Regarding Data Theft at a Business Associate

Catholic Health has lately begun informing roughly 1,300 patients concerning the exposure of some of their PHI in a cyberattack encountered by Ciox Health, its business associate.

Ciox Health based in Buffalo, NY offers health data management services to hospitals and insurance companies. From June 24, 2021 to July 2, 2021, emails and file attachments in the email account of a Ciox Health worker had been downloaded by an unauthorized person.

The breach was noticed last year and Ciox Health learned in September 2021 that the email account comprised patient data associated with billing queries and customer support requests. An assessment of the data within the account was done at the beginning of November and impacted healthcare providers and insurance companies were informed from November 23 to December 30, 2021.

Catholic Health stated the breached data included names of patients, healthcare provider names, birth dates, dates of service, medical insurance details, and/or medical record numbers. Although Ciox’s investigation didn’t uncover any cases of fraud or identity theft because of this incident, as a safety precaution, Ciox is informing impacted Catholic Health patients.

HIMSS Cybersecurity Survey Reveals the Human Factor is the Biggest Vulnerability in Healthcare

HIMSS has released the results of its 2021 Healthcare Cybersecurity Survey which revealed that 67% of respondents have had at least one significant security event in the past 12 months, with the biggest security breaches the consequence of phishing attacks.

The 2021 HIMSS Healthcare Cybersecurity Survey was performed on 167 healthcare cybersecurity specialists, who had at least some accountability for daily cybersecurity operations or oversight.

The surveyed IT experts were questioned concerning the major security breaches they had encountered in the last 12 months, and in 45% of instances it was a phishing attack, and 57% of survey participants stated the most significant breach involved phishing. Phishing attacks are most frequently carried out through email. 71% of the most significant security incidents are email-based phishing attacks; nonetheless, 27% mentioned there was a significant voice phishing incident (vishing), 21% stated they had many SMS phishing incidents (smishing), and 16% mentioned there were many social media phishing incidents.

Phishing was the most frequent preliminary point of compromise, accounting for 71% of the most critical security breaches. Next are social engineering attacks at 15%. Human error is often the reason for critical data breaches, making up 19% of the major security breaches, with 15% due to the extended use of legacy software for which support is not provided anymore. The survey additionally showed fundamental security controls were not completely implemented at many companies.

Ransomware attacks continue to trouble the medical care sector, and the attacks frequently result in major disruption and have huge mitigation costs. 17% of respondents reported the most critical security incident they experienced was a ransomware attack. 7% of survey participants stated negligent insider activity brought about the greatest security incident, although HIMSS remarks that healthcare firms frequently do not have strong defenses against insider breaches, thus it is likely that these kinds of breaches were underreported.

Considering the extent to which phishing results in account exposures or serious cyberattacks, it is essential for healthcare companies to employ effective email security measures to stop phishing emails and to additionally invest in security awareness training for the employees. Not just one security solution can prohibit all phishing attacks, therefore it is essential for the labor force to get training on how to recognize phishing and social engineering attacks. Training employees in security best practices can help to minimize human error which often causes data breaches.

The prolonged use of legacy systems once it’s the end-of-life can be a problem in healthcare, however, plans must be made to upgrade obsolete programs, and if that is not possible, mitigations ought to be used to make exploitation of vulnerabilities more difficult, for instance isolating legacy systems and not exposing them to the web.

44% of survey respondents stated their biggest breach had no negligible impact; nevertheless, 32% mentioned security breaches resulted in disruption to systems that impacted business functions, 26% said security breaches interrupted IT systems, and 22% reported security breaches led to data breaches or data leakage. 21% stated the security breaches had affected clinical care, and 17% mentioned the most critical security incident ended in financial loss.

In spite of the risk of cyberattacks, funds for cybersecurity budgets stay slim. 40% of surveyed IT specialists stated 6% or less of their IT budget was spent on cybersecurity, which is the same percent as the last four years even if the risk of attacks has grown. 40% of survey participants mentioned they either had funding that has not changed since last year or had diminished, and 35% stated their cybersecurity funding is not expected to change.

