At a glance.
- Breach at medical tech company.
- How low will cybercriminals go?
- Never speak ill of the dead.
Breach at medical tech company.
Zoll Medical, a med tech developer based in the US state of Massachusetts, has disclosed a breach in which the data of approximately one million individuals were exposed. Zoll’s notification letter to those impacted reads, “We determined that your information may have been affected on or about February 2, 2023.” The compromised data include names, addresses, birth dates, and Social Security numbers. Security Week notes that although Zoll says there are no signs that the data has been abused, it is within the realm of reason that the exposed information could be shared or sold online for use in phishing scams or other nefarious activities.
Stuart Wells, CTO of Jumio, points out the effects of major breaches on both individuals and organizations.
“Major breaches like this one can have a devastating impact on organizations and users alike. With personal details like names, birth dates and Social Security numbers compromised, one million patients, current and former employees, as well as their families, find themselves at risk of phishing attacks, insurance fraud, identity theft and account takeover attacks. This incident further proves that healthcare organizations must be placing more stringent security measures to protect their users, in addition to their own reputation. For instance, biometric authentication (which leverages a person’s unique human traits to verify identity), liveness detection and anti-spoofing technology are safe, secure security measures that can be used to ensure data is only accessed by authorized users, keeping data protected and out of fraudsters’ hands.”
Healthcare organizations' access to data isn't frivolous or careless, but the data have to be properly handled and protected. Jocelyn Houle, Senior Director, Data Governance at Securiti, explains, "Enabling healthcare organizations with access to patient data is essential for developing innovative treatments and improving the quality of patient care. The recent Zoll Medical data breach highlights the active threats and challenges healthcare organizations face in harnessing data while keeping it secure. While the exact cause of this cyberattack is still being investigated, roughly one million individuals' personal health information (PHI) has been compromised, including names, addresses, birth dates, and Social Security numbers." She adds that "Understanding and tracking the PHI data one holds is a priority for all healthcare organizations. With the advancements in AI & ML techniques, organizations can now leverage automation to accurately discover PHI data at scale no matter where it's stored. From a security standpoint, organizations must mitigate misconfiguration risks and enforce least privilege access to avoid unintended data exposures. Techniques such as data masking can enable key business users to leverage patient data while minimizing the damage caused by a security breach. It's equally important to deploy automation to identify which patient's data lives where and for what purposes it is used to honor patient privacy rights and understand the regulatory impact of an unfortunate data breach."
How low will cybercriminals go?
As we discussed last week, after a recent cyberattack targeting US medical provider Lehigh Valley Health Network (LVHN), the BlackCat ransomware group published nude images of cancer patients stolen in the attack. Also last week, the Medusa threat group dumped screenshots of data stolen from Minneapolis Public Schools that include details about sexual assault allegations, including the names of the alleged perpetrator and his victims. Such incidents indicate the extremes attackers are willing to go to in order to pressure victims into meeting their ransom demands. Allan Liska, a ransomware analyst at Recorded Future, told Wired, “As fewer victims pay the ransom, ransomware actors are getting more aggressive in their extortion techniques. I think we’ll see more of that. It follows closely patterns in kidnapping cases, where when victims’ families refused to pay, the kidnappers might send an ear or other body part of the victim.” Brett Callow, a threat analyst at the antivirus company Emsisoft, says that in the past, attackers were reluctant to go to such drastic measures, as it might motivate victims to end negotiations. Callow says, “We really haven’t seen things like this before. Groups have done unpleasant things, but it was adults that were targeted, it wasn’t sick cancer patients or school kids.”
The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) released its annual Internet Crime Report this week, and it notes that cybercriminals are becoming more aggressive in their extortion efforts. The report states, “In 2022, the IC3 has seen an increase in an additional extortion tactic used to facilitate ransomware. The threat actors pressure victims to pay by threatening to publish the stolen data if they do not pay the ransom.” The silver lining is that these extreme tactics will likely only make victims less willing to do business with the perpetrators of such vile acts.
Callow concludes, “I hope that these tactics will bite them in the butt and that companies will say no, we cannot be seen funding an organization that does these heinous things.”
Never speak ill of the dead.
Facial recognition search engine PimEyes has faced criticism in the past for its use of scraped web images to populate its database without the consent of the subjects. Most recently, Wired reports, the platform was found to also be using images of the dead, culled from death announcements, memorial websites, and heritage tracing sites like Ancestry.com. The practice raises many ethical questions, not the least of which is, is it possible (without a seance) to get the consent of the dead? Ancestry spokesperson Katherine Wylie says the users maintain ownership and control over their data, including images, and that the site’s terms and conditions prohibit scraping. Giorgi Gobronidze, PimEyes’ director, says he was unaware that images from Ancestry were landing in his database. “PimEyes only crawls websites who officially allow us to do so,” Gobronidze says. “It was … very unpleasant news that our crawlers have somehow broken the rule.” PimEyes has now blocked the Ancestry.com domain from its site.
Meanwhile, the Record by Recorded Future reports that data on the deceased were recently exposed in a Hawaii Department of Health cyberattack in which hackers gained access to the state’s death registry. In January Mandiant warned several state agencies that the credentials for an external medical death certifier account for the state Electronic Death Registry System (EDRS) had been purchased. The compromised account belonged to a former medical certifier who had left the job in 2021, but their account had never been deactivated. Although the department immediately locked down the account after Mandiant’s notice, a subsequent investigation revealed an intruder had already accessed approximately 3,400 death records (which are separate from death certificates) ranging from 1998 to 2023. Officials stated, “The death records contain the decedent’s name, social security number, address, sex, date of birth, date of death, place of death, and cause of death. Records that had been certified could not be altered, and 99% of the records had been certified.”