Showing posts with label Patient Info.

Ransomware Actors' Recent Rhysida Attacks Highlight a Rising Threat to Healthcare Institutions

The threat group behind the rapidly expanding Rhysida ransomware-as-a-service operation has claimed responsibility for an Aug. 19 attack that disrupted systems at Singing River Health System, one of Mississippi's largest healthcare providers.

The attack follows one earlier in August against California's Prospect Medical Holdings, which affected 16 hospitals and more than 160 clinics across the country. The scale of that incident prompted the Health Sector Cybersecurity Coordination Center (HC3) to issue an alert to the rest of the industry.

Disruptive attack

The attack on Singing River affected three hospitals and ten clinics in the system, and it is likely to cement Rhysida's reputation as a growing threat to healthcare organisations in the United States. It is also a reminder of the sector's rising appeal to ransomware operators, some of whom pledged early in the COVID-19 outbreak not to target hospitals or other healthcare facilities.

Sergey Shykevich, threat intelligence group manager at Check Point Software, who is tracking the Rhysida operation, confirms that the group has so far published only a small portion of the data it claims to have taken from Singing River on its leak site.

The gang says it is willing to sell all of the data taken from the healthcare system for 30 Bitcoin, roughly $780,000 at current prices. "We sell only to one hand, no reselling, you will be the sole owner," the group stated in its post.

Since debuting in May, Rhysida, named after a genus of centipede, has quickly established itself as a serious player in the ransomware world and drawn widespread attention. The group first targeted organisations in the government, managed service provider, education, manufacturing, and technology sectors; its attack on Prospect marked its entry into healthcare.

Check Point first encountered Rhysida earlier this year while investigating a ransomware attack on a university. The vendor examined the threat actor's tactics, techniques, and procedures and found overlaps with the TTPs of Vice Society, another highly active group that has focused on the health and education sectors since at least 2021.

Lucrative target

Rhysida's expansion into healthcare shows how attractive the sector is to threat actors. Healthcare organisations hold a trove of personal identity and health information that can be monetised in a variety of ways.

Threat actors also know that healthcare organisations are more likely to pay a ransom to end an attack quickly and limit disruptions that could impair their ability to deliver patient care.

"Attacks on healthcare providers have two main significant implications," Shykevich explained. "The hospital's ability to provide basic services to its patients and [on] the patients' sensitive data. Following such cyberattacks, the data quickly makes its way to Dark Web markets and forums." 

This attack is just one of many ransomware and other incidents that have hit healthcare organisations this year. Breaches exposed more than 41 million records in the first half of 2023 alone. According to data maintained by the Office for Civil Rights of the US Department of Health and Human Services, OCR is currently investigating more than 440 incidents reported by healthcare organisations during the first eight months of this year.

Johnson & Johnson Reveals: IBM Data Breach Compromised Customer Data


Johnson & Johnson Health Care Systems (Janssen) recently notified its CarePath customers of a third-party data breach at IBM that compromised their sensitive information.

IBM is a technology service provider for Janssen; in particular, it manages the CarePath application and its database.

CarePath is a software program that helps patients obtain Janssen medications, offers discounts and cost-saving tips on prescriptions, explains insurance eligibility, and sends prescription refill and dosing reminders.

According to the notice on Janssen's website, the pharmaceutical company learned of a previously unknown method by which unauthorized users could gain access to the CarePath database.

The company reported the issue to IBM, which promptly patched the security gap and conducted an internal investigation to determine whether the flaw had been exploited.

The investigation concluded on August 2, 2023, and found that unauthorized persons had accessed the following CarePath user data:

  • Full name 
  • Contact information 
  • Date of birth 
  • Health insurance information 
  • Medication information 
  • Medical condition information 

CarePath users who signed up for Janssen's online services before July 2, 2023, are affected, which may indicate either that the breach occurred on that date or that the compromised database was a backup taken then.

Social Security numbers and financial account data were not held in the breached database, so the most critical details were not exposed.

The company further revealed that the breach did not affect Janssen's Pulmonary Hypertension patients.

Given the value of medical data, the leaked records are likely to be sold at a premium on darknet markets and could support highly effective phishing, scam, and social engineering campaigns.

IBM also published a statement on the incident saying there is no indication that the stolen data has been misused. It nevertheless advises Janssen CarePath users to watch closely for unusual activity on their account statements, and it is offering affected individuals one year of free credit monitoring to help protect them against fraud.

Both notices include toll-free phone numbers that customers and providers can call to ask questions about the incident or to get help enrolling in the credit monitoring service.

IBM is one of hundreds of companies compromised by the Clop ransomware gang earlier this year, when the group exploited a zero-day vulnerability in the MOVEit Transfer software used by organizations around the world.

Asked whether the CarePath breach is related to the MOVEit attacks, an IBM spokesperson confirmed that the two are separate incidents involving different threat actors.

IBM MOVEit Hack Exposes Data of 4 Million US Citizens

Millions of Americans had their private medical and health information stolen after attackers exploited a zero-day flaw in the widely used MOVEit file transfer software on systems operated by tech giant IBM.

The MOVEit mass hacks exposed the data of more than 4 million patients, according to the Colorado Department of Health Care Policy and Financing (HCPF), which runs Colorado's Medicaid programme.

In a notification of a data breach sent to people impacted, Colorado's HCPF stated that IBM, one of the state's vendors, "uses the MOVEit application to move HCPF data files in the normal course of business." 

While Colorado state government and HCPF systems themselves were unaffected, the letter says that "certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorised actor."

These files contain patients' full names, dates of birth, home addresses, Social Security numbers, Medicaid and Medicare ID numbers, income information, clinical and medical data (such as lab results and medication information), and health insurance information.

HCPF said the breach affected nearly 4.1 million people. IBM has yet to publicly confirm that it was impacted by the MOVEit mass attacks.

Missouri's Department of Social Services (DSS) was also affected by the breach of IBM's MOVEit system, though the number of victims is not yet known. Missouri is home to more than 6 million people.

In a data breach notification posted last week, Missouri's DSS stated: "IBM is a vendor that provides services to DSS, the state agency that provides Medicaid services to eligible Missourians. The data vulnerability did not directly affect any DSS systems, but it did affect DSS data."

According to DSS, the data accessed may include an individual's name, department client number, date of birth, potential benefit eligibility status or coverage, and medical claims information. 

Neither Colorado's HCPF nor Missouri's DSS is named on the dark web leak site of the Clop ransomware gang, which has claimed responsibility for the MOVEit mass hacks. The Russia-linked group asserts on the site, "We don't have any government data."

Colorado's latest breach comes just days after the Colorado Department of Higher Education revealed a ransomware incident in which hackers accessed and copied 16 years of data from its networks. Last month, Colorado State University disclosed a MOVEit-related data breach that affected tens of thousands of students and academic employees.

Here's How Microsoft Fought Against Ireland's HSE Attackers

After luring a worker with a phishing email and a malware-laced spreadsheet, the attackers used the infected computer to gain access to Ireland's public health system and tunnel across its network for weeks. They moved from hospital to hospital, infected thousands more systems and servers, browsed folders, and opened personal files.

By the time they demanded a ransom, they had taken over more than 80% of the IT infrastructure, cut the organisation's 100,000-plus employees off from their systems, and put the lives of thousands of patients in danger.

The attackers used a "cracked" (modified to bypass licensing and used without authorisation) legacy version of a powerful tool to launch the 2021 attack on Ireland's Health Service Executive (HSE). The tool, used by legitimate security professionals to simulate cyberattacks in defensive testing, has also become a favourite of criminals who steal and tamper with older versions to launch ransomware attacks around the world. Over the previous two years, attackers attempted to infect more than 1.5 million devices using cracked copies of the tool, Cobalt Strike.

However, Microsoft and the tool's owner, Fortra, now have a court order authorising them to seize and block infrastructure associated with cracked versions of the software. The order also permits Microsoft to disrupt infrastructure tied to the abuse of its own software code, which criminals have used in some attacks to disable antivirus systems. Since the order was executed in April, the number of compromised IP addresses has dropped dramatically.

"The message we want to send in cases like these is: 'If you think you're going to get away with weaponizing our products, you're going to get a rude awakening,'" states Richard Boscovich, assistant general counsel for Microsoft's Digital Crimes Unit (DCU) and head of the unit's Malware Analysis & Disruption team. 

The effort to take down cracked Cobalt Strike began in 2021, when DCU, a multinational team of cybercrime investigators, set out to make a deeper dent in the rising number of ransomware attacks. Previous operations had targeted individual botnets such as Trickbot and Necurs, but ransomware investigator Jason Lyons argued for a single large operation against multiple malware groups that focused on what they all had in common: the use of cracked, outdated Cobalt Strike.

"We kept seeing cracked Cobalt Strike as the tool in the middle being leveraged in ransomware attacks," Lyons explained, basing his evaluations on internal information about Windows-based attacks. 

Lyons, a former US Army counterintelligence special agent, had spent many nights and weekends responding to ransomware attacks and breaches. The opportunity to pursue multiple crooks at once allowed him to "bring a little pain to the bad guys and interrupt their nights and weekends, too," he adds.

But before it could start inflicting pain, Microsoft needed to clean its own house and remove cracked Cobalt Strike from Azure. Rodel Finones, a reverse engineer who dissects and analyses malware, went to work immediately. He had moved from the Microsoft Defender Antivirus team to DCU a few years earlier to play a more proactive role in fighting crime.

Finones built a crawler that connected to every active, publicly accessible Cobalt Strike command-and-control server on Azure and, eventually, across the internet. These servers communicate with infected devices, letting operators surveil networks, move laterally, and encrypt data. He also began studying how ransomware criminals used Microsoft's technologies in their operations.

Crawling alone, though, was not enough. The investigators had difficulty distinguishing legitimate security use of Cobalt Strike from unlawful use by threat actors. Fortra assigns a unique licence number, or watermark, to each Cobalt Strike kit it sells, and that watermark survives in cracked copies as a forensic clue. But Fortra was not part of the initial operation, so DCU investigators worked alone to build an internal catalogue of watermarks seen in attacks on customers while cleaning up Azure.

Meanwhile, Fortra, which acquired Cobalt Strike in 2020, was tackling the problem of criminals abusing cracked copies on its own. When Microsoft proposed a joint effort, the company needed time to make sure that working with Microsoft was the right decision, according to Bob Erdman, assistant vice president for business development.

In early 2023, Fortra joined the action and released a list of more than 200 "illegitimate" watermarks linked to 3,500 unauthorised Cobalt Strike servers. The company had been conducting its own investigations and rolling out new security procedures, but partnering with Microsoft brought scale, additional expertise, and another way of protecting its tool and the internet. During the investigation, Fortra and Microsoft examined roughly 50,000 distinct copies of cracked Cobalt Strike.
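The watermark described above is the practical handle an investigator gets when triaging a suspected Beacon sample or a C2 server's staged payload: extract the embedded configuration, read the licence watermark and C2 settings, and compare the watermark against a list of known-illegitimate IDs. The following Python is an added example written for this page, not Microsoft's crawler or Fortra's code. It assumes the commonly documented Beacon configuration layout (a list of settings encoded as 2-byte index, 2-byte type, 2-byte length and value, with the whole blob XORed by a one-byte key); the field numbers, the XOR keys, and the sample blob it parses are all constructed assumptions, and the "illegitimate" list is a placeholder, not Fortra's published list.

```python
import struct

# Assumed layout (follows the structure documented by public Beacon config
# parsers, but treat these numbers as assumptions): each setting is encoded
# big-endian as 2-byte index, 2-byte type, 2-byte length, then the value.
# Type 1 = 16-bit int, 2 = 32-bit int, 3 = raw bytes. The list ends with an
# index of 0, and the whole blob is XORed with a single-byte key.
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3
IDX_BEACON_TYPE, IDX_PORT, IDX_C2_SERVER, IDX_WATERMARK = 1, 2, 8, 37
XOR_KEYS = (0x69, 0x2E)                         # candidate keys (assumption)
CONFIG_MARKER = b"\x00\x01\x00\x01\x00\x02"     # first setting: idx 1, type 1, len 2


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encode_config(settings, key: int) -> bytes:
    """Build an encoded config from (index, type, value) tuples. Used here only
    to construct a sample blob; a real triage parses a memory dump or a
    decrypted stager instead."""
    out = bytearray()
    for idx, typ, value in settings:
        if typ == TYPE_SHORT:
            data = struct.pack(">H", value)
        elif typ == TYPE_INT:
            data = struct.pack(">I", value)
        else:
            data = bytes(value)
        out += struct.pack(">HHH", idx, typ, len(data)) + data
    out += b"\x00" * 6                          # index 0 terminates the list
    return xor(bytes(out), key)


def locate_and_decode(blob: bytes) -> bytes:
    """Find the config inside an arbitrary blob by searching for the marker
    XORed under each candidate key, then return the decoded config."""
    for key in XOR_KEYS:
        pos = blob.find(xor(CONFIG_MARKER, key))
        if pos != -1:
            return xor(blob[pos:], key)
    raise ValueError("no Beacon config marker found under known XOR keys")


def parse_settings(decoded: bytes) -> dict:
    """Walk the TLV list and return {index: value}."""
    settings, off = {}, 0
    while off + 6 <= len(decoded):
        idx, typ, length = struct.unpack_from(">HHH", decoded, off)
        off += 6
        if idx == 0:
            break
        raw = decoded[off:off + length]
        off += length
        if typ == TYPE_SHORT:
            settings[idx] = struct.unpack(">H", raw)[0]
        elif typ == TYPE_INT:
            settings[idx] = struct.unpack(">I", raw)[0]
        else:
            settings[idx] = raw.rstrip(b"\x00")
    return settings


def triage(blob: bytes, illegitimate_watermarks: set) -> dict:
    """Extract C2 details and the watermark, then classify the sample."""
    s = parse_settings(locate_and_decode(blob))
    watermark = s.get(IDX_WATERMARK)
    c2 = s.get(IDX_C2_SERVER, b"").decode("ascii", "replace")
    if watermark in (None, 0):
        # A zeroed or missing watermark is a common sign of a cracked build.
        verdict = "cracked: watermark missing or zeroed"
    elif watermark in illegitimate_watermarks:
        verdict = "cracked: watermark on known-illegitimate list"
    else:
        verdict = "unverified: compare watermark against vendor licence records"
    return {"c2": c2, "port": s.get(IDX_PORT), "watermark": watermark, "verdict": verdict}


# Constructed sample: a config with a zeroed watermark, surrounded by junk bytes.
SAMPLE_BLOB = b"\x90" * 32 + encode_config([
    (IDX_BEACON_TYPE, TYPE_SHORT, 0),                         # 0 = HTTP beacon
    (IDX_PORT, TYPE_SHORT, 443),
    (IDX_C2_SERVER, TYPE_DATA, b"c2.example.invalid,/updates\x00"),
    (IDX_WATERMARK, TYPE_INT, 0),
], 0x2E) + b"\x00" * 16

ILLEGITIMATE = {305419896}   # placeholder; the real list is Fortra's, not reproduced here

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB, ILLEGITIMATE))
```

In practice the watermark is only one signal: a non-zero watermark that is absent from the illegitimate list still needs to be checked against vendor licence records before a server is treated as legitimate, which is exactly the gap the Fortra partnership closed.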

Microsoft benefited from the collaboration as well, with Fortra's knowledge and watermark list significantly expanding the operation's reach. It aided the firms' case, which linked malicious infrastructure to 16 unknown defendants, each representing a unique threat group. 

Lawyers argued that the groups (ransomware authors, extortionists, victim lurers, and sellers of cracked Cobalt Strike) cooperated in a thriving, profitable ransomware-as-a-service operation built to maximise profit and harm. They also tied cracked Cobalt Strike to eight ransomware families, including LockBit, known for fast encryption and denial-of-service attacks, and Conti, the malware suspected in the disastrous 2022 attacks on the Costa Rican government.

UK Mental Health Charities Imparted Facebook Private Data for Targeted Ads

Some of Britain's largest mental health charities passed private web-browsing data to Facebook for use in its targeted advertising system.

The data was sent by a tracking tool embedded in the charities' websites and included the URLs a user visited and the buttons they clicked on pages about depression, self-harm and eating disorders.

It also recorded when visitors viewed pages that led to online chat tools and when they clicked links reading "I need help" to request assistance. Some of the pages that triggered data sharing with Facebook were aimed specifically at young people, such as a page for 11 to 18-year-olds offering guidance on coping with suicidal thoughts.

Details of conversations between charities and users or messages sent via chat tools were not included in the data sent to Facebook during the Observer's analysis. All of the charities emphasised that they took service user privacy very seriously and that such messages were confidential.

However, it frequently covered browsing that most users would consider private, such as button clicks and page views on the websites of the eating disorder charity Beat and the mental health charities Mind, Shout, and Rethink Mental Illness.

The data was matched to IP addresses, which can typically be tied to a specific person or household, and, in many cases, to the visitor's Facebook account ID. The tracking tool, known as Meta Pixel, has since been removed from most of the charities' websites.
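A practitioner auditing a site like the ones described above wants to know, before looking at network traffic, whether the Meta Pixel is installed and which events it has been wired to fire. The following Python is an added example written for this page (not the Observer's tooling) that scans saved HTML for the standard pixel snippet: the fbevents.js loader, fbq('init', ...) calls, fbq('track'/'trackCustom', ...) event calls, and the noscript image fallback to facebook.com/tr. The regexes are assumptions about how the snippet normally appears, and the HTML pages it scans are constructed samples.

```python
import re

# Patterns for the standard snippet shapes (assumption: these are the usual
# forms, but a site can load the pixel through a tag manager instead).
LOADER_RE = re.compile(r"connect\.facebook\.net/[\w-]+/fbevents\.js")
INIT_RE = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]""")
EVENT_RE = re.compile(r"""fbq\(\s*['"](track|trackCustom)['"]\s*,\s*['"]([^'"]+)['"]""")
IMG_RE = re.compile(r"""facebook\.com/tr\?[^"'\s>]*?\bid=(\d+)""")


def scan_for_meta_pixel(html_text: str) -> dict:
    """Return what the page would send to Facebook: pixel IDs and the event
    names wired to page loads and clicks. Order of events is preserved."""
    pixel_ids = set(INIT_RE.findall(html_text)) | set(IMG_RE.findall(html_text))
    events = []
    for _kind, name in EVENT_RE.findall(html_text):
        if name not in events:
            events.append(name)
    loader = LOADER_RE.search(html_text) is not None
    noscript = IMG_RE.search(html_text) is not None
    return {
        "present": bool(pixel_ids) or loader or noscript,
        "pixel_ids": sorted(pixel_ids),
        "loader_script": loader,
        "noscript_fallback": noscript,
        "events": events,
    }


def scan_site(pages: dict) -> dict:
    """Scan a {url: html} mapping and report only pages that carry the pixel,
    so an audit of a charity's help and chat pages can be summarised quickly."""
    return {url: r for url, r in ((u, scan_for_meta_pixel(h)) for u, h in pages.items())
            if r["present"]}


# Constructed sample pages (not taken from any real charity site).
PAGE_WITH_PIXEL = """
<html><head>
<script>
!function(f,b,e,v,n,t,s){/* loader body omitted */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '123456789012345');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
 src="https://www.facebook.com/tr?id=123456789012345&ev=PageView&noscript=1"/></noscript>
</head><body>
<h1>Coping with suicidal thoughts</h1>
<a href="/chat" onclick="fbq('trackCustom', 'INeedHelpClick')">I need help</a>
</body></html>
"""

PAGE_WITHOUT_PIXEL = "<html><body><h1>About us</h1><p>Contact details.</p></body></html>"

if __name__ == "__main__":
    for url, result in scan_site({"/help/young-people": PAGE_WITH_PIXEL,
                                  "/about": PAGE_WITHOUT_PIXEL}).items():
        print(url, result)
```

Note that a clean scan of the HTML is not proof of absence: the pixel can also be injected by a tag manager or a consent platform, so confirm by watching for requests to facebook.com/tr in the browser's network log while exercising the "I need help" paths.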

The information was discovered following an Observer investigation last week that exposed 20 NHS England trusts sharing data with Facebook for targeted advertising. This data included browsing activity across hundreds of websites related to particular medical conditions, appointments, medications, and referral requests.

Facebook says it makes explicit that businesses should not use Meta Pixel to gather or distribute sensitive data, such as information that could expose details about a person’s health or data belonging to children. It also says it has filters to weed out sensitive data it receives by mistake. However, prior research has indicated that they don't always work, and Facebook itself acknowledges that the system "doesn't catch everything".

The social media giant has been accused of doing too little to oversee what information it is being supplied, and faced questions over why it would allow some entities – such as hospitals or mental health organisations – to send it data in the first place.

Ransomware Attacks on U.S. Hospitals Causing Deaths

Ransomware attacks are now a daily occurrence, and companies worldwide spend millions protecting their networks and systems. Defending against them is getting harder, because attackers are not limited to traditional methods; they keep adopting new techniques to strengthen their attacks.

Hospitals and clinics are a top target: the annual number of ransomware attacks on US healthcare delivery organizations nearly doubled from 2016 to 2021 and is likely to keep rising, according to a recent study published in JAMA Health Forum.

As per the report, the security breaches exploited the sensitive information of an estimated 42 million patients. “It does seem like ransomware actors have recognized that health care is a sector that has a lot of money and they're willing to pay up to try to resume health care delivery, so it seems to be an area that they're targeting more and more,” lead researcher Hannah Neprash said. 

The study covered five years of attacks on US healthcare delivery organizations and found that the volume of personal health information exposed grew over that period; the authors expect attacks to keep increasing.

According to Neprash’s database, clinics were targeted in 58% of attacks, followed by hospitals (22%), outpatient surgical centers (15%), mental health facilities (14%), and dental offices (12%). 

Threat actors typically gain a foothold through phishing or malicious websites, infect a PC or network, encrypt systems, and demand a ransom. Unlike many other cyberattacks, the primary goal is to disrupt operations rather than only to steal data, although many groups now also exfiltrate data for additional extortion leverage. When the target is a healthcare organization, that disruption can directly endanger patient outcomes.

In 2019, a baby died during a ransomware attack at Springhill Medical Center in Mobile, Ala. As per the data, 44% of the attacks disrupted care delivery, sometimes by more than a month. 

“We found that along a number of dimensions, ransomware attacks are getting more severe. It's not a good news story. This is a scary thing for health care providers and patients,” Neprash added. 

In a report published in September 2021, the Ponemon Institute, an information technology research group, found that one in four healthcare delivery organizations reported an increase in mortality rates following ransomware attacks.

“Health care organizations need to think about and drill on — that is practice — these back-up processes and systems, the old-school ways of getting out information and communicating with each other. Unfortunately, that cyber event will happen at one point or another and it will be chaos unless there is a plan,” said Lee Kim, senior principal of cybersecurity and privacy with the Healthcare Information and Management Systems Society, in Chicago.

Private Data Leaked in Ransomware Attack on Virginia Mason Franciscan Health

The parent company of Virginia Mason Franciscan Health (VMFH) was recently the target of a ransomware attack, the healthcare system disclosed earlier this week.

CommonSpirit Health, the organization behind 10 VMFH hospitals across the Puget Sound region, said that some patients' names, addresses, phone numbers, and dates of birth were in files accessed during the attack, which is still being investigated. Also included were identifiers the hospital used internally (not insurance IDs or medical record numbers).

According to Chad Burns, a spokesperson for CommonSpirit, it is unclear how many patients were affected. The company said there is currently no evidence that any personal information has been "misused."

“We apologize for any concern this may cause. CommonSpirit Health and its affiliated entities … take the protection and proper use of personal information very seriously.” CommonSpirit said in a statement. 

In mid-October, the Chicago-based healthcare organization disclosed that it had fallen victim to ransomware, after patients and staff in the Puget Sound region began noticing system disruptions at VMFH facilities. MyChart, the patient portal used to access electronic health records, prescriptions, and test results, was unavailable for roughly two weeks while the company took some systems offline and investigated. Appointments were canceled or rescheduled.

Earlier this week, CommonSpirit acknowledged that between September 16 and October 3, an "unauthorized third party" had acquired access to some areas of its network. According to the statement, the third party might have had access to patients' private information over those two weeks. 

Since then, the statement stated, electronic systems have been brought back online with more security and monitoring measures. 

CommonSpirit, which operates 140 hospitals across 21 states, notified law enforcement and continues to assist with the investigation. The company said it took steps to secure its technology, contain the incident, and preserve continuity of care.

St. Michael Medical Center in Silverdale, St. Anne in Burien, St. Anthony in Gig Harbor, St. Clare in Lakewood, St. Elizabeth in Enumclaw, St. Francis in Federal Way, and St. Joseph in Tacoma are among the VMFH facilities in Washington. 

No other information was revealed on whether the cyberattack also impacted patient data from CommonSpirit's other facilities across the nation because the investigation is still underway, according to Burns. 

Beginning on Thursday, CommonSpirit intends to mail letters to all impacted patients. Additionally, it urged patients of VMFH institutions to check their healthcare accounts for accuracy and notify their physician or insurer of any odd services or expenditures.

XSS Bugs in Canon's Vitrea View Tool, Can Expose Patient Data

In a penetration test, researchers from Trustwave SpiderLabs found two reflected cross-site scripting (XSS) flaws, tracked together as CVE-2022-3746, in third-party software bundled with Canon Medical's Vitrea View. Vitrea View lets users view and securely share medical images using the DICOM standard.

"Canon Medical released a patch for these issues in version 7.7.6. We recommend all customers on version 7.x to update to the latest release. We always appreciate vendors like Canon Medical that approach the disclosure process with transparency and in the interest of the security of their products and users."

An attacker who triggers the bugs can access or modify patient details (for instance stored scans and images) and gain additional access to some Vitrea View functionality.

The first issue is an unauthenticated reflected XSS in an error message at /vitrea-view/error/, which reflects all input following the /error/ path segment back to the user, with only minor restrictions.

How does the bug work?

The researchers observed that space characters and single and double quotes break the reflection. Base64 encoding and backticks (`) can be used to work around these restrictions, including to import remote scripts.

The second issue is another reflected XSS, this time in the Vitrea View administrative panel. An attacker reaches it by luring an authenticated admin into clicking a specially crafted link.

The researchers found that the 'limit', 'offset', and 'group' parameters of the search on the 'Groups and Users' page of the admin panel all reflect their input back to the user when text is supplied in place of the expected numeric values.

The report says :

"Like the previous finding, the reflected input is slightly restricted, as it does not allow spaces. Once an authenticated admin is coerced into visiting the affected URL, it is possible to create and modify the Python, JavaScript, and Groovy scripts used by the Vitrea View application.”

The researchers also wrote a proof-of-concept for both these vulnerabilities. Canon Medical handled these two vulnerabilities by releasing Vitrea View version 7.7.6.
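Both findings are the same class of bug: attacker-controlled input (a URL path segment in one case, query parameters in the other) echoed into HTML without output encoding. The following Python is an added example written for this page, not Trustwave's proof of concept or Canon's code. It models the two vulnerable endpoints beside hardened versions, and builds a payload in the style the researchers describe (no spaces, no quotes, base64 plus backticks) to show why a filter that merely breaks on spaces and quotes does not stop reflected XSS. The templates, the regex that models the "minor restrictions", and the parameter bounds are assumptions; the real server-side behaviour is not public.

```python
import base64
import html
import re

# Model of the reflection constraints the researchers describe: spaces and
# single/double quotes break the reflection, everything else is echoed back.
# (Assumption; the exact server-side filter is not documented.)
BREAKS_REFLECTION = re.compile(r"""[\s'"]""")

ERROR_TEMPLATE = ("<html><body><h2>Error</h2>"
                  "<p>Resource not found: {path}</p></body></html>")


def vulnerable_error_page(path_suffix: str) -> str:
    """Echoes whatever follows /vitrea-view/error/ with no output encoding."""
    return ERROR_TEMPLATE.format(path=path_suffix)


def hardened_error_page(path_suffix: str) -> str:
    """Same page with HTML entity encoding, so markup in the path is inert."""
    return ERROR_TEMPLATE.format(path=html.escape(path_suffix, quote=True))


def survives_reflection(payload: str) -> bool:
    """True when the modelled filter would still reflect the payload."""
    return BREAKS_REFLECTION.search(payload) is None


def space_and_quote_free_payload(js: str) -> str:
    """Build a payload with no spaces and no quotes: '/' separates the tag
    name from its attribute, and atob`...` (a tagged-template call) decodes
    base64 without a quoted string. Base64 output never contains spaces or
    quotes, so arbitrary JavaScript can be smuggled through the filter."""
    b64 = base64.b64encode(js.encode()).decode("ascii")
    return f"<svg/onload=eval(atob`{b64}`)>"


GROUP_TEMPLATE = ("<table><tr><td>limit={limit}</td><td>offset={offset}</td>"
                  "<td>group={group}</td></tr></table>")


def vulnerable_group_search(limit: str, offset: str, group: str) -> tuple:
    """Admin-panel search that echoes its parameters whether or not they are
    numeric. Returns (status, body)."""
    return 200, GROUP_TEMPLATE.format(limit=limit, offset=offset, group=group)


def hardened_group_search(limit: str, offset: str, group: str) -> tuple:
    """Validate the numeric parameters before use and encode the free-text
    one; reject bad input rather than reflecting it. Bounds are illustrative."""
    try:
        limit_n, offset_n = int(limit), int(offset)
    except ValueError:
        return 400, "<html><body><p>limit and offset must be integers</p></body></html>"
    if not 1 <= limit_n <= 500 or offset_n < 0:
        return 400, "<html><body><p>limit or offset out of range</p></body></html>"
    return 200, GROUP_TEMPLATE.format(limit=limit_n, offset=offset_n,
                                      group=html.escape(group, quote=True))


def contains_live_markup(body: str) -> bool:
    """True when an attacker-supplied tag survives unencoded in the response
    (checks the tags used by the payloads in this example)."""
    return re.search(r"<(svg|img)[/\s>]", body) is not None


if __name__ == "__main__":
    payload = space_and_quote_free_payload("alert(document.domain)")
    print(payload, "passes filter:", survives_reflection(payload))
    print("vulnerable reflects markup:", contains_live_markup(vulnerable_error_page(payload)))
    print("hardened reflects markup:", contains_live_markup(hardened_error_page(payload)))
    print(hardened_group_search("<img/src=x/onerror=alert`1`>", "0", "admins"))
```

The fix that matters is the output encoding, not the filter: restricting spaces and quotes only changes which payload an attacker writes, while context-appropriate encoding of every reflected value (and strict type validation for values that should be numbers) removes the injection point. For an admin panel, a Content-Security-Policy that forbids inline script would additionally blunt the onload-style payload even if a reflection slipped through.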