Hacking Humans 7.25.24
Ep 299 | 7.25.24

Healthcare hassles and hefty heists.

Transcript

Dave Bittner: Hello, everyone, and welcome to N2K CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from The CyberWire, and joining me is Joe Carrigan. Hi, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: And Maria Varmazis. Hello, Maria.

Maria Varmazis: Hello, hello.

Dave Bittner: We'll be right back after this message from our show sponsor. [ Music ] All right, before we dig in here, gang, we have a couple of bits of follow-up. Our first one comes from someone named Michael. I'm going to read part of what he wrote in. He said, by and large, I love and embrace tech more than most, but I view this early evolution of AI with even more concern than I did with crypto and NFTs.

Maria Varmazis: Same.

Dave Bittner: Yeah. I'm with you. And I was skeptical of crypto and downright dismissive of NFTs.

Joe Carrigan: Yeah, well, NFTs have been dismissed, so I think that dismissiveness is justified.

Dave Bittner: Yeah, yeah. Michael goes on and says, there appears to be a perception that by not jumping headfirst into incorporating AI into seemingly any product, service, or platform, we'll leave a company missing out on the imagined benefits that AI will deliver. I expect this push not only increases the probability of a poorly implemented product, but also normalizes the belief of the wider public that anything being advertised as AI must be inherently better and thus more trustworthy.

Maria Varmazis: Wow. Nail on the head right there. Yeah.

Dave Bittner: Yeah.

Joe Carrigan: This is an excellent comment, right?

Maria Varmazis: Yeah.

Dave Bittner: Yeah. No, and we're absolutely seeing it, and we see it among professional cybersecurity companies.

Maria Varmazis: Right.

Dave Bittner: That it's like, if you don't have AI somehow grafted onto your product offering, you're no longer on the cutting edge.

Joe Carrigan: Right.

Dave Bittner: And for better or for worse.

Joe Carrigan: Here's the thing, though. A lot of these algorithms that are involved here have always been in the field of AI. Right?

Dave Bittner: Yeah.

Joe Carrigan: Yeah. It's just that now people think there's -- well, there has been this really big development in AI and large language models.

Dave Bittner: Right.

Joe Carrigan: And deep learning and that kind of thing. But AI has been around for decades as a field of study.

Dave Bittner: Yeah.

Joe Carrigan: I did my master's research, final research project, was in route planning algorithms using an AI algorithm. And that was back in the early 2000s.

Dave Bittner: Yeah.

Joe Carrigan: So it's not -- you know, my AI stuff is now out of date, actually.

Dave Bittner: Yeah. I agree. I mean, it's absolutely the LLMs that have kicked us into high gear here.

Joe Carrigan: Right.

Dave Bittner: I want to say it was six or seven years ago at the RSA conference, which is the big cybersecurity conference every year. The hot topic was AI. And it was before all of this LLM stuff.

Joe Carrigan: Right.

Dave Bittner: But we joked about, we were making similar jokes to what we're making now about how you couldn't swing a dead cat and not hit something that had to do with AI. But this is different.

Joe Carrigan: Right.

Dave Bittner: Yeah. This is a whole different hype cycle.

Joe Carrigan: The hype has gone way through the roof on this.

Dave Bittner: Yeah. I think it's partly because this is accessible to everybody. And everybody --

Maria Varmazis: I was going to say that. Yep.

Dave Bittner: Yeah. Everybody can see the magic that this, or the -- and I use magic in air quotes like an illusion that this generates.

Maria Varmazis: The black box. Yeah. We don't know how it works. We don't know that it does or doesn't.

Dave Bittner: Yeah. Right.

Joe Carrigan: It's like Arthur C. Clarke always said, any sufficiently advanced technology is indistinguishable from magic.

Dave Bittner: Right.

Joe Carrigan: You talk about these products that have, cybersecurity products that have AI built into them. That's generally a classifier. And that can be built with neural networks, which are the same as these large language models. But they're not as big or difficult to train as LLMs. They're much simpler. Because really, at the end of the day, all you want to know is, is this something I need to have an analyst look at?

Dave Bittner: Yeah.

