At a glance.
- Healthcare equipment provider takes nearly two years to disclose breach.
- Data breach at Harvard Pilgrim.
- Enzo Biochem breach.
Healthcare equipment provider takes nearly two years to disclose breach.
Speaking of healthcare data breaches, Apria Healthcare LLC has also disclosed it suffered a data breach in 2019 and 2021. A leading provider of home healthcare equipment in the US, Apria says it first detected the unauthorized intrusion in September 2021, at which time the company notified federal law enforcement authorities and enlisted the help of external cyber forensics experts. While Apria says a “small number of emails and files” were accessed, the company believes the attack was actually an (unsuccessful) attempt to steal funds and was not focused on exfiltrating company data. Apria stated, “There is no evidence of funds removed, and Apria is not aware of the misuse of personal information related to this incident. A small number of emails and files were confirmed to have been accessed, but there is no proof that any data was taken from any system.” That said, cybersecurity expert Tom Kellermann says the company should not rule out the possibility that the exposed data might be abused by cybercriminals. Kellermann, who is SVP of Cyber Strategy at Contrast Security, told CPO Magazine, “If I was one of their customers, I would immediately LOCK my credit and demand more investment into cybersecurity technologies like runtime protection, XDR, and MDR services.” The attack also raises questions about why it took the company so long to disclose the incident, and how the intruders were able to return to access their systems over a year later.
Data breach at Harvard Pilgrim.
In yet another healthcare data breach, Bleeping Computer reports that a non-profit health services provider located in the US state of Massachusetts experienced a ransomware attack that started in March. Harvard Pilgrim Health Care (HPHC) says the data of 2,550,922 individuals were exposed. The company has reported the incident on the US Department of Health and Human Services breach portal and launched an investigation. "Unfortunately, the investigation identified signs that data was copied and taken from our Harvard Pilgrim systems from March 28, 2023, to April 17, 2023," the notice reads. Business operations have been interrupted as the probe continues. The stolen data include full names, street addresses, phone numbers, dates of birth, health insurance account details, Social Security and provider taxpayer ID numbers, and clinical info for current and former members of Harvard Pilgrim.
Avishai Avivi, CISO at SafeBreach, noted, again, why healthcare data are particularly attractive to criminals. “Healthcare has unfortunately become one of the most popular industries targeted by ransomware groups. Their valuable client PII as well as the need to keep vital client services operating make them especially attractive targets," Avivi wrote. "Any company holding large numbers of personally identifiable information (PII) records should be especially vigilant, establishing best practice security policies that include good password hygiene and multi-factor authentication (MFA) for all employees and third party vendors. Further, these organizations should proactively and continuously test their systems to identify any security vulnerabilities, as well as develop and actively practice a remediation plan in case they become the latest victim of a ransomware attack.”
Enzo Biochem breach.
Enzo Biochem, a life sciences and biotechnology company based in the US state of New York, was the target of an April ransomware attack that exposed the data of nearly 2.5 million patients, JDSupra reports. The compromised data include names, test information, and approximately 600,000 Social Security numbers, some of which were exfiltrated from the company’s systems. It’s unclear who’s behind the attack, The Record explains, but the company says it disconnected its systems from the internet and notified law enforcement as soon as the incident was discovered. An investigation is ongoing. “Further, the Company remains subject to risks and uncertainties as a result of the incident, including as a result of the data that was accessed or exfiltrated from the Company’s network as noted above,” CEO Hamid Erfanian said in a filing that was submitted to the Securities and Exchange Commission on Wednesday. The incident demonstrates the continued targeting of the healthcare sector by cybercriminals.
An attack against a biomedical research organization is, at one level of abstraction, an attack on a healthcare organization. It's not a care provider, not primarily, but the data it holds can be the same kind of information a hospital or a clinic might maintain. We received a great deal of comment from industry experts on the Enzo Biochem incident.
Sean McNee, vice president of research and data at DomainTools, suggested that this might be conceived as a supply chain attack. “Biotechnology companies, such as Enzo, are a critical component of the fight against cancer and other viral and bacterial diseases," McNee wrote. "A ransomware attack of this nature can and should be viewed as an attack on the healthcare supply chain, affecting not just this company or the hospitals and clinics it serves, but all of us who rely on these tests as part of our healthcare. Because this data is extremely sensitive, including people’s health information and SSNs, affected individuals will need to be vigilant in monitoring for possible online identity theft from this ransomware incident. People should check their credit reports for suspicious entries and also place freezes and fraud alerts on their accounts.”
Colin Little, security engineer at Centripetal, offered some thoughts on defense. “A breach like this leaves us wondering, 'How did this happen, and how can I stop it from happening with my sensitive information?' Part of the answer is strong security at the perimeter beyond firewalls and IPS technologies, and strong network monitoring/alerting capabilities inside the network," Little said. "Another, perhaps more targeted, part of the answer resides within the secured state of the sensitive data itself. Was the sensitive information appropriately classified as such, and if so, was access restricted using the principle of least privilege? Most importantly in my mind, was the sensitive information encrypted-at-rest (EAR)? These are all things organizations who deal with sensitive information can actively perform to keep sensitive information safe, and if the classification, restricted access, and encryption-at-rest of sensitive information at this organization were all in place prior to the attack, I believe the risk would have been greatly mitigated.”
