Less than meets the eye with Gale Healthcare data. NHS Trust apologizes for careless email. Update on the Planned Parenthood ransomware incident.

Announcement

How to create tangible demand with a direct response budget.

The CyberWire has released its B2B Marketer’s Guide to Podcast Advertising: how to create tangible demand with a direct response budget. Published as both an eBook and a podcast, the guide was created to help organizations advertising in the popular programs across the CyberWire Network or other podcast networks make the most of their audio marketing investment. Take a look and gain a practical perspective on marketing in this young medium.

Summary

By the CyberWire staff

At a glance.

Less than meets the eye with Gale Healthcare data.
National Health Service Trust apologizes for leak of COVID-trial participants' information.
Update on the Planned Parenthood ransomware incident.

No sensitive data appear to have been compromised at Gale Healthcare Solutions.

Gale Healthcare Solutions says that an apparent data exposure incident reported by Website Planet didn't, in fact, amount to a breach. "The database was a temporary environment created for an internal system test," Gale wrote us. "When the researcher notified us of a potential vulnerability in September, the environment had already been deactivated and secured. There is no evidence there was any further unauthorized access beyond the researcher or that any personal data has been, or will be, misused. Contrary to the report findings, Social Security Numbers were not used in the file names, nor disclosed. Rather, file names featured auto-generated sequential ten-digit Unix timestamps that were used in the testing environment. Dates of birth were also not disclosed, and to our knowledge, the accounts did not contain active links to images of tax documents or other credentials."

Thus there appears to have been no threat to employee privacy. While of course one wouldn't want even a test environment exposed, even if it contained fictive data, there's an enormous difference between that and the exposure of a production environment with real personal information.

NHS Trust apologizes for leak of trial participants' data.

According to the BBC, participants in a trial of a COVID vaccine had their email addresses inadvertently exposed by the Midlands Partnership NHS Trust, which sent an email all of whose recipients could see each other's addresses. The Midlands Partnership NHS Trust regrets the incident, which sounds like the sort of rookie error any one of us might have committed.

Comment on the Planned Parenthood breach.

Infosecurity Magazine reports that Planned Parenthood Los Angeles continues to work on recovering from the criminal, financially motivated ransomware incident it sustained. Ric Longenecker, CISO at Open Systems, has advice for organizations that handle patient or client information:

"Healthcare organizations are appealing to cybercriminals due to the wealth of personal data these institutions and patient records contain. The information can include billing details, addresses, dates of birth and Social Security numbers, just to name a few. The attack on Planned Parenthood, with the bad actors obtaining records for over 400,000 people, not only increases the risk of fraudulent activity such as identity theft, it may also be used to disclose personal health information. This underscores the need for companies to have rapid detection and response plans in place, especially those in industries which may be considered data gold mines. Managed detection and response (MDR) services – which combine human expertise, advanced threat detection and AI-driven technology – are a good solution to combating cyberattacks, and the large number of providers means companies have many to choose from. Our advice to healthcare organizations is: find a security partner that not only helps you detect and respond to threats, but one that can enhance your security maturity, prevent security breaches impacting your business and ensure you have a comprehensive recovery plan ready.”

Selected Reading

Ransomware groups increasingly using data leak threats to pile pressure on victims (The Daily Swig) Nearly one in three victims succumb to extortion, estimates Group-IB

NHS trust apologises for Covid trial data breach (BBC News) "Human error" blamed for sharing email addresses of people taking part in a trial.

EXCLUSIVE U.S. State Department phones hacked with Israeli company spyware (Reuters) Apple Inc iPhones of at least nine U.S. State Department employees were hacked by an unknown assailant using sophisticated spyware developed by the Israel-based NSO Group, according to four people familiar with the matter.

Cyber-Attack on Planned Parenthood (Infosecurity Magazine) Los Angeles patients’ information exposed in suspected ransomware attack

Meta builds tool to stop the spread of ‘revenge porn’ (NBC News) Facebook beefs up revenge porn protections

1.5 million users joined Facebook Protect since September (The Record by Recorded Future) Meta (formerly Facebook) said today that they enrolled more than 1.5 million users in Facebook Protect, a security program designed for human rights activists, journalists, and government officials.

Missouri officials planned to thank Post-Dispatch before threatening newspaper, emails show (Saint Louis Post-Dispatch) Records also show the FBI told the state the incident was ‘not an actual network intrusion.’

Cabinet Office fined £500,000 by ICO over New Year Honours data breach (Computing) Sir Elton John and cricketer Ben Stokes are among individuals affected by the breach