The HIMSS survey questioned respondents to learn about the biggest security problems, which for 47% of participants was inadequate budget. Staff compliance with policies and procedures was a big obstacle for 43% of respondents, the continuing use of legacy software programs was a problem for 39% of participants, and 34% stated they had trouble with patch and vulnerability management.

Workers making errors, identity and access management, device management, building a cybersecurity culture, data leaks, and shadow IT were likewise considered as big security issues.

The discoveries of the 2021 HIMSS Healthcare Cybersecurity Survey show that healthcare providers still have substantial difficulties to overcome. These obstacles to progress include limited security budgets, growing legacy footprints, and the increasing volume of cyber-attacks and compromises. Furthermore, standard security controls were not fully enforced at numerous organizations. Maybe the major vulnerability is the human factor. Healthcare companies ought to do more to support healthcare cybersecurity experts and their cybersecurity programs.

Newest Phishing Kits Used for Multi-Factor Authentication Bypass

Phishing attacks enable threat actors to acquire credentials, however, with multi-factor authentication (MFA), it is more difficult for phishing attacks to be successful. With MFA turned on, besides a username and password, one more method of authentication is required before granting account access. Microsoft has formerly stated multi-factor authentication hinders 99.9% of automated account compromise attacks. Nonetheless, MFA does not guarantee protection. A new kind of phishing kit is being used more and more to circumvent MFA.

Proofpoint Researchers revealed in a new blog article that phishing kits are currently being utilized that use a transparent reverse proxy (TRP), which facilitates browser man-in-the-middle (MitM) attacks. The phishing kits permit the attackers to expose browser sessions and steal credentials and session cookies in real-time, permitting full account control without giving a warning to the victim.

There are several phishing kits that can typically be purchased cheaply that enable the bypass of MFA; some are basic with no-extra functionality, while others are more advanced and include a few layers of obfuscation and include modules for doing a variety of functions, such as the theft of sensitive data such as passwords, credit card numbers, Social Security numbers, and MFA tokens.

With common phishing attacks, the attackers make a bogus login page to deceive visitors into sharing their credentials. Quite often the phishing page is a carbon copy of the website it impersonates, with the web address as the only indicator that the phishing page is not real. One MitM phishing kit discovered by the Proofpoint staff doesn’t utilize these bogus pages, instead, it utilizes TRP to present the legit landing page to the visitor. This strategy makes it difficult for victims to identify the phishing scam. As soon as a user visits the page and a request is transmitted to that service, Microsoft 365 for instance, the attackers record the username and password even before they are sent and snatch the session cookies that are transmitted in response in real-time.

The researchers pertain to the Stony Brook University and Palo Alto Networks’ review of MitM phishing kits, which found more than 1,200 phishing websites employing MitM phishing kits. Worryingly, these phishing web pages are frequently not discovered and blocked by security solutions. 43.7% of the domains and 18.9% of the IP addresses were not listed on common blocklists, for example, those managed by VirusTotal. Additionally, although regular phishing pages usually only have a lifespan of about 24 hours prior to being blacklisted, MitM phishing pages last a lot longer. 15% of those found lasted for longer than 20 days before being added to blocklists.

The usage of these phishing kits is growing, though fairly slowly. Proofpoint experts think that threat actors adopt MitM phishing kits a lot more widely in response to the greater use of MFA. MitM phishing kits are simple to set up, free to use, and have been confirmed effective at averting detection. The industry must be ready to handle blind spots like these before they can change in new unexpected directions.

PHI of 138,000 People Exposed Because of 3 Email Security Incidents

Hackers have acquired access to email accounts that contain protected health information (PHI) at Volunteers of America Southwest California, Injured Workers Pharmacy, and iRise Florida Spine and Joint Institute.

Injured Workers Pharmacy

Injured Workers Pharmacy based in Andover, MA has recently reported a data breach to the Maine Attorney General. The incident was discovered on or about May 11, 2021, upon seeing suspicious activity in an employee’s email account. The pharmacy immediately secured the email account and engaged third-party computer forensics professionals to investigate the attack. The investigation confirmed the compromise of 7 email accounts from January 16, 2021 to May 12, 2021.

