At a glance.
- Florida hospital discloses patient data breach.
- US officials warn that third-party tracking could expose protected health data.
- June breaks ransomware records.
Breach at Tampa General.
US healthcare provider Tampa General Hospital (TGH) has posted a notice on its website explaining it suffered a cybersecurity event that might have led to the breach of patient data. “The information varied by individual, but may have included names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, dates of service and/or limited treatment information used by TGH for its business operations,” the announcement reads. “TGH’s electronic medical record system was not involved or accessed.” As DataBreaches.net explains, the incident occurred over three weeks in May and impacted approximately 1.2 million individuals. Although TGH has not identified the attackers, cyber gang Snatch Team has added the hospital to its leak site, claiming to have stolen 4TB of data. The hospital, which is located in the state of Florida, has also declined to disclose whether a ransom demand has been made, but did state that the TGH IT team has prevented the encryption of any files.
Al Martinek, Customer Threat Analyst at Horizon3.ai, wrote to point out that stolen credentials are a lot more common than zero-day attacks. “Cyber threat actors do not typically use sophisticated hacking tools and techniques like zero-day exploits to gain access to a network; most often, they simply log in with legitimate user credentials gleaned from previous data breaches. According to CrowdStrike, 62% of all detections indexed by the fourth quarter of 2021 were malware-free – meaning attackers were ‘living off the land,’ using legitimate credentials and built-in tools to evade detection instead of sophisticated malware.” Martinek went on to outline the ways in which attackers use this approach. “Nefarious actors exploit credentials in many ways. They can:
- “Take advantage of weak password strength requirements or weak account lockout thresholds
- “Capture and then crack hashes
- “Take advantage of accounts that reuse compromised credentials
- “Use the default credentials that remain unchanged in a variety of web applications and systems processes
Martinek concluded, “Some threat actors even go so far as to buy cleartext credentials available on the dark web. Once they gain initial access, they then appear as legitimate users and can move laterally within a network to gain further access and establish persistence, steal sensitive data, bring down systems, and/or hold the organization hostage through ransomware.”
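The credential-abuse patterns Martinek lists (weak lockout thresholds, reused or purchased credentials, attackers who then "appear as legitimate users") leave a distinctive shape in authentication logs even when no malware is involved. The following is an added example, not code from the newsletter or from Horizon3.ai, showing how a defender can surface that shape: one source failing against many accounts (password spraying), a success on an account that has just exceeded what a lockout policy should have stopped, and a success from a source already flagged for spraying. The log format, the sample lines, the IP addresses and the lockout threshold of 5 are all constructed assumptions; adapt the regex to your identity provider's actual log format.

```python
"""Credential-abuse detection over authentication logs (added example).

Constructed: the log line format and every value below are invented for
illustration; the regex must be adapted to real identity-provider logs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2023-07-20T10:15:02Z auth src=203.0.113.7 user=alice result=FAIL
2023-07-20T10:15:03Z auth src=203.0.113.7 user=bob result=FAIL
2023-07-20T10:15:04Z auth src=203.0.113.7 user=carol result=FAIL
2023-07-20T10:15:05Z auth src=203.0.113.7 user=dave result=FAIL
2023-07-20T10:15:06Z auth src=203.0.113.7 user=erin result=FAIL
2023-07-20T10:15:07Z auth src=203.0.113.7 user=frank result=OK
2023-07-20T10:20:00Z auth src=198.51.100.9 user=grace result=FAIL
2023-07-20T10:20:01Z auth src=198.51.100.9 user=grace result=FAIL
2023-07-20T10:20:02Z auth src=198.51.100.9 user=grace result=FAIL
2023-07-20T10:20:03Z auth src=198.51.100.9 user=grace result=FAIL
2023-07-20T10:20:04Z auth src=198.51.100.9 user=grace result=FAIL
2023-07-20T10:20:05Z auth src=198.51.100.9 user=grace result=FAIL
2023-07-20T10:20:06Z auth src=198.51.100.9 user=grace result=OK
2023-07-20T11:00:00Z auth src=192.0.2.50 user=heidi result=FAIL
2023-07-20T11:00:30Z auth src=192.0.2.50 user=heidi result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class AuthEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(AuthEvent(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                                m["src"], m["user"], m["result"] == "OK"))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Sources that fail against >= min_accounts distinct accounts inside one window."""
    flagged = []
    by_src = defaultdict(list)
    for e in events:
        if not e.ok:
            by_src[e.src].append(e)
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:  # slide the window forward
                start += 1
            if len({e.user for e in fails[start:end + 1]}) >= min_accounts:
                flagged.append(src)
                break
    return flagged


def detect_success_after_failures(events, lockout_threshold=5, window=timedelta(minutes=10)):
    """A success preceded by >= lockout_threshold failures on the same account
    in the window: either lockout is not enforced or a guessed/reused credential worked."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, e in enumerate(evs):
            if e.ok:
                recent_fails = [p for p in evs[:i] if not p.ok and e.ts - p.ts <= window]
                if len(recent_fails) >= lockout_threshold:
                    alerts.append((user, len(recent_fails)))
    return alerts


def successes_from(events, sources):
    """Successful logins from sources already flagged: the 'legitimate user' to chase."""
    wanted = set(sources)
    return [(e.src, e.user) for e in events if e.ok and e.src in wanted]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sprayers = detect_spraying(evs)
    print("spraying sources:", sprayers)
    print("success after threshold:", detect_success_after_failures(evs))
    print("successes from flagged sources:", successes_from(evs, sprayers))
```

On the constructed input the spraying check flags 203.0.113.7 (five distinct accounts in five seconds, then a valid login as frank), and the threshold check flags grace, whose account accepted a login after six consecutive failures in under ten seconds; heidi, with one failure before success, is left alone. The lockout threshold used here is an assumed policy value and should match whatever the identity provider actually enforces, so that the second check measures policy violations rather than noise.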
Other comments came in from Ani Chaudhuri, CEO of Dasera:
"First and foremost, it is crucial to acknowledge the immense challenge hospitals like Tampa General and the healthcare industry face in safeguarding sensitive medical information amidst the relentless barrage of external and internal threats. The recent breach is a stark reminder of the complexities in ensuring robust patient data security across the board. However, it is essential to recognize that this challenge extends far beyond the healthcare sector, as data breaches have become a pervasive issue faced by companies worldwide. From multinational corporations to small businesses, organizations of all sizes and industries grapple with the daunting task of securing sensitive data in the face of increasingly sophisticated cyber threats.
"Securing healthcare data requires a comprehensive and multifaceted approach considering the ever-evolving technological vulnerabilities and the persistent threats cybercriminals pose. Hospitals like Tampa General are responsible for protecting patient confidentiality and must invest in robust security measures to prevent unauthorized access.
"While we await further details regarding the breach, it is evident that the unauthorized party gained access to a substantial amount of personal information, including Social Security numbers, addresses, and medical records. This breach exposes patients to the risk of identity theft and financial fraud and undermines patients' trust and confidence in the hospital's commitment to data security.
"In light of this breach, all affected individuals should protect themselves immediately. Monitoring financial accounts closely, reviewing credit reports regularly, and remaining vigilant for any suspicious activity is crucial.
"Tampa General Hospital and healthcare organizations worldwide must use incidents like this as catalysts for change. Learning from such breaches and proactively enhancing data security practices is vital. Cybersecurity requires continual investment in advanced technologies, comprehensive training programs, and stringent security protocols.
"Let us view this unfortunate event as an opportunity for growth and improvement, reinforcing the critical importance of safeguarding patient data. We should work together to build a more resilient healthcare ecosystem that prioritizes the privacy and security of every individual's sensitive information."
US officials warn that third-party tracking could expose protected health data.
Yesterday the US Federal Trade Commission (FTC) and the Department of Health and Human Services’ Office for Civil Rights (OCR) sent a letter to approximately 130 hospital systems and telehealth providers warning that their websites could be exposing sensitive patient data through third-party tracking tools like Meta Pixel and Google Analytics, Nextgov.com reports. “These tracking tools gather identifiable information about users as they interact with a website or mobile app, often in ways which are not avoidable by and largely unknown to users,” the letter stated. The officials warn that exposure of such data could be a violation of Health Insurance Portability and Accountability Act (HIPAA) rules, and even entities not covered by HIPAA are required to protect certain health data under the FTC Act and the FTC Health Breach Notification Rule. “As recent FTC enforcement actions demonstrate, it is essential to monitor data flows of health information to third parties via technologies you have integrated into your website or app,” the letter explains.
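The letter's practical instruction is to monitor what third-party technologies are integrated into a site, which starts with an inventory of where tracking tools load and whether those pages handle health-related interactions. The script below is an added example, not code from the newsletter, the FTC or OCR, that audits HTML for the two tools the letter names by matching known loader hosts (connect.facebook.net and www.facebook.com/tr for Meta Pixel, www.googletagmanager.com and www.google-analytics.com for Google Analytics) and inline snippet markers, and rates a finding higher when it sits on a path assumed to be sensitive. The sample pages, the first-party hostname, the sensitive path prefixes and the pixel ID are constructed; the host list should be extended from your own tag manager or CSP violation reports.

```python
"""Audit HTML pages for third-party tracking tools (added example).

Constructed: page HTML, hostnames, paths and the pixel ID are invented.
The tracker host names are the publicly documented loader hosts of the tools.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Third-party hosts associated with the tracking tools named in the FTC/OCR letter.
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel loader",
    "www.facebook.com": "Meta Pixel image beacon",
    "www.googletagmanager.com": "Google Tag Manager / gtag.js",
    "www.google-analytics.com": "Google Analytics",
}
# Markers that identify the same tools when they are injected by inline script,
# which is how the Meta Pixel snippet normally loads its own fbevents.js.
INLINE_MARKERS = {"fbq(": "Meta Pixel (inline)", "gtag(": "Google Analytics (inline)"}

# Assumed sensitive areas of a hospital site: paths where a visit itself reveals
# something about a person's health (appointment booking, patient portal, provider search).
SENSITIVE_PATH_PREFIXES = ("/patient-portal", "/appointments", "/find-a-doctor")


class TrackerFinder(HTMLParser):
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings = []  # (tool, evidence)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe"):
            url = a.get("src")
        elif tag == "link":
            url = a.get("href")
        else:
            url = None
        if not url:
            return
        host = urlparse(url).netloc.lower()  # empty for relative first-party URLs
        if host and host != self.first_party_host and host in KNOWN_TRACKER_HOSTS:
            self.findings.append((KNOWN_TRACKER_HOSTS[host], f"<{tag}> -> {host}"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for marker, tool in INLINE_MARKERS.items():
                if marker in data:
                    self.findings.append((tool, f"inline script contains {marker!r}"))


def audit_page(path, html, first_party_host="www.example-hospital.test"):
    finder = TrackerFinder(first_party_host)
    finder.feed(html)
    finder.close()
    sensitive = path.startswith(SENSITIVE_PATH_PREFIXES)
    trackers = sorted({tool for tool, _ in finder.findings})
    severity = "high" if (trackers and sensitive) else ("medium" if trackers else "none")
    return {"path": path, "sensitive": sensitive, "trackers": trackers,
            "evidence": finder.findings, "severity": severity}


def audit_site(pages, first_party_host="www.example-hospital.test"):
    return [audit_page(p, h, first_party_host) for p, h in pages.items()]


# Constructed sample pages; the pixel ID and GA measurement ID are placeholders.
SAMPLE_PAGES = {
    "/": """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-EXAMPLE');</script>
</head><body><h1>Welcome</h1></body></html>""",
    "/appointments/book": """<html><head>
<script>!function(f,b,e,v,n,t,s){/* pixel loader */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init','000000000000000');fbq('track','PageView');</script>
<noscript><img height="1" width="1"
src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
</head><body><form action="/appointments/submit">...</form></body></html>""",
    "/privacy": """<html><head><link rel="stylesheet" href="/static/site.css"></head>
<body><img src="/static/logo.png"><p>No trackers here.</p></body></html>""",
}

if __name__ == "__main__":
    for result in audit_site(SAMPLE_PAGES):
        print(result["severity"].upper(), result["path"], result["trackers"])
```

Static HTML review like this catches tags baked into templates; loaders injected at runtime (the Meta Pixel snippet above only references fbevents.js from inside a string) show up through the inline markers here, and in production should be cross-checked against a Content-Security-Policy report-only deployment, which records every third-party host the browser actually contacts.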
June breaks ransomware records.
A report from Corvus Threat Intel indicates that June 2023 saw the highest number of companies listed on ransomware leak sites ever recorded. Attack frequency increased 38% over the previous month and a whopping 179% over the same period last year, and June was the fifth month in a row to show a year-over-year increase in ransomware victims. The report notes that much of June’s activity can be attributed to the Cl0p ransomware group, which is responsible for the mass exploitation of a vulnerability in the widely used MOVEit file transfer app. A report from NCC Group’s Global Threat Intelligence team supports this, noting that Cl0p claimed ninety victims in June alone. The same report counts 434 ransomware attacks that month, a 221% increase over the same period last year. Matt Hull, Global Head of Threat Intelligence at NCC Group, stated, “It’s imperative that organisations should remain vigilant and adapt their security measures to stay one step ahead. We strongly advise any organisation using MOVEit File transfer software to apply the recent patch, given this vulnerability is being actively exploited.” In addition to the Cl0p attacks, the steep spike can be attributed to consistently high levels of activity from mainstays like the LockBit 3.0 threat group, as well as new kids on the block like 8base, Rhysida, and Darkrace. The findings show that North America was the most targeted region in June, and Industrials were the most targeted sector.