At a glance.
- New York school districts ignored warnings about cybersecurity issues.
- GoAnywhere mass-hack claims another victim.
- UK pummeled with wave of cyberattacks.
- Data breach at HCA.
New York school districts ignored warnings about cybersecurity issues.
The New York City Department of Education recently suffered a data breach as the result of the MOVEit hack, and Govtech reports that administrators had ample warning that school networks were vulnerable to compromise. The New York State Comptroller released an audit in May revealing that incidents impacting schools in the state had increased threefold in recent years because local school districts had not received “sufficient oversight.” The audit reviewed 131 data incidents reported by school districts in the state, including fifteen in New York City, and discovered that many were not compliant with cybersecurity regulations. In over half the incidents, reporting deadlines were not met, and 80% of incident reports lacked adequate detail to determine if the school community was notified of a breach within the required timeline. As well, fourteen out of 169 school districts did not employ data protection officers as mandated by the state. Furthermore, the Special Commissioner of Investigation for the New York School District had issued five warnings since 2021 that the district’s online portal was lacking in safeguards for personally identifiable information. Co-chair of the Parent Coalition for Student Privacy Leonie Haimson stated, “They’ve had a fairly laissez-faire attitude about this, and I think it hasn’t sufficiently protected student or teacher privacy, and shows a lack of real seriousness on their part.” State officials responded to the audit by saying school districts were responsible for their own cybersecurity. “As New York is a local control state, the manner in which Districts choose to meet their unique cybersecurity obligations is entirely under their discretion,” said education department spokesperson JP O’Hare. “The Department provides technical guidance, support, and resources for Districts to meet these obligations.”
GoAnywhere mass-hack claims another victim.
Patient payment firm Intellihartx has disclosed the theft of the personal health data of nearly half a million individuals. The company, which is based in the US state of Tennessee, filed a notice with the Maine attorney general’s office stating that the data were stolen in a ransomware attack targeting Fortra, a vendor that supplied Intellihartx with file transfer software. TechCrunch reports that the pilfered data include patient names, addresses, dates of birth, and Social Security numbers, as well as medical billing and insurance information and diagnoses. The mass attack on Fortra’s GoAnywhere software has impacted over one hundred organizations so far, and the Cl0p ransomware group claims to be behind the hack.
UK pummeled with wave of cyberattacks.
As we noted last week, the ALPHV/BlackCat ransomware gang has claimed responsibility for the theft of 7TB of data from Barts Health NHS Trust, one of the largest hospital trusts in the UK. Barts has confirmed it is investigating the alleged attack, which would be the largest medical data breach in the country’s history. As TechCrunch reports, this attack is the latest in a surge of cyberattacks targeting UK organizations, and the second exposing National Health Service data in recent weeks. The University of Manchester suffered a June breach in which the attackers accessed an NHS dataset containing the information of 1.1 million patients across two hundred hospitals. The Cl0p ransomware gang’s mass-exploitation of the MOVEit file transfer app has impacted Ofcom, the UK’s communications regulator, and the May ransomware attack on British outsourcing giant Capita has compromised the data of over ninety organizations so far.
Data breach at HCA.
HCA Healthcare yesterday disclosed a data breach that exposed:
- "Patient name, city, state, and zip code;
- "Patient email, telephone number, date of birth, gender; and
- "Patient service date, location and next appointment date."
The upside, such as it is, is that HCA has concluded that no clinical information was lost. Thus the following kinds of data are thought to be safe:
- "Clinical information, such as treatment, diagnosis, or condition" (A preliminary investigation, however, by DataBreaches.net, of dark web souks suggests that there may have been some clinical data lost after all, and that HCA's conclusion may be optimistic);
- "Payment information, such as credit card or account numbers;
- "Sensitive information, such as passwords, driver’s license or social security numbers."
HCA believes the data were stolen from "an external storage location exclusively used to automate the formatting of email messages," and notes that there was no disruption to patient care.
