At a glance.
- NextGen data breach impacts 1 million patients.
- Twitter confirms Circle security incident.
- LockBit publishes stolen Fullerton India data.
NextGen data breach impacts 1 million patients.
NextGen Healthcare has disclosed it suffered a cyberattack that resulted in the theft of the data of over 1 million patients. The US-based provider of electronic health record software says hackers gained access to the company’s cloud-based EHR and practice management system by using stolen login credentials. The attackers had access to the company’s network between March 29 and April 14, and the breach was detected on April 24. In a notification letter sent to the impacted individuals, the company says the compromised data include patient names, dates of birth, addresses, and Social Security numbers, but that no medical records were exposed. TechCrunch, however, says the company has declined to state how it determined which data were exfiltrated. Tom Kellermann, senior vice president of cyber strategy at Contrast Security, told Dark Reading, "This is a massive cybercrime which will result in widespread identity theft. Healthcare providers have long been preferred targets by cybercriminals who specialize in identity theft due to two reasons: First they have woefully inadequate cybersecurity and second, they store the most sensitive PII." It’s worth noting that data reportedly stolen from NextGen recently appeared on a leak site belonging to ransomware operator BlackCat, but the company says this cache of data is unrelated to the most recent breach.
Chris Hauk, Consumer Privacy Advocate at Pixel Privacy, warned of the exposed data's potential use in social engineering. "The victims in this data breach will want to keep a close eye on their personal and financial information, as even though the breach supposedly did not expose any health or medical information, the data that was gleaned could be used to either trick the victims into providing additional information or could even be used by bad actors to extract more info about the victims from other companies. Affected users should definitely take advantage of the free credit monitoring offer. I do applaud NextGen Healthcare for quickly taking action after learning about the breach and for resetting the passwords of the affected customers."
Dror Liwer, co-founder of cybersecurity company Coro, advises, again, minimizing the risk of a breach by following well-established best practices. “The risk of credentials theft and misuse can be greatly diminished through basic password management policy and multi-factor authentication. Moreover, deploying smart automated detection and remediation would have reduced the attacker's activity window to a fraction of the time they were able to access patient information.”
(Added, 8:15 PM, ET, May 9th, 2023. Erfan Shadabi, cybersecurity expert with comforte AG, wrote to point out a lesson that doesn't grow old: healthcare organizations necessarily collect and process a great deal of valuable personal data:
“Healthcare providers collect and handle some of the most sensitive personal data about an individual, information that goes beyond contact and financial data. And for that very reason, the healthcare industry is among the most lucrative targets for threat actors. The healthcare industry presents attractive targets because PHI data persists for healthcare management purposes over long periods. PHI data is quite sensitive, including financial data, identity information, as well as health history. Penetrating one of the systems (either the healthcare business itself or the related business) presents a gold mine of information for attackers to hold hostage or sell.
"While it appears that a third party might be culpable, this does not absolve a primary organization from ensuring that all sensitive data is fully protected at all times. Companies should learn from situations and prepare for such eventualities by deploying data-centric security and having a robust backup strategy. The bare minimum of data security includes fortifying the perimeters around this type of data. However, more effective data protection methods are readily available in the marketplace, including data-centric technologies such as tokenization and format-preserving encryption. These measures guard the data itself instead of the environment around it by replacing sensitive information with representational and innocuous tokens. This data-centric protection travels with the data, so even if hackers circumvent perimeter security or information is inadvertently exposed, any sensitive data subsequently accessed will be worthless, thereby averting the worst repercussions of a breach or leak.”
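The data-centric protection Shadabi describes, as an added example that is not NextGen's or comforte's code: a vaulted tokenizer replaces each Social Security number in the patient table with a random token of the same shape, while the mapping back to the real value lives in a separately controlled vault. An attacker who dumps only the application database gets SSN-shaped values that decode to nothing. The patient records are constructed, the `TokenVault` class and its in-memory dict stand in for a real vault service, and the same result could be had without a vault via format-preserving encryption such as FF1, which this example does not implement.

```python
"""Vaulted, format-preserving tokenization of SSNs (added illustration)."""
import re
import secrets

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """Maps tokens to real values. In production this is a separate,
    tightly access-controlled service; here it is an in-memory dict
    (an assumption for the example)."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, ssn: str) -> str:
        if not SSN_RE.match(ssn):
            raise ValueError("not an SSN-shaped value")
        # Same input -> same token, so joins on the tokenized column still work.
        if ssn in self._value_to_token:
            return self._value_to_token[ssn]
        while True:
            digits = "".join(secrets.choice("0123456789") for _ in range(9))
            token = f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"
            # Reject a token that collides with an existing token or with a
            # real SSN already in the vault, otherwise the mapping is ambiguous.
            if (token != ssn
                    and token not in self._token_to_value
                    and token not in self._value_to_token):
                break
        self._token_to_value[token] = ssn
        self._value_to_token[ssn] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access can turn a token back into an SSN."""
        return self._token_to_value[token]


def protect_records(records, vault):
    """Return copies of patient records with the ssn column tokenized."""
    return [{**r, "ssn": vault.tokenize(r["ssn"])} for r in records]


# Constructed sample data, not real patients.
PATIENTS = [
    {"name": "A. Example", "dob": "1970-01-01", "ssn": "123-45-6789"},
    {"name": "B. Example", "dob": "1980-02-02", "ssn": "987-65-4321"},
]


def demo():
    vault = TokenVault()
    protected = protect_records(PATIENTS, vault)
    # What an attacker who steals only the application database learns:
    leaked = {r["ssn"] for r in protected} & {r["ssn"] for r in PATIENTS}
    # What the application recovers when it is allowed to ask the vault:
    recovered = [vault.detokenize(r["ssn"]) for r in protected]
    return protected, leaked, recovered
```

The tokens still pass the same `SSN_RE` validation as real SSNs, so downstream code and schemas need no change; what changes is that the value worth stealing now sits in one place that can be locked down independently of the EHR database.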
Darren James, senior product manager at Specops Software, sees a failure of cyber hygiene in the incident. “Once again we have seen a healthcare company fall foul of one of the most common forms of bad cyber hygiene and that is the re-using of passwords. This database of sensitive information was accessed by known user credentials from an unrelated source," James writes. "Using the same password across multiple IT systems and services means that only one of those systems needs to be compromised for all of those systems to be at risk. It might be easier to remember, but at what cost when the attack eventually happens? What can companies do to reduce the risk of this type of attack? Block use of known stolen or compromised passwords, train end-users to understand the risks, and make sure that two-factor authentication is enabled on all company systems—including third party apps.”)
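The control James asks for, blocking known-compromised passwords, as an added example that is not Specops' or NextGen's code: the check hashes the candidate with SHA-1, sends only the first five hex characters to the breach corpus, and compares the returned suffixes locally, so the corpus operator never learns which password was checked (the k-anonymity range-query pattern used by public breach corpora). The corpus here is constructed from a few well-known weak passwords, `RANGE_BUCKETS` and `range_lookup` stand in for a real range API or a local copy of one, and the 14-character minimum is an assumed policy value. SHA-1 is used only as the lookup key the corpora are indexed by, not for storing passwords.

```python
"""Blocking compromised passwords with a k-anonymity range lookup (added example)."""
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus, stored the way range APIs serve it:
# keyed by the first 5 hex chars of the SHA-1, value = {remaining 35 chars: count}.
COMPROMISED = ["Password123", "Spring2023!", "Welcome1", "letmein", "qwerty123"]
RANGE_BUCKETS = defaultdict(dict)
for _pw in COMPROMISED:
    _h = sha1_hex(_pw)
    RANGE_BUCKETS[_h[:5]][_h[5:]] = RANGE_BUCKETS[_h[:5]].get(_h[5:], 0) + 1


def range_lookup(prefix: str) -> dict:
    """Simulated server side of a range query: it receives only 5 hex chars
    and returns every suffix in that bucket, so it cannot tell which of the
    ~16^35 possible passwords behind the prefix the client is checking."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return RANGE_BUCKETS.get(prefix.upper(), {})


def is_compromised(password: str) -> bool:
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    # The comparison happens on the client; the full hash never leaves it.
    return suffix in range_lookup(prefix)


def evaluate_password(password: str, min_length: int = 14) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.
    Applied at set/reset time and, ideally, re-checked against new corpus
    releases for existing accounts."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_compromised(password):
        reasons.append("appears in breach corpus")
    return reasons
```

Blocking reused or leaked passwords narrows the credential-stuffing window James describes but does not close it; the second factor he also calls for is what makes a stolen password alone insufficient.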
(Added, 11:45 PM ET, May 10th, 2023. Stephan Chenette, Co-Founder and CTO at AttackIQ, draws an analogy between patient care and care of networks and systems. Both should involve regular checkups:
“Just as patients require checkups, so do cybersecurity programs. It is imperative for healthcare organizations that manage sensitive information to establish a threat-informed cyberdefense strategy. This includes understanding the common tactics and techniques used by common adversaries and mapping organizational capabilities and security controls to specific attack scenarios.
"These 'checkups' should also include continuously evaluating existing security controls to uncover gaps and weaknesses and test their cyberdefenses against known threats using the MITRE ATT&CK framework. Automated security solutions will aid healthcare organizations’ defensive controls against threat actors and ensure that sensitive data remains protected.”
Alexander Heid, Chief Researcher, SecurityScorecard, remarked that the incident offers further confirmation of the value, to criminals no less than to legitimate users, of the information healthcare systems hold. "The recent revelation that over a million Social Security numbers were compromised in a cyber attack against NextGen highlights the ongoing vulnerability of the healthcare sector to malicious actors," he wrote. "The sheer volume of personally identifiable information (PII) managed by healthcare providers makes them prime targets for hackers seeking to profit from identity theft and insurance fraud. This alarming trend underscores the urgent need for a focus on cybersecurity measures to protect the sensitive data handled by the healthcare industry.")
Twitter confirms Circle security incident.
As Twitter continues to grapple with massive changes under its new management, users say they were recently informed of an incident in which tweets intended only for their Twitter Circle were inadvertently shown to other users. An email sent from Twitter to those impacted reads, "In April 2023, a security incident that may have allowed users outside of your Twitter Circle to see tweets that should have otherwise been limited to the Circle to which you were posting. The issue was identified by our security team and immediately fixed so that these tweets were no longer visible outside of your Circle." Making matters worse, as Circle is intended to be used for semi-private communications, some of the exposed tweets included mature images. Twitter users reported the issue back when it occurred in April, and many are wondering why it took the social media platform over a month to confirm. The Register says it reached out to Twitter’s PR team for comment on the incident, but as the Elon Musk-helmed Twitter 2.0 no longer responds to emails from the press, reporters’ queries were met with an automated poop-emoji reply. (Yes, you read that correctly.)
LockBit publishes stolen Fullerton India data.
Indian lender Fullerton India suffered a recent ransomware attack at the hands of the LockBit 3.0 ransomware group, and on Monday the cybercriminals published 600 gigabytes of data stolen from the company. Fullerton disclosed on April 24 that it was forced to temporarily go offline as the result of a malware attack, Gov Info Security reports. LockBit soon added Fullerton to its list of victims on its leak site, and the gang demanded a $3 million ransom for the return of the data – 600 gigabytes of "loan agreements with individuals and legal companies” – giving Fullerton until April 29 to pay up. Ritesh Bhatia, noted cybercrime researcher and the founder of V4WEB Cybersecurity, says Fullerton refused to engage with the threat group, resulting in the data dump.