Third-party data review experts were engaged to look at the emails and file attachments in the exposed accounts, which affirmed they included the PHI of 75,771 people like names, addresses, and Social Security numbers. Following the review, Injured Workers Pharmacy confirmed the results, and that process was finished on or approximately December 14, 2021. The pharmacy began sending notification letters to affected individuals on February 3, 2022.

Injured Workers Pharmacy mentioned it has augmented its email security measures and is giving some impacted persons complimentary credit monitoring and identity restoration services.

iRise Florida Spine and Joint Institute

The iRise Florida Spine and Joint Institute has found out a worker email account that contains the protected health information of 61,595 patients was accessed by an unauthorized individual. The forensic investigation revealed the hacker got access to the email account between February 24, 2021 and February 26, 2021.

A thorough assessment of email messages and attachments was performed, and the procedure was accomplished on November 22, 2021. iRise stated the following types of information were potentially viewed or obtained at the time of the attack: Names, dates of birth, diagnoses, clinical treatment data, physician and/or hospital name, dates of service, and health insurance details. The Social Security numbers, driver’s license numbers, financial account details, credit card numbers, and/or usernames and passwords of a few persons were likewise exposed.

Affected people were informed and a one-year membership to a credit monitoring service was offered for free to persons whose Social Security numbers were exposed. iRise has examined its email security procedures and has carried out extra technical safeguards, which include multifactor authentication. The workforce is also provided extra training on email security.

Volunteers of America Southwest California

The social service organization based in San Diego, CA Volunteers of America Southwest California, lately announced it encountered a phishing attack. A worker got an email that is like a voicemail message, that has a hyperlink to a web page that required the input of login information in order to listen to the message. The access credentials were captured and utilized to view the staff’s email account.

The attackers viewed the email account on or about November 16, 2021, and the attack was discovered and secured on November 16. An evaluation of the email account showed it comprised the first and last names of clients in most of the cases, with a number of the records at the same time including the COVID-19 vaccination status of individuals.

The breach appears to have been fully remediated and third-party specialists were employed to verify the containment steps. Email security was enhanced because of the breach.

The organization submitted the breach report to the HHS’ Office for Civil Rights indicating that 1,300 people were affected.

More than 30 Healthcare Providers Affected by CIOX Health Data Breach

The health information management services provider CIOX Health experienced a data breach that has affected no less than 32 healthcare providers. In July 2021, CIOX Health found out an unauthorized individual had acquired access to the email of a worker in the customer service team. The email account was promptly secured, with the following investigation affirming the email account was first accessed by an unauthorized person on June 24, 2021, with continuing access until the security breach was identified on July 2, 2021.

Based on the breach investigation by CIOX Health, it was confirmed that the incident was limited to just one staff email account. An audit of the data of the email account on September 24, 2021 revealed that it contained emails and file attachments that held the protected health information (PHI) of some of its healthcare provider clients for example names, dates of birth, provider names, dates of service, and the Social Security numbers, driver’s license numbers, health insurance data, and/or treatment details of a very limited number of people.

The worker in question worked in customer support and, therefore, assisted healthcare company clients throughout the country with billing problems and assisted with other customer service needs, therefore a substantial number of impacted clients. The staff did not, nevertheless, have access to the medical record systems of any of its healthcare provider clients.

CIOX Health stated that when the account was accessible it is likely that emails that contain protected health information were viewed or copied, however, there is no direct evidence of attempted or actual misuse of patient data found. CIOX Health is convinced that the email account was compromised to send out phishing email messages from the company domain to persons not related to CIOX Health.

CIOX Health is advising all people affected by the breach to take a look at their statements and explanation of benefits statements from their healthcare companies and insurance companies for any indication of unauthorized use of their information.

As a result of the breach, CIOX Health will implement stronger email security measures and will provide the workers with additional security awareness training.