Joe Carrigan: And then you want to know how accurate the model is. Right? Do my analysts spend a lot of time, waste a lot of time chasing down false positives? Or worse, am I missing something coming in? Am I getting false negatives, which is going to lead to a compromise?

Dave Bittner: Yeah.

Joe Carrigan: That part of AI is invaluable and absolutely necessary. And it's been, like you said, part of these products for seven to 10 years.

Dave Bittner: Yeah.

Joe Carrigan: So it's not anything new.

Dave Bittner: No. Absolutely. Well, Michael, thank you for writing in. We do appreciate it. We have another note here from a listener named John, who says, I'd like to mention one danger of storing known good phone numbers for banks on your phone. If a scammer spoofs the official number, it might make the call look more legitimate when it shows up with the bank's name.

Joe Carrigan: Right.

Maria Varmazis: That's true.

Dave Bittner: Perhaps adding a comment like, incoming call might be a scam, would help you remember that if it ever happens. And John says, thanks for all the great social engineering stories.

Maria Varmazis: So you might have to add it to every phone number.

Dave Bittner: Yeah.

Maria Varmazis: It might be for anybody, any incoming call.

Dave Bittner: Right.

Joe Carrigan: Well, so, I mean, I don't answer incoming calls anymore. Does anybody? I mean, unless it's my -- it has to be an immediate family member or a co-worker, right? But there's a very small, and I'd say shrinking circle of people that I will actually answer a live phone call from.

Maria Varmazis: Yeah.

Joe Carrigan: I do not want to talk to you in general. Send me a text message.

Maria Varmazis: Send me a text. Exactly that. Dave, I'm sure you've had those conversations with people you're close to about incoming calls from you, quote unquote.

Dave Bittner: Yeah.

Maria Varmazis: Even then, they may need to be skeptical. I've had that conversation also, about how to distinguish something that's real versus something that's fake. I mean, does anyone want an incoming call anymore? I don't even know.

Dave Bittner: Yeah. No, I had a similar conversation just this past week with my father, who I've talked about many times on this program. He is quite elderly, and he got a phishing email recently. It was kind of the standard, hey, we're going to bill you for your Norton antivirus kind of thing. He had forwarded it to me and said, is this a scam? It's totally the right thing to do, right?

Joe Carrigan: Right.

Maria Varmazis: Yes.

Dave Bittner: That part I'm proud of, because I got him trained.

Maria Varmazis: Yes!

Dave Bittner: But at some point with one of these, he had called the people, and so we had to reiterate, don't ever call anybody. Anytime you have a question about anything, please, please call me first.

Joe Carrigan: Right.

Dave Bittner: Call me first, but don't ever call anybody. So anyway, thank you, John, for sending in this useful tip. I think it's a good one, and of course, we would love to hear from you. If you have any feedback on our show, you can email us. It's hackinghumans@n2k.com. All right, well, let's move on and talk about our stories this week. I'm going to start things off for us. Mine comes from Infosecurity Magazine, and they're writing about a study that was done actually over in the UK. This is from the University of Portsmouth. I don't know if I have that quite right. It seems like every time I try to pronounce a location in the UK, someone writes in and tells me that I got it wrong.

Joe Carrigan: Just say Ports-mouth.

Dave Bittner: Just get it totally wrong? Right.

Maria Varmazis: We're American. It's wrong. It's just wrong by default.

Joe Carrigan: It's kind of a badge of honor for us.

Dave Bittner: Right.

Maria Varmazis: We say it wrong and we love it.

Dave Bittner: Yeah.

Joe Carrigan: Like Portsmouth, Maine?

Dave Bittner: Right, right. So this is from the University of Ports-mouth, where they had nearly 2,000 participants in this study, and over 80% of them were over 75 years old. And they were looking at basically fraud attempts on these people. And what they learned was in the UK, about 40% of elderly adults in the UK had experienced phone-based fraud attempts regularly. Two-thirds of the respondents had had at least one fraud attempt in the past six months, and 20% reported weekly harassment.

Maria Varmazis: Wow.

Dave Bittner: One out of five.

Joe Carrigan: Yeah. These are the people that are on the list that keep getting sold and distributed.

