At a glance.
- Victims sue SuperCare Health over data breach.
- Okta issues statement at close of ransomware attack investigation.
- Client data exposed in PlanMember Securities Corp data breach.
- REvil's rebrand.
Victims sue SuperCare Health over data breach.
US respiratory care provider SuperCare Health is facing multiple lawsuits connected to a July 2021 data breach that impacted over 300,000 individuals. Depending on the patient, the compromised data might have included name, address, date of birth, hospital or medical group, patient account number, medical record number, health insurance information, testing/diagnostic/treatment information, claim information, and for a small subset of victims, Social Security or ID number. SuperCare is being accused of negligence, as one suit claims that the organization failed to take "adequate and reasonable measures" to protect the patient data and violated the California Confidentiality of Medical Information Act and California's Unfair Competition Law. The complaint reads, "Defendant’s data security obligations were particularly important given the substantial increase in ransomware attacks and/or data breaches in the healthcare industry preceding the date of the breach.” Another suit alleges that SuperCare failed to offer the victims adequate identity theft protection services, given that the exposed individuals could be in danger of identity theft for years to come. Healthcare IT News notes that the healthcare sector has experienced an unprecedented increase in litigation related to data breaches over the last year, as law firm BakerHostetler found that forty-three lawsuits were filed against healthcare organizations in 2021.
Okta issues statement at close of ransomware attack investigation.
As we noted previously, US identity management firm Okta, Inc. experienced a ransomware attack in January at the hands of the Lapsus$ threat group that exposed the data of many of its clients. SecurityWeek reports that Okta has concluded its investigation of the incident and has ended its relationship with Sykes/Sitel, the third-party vendor that was the source of the breach. Okta’s Chief Information Security Officer David Bradbury released a statement yesterday stating that the impact of the attack was “significantly smaller than we initially scoped.” Though Okta initially estimated that over three hundred customers were affected, Bradbury explained that the attacker “actively controlled” a workstation belonging to a Sykes/Sitel engineer for twenty-five minutes, during which time they accessed the data of just two customers. Bradbury added, “We are making further modifications to our customer support tool to restrictively limit what information a technical support engineer can view. These changes also provide greater transparency about when this tool is used in customer admin consoles." VentureBeat notes that Okta has drawn some criticism for its response to the incident, as the company did not disclose the incident until March, and only after Lapsus$ posted screenshots on Telegram as evidence of the attack. Okta has admitted it initially handled communications poorly, and in its most recent statement said the company knows “how vital it is to take steps to rebuild trust within our broader customer base and ecosystem.”
Client data exposed in PlanMember Securities Corp data breach.
US financial services company PlanMember Securities Corporation, considered one of the world’s fifty largest independent broker-dealers, has disclosed that it suffered a data breach exposing client names, Social Security numbers, and bank account information. JDSupra reports that PlanMember, which is based in California, began notifying impacted individuals earlier this week. Though it is unclear how many individuals were impacted, PlanMember Securities has approximately $6.2 billion in assets under management on behalf of roughly 50,000 clients. Victims are urged to contact one of the three major credit bureaus and to monitor their financial accounts for any suspicious activity.
REvil's rebrand.
Ransomware gangs continue to represent a threat to personal information, and therefore to personal privacy. John Hammond, Senior Security Researcher at Huntress, has been tracking the developments and shared the below information/thoughts:
"While it is too early to tell where this stems from or what the implications are, there has been some movement on the REvil ransomware gang's online onion website "Happy Blog." Historically this has been the ransomware gang's leak site, where they publish data of their ransomware victims that had refused to pay the ransom -- but for some time, the site had been offline and REvil seemed to have vanished from the internet.
"Now, off the tails of recent political conversations between Moscow and the United States (https://twitter.com/vxunderground/status/1516759394486263809), the original REvil domain is back online... but redirects to a new address, with a slightly different appearance. (https://twitter.com/_JohnHammond/status/1516814490339262466)
"The "Join Us" page (included as a screenshot, and passed through Google Translate) suggests new work can be carried out with "The same proven (but improved) software," supporting this could be a new rendition of REvil. The contact page also explains that ransomware affiliate workers can work with a member of the "Rutor" Russian darkweb forum, "useransom," whose profile is private.
"Again, it is too early to draw any strong conclusions, but pure speculation can certainly consider this a rebranding of REvil just after the US stops talking to Russia about taking down cyber criminals."