On December 30, 2021, CIOX health started sending notifications to impacted healthcare company clients regarding the breach. Healthcare providers found to have been affected by the CIOX Health email account breach are the following:

Alabama Orthopaedic Specialists
AdventHealth in Orlando
Baptist Memorial Health Care
Butler Health Systems
Centra Health
Cameron Memorial Community Hospital
Children’s Healthcare of Atlanta
Copley Hospital
Coastal Family Health Center
DeSoto Memorial Hospital Health System
EvergreenHealth
Hospital Sisters Health System
Hoag Health System
Huntsville Hospital Health System
Indiana University Health
MD Partners
McLeod Health System
Niagara Falls Memorial Medical Center Health System
Northwestern Medicine
Northern Light Mercy Hospital
Ohio State University Health System
OrthoConnecticut
Prisma Health – Palmetto Health
Prisma Health – Greenville Health System
Sarasota County Public Hospital District d/b/a Sarasota Memorial Health Care System
Trinity Health – Mount Carmel Health System
Trinity Health – Holy Cross Hospital
Trinity Health – Saint Alphonsus Health System
Trinity Health – St. Joseph Mercy Health System
Trinity Health – St. Francis Medical Center
Union Hospital Healthcare System
Women’s Health Specialist

CIOX Health reported the security breach to the HHS’ Office for Civil Rights indicating that 12,493 individuals were impacted.

UH College of Optometry and Valley Mountain Regional Center Report Data Breaches

The University of Houston College of Optometry has found out that an unauthorized person not from the United States acquired access to an affiliated eye clinic’s networks and stole data included in the database of the clinic.

The Community Eye Clinic based in Fort Worth, TX, is managed by UH College of Optometry. The security team discovered the attack on September 13, 2021, a day after the breach happened. The IT security team promptly took action to protect the system, implemented additional defensive safety measures to better secure patient information, and enhanced its monitoring and notifications. The security team also reviewed the clinic’s IT guidelines and procedures to make sure that industry-standard protocols are implemented.

The attacker obtained files associated with patients who got services at the Community Eye Clinic from May 22, 2013, to September 13, 2021. The information in the database included names, birth dates, contact details, government ID numbers, medical insurance data, Social Security numbers, passport numbers, driver’s license numbers, diagnosis, and treatment details. There was no financial data kept in the database and the attack did not affect the University of Houston or College of Optometry network systems.

The 18,500 impacted persons were instructed to keep track of their explanation of benefits statements and account for hints of fraudulent transaction, to review their credit reports, and to put a security fraud notifier on their credit reports.

17,197 Patients Affected by Valley Mountain Regional Center Phishing Attack

Valley Mountain Regional Center (VMRC) based in Stockton, CA has begun informing 17,197 patients that unauthorized individuals accessed some of their protected health information (PHI) located in breached email accounts.

VMRC found phishing emails in its inboxes on September 15, 2021, and removed all the messages from its email accounts; nevertheless, the following investigation of the phishing attack showed that 14 workers had clicked the hyperlinks and shared credentials that permitted access to their email accounts.

A thorough analysis of the contents of the impacted inboxes affirmed they included names, addresses, birth dates, state-given client identifier numbers, phone numbers, individual e-mail addresses, diagnoses, prescription drugs, dates of service, and other unique identifiers.

VMRC stated no proof was found that suggests the attacker accessed, obtained, or misused any data in the email accounts; nevertheless, impacted individuals were instructed to keep track of their accounts and credit reports for strange transactions.

Data Breaches Suffered by PracticeMax and UMass Memorial Health

Anthem health plan members who have End-Stage Kidney Disease and are signed up in the VillageHealth program were notified about the potential compromise of some of their protected health information (PHI) during a ransomware attack.

VillageHealth assists Anthem plan members through coordinating care between the dialysis center, nephrologists, and healthcare providers and shares the results with Anthem through its vendor, PracticeMax.

PracticeMax provides business management and information technology solutions to healthcare companies. It identified the attack on May 1, 2021. According to the investigation, the attackers obtained access to its systems on April 17, 2021, and had continuing access possibly until May 5, 2021. PracticeMax mentioned it obtain back the access to its IT systems on the following day.

A forensic analysis of the attack affirmed that it affected one server that held protected health information (PHI) and the attackers may have accessed and acquired them.

The investigation into the incident finished on August 19, 2021, and established the exposure of the following types of data: First and last name, address, date of birth, phone number, Anthem member ID number, and clinical information associated with kidney care services obtained. There were no compromised financial details or Social Security numbers.

