At a glance.
- Recent US healthcare data breaches.
- Is it too late to say I’m sorry?
Recent US healthcare data breaches.
US health insurer Santa Clara Health Plan (SCHP) disclosed it suffered a third-party data breach as a result of the Fortra GoAnywhere managed file transfer (MFT) bug. Health IT Security explains that SCHP’s supplemental benefits administration services vendor NationsBenefits was the target of the attack. Approximately 276,993 individuals were impacted, adding SCHP to the growing list of organizations attacked as a result of the Fortra hack. The compromised data include customer names, demographic information, health insurance numbers, Social Security numbers, dates of service, phone numbers, and provider names.
UnitedHealthcare (UHC) says that in February it detected suspicious activity on its mobile app that appears to have been a credential stuffing attack and may have exposed the information of some members. The US health insurance giant has begun notifying the impacted individuals that data including member names, ID numbers, dates of birth, addresses, and other claim information might have been compromised. CBS News reports that, fortunately, more sensitive information such as Social Security numbers and login credentials was spared, but that UHC still initiated a password reset and locked the accounts of affected members to prevent any further unauthorized access. KOLD notes that some Arizona residents were impacted, and the Baltimore Sun says Maryland residents were also among the victims.
Six individuals pleaded guilty to violating the Health Insurance Portability and Accountability Act (HIPAA) by disclosing the personal health information of car accident victims to an unauthorized individual. Health IT Security explains that five of the offenders are former employees of Methodist Hospital, and a man named Roderick Harvey offered them monetary compensation in exchange for the names and phone numbers of the patients in question. Harvey then sold the data to third parties including personal injury lawyers and chiropractors. The DOJ press release states, "HIPAA's provisions make it a crime to disclose patient information, or to obtain patient information with the intent to sell, transfer or use such information for personal gain." Each violation is punishable by a maximum of one year in prison, a fine of $50,000, and a year of supervised release, and Harvey could face a maximum sentence of five years in prison, a fine of $250,000, and three years of supervised release if found guilty.
Is it too late to say I’m sorry?
The LockBit ransomware group is asking for forgiveness after attacking a school district in the US state of Illinois. Bitdefender reports that Olympia Community Unit School District 16, which is the largest school district in the state, first detected an intrusion into its systems on February 26. Soon after, a counter on LockBit’s leak site announced that the district had until April 12 to meet the ransom demands before the attackers would publish the data they had stolen. LockBit conducts a ransomware-as-a-service (RaaS) operation, meaning it provides malware to affiliates who do the dirty work of carrying out the actual attacks. LockBit is claiming it was unaware the affiliates planned to target school children, and the gang’s operators have issued an apology and offered the district a free decryption key. A note on LockBit’s leak site states, “Please forgive me for allowing the attack on small innocent children, the stolen data has been deleted, to get the decryptor please give me the decryption id. I am very ashamed, but I can not control all partners, anyone can join my affiliate program as well as break the rules, I have blocked this partner.” Regardless of whether LockBit’s intentions are pure, for the victims of the attack the apology is likely too little, too late.