Dave Bittner: Right, right. We got a hot one here.

Joe Carrigan: Right.

Dave Bittner: Yeah, absolutely.

Maria Varmazis: When they say phone, do we know, is it mobile only? Are landlines even part of this equation, or is that completely outdated thinking?

Joe Carrigan: That's a good question, but given the age of these people, I would say landlines are included?

Dave Bittner: Well, I would say yes and, but I don't know what the situation is in the UK.

Joe Carrigan: Right.

Dave Bittner: I would suspect that they are probably farther along in their transition than we are, just because most parts of the world are.

Maria Varmazis: Usually safe in that assumption, yes, yes, yes.

Dave Bittner: Yeah. It also strikes me that the UK being more geographically constrained than the US is, that it would be easier to get ahead and go completely wireless than it would with as spread out as we are, or can be, that sort of thing. But I don't know. I'm just, total speculation on my part. This study found that 75% of attempted frauds were via telephone, and that breaks down to about 60% were through voice calls, and the rest through text messages, and they go through some of the impact here on the folks who are affected. And beyond the fraud, they touch on the fact that this really affects people's mental health, because it injects this kind of noise floor level of fear, right?

Maria Varmazis: Yeah.

Dave Bittner: If you know that somebody, that basically somebody's out to get you, these relentless scam attempts, it adds to your anxiety. They spoke to a gentleman named Mark Button, which I have to say is a very European name.

Joe Carrigan: I'd go so far as to call it English.

Dave Bittner: Yeah. He was saying that this all does operate at an industrial scale, that as we know, there are just call centers full of people around the world whose job it is to try to scam people like this.

Joe Carrigan: He is right.

Dave Bittner: Yeah. And he said that there needs to be more research, that they just, with only 2,000 participants, they're just scratching the surface here, but it certainly does reflect some of the trends. It was interesting also, this article did a comparison with some data from the US, and the Federal Trade Commission reported that between 2020 and 2023, they saw about a 50% decline in phone-based fraud, but they saw email scams rise quite a bit.

Joe Carrigan: Right. More than double, it looks like.

Dave Bittner: Yeah. And text-based impersonation fraud went up as well.

Maria Varmazis: Yep. That tracks. Yep.

Dave Bittner: Yeah. Yeah. It's interesting that email would be on the rise and phone-based things would be on the decline. I wonder what that means.

Maria Varmazis: It's because nobody answers their phone anymore.

Dave Bittner: Well, right.

Maria Varmazis: I mean, we all got so sick of it, we all said, forget that.

Joe Carrigan: Right. Yeah.

Dave Bittner: Right. It's true. What are the odds of a phone call being anything that you're at all interested in?

Joe Carrigan: You know what's interesting? You guys are talking about this, and today, or not -- well, today I got one, but recently, over the past three weeks, I have been getting scam text messages that are like the postal service impersonation scams.

Dave Bittner: Yeah.

Joe Carrigan: Have you been getting those?

Maria Varmazis: Oh, yeah.

Dave Bittner: Not particularly. I mean, I've gotten them, but I haven't been getting anything lately.

Joe Carrigan: Yeah. I've been getting them in the past two weeks. They're going through my spam filter and just showing up in my inbox, and it says, is this spam? And I'm like, yes. Report and block, please.

Dave Bittner: Yeah. Yeah. You know, just sort of quickly swinging back to my father here, in this message that got through. My father uses Gmail, which, in general, I think is excellent for filtering things out.

Joe Carrigan: Right. They do a good job at spam filtering.

Dave Bittner: World-class spam filtering from the good security folks at Google. But I have to say, I would totally throw money at enhancing my father's phishing protection.

Joe Carrigan: Right.

Dave Bittner: So if there's anybody in our audience who has a recommendation for any additional -- knowing my situation here, we've got an elderly person, not a sophisticated computer user. Is there something I can put in between him and his Gmail mailbox that adds an additional layer of phishing protection? I'm all ears.

Joe Carrigan: A locked door.

Dave Bittner: Well, it has to be not me reading all his emails, because that is --

Joe Carrigan: Right.