PracticeMax states it has performed an evaluation of its policies and protocols and has applied extra safeguards to prevent future attacks, which include rebuilding systems, utilizing more endpoint security solutions, and improving its firewalls. Affected individuals were provided complimentary credit monitoring services for 24 months.

UMass Memorial Health Notifies Patients With Regards to Phishing Attack

UMass Memorial Health has found out that unauthorized persons obtained access to some employees’ email accounts due to responding to phishing emails. The phishing attack was identified on August 25, 2021 upon noticing suspicious activity in its email environment.

UMass blocked authorized access to the email accounts right away and launched a forensic investigation, with support given by a third-party computer forensics company. The investigation affirmed the breach of the email accounts from June 24, 2020 until January 7, 2021, and in the course of that time, the unauthorized individuals got access to PHI stored in the email accounts.

Although no proof was found that pointed out the attackers had viewed or acquired the emails, the chances could not be ruled out. An evaluation of the PHI within the accounts was done on August 25, 2021. The compromised information includes names, financial account information, driver’s license numbers, and Social Security numbers. UMass Memorial Health stated free credit monitoring and identity theft protection services were given to impacted people. UMass Memorial stated it is improving email security and will be re-educating the employees on email guidelines.

The breach has been reported to the Maine Attorney General as affecting a total of 3,099 individuals across the United States.

How Password Managers Protect MSPs

A quickly growing business is the offering of password managers for MSPs. This is because cybercriminals are targeting more Managed Service Providers. A recent “State of the Channel” survey revealed that 95% of MSP respondents state that their businesses were being attacked instead of the clients they provide with managed services.

It’s obvious why cybercriminals are attacking MSPs. When a “supply-chain ransomware attack” on an MSP succeeds, it could keep an MSP from providing its clients with its services; and even if only the MSPs’ systems are encrypted, clients can’t run their businesses because of the type of services delivered by the MSP.

Cybercriminals are also attacking SMB clients, but not as much as MSPs. The Datto “State of the Channel” survey reported that 78% of the respondents stated SMB clients had been attacked in the last two years with spyware, adware, and viruses causing as much trouble as ransomware. Even more troubling were the methods used by the cybercriminals to access systems and deploy malware:

  • Reported attacks by 54% of respondents were due to a phishing email
  • Reported attacks by 27% of respondents were due to poor user practices.
  • Reported attacks by 26% of respondents were because of a deficiency of cybersecurity training
  • Reported attacks by 24% of respondents were due to weak passwords and also bad credential management.

Other respondents stated that attacks succeeded because of lost and stolen user credentials, a deficiency of financing for IT security, and insufficiency of executive buy-in for using security tools. All of these causes are preventable or could be mitigated by employing a password manager for MSPs.

How Can Password Managers Protect MSPs

One lacking statistic from Datto´s State of the Channel report is the number of cyberattacks due to MSP susceptibility versus the number of cyberattacks due to client susceptibility. Although it could be presumed that clients are less difficult targets because of a lack of security competence, it is obvious the report says over fifty percent [of MSPs] currently use multi-factor authentication and password management tools.

Using the word “now” implies that less than fifty percent of MSPs were using password management tools in the past. Once again, there is no differentiation between the exclusive use of password managers within the MSP companies and the provision by MSPs of password-management-as-a-service to clients.

The creation, saving, and sharing of login credentials between teams can impact a business´s online protection. According to research, a lot of employees utilize weak passwords simply because they are easier to remember, re-use passwords in several accounts to save needing to recall several passwords, save login credentials in unprotected files, and share security passwords through unsecured avenues of communication like email, chat services, and SMS.

When companies use a password manager, they could likewise implement password policies necessitating the usage of tough, unique passwords for every account. The majority of commercial password managers feature cross-browser, cross-platform synchronization, use with directory services, and protected encrypted credential sharing, so employees have a secure means to swap passwords, credit card information, and other sensitive data.

Password managers for MSPs may be utilized to secure business credentials and clients’ credentials. Passwords are kept in a protected user vault and, whenever a user visits a site that vault has a saved password, the sign-in credentials are auto-filled. Therefore, when a user unintentionally clicks on a phishing email and lands on a phony phishing site, the sign-in credentials won’t auto-fill – notifying the user of a likely threat.

