Cyber Alert: Last week, hackers continued to phish for patient data from US healthcare providers.
LAST WEEK'S CYBER ALERT, HACKS, ATTACKS, BREACHES AND MORE...
Equitas Health: Regional, a not-for-profit healthcare provider based in Ohio
Exploit: Employee email account breach
Risk to Small Business: 1.333 = Extreme: Company officials discovered abnormal email activity on two enterprise email accounts belonging to employees, ultimately concluding that a hacker was successful in accessing personally identifiable information (PII) and patient records. The organization hired a third-party forensics firm to better understand the breach, and they are reaching out to affected individuals. Although the organization took immediate steps to contain the incident, it will now face the tangible costs of offering free identity monitoring services to patients, along with the less quantifiable losses in reputational damage.
Individual Risk: 2 = Severe: While it appears that the scope of the attack is limited, the breadth of compromised information is extensive. It includes patient names, dates of birth, patient account and medical record numbers, prescription information, medical history, procedure information, physician names, diagnoses, health insurance information, social security numbers, and driver’s license numbers.
Customers Impacted: 569 affiliated members
How it Could Affect Your Business: This data breach demonstrates the potentially expansive consequences of a single vulnerability. Since healthcare companies are legally required to protect their patients’ data, they need to conduct regular security audits and employee training that can prevent this type of breach. At the same time, Equitas explicitly serves protected classes and marginalized patient groups, making this episode especially egregious. Therefore, it’s critical to continuously monitor protected information in order to understand what happens to patient data after it’s compromised.
Oregon State Hospital: Public psychiatric hospital based in Salem, Oregon
Exploit: Spear phishing attack
Risk to Small Business: 1.555 = Severe: An employee clicked on a phishing email, which allowed hackers to gain access to the employee’s email account. Fortunately, IT administrators were able to identify the breach just 40 minutes after it occurred, limiting the exposure of patient information. Although the investigation isn’t complete, the company did reveal that an undetermined amount of patient information was exposed during the breach.
Individual Risk: 2 = Severe: The phishing scam compromised names, dates of birth, medical record numbers, diagnoses, and treatment care plans. Although the company plans to notify impacted individuals in 4 to 6 weeks, anyone with records as the hospital should monitor their credentials for potential misuse.
Customers Impacted: Unknown
How it Could Affect Your Business: Phishing scams are entirely avoidable, and any data breach that results from a phishing scam is a self-inflicted wound for the company’s reputation. In addition to deploying robust security software, companies should conduct regular training to avoid unnecessary data breaches. MSPs should consider partnering with third-party cybersecurity services that provide robust employee training to avoid phishing scams.
Pacers Sports and Entertainment: The parent company of the Indiana Pacers, a professional basketball team in the NBA
Exploit: Employee email phishing campaign
Risk to Small Business: 1.555 = Severe: A phishing campaign against Pacers Sports & Entertainment (PSE) resulted in hackers gaining access to several employee accounts that contained sensitive personal information between October 15 and December 4 of last year. However, the company first learned of the incident almost six months ago, which begs the question: why are they just beginning to notify customers now? Along with the damaging outcomes of a customer and employee breach, the organization will now face media scrutiny and resulting customer attrition.
Individual Risk: 1.857 = Severe: PSE did not differentiate if the compromised data belonged to employees or customers, but it does include names, addresses, dates of birth, password numbers, health insurance information, driver’s license numbers, social security numbers, debit/credit card numbers, digital signatures, usernames, and account passwords.
Customers Impacted: Unknown
How it Could Affect Your Business: It’s clear that PSE did not fully appreciate the scope of the data breach. Although the company has not received any reports of personal data misuse, the compromised information can be used to orchestrate fraud in the near future. Along with harming the reputation of their company, PSE will have to answer to the press and customers in the wake of the breach.