Erfan Shadabi, cybersecurity expert with comforte AG, thinks this recent incident has the potential to become one of the biggest of its kind ever. “This incident could potentially be one of the largest health breaches to date, highlighting the vulnerability of sensitive patient data and the potential consequences of inadequate protection. To bolster cybersecurity in healthcare, the industry must prioritize the adoption of data-centric security measures, such as tokenization and format-preserving encryption. By embracing these data-centric security measures, the healthcare industry can significantly mitigate the impact of data breaches. Tokenization and format-preserving encryption provide robust protection for patient information, minimizing the potential for identity theft, fraud, and other malicious activities. Furthermore, these methods offer a level of flexibility and scalability, making them suitable for large-scale healthcare systems and interoperability between different entities. In addition to adopting data-centric security measures, it is crucial for the healthcare industry to be highly sensitive to data security and privacy concerns. Healthcare organizations must actively prepare for breach scenarios, considering they are entrusted with the most personal and sensitive information of individuals. The healthcare sector should prioritize establishing comprehensive security protocols and practices that encompass preventive, detective, and responsive measures.”
Darren James, senior product manager at Specops Software, sees the attackers' motive as straightforwardly financial. “Once again, we see that global healthcare organizations are a high-value target for cyber criminals. HCA claims that they offer cybersecurity awareness education to their employees and vendors, but this once again proves that training needs to be reinforced by policy. All organizations can improve their security posture quickly by improving and enforcing their password policy so that it complies with NIST and HIPAA requirements. Implementing 2FA/MFA reduces the risk even further. Allegedly HCA was contacted by the hacker on the 4th of July, and the data, including that of 11 million patients, was offered for sale on a forum on the 5th of July. It appears that no ransomware was deployed in this breach, or that it may have been contained, as HCA's operations do not appear to have been affected so this attack seems to be driven purely for financial gain.”
Lior Yaari, CEO and co-founder of Grip Security, sees more incidents of this kind in the future. “We live in a world where data is everywhere and accessed from anywhere because of SaaS technology, and unfortunately, this type of breach has become far too common. Companies do not seem to have a solid understanding of their security posture when using SaaS services, and that means that this is going to happen again and again. To prevent this happening again, companies should focus on getting a complete inventory of all of their SaaS and data locations. Whatever they are using today is evidently insufficient, and unless something changes, history will continue to repeat itself.”
(Added, 8:45 PM ET, July 11th, 2023. Nikhil Girdhar, Senior Director of Data Security at Securiti, called for a rethinking of data protection tactics. "The relentless wave of healthcare data breaches, as highlighted by the HCA Healthcare incident that exposed 11 million patients' data, serves as a stark reminder: we need to rethink Data Security Posture Management (DSPM) tactics in the healthcare industry. As healthcare providers go digital at a breakneck pace, patient data - the prized target of these ransomware attacks - is piling up in unsecure data systems scattered across multiple clouds and enterprise applications. Preventing data breaches requires a herculean effort as, in reality, the security teams are scrambling to allocate limited resources to plug an endless stream of IT vulnerabilities. To succeed, security must home in on protecting assets that house their crown jewels - Personal Health Information (PHI).")
(Added, 9:30 PM ET, July 11th, 2023. Or Yair, Security Researcher at SafeBreach commented on the favorable cost-benefit proposition the healthcare sector offers cybercriminals. "Hospitals and healthcare facilities are definitely becoming the most cost-effective targets for attackers. As a result, we of course see a rise in attacks that are being made against them. Like in a few other industries, client information that is kept by the health industry can be sensitive and valuable for attackers that want to extort organizations. With that being said, the health industry is different. In many cases, it relies on OT systems that save lives. There are cybersecurity needs that cannot be met or that are very hard to fulfill because of limitations of these systems, such as being very old. Due to the fact that there are always lives at stake, every little technical change is heavily considered, even if it's just an informational system that may slow down the efficiency of healthcare workers. Therefore, attackers identify organizations in the health industry as potentially easier to infiltrate or easier to perform lateral movements in."
Avishai Avivi, CISO at SafeBreach, points out that while many records were affected, the exposure of PHI might be limited. "While the number of records impacted by this apparent breach is significant, it is important to note that no Protected Health Information (PHI) appears to be involved. Even though the information elements that were included can be used by malicious actors to craft better phishing campaigns, the information is not much different than the paper phone books we used to get for free in the mail. It is actually a good indicator, considering the target - HCA, that the organization was practicing good cyber hygiene and was limiting the data elements that were shared externally.")
(Added, 8:00 AM ET, July 12th, 2023. Liat Hayun, CEO of Eureka Security, also commented on the way the incident exhibits the value data holds in the criminal economy. “This is yet another example illustrating the criticality of data as a valuable asset – one that can be stolen and sold to the highest bidder. Business use cases have led companies to store larger & larger amounts of data within their infrastructure, but most security tools haven’t made the same progress and are lagging behind, leaving organizations vulnerable to such unfortunate data breaches.”)