HIPAA, Breach, Cyber Security, Healthcare IT, Information Security, Podcast

ProactiveIT Ep 19 – Business Associates Listen Up

February 28, 2020

This is the ProactiveIT Podcast. This week: the latest in IT and cyber security news, plus class-action suits for HIPAA breaches, PayPal issues abound, and Business Associates Listen Up.

This is Episode 19!

Intro

Hi everyone and welcome to the ProactiveIT Podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real world examples to learn from so that you can better protect your business and identity.

This podcast is brought to you by Nwaj Tech, a client focused & security minded IT consultant located in Central Connecticut. You can find us at nwajtech.com.

Thanks for listening to this podcast. Show us some love on Apple or Google Podcasts. Subscribe and leave us some positive feedback. What are you waiting for?

Also, go join the Get HIPAA Compliance Facebook Group. Search for Get HIPAA Compliance.

Patch Tuesday Update:

Google Chrome 80.0.3987.122 (Update)
Critical Cisco ‘CDPwn’ Flaws Break Network Segmentation
https://www.us-cert.gov/ncas/current-activity
Microsoft’s February 2020 Patch Tuesday Fixes 99 Flaws, IE 0day
Firefox 73.0.1 Released With Fixes for Linux, Windows Crashes
Cisco Releases Security Updates
Adobe Releases Security Updates for After Effects and Media Encoder
VMware Releases Security Updates for vRealize Operations for Horizon Adapter

Cyber Security News

Slickwraps Data Breach Exposes Financial and Customer Info

DoppelPaymer Ransomware Launches Site to Post Victim’s Data

Six suspected drug dealers went free after police lost evidence in ransomware attack

Stalkerware Attacks Increased 50 Percent Last Year, Report

Hackers Scanning for Vulnerable Microsoft Exchange Servers, Patch Now!

Norton LifeLock Phishing Scam Installs Remote Access Trojan

Ransomware victims thought their backups were safe. They were wrong


Topic 1: New Jersey Hospital Network Faces Lawsuit Over Ransomware Attack
UW Medicine Faces Class Action Lawsuit Over 974,000-Record Data Breach


Topic 2: We found 6 critical PayPal vulnerabilities – and PayPal punished us for it

Topic 3: Google’s acquisition of Fitbit could pose ‘high level of risk to privacy and data protection’

The European Data Protection Board has ordered the firms to mitigate possible risks.

HIPAA Corner:

Maze Ransomware Attack on Accounting Firm Impacts Patients of New York Medical Group

Breaches

https://www.hipaajournal.com/category/hipaa-breach-news/


Transcription (Unedited)

This is the ProactiveIT podcast. This week: the latest in IT and cyber security news, plus class action suits for HIPAA breaches, PayPal issues abound, and business associates, listen up. This is Episode 19. Hi, everyone, welcome to the ProactiveIT podcast. Each week we talk about the latest in tech and cyber news, compliance and more. We also bring you real world examples to learn from so that you can better protect your business and your identity. This podcast is brought to you by Nwaj Tech, a client focused and security minded consultant located in Central Connecticut. You can find us at nwajtech.com, that’s N-W-A-J-tech.com. Hello everyone and welcome to the podcast, episode 19. If you’re listening to us on Apple, Google, Stitcher or whatever podcast platform you’re listening to this on, please subscribe, leave us some positive feedback, share it out; whatever you could do to spread the word would be greatly appreciated and would send you virtual hugs. And if you are in a HIPAA compliant business, whether that’s a business associate or a covered entity, hop on over to Facebook, type in Get HIPAA Compliance, join the group and you will not regret it. I do not have any questions sent in this week, so we’re going to jump right into the Patch Tuesday update. There are no additional updates, except that Google Chrome needs to be updated to address some security vulnerabilities. You should be on Google Chrome 80.0.3987.122. This is the last Patch Tuesday update of February, so we’ll be updating more next month. Next episode, I should say; I will not be recording next Friday, so Episode 20 will be waiting two weeks. In addition to the Google Chrome update, you’ll have a list of updates that will be recorded in the show notes, so make sure you check that out. Time for the biggest news of the week. First up, BleepingComputer reported earlier this week: Slickwraps data breach exposes financial and customer info.
Slickwraps has suffered a data breach after a security researcher, who was able to access their systems and received no response to emails, publicly disclosed how they gained access to the site and the data that was exposed. Slickwraps is a mobile device case retailer who sells a large assortment of pre-made cases and custom cases made from images uploaded by customers. In a post to Medium, a security researcher named Lynx states that in January 2020 he was able to gain full access to the Slickwraps website using a path traversal vulnerability in an upload script used for case customizations. Using this access, Lynx stated that they were allegedly able to gain access to the resumes of employees, nine gigs of personal customer photos, Zendesk ticketing system API credentials, and personal customer information such as hashed passwords, addresses, email addresses, phone numbers and transactions. So a couple of notes here real quick. I have myself seen where, and I don’t know why employers do this, they store resumes online. I have myself done this and found resumes on other company sites in the past. And the other thing here, hashed passwords: you might be thinking, oh, it’s hashed, it’s okay. It’s not, you’re not secure, because if that hashed password has already been cracked, that means it’s already on the dark web somewhere, and so somebody only needs to match up the hash with the password and now they have access. So after trying to report these breaches to Slickwraps, Lynx stated they were blocked multiple times, even when stating they did not want a bounty but rather for Slickwraps to disclose the data breach. They had no interest in accepting security advice from me.
They simply blocked and ignored me, Lynx stated in a Medium post. This post has since been taken down by Medium but it’s available via archive.org. Since posting his Medium post, Lynx told BleepingComputer that another unauthorized user sent an email to 377,428 customers using Slickwraps’ Zendesk help desk system. These emails begin with, if you’re reading this, it’s too late. We have your data, and then a link to Lynx’s Medium post. Some of these customers have posted images of the email to Twitter, as seen below. So there’s an image of the letter here on the BleepingComputer article. When BleepingComputer asked Lynx if he knew who was sending out the emails, he told us that it was not him, but they had seen traces of other unauthorized users inside the Slickwraps website as well. I saw some activity during my research, maybe they’re the same people who sent out the emails, no clue to be honest, Lynx told BleepingComputer. When they asked why they continued to look for more vulnerabilities instead of simply contacting Slickwraps (and why I’m having such a hard time saying Slickwraps) when they first gained access, we were told: as a white hat, we want to see how far we can go so we can generate a full report. No point in doing research and reporting the first vulnerability when there are still ten others. While Lynx told BleepingComputer that they were always concerned about legal repercussions after performing penetration testing, they felt that due to the severity, the data breach needed to be publicly disclosed. Companies know that I never intend to harm them and sometimes even offer bounties. This one was different in the sense that they blocked me and did not care about the customers at all. Since this is a major breach and I exhausted all my other options to contact them, I felt the need to disclose this publicly in hopes that they’d fix this ASAP.
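The host’s point about the Slickwraps hashed passwords (a hash of a password that is already in a cracked list is no protection at all) is easy to show in code. The following is an added example, not code from the podcast or from Slickwraps; the "leaked" password list and the stored digests are constructed for the demo. It contrasts an unsalted SHA-256 digest, which one dictionary lookup reverses, with a per-user salted PBKDF2-HMAC record, which cannot be matched against any precomputed table.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data: a handful of passwords that already circulate in
# plaintext (what a "cracked list" amounts to). A breached site that stored
# bare SHA-256 digests of these is effectively storing the plaintext.
LEAKED_PLAINTEXTS = ["password", "123456", "letmein", "qwerty", "summer2019"]


def sha256_hex(password: str) -> str:
    """Unsalted, fast hash of the kind the host warns about."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(plaintexts):
    """Map digest -> plaintext. The same password always yields the same digest,
    so anyone holding this table can 'match up the hash with the password'."""
    return {sha256_hex(p): p for p in plaintexts}


def match_unsalted(stored_hash: str, table) -> Optional[str]:
    """Return the plaintext if the stored digest is already in the table."""
    return table.get(stored_hash)


def store_salted(password: str, iterations: int = 100_000) -> dict:
    """Hardened storage: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt defeats precomputed tables; the iteration count keeps guessing slow
    even when the salt is known."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    table = build_lookup_table(LEAKED_PLAINTEXTS)

    # A site stored sha256("letmein") with no salt: one lookup recovers it.
    recovered = match_unsalted(sha256_hex("letmein"), table)

    # The same password stored twice with salting gives two different records,
    # neither of which appears in the precomputed table.
    rec_a = store_salted("letmein")
    rec_b = store_salted("letmein")

    return {
        "recovered_from_unsalted": recovered,                           # "letmein"
        "salted_records_differ": rec_a["hash"] != rec_b["hash"],        # True
        "salted_hash_in_table": rec_a["hash"] in table,                 # False
        "correct_password_verifies": verify_salted("letmein", rec_a),   # True
        "wrong_password_verifies": verify_salted("wrong", rec_a),       # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The takeaway for a breach notification is the same one the host makes: if the stored digests were unsalted, treat every affected password as exposed and force a reset; if they were salted and slow-hashed, the exposure is limited to users who chose passwords weak enough to guess individually.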
Even with the breach disclosed in a Medium post and technical details having been posted, Lynx told us that the vulnerabilities still exist in the website and that they still have access. So a couple things here. First of all, don’t do that. Don’t do that without an agreement in place with the company; don’t go and hack their website or hack their business. That’s not going to be good, because they can turn around and sue him now. They didn’t have an agreement in place, so they can turn around and sue him, and technically he could be arrested. He did break the law. The laws right now don’t allow for this kind of behavior without the company being aware of it. The other thing is, shame on Slickwraps for not addressing it; it could have been handled a lot better. They could have said, hey, you know, let’s get this fixed, and thanks, Lynx, for sharing this. But they didn’t move it along.

DoppelPaymer ransomware launches site to post victims’ data. The operators of the DoppelPaymer ransomware have launched a site that they will use to shame victims who do not pay a ransom and to publish any files that were stolen before computers were encrypted. A new extortion method started by the Maze ransomware is to steal files before encrypting them and then use them as leverage to get victims to pay the ransom. If the ransom is not paid, then the ransomware operators release the stolen files on a public news site to expose the victim to government fines, lawsuits, and the risk of the attack being classified as a data breach. And if it is classified as a data breach, you have bigger problems. Soon after starting this tactic, other ransomware families including Sodinokibi, Nemty and DoppelPaymer have stated that they would begin this practice as well. Yeah, okay, so I did read that. So Maze ransomware started this, and now Sodinokibi, Nemty and DoppelPaymer are also doing it.
DoppelPaymer launches a public leak site. Today the operators of the DoppelPaymer ransomware, and this was reported on the 25th, so two days ago, three days ago, the operators of the DoppelPaymer ransomware have followed in Maze’s footsteps and launched a site called Dopple Leaks that will be used to leak files and shame non-paying victims. DoppelPaymer is an enterprise-targeting ransomware that compromises a corporate network, eventually gains access to admin credentials, and then deploys the ransomware on the network to encrypt all devices. As these attacks encrypt hundreds if not thousands of devices, they tend to have a huge impact on operations, and attackers demand a very large ransom. The ransomware operators said that they’ve created the site as a threat to victims: if they do not pay, their data and names will be leaked by the attackers. So you know, you have two choices, really three choices: one, don’t pay and risk having your data exposed and being classified as a data breach; two, pay it; and three, make sure you have mitigation in place to not get hit with a ransomware attack.

On ZDNet: six suspected drug dealers went free after police lost evidence in a ransomware attack. This is the seventh incident of its kind where police investigations were impacted by a ransomware infection. US prosecutors were forced to drop 11 narcotics cases against six suspected drug dealers after crucial case files were lost in a ransomware infection at a Florida police department. So I don’t know what it is with Florida; Florida seems to have more than its share of ransomware attacks. But here’s another one. The evidence in 11 cases could not be recovered following a ransomware attack that hit the Stuart police department in April of 2019. While Stuart police recovered some data from backups, some files could not be recovered. Lost files included photo and video evidence.
Detective Sergeant Mike Gerwan with the Stuart Police Department told WPTV in an interview last week. Gerwan said that the drug cases included charges for possession of meth, possession of cocaine, selling narcotics, manufacturing narcotics, and delivering narcotics, among others. Previous cases of police losing data: however, while the Stuart police ransomware incident looks bad, it is not an isolated case. Ransomware infections have been wreaking havoc across the US for the past four years, and what happened in Stuart has also happened in other places, with other police departments losing crucial case evidence or having activities disrupted in a severe way. So here they are. January 2017: police in Cockrell Hill, Texas admitted to losing eight years’ worth of evidence following an infection with the Osiris ransomware. May 2018: police in Riverside, Ohio lost 10 months’ worth of cases after a ransomware infection, then got reinfected a month later, but the second time around they were prepared and didn’t lose any additional files. June 2018: Atlanta officials discovered the city’s police department lost almost two years of police car dash cam video evidence following the March 2018 ransomware attack. July 2018: police in Lawrenceville, Georgia lost case-related files and body cam footage following a ransomware incident; it remains unclear how much data the police department lost, as there are conflicting reports ranging from weeks to years’ worth of case evidence. July 2018: a ransomware infection impacted police car laptops for the Georgia State Patrol, Georgia Capitol Police and Georgia Motor Carrier Compliance Division; police car laptops and dash cams remained down and unable to record new video evidence for more than a month. December 2019: the St. Lucie County Sheriff’s Office in Florida lost a week’s worth of emails and evidence following a ransomware infection, even though the office restored from backups.
So that’s seven cases, most of those in Georgia and Florida, with two outside of those areas. So down south, down south police departments are really taking it on the chin, huh?

On Threatpost: stalkerware attacks increased 50 percent last year, a report. Research puts the emerging mobile threat, which monitors the whereabouts and device activity of users as well as collecting personal data, into clear focus. The number of stalkerware attacks on mobile devices increased 50 percent over the last year, showing an upward and continued trend in the emerging threat, researchers said. Over the past year, the instances of stalkerware, which tracks users without their knowledge and can result in harassment, surveillance, stalking, and even domestic violence, increased from 40,386 to 67,500 in 2019, according to new research from Kaspersky. Attacks involving the use of mobile stalkerware became more frequent, the purpose being to monitor and collect information about the victim, Victor Chebyshev, a research development team lead at Kaspersky, wrote in a post on the company’s Securelist blog outlining trends in mobile malware in 2018. At the same time, stalkerware, a threat that appeared on security researchers’ radar only in the last couple of years, also began to show signs of keeping pace with its malware cousins in terms of sophistication, he said. Researchers have had some difficulty in the past defining stalkerware, because the software used in these types of attacks typically varies between surreptitious spyware available on illicit online markets and more legitimate applications that can be obtained through app stores such as Google Play. That landscape is beginning to change slightly, however, as stalkerware comes into clear focus and security researchers and privacy advocates alike are aligning to help define exactly what this threat entails as well as prevent future attacks.
Kaspersky researchers divide stalkerware into two categories, trackers and full-fledged tracking apps. The first type of software has two main features, checking the victim’s coordinates and intercepting text messages, Chebyshev wrote. Once this type of app is loaded on a device, a third party can access messages and data about the user’s location, he said. However, it’s possible for a wider audience also to gain access to the data collected by trackers, as the client-server interaction of some services ignores even the minimum security requirements of a device, Chebyshev wrote. While this type of mobile app previously was available on the official Google Play marketplace, changes to Google’s policy in 2018 led to the removal of most of these apps from the store, with developers subsequently pulling support for these products, he said. Trackers can still be found on the developers’ and third-party sites, Chebyshev wrote. So what does that mean? It means, you know, be careful who handles your phone and what they do on your phone.

BleepingComputer: hackers are scanning for vulnerable Microsoft Exchange servers. So real quick note, there was a patch for Microsoft Exchange. CVE-2020-0688 is a critical remote code execution vulnerability that was patched two weeks ago. So you need to patch your Microsoft Exchange Server if you are still running one, because it is being actively looked for.

BleepingComputer report: Norton LifeLock phishing scam installs remote access Trojan. Cyber criminals behind a recently observed phishing scam used a clever ruse in the form of a bogus Norton LifeLock document to fool victims into installing a remote access Trojan that is typically used for legitimate purposes. The malicious activity has the hallmarks of a seasoned threat actor familiar with the evasion techniques and offensive security frameworks that help install the payload.
Hooking the victim: the infection chain starts with a Microsoft Word document laced with malicious macro code. The threat actor relied on a creative tactic to entice victims into enabling macros, which are disabled by default across the Office suite. Under the pretext of a password protected Norton LifeLock document with personal information, victims are asked to enable macros and type in a password that is most likely provided in the phishing email. Security researchers from Unit 42, Palo Alto Networks’ threat intelligence team, found that the password dialog box accepts only the uppercase or lowercase letter C. When a wrong password is entered, an error pops up showing the message incorrect key, and the malicious action does not continue in this scenario. If the user provides the correct input, the macro keeps executing and builds a command string that ultimately installs NetSupport Manager, a legitimate remote control software. This is achieved in three steps: via the VBA Shell function it launches cmd.exe, passing it the /c parameter, which carries out the command and exits; it constructs a batch file, names it alpaca.bat, and executes the newly created batch script; and the binary is downloaded and installed with the help of the msiexec command and the Windows Installer service. Delivery is from a domain, quickwaysignstx[.]com/view.php, that appears to have been compromised by the attacker for this purpose; however, the procedure occurs only when the request has the user agent string Windows Installer, which is part of the msiexec command. Using a different user agent shows a benign image. So if you get any documents from Norton LifeLock, I would probably err on the side of caution and just, you know, maybe call them and check with them to make sure that it is legitimate.
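The Norton LifeLock chain above leaves two observable traces a defender can key on without any malware analysis: the incoming Word file carries a VBA project, and the download stage is an msiexec fetch whose User-Agent is the "Windows Installer" string, aimed at a host that is not a sanctioned package source. The following is an added example, not code from the podcast or from Unit 42; the sample document and the proxy log lines are constructed, and the allowlist of installer hosts is an assumption you would replace with your own.

```python
import io
import shlex
import zipfile
from urllib.parse import urlsplit

# OOXML documents are zip containers; the VBA project, when present, is stored
# in this part. Its presence is the cheapest "this document carries macros" check.
VBA_PART = "word/vbaProject.bin"


def build_sample_document(with_macro: bool) -> bytes:
    """Constructed minimal Word container for the demo (real files have many more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA storage.
            z.writestr(VBA_PART, b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


def has_vba_project(doc_bytes: bytes) -> bool:
    """True if the container carries a VBA project part (macro-capable document)."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
            return any(name.lower() == VBA_PART.lower() for name in z.namelist())
    except zipfile.BadZipFile:
        return False


# Constructed proxy log: timestamp, client IP, method, URL, quoted User-Agent.
SAMPLE_PROXY_LOG = """\
2020-02-26T14:01:03Z 10.0.5.23 GET http://updates.corp.example/pkg/agent.msi "Windows Installer"
2020-02-26T14:02:11Z 10.0.5.23 GET http://www.example.com/index.html "Mozilla/5.0"
2020-02-26T14:02:40Z 10.0.5.23 GET http://compromised-site.example/view.php "Windows Installer"
2020-02-26T14:03:05Z 10.0.5.77 GET http://compromised-site.example/view.php "Mozilla/5.0"
"""

# Hosts from which msiexec is expected to pull packages (assumed, site-specific).
ALLOWED_INSTALLER_HOSTS = {"updates.corp.example"}


def flag_installer_downloads(log_text: str, allowed_hosts=ALLOWED_INSTALLER_HOSTS):
    """Return (timestamp, client, url) for requests whose User-Agent is the
    Windows Installer string but whose host is not an approved package source."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, user_agent = shlex.split(line)
        host = (urlsplit(url).hostname or "").lower()
        if user_agent.startswith("Windows Installer") and host not in allowed_hosts:
            flagged.append((ts, client, url))
    return flagged


if __name__ == "__main__":
    print("macro doc flagged:", has_vba_project(build_sample_document(True)))
    print("plain doc flagged:", has_vba_project(build_sample_document(False)))
    for hit in flag_installer_downloads(SAMPLE_PROXY_LOG):
        print("suspicious msiexec fetch:", hit)
```

The zip check only tells you a document can run macros; for the contents of the VBA project you would hand the file to a dedicated parser such as olevba from the oletools project. The proxy rule is the more valuable of the two here, because it fires on the stage that actually installs the RAT, and it keeps firing even when the lure document changes.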
And the last bit of news we’re going to share this morning, on ZDNet: ransomware victims thought that their backups were safe. They were wrong. Ransomware victims are finding out too late that their vital backups are online and also getting encrypted by crooks, warns the UK cyber security agency. The UK cyber security agency updated its guidance on what to do after a ransomware attack, following a series of incidents where organizations were hit with ransomware but also had their backups encrypted because they had left them connected to their networks. I’ve only mentioned that a few times on the show. Keeping a backup copy of vital data is a good way of reducing the damage of a ransomware attack. It allows companies to get systems up and running again without having to pay off the crooks, but the backup data isn’t much good if it’s also infected with ransomware and thus encrypted and unusable, because it was still connected to the network when the attack took place. The UK’s National Cyber Security Centre (NCSC) said it has now updated its guidance by emphasizing offline backups as a defense against ransomware. We’ve seen a number of ransomware incidents lately where the victims had backed up their essential data, which is great, but all the backups were online at the time of the incident. Not so great, as the backups were also encrypted and ransomed together with the rest of the victim’s data, the agency warned. While the NCSC has previously recommended offline backups, it said recent incidents such as attacks by the TrickBot banking Trojan malware suggested a greater emphasis was needed. Key to mitigating a ransomware attack, the NCSC said, is to ensure that businesses have up to date backups of important files; organizations should ensure that the backup is kept separate from the network, offline, or in a cloud service designed for this purpose, like Datto offers. Alright, so I would go a step further, depending on what you think of your data.
I mean, yes, it might cost a few extra dollars and a little bit of extra time and resources, but back up to the cloud in a service that does protect it, like Datto, and keep a local backup that you can restore from quickly; if you, you know, back up and then disconnect it, or back up and then password protect or encrypt it yourself. Those are the ways to kind of mitigate that problem.

All right, we’re gonna move on to our hot topics. Alright, first bit of hot topics. Kind of amusing, two articles here, because it’s going to help bring home the point that I’ve been trying to bring home for a little while now. New Jersey hospital, this is on infosecurity-magazine.com: New Jersey hospital network faces lawsuit over ransomware attack. So you remember we talked about this a few months ago. A proposed class action lawsuit has been filed against New Jersey’s largest hospital health network over a ransomware attack that happened in December. Threat actors infected the computer systems of Hackensack Meridian Health, causing a system shutdown on December 2. The attack disrupted services at 17 urgent care centers, hospitals and nursing homes operated by the network. News of the attack was leaked to the media on December 5. Eight days later, Hackensack confirmed that it had paid an undisclosed sum to retrieve files encrypted in the ransomware attack. Now a proposed class action lawsuit has been filed in a New York District Court by two plaintiffs seeking compensation, reimbursement of out-of-pocket expenses, statutory damages and penalties. The plaintiffs are also seeking to secure injunctive relief that will require Hackensack Meridian Health to undergo annual data security audits, make improvements to its security systems, and provide three years of credit monitoring services to breach victims free of charge.
In a 45-page complaint, the plaintiffs allege that Hackensack Meridian Health failed to adequately protect patients’ data, and accuse the healthcare provider of running its network in a reckless manner that left its computer systems vulnerable to cyber attacks. The lawsuit further alleges that, as a result of the attack, patients suffered major disruptions to their medical care for two days and were forced to seek alternative care and treatment. An investigation conducted by Hackensack Meridian Health found no evidence that patient data had been stolen as a result of the ransomware attack. However, the plaintiffs allege that attackers stole their personal protected health information and disclosed it to other unknown thieves, putting them at an imminent risk of identity theft and fraud. I would tend to lean on the side of the patients here. The plaintiffs allege that Hackensack Meridian Health has failed to officially notify patients of the attack and has not reported it to the OCR as required by the Health Insurance Portability and Accountability Act, which is extremely true. Notice of the ransomware attack had not yet appeared on the breach portal run by the US Department of Health and Human Services OCR at press time. And it was written on, I don’t see a date on here, I don’t know when this was written, but oh, here it is, February 21. So just six days ago. Hackensack Meridian Health, which is based in Edison, New Jersey, has more than 35,000 employees and generates around $6 billion in annual revenue. So I’ll tie that to my point in a moment.

The other one: UW Medicine faces class action lawsuit over 974,000-record data breach. This is on HIPAA Journal and this was February 24, 2020, so three days ago. Several lawsuits have been filed against healthcare organizations over data breaches in recent weeks, with the University of Washington Medicine the latest to face legal action for exposing the protected health information of patients.
The lawsuit has been filed over a December 2018 data breach that saw the personal information of 974,000 patients exposed over the internet as a result of a misconfigured server. The misconfigured server contained an accounting of disclosures database that included patient names, medical record numbers, a list of parties who had been provided with patient data, and the reason why that information was disclosed. Some individuals also had information exposed relating to research studies they were enrolled in, their health condition, and the name of the lab test that had been performed. For certain patients, sensitive information was exposed, according to the lawsuit, that included a patient’s HIV test taking history and in some cases the patient’s HIV status. Social security numbers, financial information, health insurance information and medical records were not exposed. The server misconfiguration occurred on December 4, 2018. UW Medicine was alerted to the breach when a patient discovered a file containing records that had been indexed by Google. UW Medicine found and corrected the misconfiguration on December 26, 2018. UW Medicine explained in a press release issued on February 20, 2019 that the database was accessible for a period of three weeks, and UW Medicine worked closely with Google to have all indexed information removed from Google’s servers. That process was completed by January 10, 2019. The lawsuit, filed in King County Superior Court, alleges UW Medicine was negligent and failed to properly safeguard the protected health information of its patients, and did not inform patients promptly that PHI had been exposed. The lawsuit alleges patients have suffered real, significant and continuing injury, have suffered distress and loss of reputation as a result of the breach, and have been placed at an increased risk of identity theft, fraud and abuse.
So the lawsuit also references an earlier UW Medicine breach as further evidence of inadequate information security practices: a 2013 malware infection that occurred as a result of an employee opening an infected email attachment. That incident impacted 90,000 patients. An investigation of the breach by the HHS OCR found that UW Medicine had violated the HIPAA Security Rule by failing to implement adequate policies and procedures to prevent, detect, contain and correct security violations. In 2015, UW Medicine settled the case with the OCR for $750,000 and agreed to adopt a corrective action plan that included conducting a comprehensive risk analysis of security risks and vulnerabilities and developing an organization-wide risk management plan. Doesn’t sound like they did that. UW Medicine’s substandard security practices have now compromised nearly 1 million patients’ PHI, greatly exceeding the scope of the 2013 breach, in violation of its statutory professional standard of care obligations, in breach of plaintiffs’ and the class’s reasonable expectations when they decided to form a patient-physician relationship with UW Medicine, and thereby diminishing the value of the services UW Medicine provided and that patients paid for, argued the plaintiffs in the lawsuit. The lawsuit seeks full disclosure of what information was compromised, statutory damages and legal fees, and calls for UW Medicine to adopt sufficient security practices and safeguards to prevent further data breaches in the future. So a few things here. This drives home a point: the lawsuits are going to continue. People are getting tired of their data being breached, and it just shows a lack of concern. If you are compromised in 2013 and then again five years later, you’re not doing your job. You didn’t learn your lesson.
And the OCR should come down very hard on this. In the second incident, UW Medicine here, the OCR should come down really hard on them because they’ve already been fined once for similar activity. They’re not doing what they’re supposed to be doing. They’re not doing their best to protect patient data. And that is, we’ll call it what it is, it’s an epic failure on their part. But the whole point of me sharing these two articles: in the case of Hackensack Meridian Health, they did not want to disclose it. They tried to cover it up; people shared it online. They didn’t come clean right away. They did eventually come clean to some degree, probably in fear of OCR or in fear of a reputation hit. I don’t know why they would try to cover it up, because, you know, you have 30-something thousand employees; that’s going to be a hard thing to cover up. But they didn’t do that, they didn’t make their best efforts to notify the public, maybe because they did not want to be fined for a HIPAA violation. So now not only did you not report it, it’s been more than 60 days, you now have violated the breach reporting rule, and so now, you know, they’re going to be investigated. They’re probably trying to make sure everything is shipshape before this investigation, but it’s too late; they’ve done the damage. Now they’re also getting sued, and these lawsuits are probably going to be more than the OCR would actually fine you. So, we’ll see how that plays out. That’s going to be interesting for sure.

We found six critical PayPal vulnerabilities and PayPal punished us for it. I found this on CyberNews; I saw it floating around on LinkedIn, cybernews.com. And the news: it seems that PayPal, and so I’ve been reporting on Cyber Security Daily on PayPal all week, because they’ve just had one vulnerability after another.
So in the news, it seems that PayPal gives a lot of money to ethical hackers that find bugs in their tools and services. In March 2018, PayPal announced that they’re increasing their maximum bug bounty payment to $30,000, a pretty nice sum for hackers. On the other hand, ever since PayPal moved its bug bounty program to HackerOne, its entire system for supporting bug bounty hunters who identify and report bugs has become more opaque, mired in illogical delays, vague responses and suspicious behavior. When our analysts discovered six vulnerabilities in PayPal, ranging from dangerous exploits that can allow anyone to bypass their two factor authentication to being able to send malicious code through their smart chat system, we were met with non-stop delays, unresponsive staff and a lack of appreciation. Below, we go over each vulnerability in detail and why we believe they’re so dangerous. When we pushed the HackerOne staff for clarification on these issues, they removed points from our reputation scores, relegating our profiles to a suspicious and spammy level. This happened even when the issue was eventually patched, although we received no bounty, credit or even thanks. Instead, we got our reputation scores, which start out at 100, negatively impacted, leaving us worse off than if we’d reported nothing at all. It’s unclear where the majority of the problem lies. Before going through HackerOne, we attempted to communicate directly with PayPal, but we received only copy-paste customer support responses and humdrum say-nothing responses from human representatives. There also seems to be a larger issue with HackerOne’s triage system, in which they employ security analysts to check the submitted issues before passing them on to PayPal. The only problem: the security analysts are hackers themselves, and they have clear motivation for delaying an issue in order to collect a bounty themselves.
Since there’s a lot more money to be made from using or selling these exploits on the black market, we believe that PayPal’s HackerOne system is flawed and will lead to fewer ethical hackers providing the necessary help in finding and patching PayPal’s tools. In our analysis of PayPal’s mobile apps and website UI, we were able to uncover a series of significant issues. We’ll explain these vulnerabilities from the most severe to least severe, as well as how each vulnerability can lead to serious issues for the end user.

So the first one, probably the most severe, even in my opinion: using the current version of PayPal for Android, version 7.16.1, the CyberNews research team was able to bypass PayPal’s phone or email verification, which for ease of terminology we can call two-factor authentication. The two-factor authentication, which is called authflow on PayPal, is normally triggered when a user logs into their account from a new device, location or IP address. In order to bypass PayPal’s 2FA, our researchers used the PayPal mobile app and a man-in-the-middle proxy, like Charles Proxy. Then, through a series of steps, the researcher was able to get an elevated token to enter the account. Since the vulnerability hasn’t been patched yet, we can’t go into detail on how it was done. The process was very simple and only took seconds or minutes. This means that attackers can gain easy access to accounts, rendering PayPal’s lauded security system useless.

Now, I’ve always said, for some reason they don’t really... they should really force people to use two-factor authentication and they don’t. They don’t even make it easy to find. Stolen PayPal credentials can go for just $1.50 on the black market. Essentially, it’s exactly because it’s so difficult to get into people’s PayPal accounts with stolen credentials that those stolen credentials are so cheap.
PayPal’s authflow is set up to detect and block suspicious login attempts, usually related to a new device or IP, besides other suspicious activity, and I’ve experienced that myself. But with our two-factor authentication bypass, the security measures are null and void. Hackers can buy stolen credentials in bulk, log in with those credentials, bypass 2FA in minutes, and have complete access to those accounts. With many known and unknown stolen credentials on the market, this is potentially a huge loss for any PayPal customer. PayPal’s response, and we’ll assume that HackerOne’s response is representative of PayPal’s response: for this issue, PayPal decided that since the user’s account must already be compromised for this to work, “there does not appear to be any security implication as a direct result of this behavior.” So let’s go through the rest of the list quickly. Number two is phone verification without OTP. Number three is sending money security bypass. Number four, full name change. Number five, the self-help SmartChat stored cross-site scripting vulnerability. And number six is security questions persistent cross-site scripting vulnerability.

Alright, the last bit of news we have to share today: Google’s acquisition of Fitbit could pose a higher level of risk to privacy and data protection. So we talked about this a couple of months ago too. Google’s dipping their hands in a few places that might be HIPAA related. The European Data Protection Board has ordered the firms to mitigate possible risks. So the European Data Protection Board has ordered Google to conduct a full assessment of the data protection requirements and privacy implications of its acquisition of wearables giant Fitbit, and at a plenary session on February 20th concerns were raised about the privacy implications of the merger and obligations under the EU General Data Protection Regulation.
The board urged both firms to mitigate possible risks to the rights to privacy and data protection before notifying the merger to the European Commission. It added that the EDPB will consider any implications for the protection of personal data in the European Economic Area. Google and Fitbit did not respond to the request for comment from HIMSS Media. So HIMSS is a healthcare compliance site. And so why is that important? Because Fitbit does contain some healthcare information, like heart rate and steps taken and so forth. You might have weight and height and all that. There have been questions around what will happen to Fitbit’s sensitive data, health data and wellness data since Google announced the acquisition in November. The UK data watchdog, the Information Commissioner’s Office, and the US Department of Justice are both looking into privacy concerns around the deal. And in a blog post about the acquisition, Google’s Senior Vice President of Devices and Services, Rick Osterloh, reassured consumers that privacy and security are paramount. He wrote, “Similar to our other products, with wearables we will be transparent about the data we collect and why. We will never sell personal information to anyone. Fitbit health and wellness data will not be used for Google ads, and we will give Fitbit users the choice to review, move or delete their data.” So that is the official Google response. This is going to play out for a little while, because Google’s got their hands in a few different projects. So Project Nightingale, we’ve talked about a few times, and a few other projects that they have their hands in. They’re crossing into healthcare, and that could be a potential problem for some people. So we will see where that goes as well. We’ll continue to follow that for you.
Alright, HIPAA education time. We’re going to talk a little bit about business associates’ responsibility and the exposure that your healthcare practice can be at risk for when you’re not paying attention and you don’t have the right measures in place, the right people in place. There have been three separate reports of HIPAA breaches in the last, I think, about two weeks, a little less than two weeks, that were the result of a business associate, so I’m going to focus on one for the moment. And this is: Maze ransomware attack on accounting firm impacts patients of New York medical group. So the Albany, New York-based accounting, tax and advisory firm BST and Company CPAs LLC has experienced a Maze ransomware attack that has affected patients of New York medical group Community Care Physicians, PC. Now let’s remember, Maze ransomware is one of those ransomware attacks that does threaten to expose client data if you don’t pay up. So let’s keep that in mind for a moment. The Maze ransomware gang is one of a handful of threat groups that steal data from victims prior to deploying the ransomware payload. A threat is then issued to publish the stolen data if the ransom is not paid. Some of the data stolen in the attack has since been published by the gang, so they’re already doing it, including names, dates of birth, addresses, contact telephone numbers and Social Security numbers of BST employees. BST has issued a statement saying a computer virus was detected on December 7, which prevented access to its files. In addition to internal data, some information related to local clients was also potentially compromised, including Community Care Physicians. A leading computer forensics firm was engaged to assist with the investigation and determine the nature and scope of the attack.
The forensics expert determined the virus was active on the network from December 4 to December 7, and that the attackers had gained access to parts of the network where client data was stored. BST managed to recover the encrypted data from backups, so at least they had backups in place. BST confirmed the individuals affected by the breach in February 2020; notification letters were sent by BST on February 14, 2020. So that is what’s supposed to happen with a business associate. The compromised client data included names, dates of birth, medical record numbers, medical billing codes, and insurance descriptions. The incident has yet to appear on the HHS Office for Civil Rights breach portal, so it’s currently unclear how many individuals have been affected. So we don’t know how many people.

What does this mean? So let’s start with the business associate agreement. The agreement needs to exist between the healthcare provider and all of the vendors that may have, intentionally or unintentionally, access to healthcare records, PHI, that’s protected health information. And it sounds like they might have a business associate agreement in place in this incident, because they are the ones that sent out the notification letters, but is it up to date? So, what ended up happening here is the OCR has already come out and said there will be more enforcement on business associates. So now we see three separate incidents in the last two weeks of business associates being compromised and causing healthcare records to be exposed, and the OCR is going to investigate. So what will happen here, if a business associate agreement is in place and in good standing, is the healthcare provider, the healthcare practice, in this case Community Care Physicians PC, is probably off the hook.
That’s assuming that the rest of their HIPAA compliance program is up to date and they’re doing the security risk assessments and so forth. Where the onus will fall, and the OCR, based on previous statements, may make an example out of them, is BST and Company CPAs. Now, this is a financial firm, it’s a CPA; they also have compliance that they have to deal with, and in some cases, probably most cases, it’s more strict, more stringent than HIPAA. So they may have their own things to deal with down the road with this, but that also means that they should have had some type of cyber security program in place. And I can tell you, from me visiting CPAs, CPAs are notorious, just like dentists, they’re notorious for not having the right safeguards in place. They’re a little lax. I don’t know if they just feel like they’re not a potential victim, but obviously, according to this and other cases that we’ve seen, that is not the case. But that’s neither here nor there, because this isn’t about financial compliance, FINRA; this is about HIPAA. And so now, if they have the business associate agreement in place, they’re now on the hook for whatever comes with this, and OCR is more than likely to come down on them. So what does that mean? That means potential fines or settlements. That means a CAP, maybe, I don’t know, because there aren’t a lot of cases against business associates at this point. That means loss of reputation; that has nothing to do with OCR, but it’s loss of reputation among the community. If they have other healthcare clients, they may lose those people as clients, and it could even be a loss of reputation for Community Care Physicians. Now, if Community Care Physicians doesn’t have a business associate agreement in place, they are now the liable company here. They’re the ones that are going to be potentially at risk with OCR.
And we just talked about earlier the lawsuits that are happening, right. Sounds like in this instance there is a business associate agreement in place. However, one of the other ones I reported, and I’ll report again in a few moments, was a business associate, and in that instance it does not sound like there was a business associate agreement in place, and that’s going to lead to problems. The point being is you need to vet your business associates. Healthcare providers, you need to vet your business associates. And if you need help, then you need to have somebody who is knowledgeable in HIPAA compliance and understands the need to have these agreements in place, and understands that they need to vet these vendors and make sure that they’re doing what they need to do. Because if they’re not, again, you’re putting your clients, who are your patients, you’re putting their lives at risk, essentially, because now identity theft, maybe delayed healthcare, these are all things that can happen as a result of a ransomware attack, a data breach, malware on the system, whatever it might be. And this is a growing problem. It’s continuing to grow. We’ve seen it was a slow start to the new year, but it has definitely picked up a notch or two in the last few weeks. So those business associate agreements need to be in place, but even more importantly, you need to vet your business associates. You need to vet all your vendors, you know, anybody who comes into your building for any reason, in any way. So whether it’s an electrician, they need to be vetted. They don’t need a business associate agreement, but they need to be vetted; make sure they’re not going to try to steal your information. We’ve got to stop putting client data at risk across all businesses, not just healthcare, but all businesses. So something to think about.
If you’re a smaller practice and you’re not sure you have the right pieces in place, then you need to hire somebody who can handle HIPAA compliance for you and vet those business associates for you. Alright, that’s going to do it for this part of the HIPAA education piece. I didn’t really drill down into anything today; it was more about making sure your healthcare practice is protected and ultimately that your patients are protected, because that’s really what it’s all about.

Alright, it’s time for the HIPAA breach report. It’s kind of an extension of HIPAA education because it helps you to learn what could impact your healthcare practice. Now I am recording this earlier this week because of plans to be off the grid for a few days, I guess you could say, we’ll put it that way. Not that I’m entirely off the grid; I’ll still be monitoring but won’t have access to a microphone. Alright, so let’s start with the most recent. Tennessee Orthopaedic Alliance phishing attack impacts over 81,000 patients. So the numbers are starting to increase in these attacks: 81,146 patients affected by the Tennessee Orthopaedic Alliance phishing attack. Tennessee Orthopaedic Alliance has discovered unauthorized individuals have gained access to the email accounts of two employees. So whenever it’s more than one employee, it definitely tells me multi-factor authentication is not being used, and more than likely there are no phishing mitigation steps, including education, in place. So TOA, Tennessee Orthopaedic Alliance, became aware of the breach on October 18, 2019, when unusual activity was detected in an employee’s email account. The account was immediately secured and third-party computer forensics experts were engaged to investigate the breach. The investigation revealed a second email account had also been compromised, and the accounts were accessed by unauthorized individuals between August 16 and October 14. TOA determined on January 3, 2019,
I’m assuming that’s 2020, that the compromised email accounts contained names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance information, diagnostic information, treatment information and treatment codes. Patients were notified about the breach on February 14 of 2020. Individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring and identity theft protection services. While PHI in the accounts could have been accessed by the attackers, TOA found no evidence to indicate patient information has been misused. Okay, so let’s talk about that statement, because that statement I see over and over again. So first of all, the 60-day breach notification rule, right out the window here; did not happen. Second of all, you have no way to know if that information has been misused, because it’s been, what, four months? Yeah, four months since you noticed the activity. And so it’s only four months. It’s not a long time. I can tell you that the people that compromise this information, the people that steal this information, they don’t use it right away. Most of the time it sits and waits, and a lot of times it’s just put up for sale. So you don’t know. This is all failure. This is a complete failure on behalf of Tennessee Orthopaedic Alliance, because they don’t have phishing mitigation in place, they don’t have multi-factor authentication set up, they failed the breach notification rule, and that statement, you know, it’s old. Let’s stop saying that, because you don’t know.

Jefferson Dental, or rather JDH Healthcare Management, Jefferson Dental Care, in Dallas, Texas, has discovered an unauthorized individual accessed the email account of an employee between July 21 and August 26. Suspicious email account activity was detected on or around October 19, and the account was immediately secured.
JDH Healthcare Management determined on December 10 that the account contained the PHI of 45,748 patients. So I don’t know why we have 45,000 PHI records in email. I could get one or two or ten, even, but 45,000? 81,000? That’s crazy. Well, no evidence was found to indicate patient information was accessed by the attacker. Of course not. It is possible that names, addresses, dates of birth, medical treatment information, medical histories, health insurance information, payment information, patient numbers and medical record numbers may have been compromised. Complimentary credit monitoring and identity protection services have been offered to affected patients.

Patients notified of Munson Healthcare phishing attack. Munson Healthcare in Traverse City, Michigan, has discovered unauthorized individuals have gained access to the email accounts of some of its employees. Assisted by third-party computer forensics experts, Munson Healthcare determined that the email accounts were subjected to unauthorized access between July 31 and October 22. The review of the affected email accounts was completed on January 16. The accounts were found to contain patient names, dates of birth, insurance information and treatment and diagnostic information. The accounts also contained a limited number of financial account numbers, driver’s license numbers and Social Security numbers. And, yeah, the standard PR release there.

Data breach reported by Rady Children’s Hospital San Diego. The largest children’s hospital in California, I don’t even know why that’s relevant, but anyway, discovered a security breach on January 3, 2020, in which the protected health information of certain patients was potentially accessed by an unauthorized individual. A computer used by the radiology department had been remotely accessed by an unauthorized individual via an open Internet port. So it’s a little different, not the usual stuff.
A digital forensics firm was engaged to investigate the breach and determined that the computer was compromised on June 20, 2019, and access remained possible until the port was closed on January 3, so they had access for six months. An analysis of the compromised device revealed on February 5 that names and genders of patients were potentially compromised, along with the type and date of imaging studies and, for some patients, their date of birth, medical record number, referring physician’s name and/or description of the imaging study. No financial information, Social Security numbers, diagnoses or medical images were compromised. Complimentary credit monitoring services have been offered to affected patients. Rady Children’s Hospital is working closely with a digital forensics firm to determine what additional security measures are required to prevent further cyber attacks in the future.

Multiple email accounts breached in Aveanna Healthcare phishing attacks. So, yet another one with no MFA, no phishing mitigation. Atlanta, Georgia-based Aveanna Healthcare, the largest provider of pediatric home care in the United States, has discovered the email accounts of several employees were compromised over the summer of 2019. Aveanna Healthcare first identified suspicious activity in the email accounts of some of its employees on August 24. Third-party computer forensics specialists were engaged to assist with the investigation and determine the nature and extent of the attack. The investigation revealed several email accounts were compromised between July 9 and August 24. It was not possible to determine if any patient information was accessed or stolen by the attackers. The review of the compromised accounts was completed on December 19. So that’s a better statement. It’s not really possible to know for sure. The breach report submitted to the California Attorney General shows 5,004 California residents were affected.
It is currently unclear how many patients in other states have also been affected. On being a children’s hospital, I’m sorry, this is, yeah, this is a children’s hospital, it’s hard to say for sure, because sometimes people come from other states. California patients were notified about the breach on February 14, 2020, and were offered complimentary credit monitoring and identity theft protection services for 12 months through TransUnion. Aveanna Healthcare determined that the following information of California residents was contained in the accounts: names, Social Security numbers, driver’s license numbers, bank and financial information, state ID numbers, medical information and health insurance information. So another failure, because that is multiple accounts compromised, no multi-factor authentication, no phishing mitigation, and we’re storing records in email, and no 60-day breach notification rule.

Endeavor Energy. So this one’s a little interesting. This is not a healthcare provider or a business associate. So listen: the oil and gas exploration firm, sorry, Endeavor Energy Resources, has announced it has experienced a phishing attack that potentially saw unauthorized individuals gain access to the personal and health information of 5,103 current and former employees. The attack was detected on January 14, when unusual activity was detected in the Office 365 email account of one of its employees. On February 7, 2020, Endeavor determined the compromised email account contained names and health plan ID numbers of current and former Endeavor employees. So that’s where it becomes a HIPAA breach: the health plan ID numbers and the names put together. Steps have been taken to improve email security. So it’s a phishing attack. It’s not a healthcare provider, it’s not a business associate, and I doubt the OCR will put much into this, but they do have to report it because of the healthcare information.
Medical records of 156,400 Personal Touch Home Care patients compromised in ransomware attack on EHR hosting company. So Lake Success, New York-based home health company Personal Touch Home Care has started notifying patients that a recent ransomware attack on its Wyomissing, Pennsylvania-based IT vendor, Crossroads Technologies, has potentially seen some of their protected health information compromised. Crossroads informed PTHC on December 1, 2019. The ransomware attack affected its Pennsylvania data center, where PTHC’s electronic medical records were hosted. The ransomware attack prevented patient records from being accessed for a few days. While the EHR system was down, staff at PTHC switched to emergency protocols and used pen and paper to record patient information. Encrypted data has now been recovered. It is unclear whether Crossroads restored the data from backups or if the ransom was paid, and if any other healthcare clients were affected. The compromised medical records contained patient names, addresses, telephone numbers, dates of birth, medical record numbers, health insurance card numbers, plan benefit numbers, Social Security numbers and treatment information. PTHC is currently unaware of the extent to which PHI was compromised, and whether the attackers obtained PHI prior to the encryption of data. At this stage of the investigation, evidence has been found to suggest patient information was exfiltrated prior to the deployment of ransomware, so it sounds like they may suspect Crossroads. Crossroads is still investigating the attack. The incident was reported to HHS OCR as 17 separate breach reports, one for each of the offices affected. The data breaches were reported separately as each office is a separate legal entity. In total, the PHI of 156,409 patients and caregivers across six states has been compromised. So, you know, Crossroads might lose a big client here as a result. This is a business associate.
So I just talked about this a few minutes ago. This is a business associate. And I will bet that, since PTHC is the one making the notification, the business associate agreement is not up to date with all 17. So remember, it’s 17 different entities that we know of. We don’t know if there were other healthcare practices involved. So this will be interesting to follow. And we just talked about the Maze ransomware attack on the accounting firm, and there was also: United Regional phishing attack affects up to 2,000 patients. Wichita Falls, Texas-based United Regional Health Care System has announced it has suffered a phishing attack that saw the email account of one of its employees accessed by an unauthorized individual. The attack occurred in July of 2019, but it took until December to complete the investigation and review the email account to determine whether patient information was compromised. It was not possible to determine whether emails were accessed or copied by the attacker, but unauthorized access and data theft could not be ruled out. The email account contained patient names, dates of birth, patient account and/or medical record numbers, and clinical information such as provider name and location, lab test results, diagnostic data, prescription information, procedures and/or treatment information. A limited number of individuals also had their Social Security numbers, driver’s license numbers, health insurance information and/or passport information exposed. Patients were notified about the breach on February 18. So the compromise took place in July of 2019. So that’s seven months ago, they did not... so, you know, what I’m seeing a lot of is it’s not just one failure. That would be, in this case, two failures: phishing, the breach notification rule, storing data in email, lots of it at that. And, you know, it just continues. It really just...
But all these healthcare providers probably were approached by somebody who offers services to protect them and they declined. NRC Health recovering from ransomware attack. NRC Health, a provider of patient survey services, so this is a business associate, and software to more than 9,000 healthcare organizations, including 75% of the largest hospital systems in the United States and Canada, experienced a ransomware attack on February 11, 2020 that affected some of its computer systems. NRC Health immediately took steps to limit the harm caused and shut down its entire environment, including its client-facing portals. A leading computer forensics investigation firm was engaged to determine the nature and extent of the attack, and the incident has been reported to the FBI. According to the NRC Health website, the data of more than 25 million healthcare consumers in the United States and Canada is collected by NRC Health every year. Patient surveys conducted by NRC Health on behalf of its clients allow them to prove that patients are satisfied with the services they have received. That information is important for helping to improve patient care and also for determining how much Medicare reimbursement healthcare providers receive under the Affordable Care Act. Healthcare providers also use patient satisfaction scores to determine how much executives and physicians get paid. NRC Health said significant progress has been made restoring its systems and services to customers, and full recovery is expected in the next few days. Notifications have been sent to its healthcare clients informing them about the attack, and updates are being provided to clients on a daily basis until the incident is fully resolved. In the notification, NRC Health said the initial findings of the investigation suggest no patient data or sensitive client information has been compromised.
The breach report submitted to the Department of Health and Human Services OCR indicates 63,581 patients were impacted by the attack. Sounds like it might be bigger than that, but we’ll see.

Finally, communication errors result in impermissible disclosure of 5,300 patients’ PHI. Mercy Health Physician Partners Southwest in Byron Center, Michigan, started sending breach notification letters to patients on February 10, informing them that a third-party vendor contracted to Mercy Health, so this is actually the fourth business associate, made an error with a recent mailing. Mercy Health had provided the mailing vendor with a list of 3,164 names and addresses to send letters to patients informing them about the recent departure of a physician. An error in the mailing list resulted in names being mismatched with addresses, and 2,487 patients were sent a letter addressed to a different patient. No other sensitive information was disclosed. So I don’t know that that’s really a HIPAA breach, but... okay, here’s why it’s a HIPAA breach, and I remember this from the last time I read it: during the breach investigation, it was discovered that there was no business associate agreement in place with the vendor. So there’s the problem.

Hawaii hospital notifies patients of an email error. On February 3, an employee of Queen’s Health Systems in Hawaii sent an email with an attachment containing the PHI of 2,001, or 2,852, patients to an incorrect recipient. The attached file contained the PHI of 2,852 patients of the Queen’s Medical Center and Queen’s North Hawaii Community Hospital. The email error was detected the following day, and efforts were made to contact the person who had been sent the email in error to ensure the patient list is deleted, but no response has been received. Which tells me this wasn’t sent to a business email address.
This was sent to a free email address, so that in itself should raise an alert, a red flag. The email attachment included patient names, admission dates, discharge dates, health plan ID numbers and limited information about care received. The file also contained the diagnoses of 300 patients. The breach affected patients who received medical services after June 1, 2018. No reports have been received to suggest patient information has been misused; patients have been advised to monitor their explanation of benefits statements and to report any services that are listed but have not been received. So this was reported on February 3, so that’s only 24 days ago. And there’s that statement again: no reports have been received to suggest patient information has been misused. You don’t know; you can’t say that, because it’s only been 24 days. Anyway, that is going to do it for this episode of the ProactiveIT Podcast. Until next week, stay secure.

Transcribed by https://otter.ai

Author Scott Gombar

More posts by Scott Gombar

Leave a Reply