Southeastern Council on Alochol and Drug Dependence: Non-profit organization based in Norwich, Connecticut offering alcohol and substance abuse treatment
Risk to Small Business: 1.777= Severe: The healthcare provider lost control of more than 25,000 patient records when a ransomware attack was discovered in its network. While they have procured cybersecurity assistance to deal with the issue, the company has been unable to eradicate the ransomware or secure patient records.
Individual Risk: 1.857 = Severe: The data breach compromised PII including patient names, addresses, social security numbers, medical history, and treatment information. Although affected individuals are being offered free credit monitoring services, they are encouraged to remain vigilant about potential financial or identity fraud.
Customers Impacted: 25,148
How it Could Affect Your Business: It is incredibly important for companies, especially those already dealing with a vulnerable client base, to ensure the integrity of their financials and identity after a data breach. In order to be vigilant and prepared at all times, every organization should partner with a security solution that can proactively monitor the Dark Web for customer and employee.
Risk to Small Business: 2 = Severe: A ransomware attack injected into the agency’s system through malicious malware restricted access to the computer networks for nearly 30 hours. While the agency hasn’t found evidence that the hackers accessed the department’s database, they can’t conclusively rule out a more extensive breach. The agency has declined to pay the undisclosed ransom demanded by the hackers.
Individual Risk: 2 = Severe: There is no indication that hackers accessed any individual data during the attack. However, since the agency can’t conclusively rule out access to their database, those with information at the agency should monitor their personal information for signs of fraud or misuse.
Customers Impacted: Unknown
How it Could Affect Your Business: Ransomware attacks are growing in frequency and sophistication, making it mandatory that companies of all sizes develop a comprehensive plan for responding to the threat and ensuring that services remain operational during an attack. These contingencies can be the difference between a temporary disruption and a major debacle. Moreover, since many ransomware attacks start with phishing emails, employee training and security contingencies are a must-have protocol in today’s digital environment.
Exploit: Phishing Scam
Risk to Small Business: 1.555 = Severe: When an untrained employee inadvertently clicked on a phishing email, hackers gained access to the employee’s account, which contained sensitive data on an unknown number of patients. Although the data breach took place in June 2018, the healthcare network just reported the incident to the public, a problematic delay when personally identifiable information is involved. While the company has taken measures to secure their network, their delayed response and the preventable nature of the attack is a reminder that the greatest security risk to a company can be its own employees.
Individual Risk: 1.857 = Severe: Although just a single email account was compromised, it contained patient data including names, social security numbers, government-issued IDs, financial data, dates of birth, and medical records.
Customers Impacted: Unknown
How it Could Affect Your Business: The consequences of a data breach are amplified when companies are slow to respond. In the wake of a data loss event, companies have a responsibility to quickly react by both communicating with their customers and by repairing the technical vulnerability. Even though the company took important steps to shore up their cybersecurity by integrating things like malware blocking tools, suspicious email reporting, email encryption, and two-factor authentication, their slow response time is bad for business and bad for their customers. Not only do companies need to be proactive about prioritizing cybersecurity best practices before a breach occurs, but they must develop a strategy for communicating with their customers in a timely fashion.
A Note From Kobargo:
Australia Sees a Spike in Credential Stuffing Attacks
If you’ve ever wondered what happens to the deluge of data stolen during a cybersecurity breach, Australia’s sudden spike in credential stuffing attacks will certainly provide some clarity.
According to a recent cybersecurity report, Australians are now the fifth highest target for credential stuffing attacks, an incredible metric given their modest population.
This form of cybercrime involves hackers using previously stolen information like usernames, email addresses, or passwords in an attempt to gain access on other platforms. Since people often use the same username and password combinations, it’s often possible to apply stolen credentials across multiple accounts.
The report found a robust market for stolen credentials that are often sold in bulk on the Dark Web. Businesses are encouraged to deploy the latest security standards, like two-factor authentication, to help prevent these attacks. Moreover, it underscores the cascading consequences of a data breach, and it highlights the importance of keeping a pulse on customer and employee information. Hint: that’s our bread and butter. Ask how you can take advantage of Dark Web monitoring services