Hackers Attack WHO and HHS to Swipe Login Credentials

A group of hackers targeted the World Health Organization (WHO) and its partners in an attempt to steal login credentials and gain access to its network by spoofing WHO's internal email system. A number of WHO staff received spear-phishing emails containing links to a malicious web page hosting a phishing kit.

Cybersecurity expert Alexander Urbelis, who is also an attorney with the New York-based Blackstone Law Group, discovered the spear-phishing campaign on March 13. The malicious web page used to host the fake WHO login page had been used in previous attacks on WHO staff.

It is not known who was responsible for the campaign, although it is believed to be the work of a threat group known as DarkHotel, which is reported to be based in South Korea. The attackers' objectives are not known, but Urbelis believes that, given the highly targeted nature of the attack, they were after specific information. DarkHotel has previously conducted espionage campaigns in East Asia. It is plausible that the hackers were trying to obtain data on potential treatments, cures, or vaccines for COVID-19.

Reuters first reported the story and contacted WHO CISO Flavio Aggio for further details. Aggio said the campaign was unsuccessful and the attackers were unable to obtain any information. He confirmed a large increase in attacks targeting WHO in recent weeks. WHO has also been impersonated in a number of phishing campaigns that attempt to steal information and distribute malware; Aggio said attacks impersonating WHO have more than doubled during the coronavirus outbreak.

Phishers Exploit Open Redirect on HHS Website to Deploy Raccoon Information Stealer

Phishers have been found exploiting an open redirect on the HHS website to send people to a phishing web page.

Open redirects are used on websites to send visitors to a different site. An open redirect accepts any destination, so anyone can use it, and cybercriminals frequently use them in phishing campaigns. The link begins with the genuine domain of the site hosting the open redirect, so a person checking the link may be fooled into thinking they are visiting a legitimate website. They are at first, but the final destination is a phishing site.

The email used a COVID-19 lure, offered information about the coronavirus, and included a link with the text "Find and lookup your health-related symptoms."

Security researcher @SecSome identified the open redirect on a Departmental Contracts Information System subdomain. It was used to link to a malicious file containing a .lnk file, which runs a VBS script that installs the Raccoon information stealer. Raccoon can steal credentials and sensitive data from around 60 different applications.
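As an added example that is not part of the original article or of any HHS code, the following Python shows the open-redirect pattern the phishers exploited next to a hardened version that only follows targets on an allow-listed host. The host name `contracts.example.gov`, the function names and the sample link parameters are assumptions for the demonstration, not the actual HHS subdomain or URL.

```python
"""Open redirect: vulnerable handler versus an allow-listed one.

Added illustration, not code from the article or from HHS. The host name,
function names and sample URLs below are assumptions for the demonstration.
"""
from urllib.parse import urljoin, urlparse

# Hypothetical host of the site that carries the redirect endpoint.
SITE_HOST = "contracts.example.gov"
ALLOWED_HOSTS = {SITE_HOST}


def vulnerable_redirect_target(url: str) -> str:
    """The open-redirect bug: whatever arrives in the 'url' parameter is used
    verbatim as the Location header, so a phishing link can start with the
    trusted domain and end on the attacker's site."""
    return url


def safe_redirect_target(url: str, fallback: str = "/") -> str:
    """Resolve the requested target against our own origin and only follow it
    if it still points at an allowed host; otherwise send the user to
    'fallback'."""
    if not url:
        return fallback
    # Browsers accept backslashes as path separators, so "/\evil.example"
    # would otherwise look like a harmless relative path.
    candidate = url.replace("\\", "/")
    # urljoin turns relative paths into absolute URLs on our origin and
    # exposes scheme-relative tricks such as "//evil.example/login".
    resolved = urljoin(f"https://{SITE_HOST}/", candidate)
    parsed = urlparse(resolved)
    if parsed.scheme not in ("http", "https"):
        return fallback  # javascript:, data: and similar schemes
    # .hostname strips userinfo and port, so "https://contracts.example.gov@evil.example/"
    # is seen as evil.example; the exact-match comparison also rejects
    # "contracts.example.gov.evil.example", which a prefix check would pass.
    if (parsed.hostname or "").lower() not in ALLOWED_HOSTS:
        return fallback
    return resolved


if __name__ == "__main__":
    # Constructed link parameters of the kind a phishing email might carry.
    for target in [
        "/covid/symptoms",
        "https://evil.example/login",
        "//evil.example/login",
        "https://contracts.example.gov@evil.example/",
        "https://contracts.example.gov.evil.example/",
        "/\\evil.example/",
        "javascript:alert(1)",
    ]:
        print(f"{target!r:48} vulnerable -> {vulnerable_redirect_target(target)!r:48} "
              f"safe -> {safe_redirect_target(target)!r}")
```

The important design choice is that the check happens after the candidate has been resolved to an absolute URL: comparing the raw parameter against a prefix or looking for a leading slash is exactly what the scheme-relative, userinfo and lookalike-domain variants above are built to slip past.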

CMS Lightens Quality Payment Program Reporting Requirements During the COVID-19 Emergency

respiratory disease.

CMS Administrator Seema Verma said the Trump Administration is cutting bureaucratic red tape so that the healthcare delivery system can devote its time and resources to patient care.

CMS has acknowledged that collecting quality measure data and submitting reports for services provided during the COVID-19 outbreak may not reflect the true level of performance in areas such as cost, readmissions, and patient experience. The change will also reduce the burden on healthcare providers during these extraordinary circumstances.

Policy exceptions and extensions are being granted for 2019 data and for the 2020 data submission deadlines for the following quality reporting programs:

Provider Programs
Medicare Shared Savings Program Accountable Care Organizations (ACOs)
Quality Payment Program – Merit-based Incentive Payment System (MIPS)

Hospital Programs
Ambulatory Surgical Center Quality Reporting Program
End-Stage Renal Disease (ESRD) Quality Incentive Program
CrownWeb National ESRD Patient Registry and Quality Measure Reporting System
Hospital-Acquired Condition Reduction Program
Hospital Outpatient Quality Reporting Program
Hospital Value-Based Purchasing Program
Hospital Inpatient Quality Reporting Program
Hospital Readmissions Reduction Program
Inpatient Psychiatric Facility Quality Reporting Program
Promoting Interoperability Program for Eligible Hospitals and Critical Access Hospitals
PPS-Exempt Cancer Hospital Quality Reporting Program

PAC Programs
Hospice Quality Reporting Program
Home Health Quality Reporting Program
Inpatient Rehabilitation Facility Quality Reporting Program
Long Term Care Hospital Quality Reporting Program
Skilled Nursing Facility Value-Based Purchasing Program
Skilled Nursing Facility Quality Reporting Program

More information about the new reporting deadlines, exceptions, and extensions is available on this CMS web page.

HSCC Issues Guidance for Cyber Threat Information Sharing

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued guidance on sharing cyber threat information. The new guidance document is intended to help healthcare organizations develop, implement, and maintain an effective cyber threat information sharing program to reduce risk.

The new document builds on earlier guidance, the Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO), which listed the main Information Sharing and Analysis Organizations (ISAOs) for the healthcare industry identified by the HSCC. The new guidance helps organizations understand what information to share, how it can be shared, and how to protect sensitive data, and gives recommendations on obtaining internal and legal approval for information sharing processes.

One of the main benefits of participating in these programs is learning about likely attacks and the mitigations that can be applied to avoid becoming a victim. When one healthcare organization is attacked, it is likely that the same attacks will be attempted on others. By sharing threat information, healthcare organizations can learn about attacks from others and improve their security posture. This is particularly important for healthcare organizations with limited cybersecurity resources, as it allows them to obtain cybersecurity expertise through crowdsourcing.

The threat landscape changes rapidly and cybercriminals are constantly developing new attack methods. Cyber threat intelligence sharing programs allow participants to keep up with new attack strategies and act to reduce risk through the rapid sharing of actionable intelligence. Cross-organizational collaboration also helps improve patient safety through the creation of trusted networks that help address potential threats.

The guidance helps organizations map out the steps they need to take before participating in a threat information sharing program. Preparation involves setting information sharing goals and objectives and establishing governance models to ensure compliance. Information sharing assets need to be classified, a governance body must be created, and sanitization rules established. HSCC recommends involving the legal department early in the information sharing process and making sure the value and scope of information sharing are understood.

The HSCC document describes the types of information that can be shared, such as strategic, operational, tactical, and technical intelligence, open-source information, and incident response data. Threat intelligence covers not only information about malware, hacking tactics, and threat actors, but also the broader range of cyber risks that can affect the healthcare industry, such as insider threats, third-party risks, regulatory risks, cybersecurity risks, and geopolitical risks.

The guidance also makes recommendations on how to share information, including use of the Traffic Light Protocol, establishing legal protections against liability, and guidance on the people with whom threat information can be shared. The document closes with case studies demonstrating the benefits of sharing information with the community and protecting against cyberattacks.

The new guidance on cyber threat information sharing can be downloaded here.

Cybersecurity Attack at the University of Kentucky, UK HealthCare and Arkansas Children’s Hospital

The University of Kentucky (UK) has been battling since February 2020 to remove malware from its network. Cybercriminals gained access to the UK network and installed cryptocurrency mining malware, which used the processing power of UK computers to mine Bitcoin and other cryptocurrencies.

The malware caused a significant network slowdown and temporary computer system failures, resulting in repeated daily disruptions to operations, particularly at UK HealthCare.

UK believes the attack was resolved after a month of work. On Sunday morning, UK performed a major reboot of its IT systems, which took about 3 hours. UK believes the attackers have been removed from its systems, but it will be monitoring the network closely to ensure that external access remains blocked. The attacker is believed to be located outside the United States.

UK HealthCare serves more than 2 million patients and operates Good Samaritan Hospital in Lexington, KY and the UK Albert B. Chandler Hospital. Although computer systems were severely affected at times, there was no impact on patient care or patient safety.

An investigation of the breach was launched with the assistance of third-party computer forensics experts. According to University spokesman Jay Blanton, it is difficult to determine whether any sensitive information was viewed or copied. The malware attack is believed to have been conducted solely to hijack the UK network's "vast processing capabilities" for mining cryptocurrency.

UK has taken steps to strengthen its cybersecurity, including deploying CrowdStrike security software. More than $1.5 million has been spent removing the hackers from the network and improving security.

Systems Reboot at Arkansas Children's Hospital to Manage 'Cybersecurity Threat'

Arkansas Children's Hospital in Little Rock has experienced a cyberattack affecting Arkansas Children's Northwest and Arkansas Children's Hospital. The hospital rebooted its IT systems to deal with the cybersecurity threat and engaged an independent digital forensics firm to assist with the investigation.

No details have been released about the exact nature of the threat, and it is not yet clear when systems will be fully restored. All Arkansas Children's Hospital facilities continue to provide patient care, but some non-urgent appointments have been rescheduled.

The investigation is ongoing. At this point, no evidence has been found to indicate that patient information was compromised.

Potential PHI Exposure Due to Cyberattacks on Pediatric Physicians' Organization at Children's and Central Kansas Orthopedic Group

The Pediatric Physicians' Organization at Children's (PPOC) suffered a malware attack on February 10, 2020 that caused a system outage. More than 500 pediatricians, physician assistants, and nurse practitioners were unable to access patient data and appointment schedules. PPOC is a physician group affiliated with Boston Children's Hospital.

PPOC has approximately 200 servers, of which only 11 were unaffected by the malware attack. IT staff at PPOC and Boston Children's Hospital acted quickly to contain the malware and quarantined the infected servers. As a precaution, the unaffected servers were also taken offline. Boston Children's Hospital issued a statement saying its own systems were not affected.

Because patient medical records could not be accessed, PPOC informed patients that non-urgent visits would be rescheduled until the malware had been fully removed and the servers brought back online. Boston Children's Hospital issued a statement on February 12, 2020 saying that server restoration was still in progress, but no date was given for when restoration would be complete.

PPOC has more than 100 practices across Massachusetts and serves more than 350,000 patients. The malware variant used in the attack has not been identified, and it is not yet known whether the attackers viewed patient information.

Central Kansas Orthopedic Group Ransomware Attack

Central Kansas Orthopedic Group (CKOG) in Great Bend, KS suffered a ransomware attack in November 2019 in which its patient files were encrypted.

CKOG discovered the ransomware attack on November 11, 2019. The attackers issued a ransom demand, but CKOG refused to pay. Instead, CKOG was able to restore all encrypted files, including patient medical records, from backups.

A third-party forensics firm investigated the attack to determine whether the threat actors had viewed or copied patient information before deploying the ransomware. The investigators found no evidence that patient information was accessed or stolen, and no reports of data misuse have been received.

The data the attackers could potentially have accessed included names, dates of birth, email addresses, postal addresses, state-issued ID numbers, Social Security numbers, driver's license numbers, medical information related to treatment provided by CKOG, and health insurance information. CKOG has mailed notification letters to all affected patients and has offered them identity theft protection services through ID Experts.

CKOG is reviewing its security and implementing additional safeguards to strengthen its security posture.

According to HHS' Office for Civil Rights breach portal, 17,214 patients were potentially affected by the attack.

Healthcare Worker Arraigned on 430 Counts in a Criminal HIPAA Violation Case

Jessica Meier, 41, of Hamlin, NY, has been accused of accessing a patient's health records without authorization on numerous occasions in an attempt to find information that could be used in a child custody case. She is a former employee of ACM Global Laboratories, an affiliate of Rochester Regional Health.

The alleged HIPAA violations became the subject of a criminal investigation because Meier allegedly abused her access rights to patient data for malicious purposes.

Kristina Ciaccia was previously in a relationship with Meier's half-brother and has been involved in a lengthy child custody case. During the court proceedings, a past visit by her own brother to the Rochester Regional Health emergency room was raised, a visit Ciaccia herself had not known about. She suspected that her family's medical records were being snooped on and reported the matter to Rochester Regional Health.

According to court records, a Rochester Regional Health audit showed that Meier had accessed Ciaccia's private medical records more than 200 times between March 2017 and August 2019 without any legitimate work reason. It was also confirmed that Meier had viewed the health records of Ciaccia's family members.

Ciaccia reported the criminal HIPAA violations to law enforcement, which prompted the investigation. Meier was arraigned in Gates Town Court on February 11, 2020 on 215 felony counts of computer trespass and 215 misdemeanor counts of unauthorized use of a computer. Meier pleaded not guilty to all counts and the case is expected to go before a grand jury.

Snooping on someone's health records should result in charges and accountability. Ciaccia believes that Rochester Regional Health should also be held responsible, not for the breach itself but for failing to detect a recurring privacy violation that went on for more than two years.

Rochester Regional Health only learned of the unauthorized access after Ciaccia reported the potential privacy violation. Ciaccia said she felt as if Rochester Regional had paid Meier all year to access her health records. Rochester Regional Health took disciplinary action against Meier after becoming aware of the unauthorized access.

HIPAA requires healthcare organizations to implement safeguards to protect the confidentiality, integrity, and availability of patient data. Even with access controls and other security measures in place, it is not possible to prevent every instance of improper access to health records by employees. When improper access does occur, however, it must be identified promptly.

HIPAA requires healthcare organizations to maintain audit logs that record access to protected health information. Those logs make audits possible, as in this case when Ciaccia brought the matter to Rochester Regional Health's attention.

HIPAA also requires audit logs to be reviewed regularly to identify unauthorized PHI access. Had the audit logs been reviewed more closely, Rochester Regional Health would have identified the privacy violation and sanctioned Meier much sooner.
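As an added example that is not part of the original article, the following Python sketches the kind of routine audit-log review that would have surfaced the pattern described in this case. It joins constructed access-log, encounter and patient records (not Rochester Regional Health's data or log format) and flags two things: a user who repeatedly opens a record with no treatment relationship to justify it, and a user who opens unjustified records of several patients sharing a surname. The field layout, the department-based justification rule, the 30-day window and the hit threshold are all assumptions chosen for the demonstration.

```python
"""Audit-log review for PHI snooping.

Added illustration, not code or data from the article or from Rochester
Regional Health. The log layout, department matching rule, 30-day window
and thresholds below are assumptions chosen for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp,user,department,patient_id,action
ACCESS_LOG = """\
2019-03-02T08:14:00,emp1042,lab,P-501,view
2019-03-19T12:40:00,emp1042,lab,P-501,view
2019-04-07T17:05:00,emp1042,lab,P-501,view
2019-05-11T09:30:00,emp1042,lab,P-502,view
2019-06-01T10:02:00,emp1042,lab,P-501,view
2019-06-12T10:20:00,emp2201,lab,P-610,view
2019-07-23T21:15:00,emp1042,lab,P-501,view
2019-08-14T13:44:00,emp1042,lab,P-501,view
2019-08-15T07:58:00,emp1042,lab,P-502,view
"""

# Constructed encounters, i.e. the documented treatment relationship:
# patient_id,department,date
ENCOUNTERS = """\
P-610,lab,2019-06-11
P-501,emergency,2018-11-03
"""

# Constructed patient directory: patient_id,last_name
PATIENTS = """\
P-501,Doe
P-502,Doe
P-610,Roe
"""


def parse_csv(text, fields):
    """Turn a header-less CSV blob into a list of dicts keyed by 'fields'."""
    rows = []
    for line in text.strip().splitlines():
        values = [v.strip() for v in line.split(",")]
        if len(values) == len(fields):
            rows.append(dict(zip(fields, values)))
    return rows


def has_treatment_relationship(access, encounters, window_days):
    """An access is justified if the patient had an encounter with the
    accessing user's department within +/- window_days of the access."""
    when = datetime.fromisoformat(access["timestamp"])
    for enc in encounters:
        if enc["patient_id"] != access["patient_id"]:
            continue
        if enc["department"] != access["department"]:
            continue
        seen = datetime.fromisoformat(enc["date"])
        if abs(when - seen) <= timedelta(days=window_days):
            return True
    return False


def find_repeat_snooping(accesses, encounters, window_days=30, min_hits=5):
    """(user, patient) pairs with at least min_hits unjustified accesses."""
    counts = defaultdict(int)
    for a in accesses:
        if not has_treatment_relationship(a, encounters, window_days):
            counts[(a["user"], a["patient_id"])] += 1
    return {pair: n for pair, n in counts.items() if n >= min_hits}


def find_family_snooping(accesses, encounters, patients, window_days=30):
    """(user, surname) pairs where one user opened unjustified records of two
    or more patients sharing a surname, the pattern described in the case."""
    surname = {p["patient_id"]: p["last_name"] for p in patients}
    opened = defaultdict(set)
    for a in accesses:
        if has_treatment_relationship(a, encounters, window_days):
            continue
        opened[(a["user"], surname.get(a["patient_id"], "?"))].add(a["patient_id"])
    return {pair: sorted(ids) for pair, ids in opened.items() if len(ids) >= 2}


def review(access_log=ACCESS_LOG, encounters=ENCOUNTERS, patients=PATIENTS):
    """Run both rules over the raw text inputs and return the findings."""
    accesses = parse_csv(access_log, ["timestamp", "user", "department", "patient_id", "action"])
    encs = parse_csv(encounters, ["patient_id", "department", "date"])
    pats = parse_csv(patients, ["patient_id", "last_name"])
    return {
        "repeat": find_repeat_snooping(accesses, encs),
        "family": find_family_snooping(accesses, encs, pats),
    }


if __name__ == "__main__":
    for rule, hits in review().items():
        for key, value in hits.items():
            print(f"{rule}: user {key[0]} -> {key[1]}: {value}")
```

In the sample data, emp2201's single access is explained by a lab encounter the day before and is ignored, while emp1042's six accesses to P-501 have no matching encounter and are reported, as is the same user's access to two patients named Doe. In a real deployment the encounter table would come from the EHR and the thresholds would be tuned per role; the point is that these joins are cheap, and run nightly they surface a pattern like 200-plus unexplained accesses long before a patient has to complain.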

Breaches Due to Sunshine Behavioral Health Group System Misconfiguration and Lake County Behavioral Health Burglary

Sunshine Behavioral Health Group in Portland, OR provides business services to healthcare companies. The group has reported a breach of a web-based system in which patient medical records were stored. Because of an accidental misconfiguration, patient data could be accessed online by anyone.

The group discovered the problem on September 4, 2019 and immediately implemented access controls to prevent unauthorized access to patient records. On November 14, 2019, the group further restricted online access to patient records.

On December 23, 2019, Sunshine Behavioral Health Group confirmed that a folder in the cloud-based system contained the following information: names, physical addresses, debit/credit card numbers, card security codes and expiry dates, and the digital signatures of individuals who paid for medical services.

The people whose data were exposed included those who paid for services at the addiction treatment and rehabilitation centers of Willow Springs Recovery, Chapters Capistrano, Mountain Springs, and Monarch Shores.

The group has offered everyone whose data was exposed two years of complimentary MyIDCare protection services.

The incident has not yet been posted on HHS' Office for Civil Rights breach portal, so it is currently unclear how many individuals were affected.

Patient Data Exposed Due to Lake County Behavioral Health Burglary

A break-in at Lake County Behavioral Health in Clearlake, CA on December 5, 2019 resulted in the theft of a locked filing cabinet containing client health records.

The stolen records may contain the following patient information: names, contact numbers, prescription medications, case numbers, appointment schedules, payments, and amounts due. One file also contained a patient's date of birth, medical history, Social Security number, income verification details, disability status, Medi-Cal ID number, and substance use history.

Lake County Behavioral Health has mailed breach notifications to all patients whose information was stolen and advised them to file a report if their data is misused. All remaining patient records have been moved to a locked room inside the facility that is protected by an alarm system and 24-hour video monitoring. The break-in is still under investigation by the Clearlake Police Department; no arrests have yet been made.

Deadline for Submitting Reports of 2019 Healthcare Data Breaches Affecting Fewer than 500 Individuals

The HIPAA Breach Notification Rule (45 C.F.R. § 164.408) requires HIPAA-covered entities to report data breaches involving 500 or more individuals to the Secretary of the Department of Health and Human Services (HHS) within 60 days of discovering the breach. Breaches affecting fewer than 500 individuals can be reported to HHS at any time, provided the report is submitted no later than 60 days after the end of the calendar year in which the breach was discovered.

This means healthcare data breaches affecting fewer than 500 individuals must be reported to HHS on or before March 1 each year. However, since 2020 is a leap year, February has an extra day, so the deadline for reporting 2019 breaches affecting fewer than 500 individuals is one day earlier: on or before February 29, 2020.

All breach reports must be submitted to the Secretary of HHS through the Office for Civil Rights. Each breach must be reported separately, with full details of each breach. If several small breaches were experienced in the 2019 calendar year, submitting the reports can take some time, so it is advisable not to wait until the last minute to avoid missing the deadline. Breach reports submitted after the 60-day deadline may result in financial penalties.

If the number of individuals affected by a breach is not yet known, an estimate must be provided; breach reporting cannot be delayed. Once the exact number of affected individuals is known, an addendum should be submitted. Addenda should also be used to update breach reports when further details about a breach become available.

Coveware Report Reveals Higher Average Ransomware Payment in Q4 of 2019

A new report from Coveware, a ransomware incident response firm, shows a sharp increase in payments made by ransomware victims in Q4 2019. The average ransomware payment doubled in Q4 as two high-profile ransomware gangs, Sodinokibi and Ryuk, started attacking large enterprises. The average ransom payment rose from $41,198 in Q3 2019 to $84,116 in Q4.

The large increase in ransom demands is mostly due to the changing tactics of these two gangs. Ryuk in particular is now heavily targeting large enterprises: the average victim company had 1,075 employees in Q3, rising to 1,686 in Q4. The largest ransom demand in Q4 was $779,855.50, up from $377,027 in Q3.

The breakdown of ransomware attacks in Q4 was as follows:

  • 29.4% – Sodinokibi
  • 21.5% – Ryuk
  • 10.7% – Phobos
  • 9.3% – Dharma
  • 6.1% – DoppelPaymer
  • 5.1% – NetWalker
  • 10.7% – Snatch, Rapid, GlobeImposter or IEncrypt ransomware variants

The ransomware variants listed above are usually distributed under the ransomware-as-a-service model, in which affiliates sign up to use the ransomware and keep a percentage of the ransom payments. The more sophisticated gangs are selective about the affiliates they accept, while smaller gangs accept anyone. Only a few affiliates are used to distribute Sodinokibi, with some specializing in particular kinds of attack. One Sodinokibi affiliate has extensive expertise in remote monitoring and management (RMM) tools and specializes in attacking managed service providers.

Ransomware is most commonly deployed after purchasing stolen RDP credentials or brute-forcing weak RDP credentials; this method is used in more than 50% of successful ransomware attacks. Next come phishing (26%) and exploitation of software vulnerabilities (13%).

Coveware reports that attackers supplied valid keys to 98% of victims who paid the ransom, allowing them to decrypt their files. The likelihood of success depends heavily on the ransomware variant. Some threat actors default after receiving payment and do not supply valid keys. The threat groups behind Phobos, Rapid, and Mr. Dec ransomware, which are less selective and accept any affiliate, were identified as frequent defaulters.

Even with valid decryptors, some data loss is to be expected. On average, companies assisted by Coveware recovered 97% of their data; the 3% of files permanently lost were corrupted during encryption or decryption. More sophisticated attackers such as the Sodinokibi and Ryuk groups tend to be more careful when encrypting data, ensuring that recovery is possible so that their reputation is not damaged.

The average downtime after a ransomware attack was 12.1 days in Q3 2019 and 16.2 days in Q4, mainly because of the increase in attacks on large businesses with complex systems that take longer to restore.

The statistics in the report only cover ransomware victims that engaged Coveware to negotiate with the attackers and assist with recovery. Many companies choose to negotiate with attackers themselves or use other ransomware recovery firms.

Insider Breach at Beaumont Health and Ex-VA Employee Jailed for Leaking Army Major Health Data

Beaumont Health in Southfield, MI, a non-profit 8-hospital health system, has learned that a former employee accessed patients' health data without authorization and likely disclosed protected health information (PHI) to another person.

On learning of the unauthorized access, the health system launched an internal investigation. A review of the former employee's access logs showed the unauthorized access began on February 1, 2017 and continued until October 22, 2019. The healthcare provider learned of the breach in December 2019.

Beaumont Health said its internal investigation determined on December 10, 2019 that the former employee had accessed the health records of 1,182 patients over that period. The data potentially obtained and disclosed included names, email addresses, postal addresses, phone numbers, Social Security numbers, dates of birth, health insurance details, and reasons for seeking care.

The person with whom the former employee shared the data was associated with a personal injury attorney. Many of the patients whose data was accessed had received treatment for injuries sustained in motor vehicle accidents.

Once the unauthorized access was confirmed, Beaumont Health terminated the employee for violating hospital policies and HIPAA Rules. The breach has been reported to the authorities, and Beaumont Health said it will assist law enforcement should prosecution be pursued. The incident was also reported to the Michigan Health and Hospital Association.

Beaumont Health has mailed notification letters to all affected patients. Those whose Social Security numbers were exposed have also been offered credit monitoring and identity theft protection services. Individuals have been advised to be alert to the risk of identity theft and fraud, to monitor their explanation of benefits statements and accounts carefully, and to report any misuse of their information.

To prevent similar breaches in the future, Beaumont Health has updated its internal policies and procedures.

Former VA Employee Sentenced for Leaking Health Records of Ex-Army Major

Jeffrey Miller, 40, of Huntington, WV, a former employee of the Department of Veterans Affairs' Veterans Benefits Administration, has been sentenced for accessing veterans' health records without authorization and disclosing the health information of a former U.S. Army major who ran for Congress in West Virginia.

Miller pleaded guilty to obtaining the health information of 6 veterans, including retired Army Major Richard Ojeda. He photographed the information and sent it to a friend. The photo of Ojeda's health records was then passed to high-ranking Republicans in an attempt to influence his 2018 campaign for West Virginia's 3rd Congressional District.

Miller was sentenced in federal court on January 21, 2020 to 6 months in prison.