Maria Varmazis: Privacy violations.

Dave Bittner: That has been suggested. Right. Right. Yeah.

Maria Varmazis: Yeah. I would say can we throw that out to even non-Gmail users.

Joe Carrigan: Right.

Maria Varmazis: I mean, I have several elderly family members who use the -- oh, I'm putting this politely, the default email that came with their ISP 25 years ago. And I cannot get them to switch off of those. And 25 years ago is probably a -- it's probably longer than that.

Joe Carrigan: Right.

Maria Varmazis: Gmail would be an upgrade if I could get them to use it, but they won't. So a lot of times they still are using also a dedicated desktop client. They're not using web. Gosh.

Dave Bittner: Right.

Maria Varmazis: So help.

Joe Carrigan: Every time they go to check their email, they go into the other room, you hear the screech of a modem, and then it goes, you've got mail.

Dave Bittner: That's awesome.

Maria Varmazis: I know. I laugh, but actually there are people with AOL web addresses. Yeah. So yeah.

Dave Bittner: All right. Well, please, if you have something that you think would be helpful, please share with us and we'll tally up the answers and we'll put together a little report for our listeners here. All right. Well, that is my story. We'll have a link to that in the show notes. Joe, why don't you go next for us here?

Joe Carrigan: Very good, Dave. I have a story. It's a good one today. It's from Chase Golightly out in Phoenix at News 12.

Dave Bittner: What is the Chase Golightly?

Maria Varmazis: That's an American name.

Joe Carrigan: Chase is his first name. Golightly is his last name.

Dave Bittner: That has got to be a stage name.

Joe Carrigan: I don't know.

Dave Bittner: Chase Golightly?

Joe Carrigan: Yes.

Dave Bittner: The Golightly clan from the planet Golightly?

Maria Varmazis: We went from Mark Button to Chase Golightly. These names.

Joe Carrigan: We're just going to pick on everybody that wrote the stories that we're talking about.

Maria Varmazis: Max Power. Okay.

Dave Bittner: Chase Golightly. I mean, hey, it's a great stage name. If you're going to be a TV guy, Chase Golightly is like Guy Smiley.

Maria Varmazis: We're never going to forget this guy's name.

Joe Carrigan: That's true.

Dave Bittner: All right.

Joe Carrigan: That's true. I digress. And maybe that's his point. And he doesn't care that we're sitting here saying Chase Golightly over and over and over again.

Dave Bittner: He's going, ding, winner.

Joe Carrigan: Right.

Dave Bittner: Yeah.

Joe Carrigan: Let me give you two names that are not as easy. Alexandra Gehrke and Jeffrey King.

Dave Bittner: Okay.

Joe Carrigan: Although King kind of sticks in my head pretty easily. But they own a wound care business. Are you guys familiar with the wound care industry?

Dave Bittner: I am. Yes.

Joe Carrigan: So there are some times when people have wounds that will not heal, you have to go get specialized care for these wounds.

Dave Bittner: Right.

Joe Carrigan: And a lot of people ran a company that provided that. And there are certain risk factors that can impact the time it takes for a wound to heal, such as diabetes, type one or type two.

Maria Varmazis: Yeah.

Joe Carrigan: I had a friend that had type one that had terrible wounds later in her life and she has since passed. The other issue is age. You know, I don't heal like I used to. I was telling you guys about how I just got three stitches in my finger.

Dave Bittner: Yeah.

Joe Carrigan: And I'm waiting on how long this is going to take to heal.

Dave Bittner: Right.

Maria Varmazis: And that's just from clicking a mouse. You know, it's crazy what happens.

Dave Bittner: Right.

Joe Carrigan: Another one is immobility. Right. So if you lay in bed a lot and you're always touching the same part of your body to the bed, you're going to get bed sores and those are going to become wounds.

Dave Bittner: Yeah.

Maria Varmazis: Yes. Yes. Yep.

Joe Carrigan: So here is what I want to propose as a great business idea.

Dave Bittner: Okay.

Joe Carrigan: All right. What if we had a wound care company?

Dave Bittner: Yeah.

