
US Health Dept Urges Hospitals to Patch Critical ‘Citrix Bleed’ Vulnerability


This week, the US Department of Health and Human Services (HHS) warned hospitals about the critical ‘Citrix Bleed’ NetScaler vulnerability, which threat actors have been exploiting in cyberattacks.

On Thursday, the department’s security team, the Health Sector Cybersecurity Coordination Center (HC3), issued an alert urging all U.S. healthcare organizations to protect their NetScaler ADC and NetScaler Gateway appliances from ransomware attacks.

“The Citrix Bleed vulnerability is being actively exploited, and HC3 strongly urges organizations to upgrade to prevent further damage against the Healthcare and Public Health (HPH) sector. This alert contains information on attack detection and mitigation of the vulnerability,” the alert read.

“HC3 strongly encourages users and administrators to review these recommended actions and upgrade their devices to prevent serious damage to the HPH sector.”

Before this warning, Citrix had already issued two advisories urging admins to patch their appliances as a priority. It also urged administrators to terminate all open and persistent sessions, to prevent attackers from using authentication tokens even after the security updates have been installed.
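The two-step remediation described above (upgrade the appliance, then kill every session because tokens stolen before the upgrade remain valid) is easy to get half right. The following Python script is an added example, not code from HHS, HC3 or Citrix: it parses NetScaler-style version strings from a constructed inventory, compares each appliance against a table of minimum fixed builds, and reports both actions per host. The fixed-build thresholds in the sample are constructed placeholders; substitute the builds from Citrix's advisory for the real check.

```python
import re
from dataclasses import dataclass

# NetScaler versions look like "13.1-49.13": <branch>-<major>.<minor>
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_build(version: str) -> tuple[str, int, int]:
    """Split a NetScaler-style version string into (branch, major, minor)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


@dataclass
class Finding:
    host: str
    version: str
    needs_upgrade: bool
    needs_session_kill: bool
    reason: str


def audit(inventory, fixed_builds):
    """Return one Finding per appliance.

    inventory:    iterable of (hostname, version_string)
    fixed_builds: {branch: (major, minor)} giving the first fixed build per branch
    """
    findings = []
    for host, version in inventory:
        branch, major, minor = parse_build(version)
        if branch not in fixed_builds:
            # A branch with no fixed build in the table is treated as vulnerable:
            # it is either end-of-life or the table is incomplete.
            findings.append(Finding(host, version, True, True,
                                    "branch has no fixed build in the table; treat as vulnerable"))
            continue
        patched = (major, minor) >= fixed_builds[branch]
        if patched:
            # Even a patched appliance keeps sessions that may have been
            # established (and whose tokens may have been read) before the upgrade.
            reason = ("on a fixed build, but sessions opened before the upgrade "
                      "may carry stolen tokens; terminate them")
        else:
            fmaj, fmin = fixed_builds[branch]
            reason = f"below fixed build {branch}-{fmaj}.{fmin}; upgrade, then terminate sessions"
        # Session termination is required in both cases.
        findings.append(Finding(host, version, not patched, True, reason))
    return findings


# Constructed sample data: placeholder hostnames and placeholder thresholds,
# not the real fixed builds from Citrix's advisory.
SAMPLE_FIXED_BUILDS = {"13.1": (50, 0), "14.1": (9, 0)}
SAMPLE_INVENTORY = [
    ("gw-a.example.internal", "13.1-49.13"),   # below threshold
    ("gw-b.example.internal", "13.1-50.2"),    # at/above threshold
    ("gw-c.example.internal", "12.1-55.1"),    # branch not in table
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, SAMPLE_FIXED_BUILDS):
        actions = []
        if f.needs_upgrade:
            actions.append("UPGRADE")
        if f.needs_session_kill:
            actions.append("KILL-SESSIONS")
        print(f"{f.host:24} {f.version:12} {' + '.join(actions):24} {f.reason}")
```

The design choice worth noting is that `needs_session_kill` is true for every host, including the ones already on a fixed build: a version check alone says nothing about whether tokens were harvested while the appliance was still exposed, and the exploitation window reported for this bug predates the patch by weeks.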

Thousands of Servers Exposed, Many Already Breached

Cybersecurity professional Kevin Beaumont has been monitoring and analyzing cyberattacks against a variety of targets throughout the globe, such as Boeing, DP World, Allen & Overy, and the Industrial and Commercial Bank of China (ICBC), and he discovered that these targets were probably all compromised through the use of Citrix Bleed exploits. 

On Friday, Beaumont revealed that a U.S.-based managed service provider (MSP) had suffered a ransomware attack by a threat group that exploited the Citrix Bleed vulnerability a week earlier.

The MSP is still working to secure its vulnerable NetScaler appliances, which may leave its clients' networks and data open to further intrusions.

Citrix fixed the vulnerability in early October, but Mandiant subsequently found that it had been actively exploited as a zero-day since at least late August 2023.

AssetNote, an external attack surface management company, released a CVE-2023-4966 proof-of-concept exploit on October 25, showing how session tokens can be retrieved from Citrix appliances that have not been patched.

According to Japan-based threat researcher Yutaka Sejiyama, over 10,000 Citrix servers, many belonging to major organizations worldwide, were still vulnerable to Citrix Bleed attacks more than a month after the critical flaw was patched.

“This urgent warning by HC3 signifies the seriousness of the Citrix Bleed vulnerability and the urgent need to deploy the existing Citrix patches and upgrades to secure our systems,” said John Riggi, a cybersecurity and risk advisor for the American Hospital Association, a healthcare industry trade group representing 5,000 hospitals and healthcare providers across the U.S.

According to Riggi, the case also highlights the ferocity with which ‘foreign ransomware gangs,’ mainly Russian-speaking groups, continue to attack medical facilities and other healthcare institutions. Ransomware attacks interrupt and delay healthcare delivery, placing patients' lives in danger.

Rhysida Ransomware Group: Social Security Numbers, Passport Data Compromised in Recent Hospital Attack


On Thursday, the Rhysida ransomware gang confirmed it was behind the recent cyberattack on Prospect Medical Holdings, according to a dark web listing reviewed by Axios.

The gang claims to have stolen more than 500,000 Social Security numbers along with copies of employees’ driver's licenses and passports. Other legal and financial documents are also said to be compromised.

Prospect Medical Holdings, which operates 16 hospitals across four U.S. states, confirms that the ransomware attack was launched earlier this month and has disrupted its online operations since.

Several elective surgeries, outpatient appointments, blood drives and other services have been put on hold because of the attack.

According to a Prospect spokesperson, the company was unable to comment on the suspected data leak due to “the sensitivity of the incident and law enforcement involvement.”

“Prospect Medical continues to work around-the-clock to recover critical systems and restore their integrity […] We are making significant progress. Some operational systems have been fully restored and we are in the process of bringing others online,” the spokesperson said.

Rhysida Ransomware Group

Rhysida listed Prospect as one of its victims on its dark web site on Thursday, claiming to have taken 1.3 terabytes of SQL data and 1 terabyte of “unique” files.

If the ransom demand is not met, the group has threatened to expose the victims’ names on its site.

Rhysida’s listing says that it will auction off “more than 500,000 SNNs, passports of their clients and employees, driver's licenses, patient files (profile, medical history), financial and legal documents!!!”

According to the listing, the auction ends in nine days, with a starting price of 50 Bitcoins.

Rhysida first came to light in May, but government officials and cybersecurity professionals say they had already been aware of the group, after it targeted critical infrastructure organizations in recent months.

The Department of Health and Human Services (HHS) has also published an advisory on the group, since Rhysida’s primary targets have been organizations in the health and public health sector. The advisory notes that Rhysida’s victims also include firms in the education and manufacturing sectors.

HHS has advised organizations to patch known security flaws in their systems and to maintain data backups in case systems are taken offline. It also recommended phishing awareness training for employees.

How Much Will Each Stolen Client SSN Cost You Now That You Have Been Pwned?


A Florida healthcare organization has settled a class-action lawsuit following the theft from its systems of more than 447,000 patient names, Social Security numbers, and private medical information.

Orlando Family Physicians, which has 10 clinics in central Florida, has agreed to reimburse affected patients who submit a claim by July 1 and to provide them two years of free credit monitoring. Patients may receive up to $225 or, for those whose SSNs were stolen, up to $7,500, depending on what kind of private information the thieves obtained.

As part of the settlement, however, the physician group denies any responsibility for the data theft.

Court records reveal that the intrusion took place in April 2021, after thieves used a phishing scam to gain access to the email accounts of four employees. Orlando Family Physicians says it “immediately” took the necessary steps, contained the intrusion and hired a “leading” security firm to determine the scope of the breach.

A few months later, the health group published a notice on its website and sent letters to victims whose private information was compromised. The data reportedly includes names, demographic information, health information (including diagnoses, medical record numbers, patient account numbers, passport numbers, providers and prescriptions), and health insurance details, including legacy Medicare beneficiary numbers derived from the person's Social Security number or other subscriber identification numbers.

However, according to the physician group, “the available forensic evidence indicates that the unauthorized person’s purpose was to commit financial fraud against OFP and not to obtain personal information about the affected individuals.”

OFP also reported the breach to the US Department of Health and Human Services, stating that it potentially affected 447,426 individuals.

Is Your PII Worth $250, or $75k? 

After the attorneys take their cut, of course, the hundreds of thousands of people whose personal information almost certainly ended up for sale on a hacking forum are now eligible for compensation. The settlement's overall sum is still undisclosed.

Two groups within the class stand to gain monetarily. The first group, individuals who incurred out-of-pocket costs as a result of the theft, may file a claim for up to $225 in documented expenses. This covers costs incurred while freezing or unfreezing credit reports, paying for credit monitoring services, or contacting banks about the incident, including notary, fax, mailing, copying, mileage, and long-distance phone costs.

Victims in this group can also claim up to three hours of time lost dealing with the breach, at a rate of $25 per hour.

The second group consists of victims whose Social Security numbers were taken. They are eligible to claim up to $7,500 for confirmed instances of identity theft, fraudulent tax returns, or other fraud that can be traced back to the original hack. They can also claim up to eight hours of lost time at $25 per hour.

The settlement comes as ransomware gangs and other cybercriminals intensify their attacks on hospitals and other healthcare organizations, and lawyers have responded by bringing numerous class-action cases.

The aforementioned class-action lawsuit was proposed following a February intrusion in which the BlackCat ransomware gang infiltrated the network of a Lehigh Valley Health Network physician practice, stole sensitive health records belonging to more than 75,000 people, including pictures of patients receiving radiation oncology treatment, and then demanded a ransom to decrypt the files and refrain from posting the records online.

Telehealth Startup Reveals Exposing Private Data of Millions of its Patients


Cerebral, a telehealth startup specializing in mental health, has revealed that it exposed its patients’ private information, including mental health assessments.

The data of more than 3.1 million patients in the US was reportedly shared with advertisers and social media giants such as Facebook, Google, and TikTok.

In a notice published on its website, the company admitted to having exposed patient data from as far back as October 2019 through the tracking technologies it had been using.

The startup rose to prominence during the COVID-19 pandemic, when lockdowns pushed patients toward online-only virtual health services; it disclosed the security lapse in its systems at the time.

In a filing with the federal government about the lapse, the company revealed that it had shared personal and health-related information of patients who sought therapy or other mental health care services through its app.

The collected and shared data includes names, phone numbers, email addresses, dates of birth, IP addresses, and other demographic data, as well as data from Cerebral's online mental health self-assessment, which may have included the services the patient chose, their assessment responses, and other related health information.

Reportedly, Cerebral embedded trackers and other data-collection code in its apps, which shared patient data with the digital giants in real time.

In most cases, online users have no idea that they are opting into tracking in these apps; they simply accept the app’s terms of use and privacy policies, which they rarely read.

According to Cerebral, the data could vary from patient to patient based on different factors, like “what actions individuals took on Cerebral’s Platforms, the nature of the services provided by the Subcontractors, the configuration of Tracking Technologies,” and more. The company added that it will notify the affected users, regardless of “how an individual interacted with the Cerebral’s platform.” 

Cerebral also states that no Social Security numbers, credit card details, or bank account information were exposed. Following the data breach in January, the company says it has “disabled, reconfigured, and/or removed any of the tracking pixels on the platform to prevent future exposures, and has enhanced its information security practices and technology vetting processes.”

It added that it has removed the tracking code from its apps. However, the tech giants are under no obligation to delete the data that Cerebral already shared with them.
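The tracking-pixel problem described above is a page-content audit: any script, image or frame loaded from a host other than the provider's own can carry whatever the page knows about the patient to a third party. The Python script below is an added example written for this post, not Cerebral's code or anything from the HHS notice. It parses a constructed sample page with the standard library's HTMLParser, lists every external host that page resources are fetched from, and flags inline calls to the well-known pixel APIs of the three companies named in the article (`fbq(` for Meta, `gtag(` for Google, `ttq.` for TikTok). The hostnames in the sample are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline JavaScript entry points of the Meta, Google and TikTok pixels.
INLINE_TRACKER_MARKERS = ("fbq(", "gtag(", "ttq.")

# Constructed sample page: the hostnames are placeholders, not real integrations.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.example-adnetwork.test/tag.js"></script>
<script>
  // inline tag that would report a signup event to a third party
  fbq('track', 'CompleteRegistration');
</script>
</head><body>
<img src="https://pixel.example-social.test/tr?ev=PageView" width="1" height="1">
<img src="/images/logo.png">
</body></html>
"""


class ThirdPartyAuditor(HTMLParser):
    """Collect third-party resource loads and inline pixel calls from an HTML page."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.third_party = []           # (tag, host, url) for every external load
        self.inline_tracker_calls = []  # markers found inside inline <script> blocks
        self._script_buf = None         # accumulates the body of the current <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._script_buf = []
        if tag in ("script", "img", "iframe") and a.get("src"):
            self._classify(tag, a["src"])

    def handle_data(self, data):
        # Script bodies may arrive in several chunks; buffer them until </script>.
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf)
            for marker in INLINE_TRACKER_MARKERS:
                if marker in body:
                    self.inline_tracker_calls.append(marker)
            self._script_buf = None

    def _classify(self, tag, url):
        host = urlparse(url).hostname
        if host is None:  # relative URL: served from the first party itself
            return
        host = host.lower()
        if host == self.first_party_host or host.endswith("." + self.first_party_host):
            return
        self.third_party.append((tag, host, url))


def audit_page(html, first_party_host):
    """Return the external hosts, the resources loaded from them, and inline pixel calls."""
    p = ThirdPartyAuditor(first_party_host)
    p.feed(html)
    p.close()
    return {
        "third_party_hosts": sorted({h for _, h, _ in p.third_party}),
        "resources": p.third_party,
        "inline_tracker_calls": p.inline_tracker_calls,
    }


if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML, "app.example-telehealth.test")
    for tag, host, url in report["resources"]:
        print(f"third-party {tag:6} {host:36} {url}")
    for marker in report["inline_tracker_calls"]:
        print(f"inline pixel call: {marker}")
```

Run against a real page, every host in `third_party_hosts` is a data recipient that a HIPAA-covered entity would need a business associate agreement with, or would need to remove; the inline-marker check catches pixels that are loaded dynamically rather than via a `src` attribute, which a host allowlist on its own would miss.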

Because Cerebral handles sensitive patient information, it is covered by HIPAA, the U.S. health privacy regulation. The U.S. Department of Health and Human Services, which oversees and enforces HIPAA, maintains a list of health data breaches under investigation; Cerebral's data leak is the second-largest compromise of health data in 2023.