With password guidelines requiring good password tactics, teaching users on good password care, and getting rid of the possibility for weak passwords, the major methods used by cybercriminals to access MSP systems are removed. Regarding the insufficiency of funds for IT security or executive buy-in, password managers for MSPs are affordable in comparison to the price of recovering from a cyberattack and – if given to clients as “password-management-as-a-service,” password managers for MSPs could get more revenue than the cost.

Phishing Attacks at Star Refining & Express MRI

Express MRI, a medical imaging center based in Peachtree Corners, GA, has begun informing patients regarding the exposure of some of their protected health information (PHI) due to a historic data breach. Express MRI found out on July 10, 2020 that an unauthorized person had acquired access to one email account and utilized it to send unauthorized email messages. The occurrence was explored back then, however, it was confirmed that no patient data was accessed.

On June 10, 2021, another evaluation of the security breach was done, and although no particular evidence was found that suggested unauthorized data access or theft, Express MRI deduced that it wasn’t really feasible to completely rule out data access or exfiltration by unauthorized individuals, for that reason Express MRI issued breach notification letters.

An analysis of the breached account confirmed the potential access or exfiltration of the following data: names, email addresses, addresses, birth dates, patient ages, referring doctor names, part of the body scanned, and if the scan was associated to a workers’ payment claim or investigation of a motor vehicle accident. There is no other patient information present in the breached email accounts.

Express MRI stated it took the essential and prompt steps to deal with the incident, which include putting together a team of very competent experts to strengthen the security of its data systems and carry out more safety measures to avoid other breaches.

Star Refining Phishing Attack Impacts 1,910 People

Adelda Health, Inc. also known as Star Refining, has found out that unauthorized persons obtained access to several employees’ email accounts after responding to phishing emails. The personal data of 1,910 people may have been accessed or exfiltrated.

The dental refining company in West Palm Beach, FL discovered the breach on April 29, 2021. A third-party computer forensics company is helping to make sure the incident was completely remediated and to find out the nature and extent of the breach.

An analysis of the breached email accounts showed they contained sensitive information like first and last names, postal addresses, Social Security numbers, driver’s license numbers, and credit card/financial details; nevertheless, there is no evidence that suggested the emails with that data were seen or obtained during the breach of the accounts. The first account access happened on April 12, 2021.

Notifications began to be delivered to impacted persons on July 22, 2021. Free Identity Works credit monitoring and identity theft protection services via Experian were given to impacted persons.

Over 447K Patients Impacted by Orlando Family Physicians Phishing Attack

An unauthorized person accessed the email accounts of Orlando Family Physicians in Florida that contain the protected health information (PHI) of 447,426 patients.

Orlando Family Physicians stated that the compromise of the first email account happened on April 15, 2021 because an employee responded to a phishing email and exposed their account login information. The provider immediately took action to stop unauthorized access and started an investigation to find out the nature and scope of the breach.

With the help of a top-rated cybersecurity forensics company, Orlando Family Physicians confirmed that three more employee email accounts were accessed by unauthorized person. External access to the four compromised email accounts had been blocked in 24 hours after the first unauthored account access.

On May 21, 2021, Orlando Family Physicians confirmed that the unauthorized person possibly accessed email messages in the email account that included patients’ PHI. A review of the email messages and attachments was done, and on July 9, 2021, Orlando Family Physicians had identified all impacted persons.

The email accounts included the personal data and PHI of present patients, prospective patients, workers, and other people. The types of data in the accounts differed from person to person and included at least one of these data elements: Names, demographic information, diagnoses, names of providers, prescription medications, medical record numbers, patient account numbers, medical insurance data (Medicare beneficiary number or another subscriber ID number), and passport numbers.

The phishing attack seems to have been executed with the goal of undertaking financial fraud towards the practice rather than acquiring patient records. Nonetheless, because unauthorized data access and exfiltration cannot be excluded, impacted persons have been instructed to exercise extreme care and carefully monitor their explanation of benefits statements and financial accounts for indications of fraudulent transactions.

Orlando Family Physicians has improved its technical security procedures after the breach and additional training on email security is being given to its employees.