Joe Carrigan: And we were going to market to people who were probably going to have wounds due to age and immobility.

Dave Bittner: Right.

Joe Carrigan: Possibly diabetes. And ideally, these patients should be very unlikely to complain about it or sue.

Dave Bittner: Wait. So are you going into this figuring you're going to be doing a lousy job?

Joe Carrigan: No.

Maria Varmazis: N2K wound care?

Joe Carrigan: Okay. I'm pitching what this wound care idea is, right?

Dave Bittner: Okay.

Joe Carrigan: So it turns out that King and Gehrke, allegedly, have found that market in hospice patients.

Dave Bittner: Okay.

Maria Varmazis: Oh! Okay. Oh, no.

Joe Carrigan: Here in the US, we have Medicare for those over 65.

Dave Bittner: Yeah.

Joe Carrigan: And once a patient who is on Medicare enters hospice, and this is a quote from an HHS, Health and Human Services, publication I found. It's easier to say Health and Human Services than it is to say HHS.

Maria Varmazis: HHS. Yeah, that's true. Yeah.

Joe Carrigan: Original Medicare will cover everything you need related to a terminal illness.

Dave Bittner: Yes.

Joe Carrigan: So once a patient goes into hospice care, Medicare covers everything.

Dave Bittner: Let me tell you, just from my own personal experience, when my mother was ill, and in the months before she passed away, it's about two years ago now, when the doctor declares we are in the end-of-life care mode, and you are officially a hospice patient, ironically, the quality of care goes through the roof.

Joe Carrigan: Right.

Maria Varmazis: Yes.

Dave Bittner: Because anything you need, it's true, Medicare provides anything you need.

Joe Carrigan: Right.

Dave Bittner: And I hate to say it's wonderful, because your loved one is passing away, but in a terrible situation, it's comforting.

Joe Carrigan: Right. It is. I'll agree with that. Well, the DOJ is alleging that these two would pressure nurse practitioners to apply wound graft kits to patients that did not need them. And there are not many medical details in this story, but they are accused of submitting $900 million worth of fraudulent claims over two years.

Dave Bittner: Wow.

Maria Varmazis: Excuse me?

Joe Carrigan: Let me say that again, Maria, $900 million.

Dave Bittner: That's almost a billion.

Joe Carrigan: If you had that much money and just kept it for a year, you'd have a billion.

Dave Bittner: I mean, there aren't that many wounds in the world, but go on.

Joe Carrigan: Right. Of that $900 million, the DOJ is alleging that these two collected $330 million in illegal kickbacks.

Dave Bittner: The two nurse practitioners.

Joe Carrigan: No, no.

Maria Varmazis: What?

Joe Carrigan: The people that run the wound company.

Dave Bittner: Okay.

Maria Varmazis: What?

Joe Carrigan: Who were pressuring nurse practitioners.

Dave Bittner: Oh, I see. I see. I see. I see.

Maria Varmazis: I'm sorry. My brain can't even handle that. That is -- what? Okay.

Joe Carrigan: So they're going into these nursing homes or these places where people are in hospice.

Dave Bittner: Right.

Joe Carrigan: And they're saying, that patient has a wound. You need to put this wound patch on them right now.

Dave Bittner: That'll be $1,500.

Joe Carrigan: Yeah. Right. Or maybe more.

Dave Bittner: Right. Right. Right.

Joe Carrigan: But the DOJ notes that some of these patients died on the same day they received treatment or some a few days later. Now, the treatments are not harming the patients. We should be clear. These are hospice patients who are on the way out of life.

Dave Bittner: Yeah.

Joe Carrigan: But, you know, if you have a patient who is at the very end of their life and they have a wound on their leg and their pain is managed, you don't need to do anything else for them. You know, this becomes unnecessary treatment.

Dave Bittner: Right.

Joe Carrigan: And that's kind of the crux of this. So I think they got the idea that the jig was up here because they were at Sky Harbor Airport when they were arrested. By the way, coolest airport name in the country.

Dave Bittner: Sky Harbor. That's a good airport name. Yeah.

Maria Varmazis: It is very sci-fi. Yes.