Darren James, senior product manager with Specops Software, wonders what other data might have been exposed, and hopes the company has a good response plan. “Once again we see the healthcare industry hit by another ransomware attack. So far we only know that patient data was compromised; there is still a question mark around lost employee data and details of how the attackers accessed the network. It was good to hear that they have a Disaster Recovery plan; however, as these attacks are very often related to stolen credentials, we hope that they have a HIPAA compliant password policy that blocks breached passwords or will implement one as a result of this attack.”
Dror Liwer, co-founder of cybersecurity company Coro, commented on the ease with which data of this kind can be monetized. “Healthcare-related organizations are among the most coveted targets for cybercriminals because of the rich, current data they maintain about individuals, which can be easily monetized. Because of this sensitive data, three cybersecurity pillars must be zealously maintained: Protection, automation, and awareness training. Buying great cybersecurity isn’t enough. Automation must be used to offset the shortage in cyber personnel, and continuous awareness training and simulation must be part of the strategy, since in most cases human error is the attacker’s entry point.”
Erich Kron, Security Awareness Advocate at KnowBe4, focused on the extortion:
"The power of modern ransomware is the ability to use stolen data as a way to leverage victim organizations into paying exorbitant ransoms in exchange for not publishing the information and for promises to destroy it. The amount of information along with the sensitive nature of test results, procedures, or other things related is a key reason that ransomware is so successful in the healthcare industry. In this case, with over two and a half million patients having had their clinical test information and with 600,000 of them also potentially having their Social Security numbers stolen as well, this is clearly a pretty significant data breach even without considering the ransomware portion of the event. The information within those tests could potentially be extremely embarrassing for many of the patients, and the loss of personally identifiable information such as Social Security numbers could pose them a whole other issue related to the potential to have their identity stolen.
"The fact that this information, related to the ransomware attack and data loss that occurred on April 6th and was discovered on April 11th, was only confirmed in a recent SEC filing means that many of these patients whose information was stolen were left unaware of the potential for identity theft or the potential publication of their test results, leaving them vulnerable for this time. Had patients whose information had been stolen been made aware of this situation sooner, they could have taken steps to protect themselves against potential identity theft and social engineering attacks that use their testing results and information against them. Because the majority of ransomware attacks such as this start with the simple phishing email, organizations in the medical industry should be especially focused on educating their employees in how to quickly identify and report phishing attacks to their security department. In addition, organizations need to ensure that they have a well-defined software and hardware patching program in place and that software updates are applied as soon as possible to resolve security vulnerabilities."
Paul Bischoff, Consumer Privacy Advocate at Comparitech, pointed out the long-term effects the theft of personally identifiable information can have. "The ransomware attack on Enzo is very serious and could have long-term impacts for patients," Bischoff observed. "The theft of 600,000 Social Security numbers is particularly worrying, because these are critical for identity theft. Cybercriminals might use the SSNs and other info to take out loans, apply for credit, get medical benefits, or even sign up for utilities in victims' names. Patients should take advantage of free credit monitoring services that Enzo will almost certainly offer to victims. Between Enzo and PharMerica, 2023 is shaping up to be a big year for medical data breaches and ransomware attacks."
Chris Hauk, Consumer Privacy Champion at Pixel Privacy, sees this incident as an instance of an unfortunate trend. "Unfortunately, the number of data breaches and ransomware attacks on the medical-related industry continues to climb. Breaches of medical information are always concerning, especially when they include Social Security information as we're seeing with this incident. Affected customers will want to stay alert for phishing emails, texts, and phone calls from the bad actors of the world, as they use the information they've already gleaned to gain access to additional personal and financial information. Customers will also want to keep a close eye on their credit, making sure no new accounts are opened in their name, and that their accounts are not being accessed by the wrong people. I strongly suggest affected folks take advantage of any credit or identity monitoring services that are likely to be offered by Enzo Biochem. If they do not offer free monitoring, customers should also check with their bank or credit card issuers, as they often offer free credit and identity monitoring."
Halcyon's CEO and Co-Founder, Jon Miller, urges a look at the root incentives behind this sort of crime. “Ransomware attacks that include the theft of sensitive data will continue unabated until the profit motives for the threat actors are eliminated. This is organized crime we are dealing with; they only care about bringing pain to victims for their own financial gain," Miller wrote. "Ransomware groups continue to victimize the healthcare providers because they are for the most part easy targets and they have a wealth of personally identifiable information." Data are dangerous, and organizations shouldn't collect and store them without well-considered good reason. "To protect themselves and their patients, organizations that handle personally identifiable information (PII/PHI) must reevaluate what kinds of data they collect and store and for how long. Eliminating the unnecessary storage of sensitive data will make organizations a less attractive target to attackers and help reduce collateral damage after a successful attack." And, of course, cultivation of resilience is vital. "Since the options for prevention are limited, the focus should be on implementing a resilience strategy and assuming they will be the victim of a ransomware attack, and having the contingencies in place to recover as quickly as possible. This includes endpoint protection solutions, patch management, data backups, access controls, staff awareness training, and organizational procedure and resilience testing to be successful. Organizations need to plan for failure by running regular tabletop exercises and ensuring all stakeholders are ready and available to respond to an attack at all times. A determined attacker with enough time and resources is going to find a way around security controls. Planning to be resilient in the aftermath of a successful ransomware attack is the best advice there is - putting all your efforts into prevention alone is just not going to be enough.”