Joe Carrigan: Right. They were trying to leave. And when authorities arrested them, they searched their home and they found a book called "How to Disappear: Erase Your Digital Footprint, Leave False Trails and Vanish Without a Trace".

Maria Varmazis: Subtle.

Joe Carrigan: This is Frank Ahearn's book. Have we ever had Frank Ahearn on any of our shows?

Dave Bittner: He's the "Catch Me If You Can"?

Joe Carrigan: No, that's Frank Abagnale.

Dave Bittner: Oh, no, I don't think we've had Frank Ahearn on.

Joe Carrigan: This is a different Frank.

Dave Bittner: Okay.

Joe Carrigan: And then "The Criminal Law Handbook: Know Your Rights and Survive the System".

Dave Bittner: Okay.

Joe Carrigan: Which tells you what to do if you get sent to prison, which may come in handy for these two.

Maria Varmazis: Oh, geez.

Joe Carrigan: The DOJ has also seized $72 million in assets, including $52 million in cash, two houses, numerous cars, jewelry and gold bars.

Dave Bittner: Wow.

Joe Carrigan: Now, when they went to apply for bail, the prosecuting attorney said, well, we don't think you should do that because we're pretty sure these guys still have a quarter of a billion dollars somewhere. Because let me tell you, you're not spending $330 million inside of two years.

Dave Bittner: Right.

Joe Carrigan: It doesn't matter --

Maria Varmazis: You want to bet? Oh, no.

Dave Bittner: Try me.

Maria Varmazis: You want to try?

Joe Carrigan: I would challenge you to spend that kind of money.

Maria Varmazis: I would gladly accept that challenge.

Dave Bittner: Let's do a reality show. Maria tries to spend $250 million.

Joe Carrigan: We call it "Maria's Millions".

Dave Bittner: Right.

Maria Varmazis: Pitch that to Netflix. Let's do it.

Joe Carrigan: Right. First, what's the budget for the show? $250 million plus expenses. So when they went to apply for bail, the DOJ said, no, they have this quarter of a billion dollars laying around out there somewhere. And we found this book in their house. Right.

Dave Bittner: Yeah.

Joe Carrigan: So they probably will not get bail.

Dave Bittner: Wow.

Joe Carrigan: But this is a scam perpetrated on the American taxpayer, right, who pays into the Medicare system to the tune of almost a billion dollars in losses these guys have caused, allegedly, of course. This is all alleged, they're innocent until proven guilty.

Dave Bittner: Yeah.

Joe Carrigan: But, you know, I think if these guys get busted, they should go up for a long time.

Dave Bittner: It is such a strange thing. I mean, everything around end of life, because it's so fraught with emotion.

Joe Carrigan: Right.

Dave Bittner: And for many people, they've never been through it before. They don't know how to handle it. Here in the US, we tend to not want to talk about it.

Joe Carrigan: Yeah.

Dave Bittner: So you can't -- you go in unprepared. I mean, I remember again, you know, my only real intimate experience with it was when my mom passed. And I remember after she was gone, you know, we'd had a place in the house set up for her. And there were things like there was a hospital bed and oxygen generating unit and things like that.

Joe Carrigan: Right.

Dave Bittner: And, you know, some things people come and get, like somebody came pretty quickly and got the hospital bed. But other things, like you sort of have to track them down. Do you want to come -- please come get this thing.

Joe Carrigan: Right.

Dave Bittner: We don't need this anymore. And please come get it.

Joe Carrigan: Right.

Dave Bittner: And I don't know if they're still billing for it or they just, you know, who cares? It's probably been paid for 10 times over in the amount of time that they've rented it out. It's just such a strange thing. But a good reminder, Joe, that you need to be mindful that people aren't taking advantage of this situation. Yeah.

Joe Carrigan: Yeah. And, you know, I don't know, are the hospice patients victims here? I don't know that they necessarily are. I mean, they're being exploited.

Maria Varmazis: Yeah. Yeah. They are. I mean, these guys are allegedly exploiting people who are actively dying. I mean, we need to bring back public shaming. This is terrible.

Joe Carrigan: Yeah. Yeah. Right.

Maria Varmazis: Honestly, I mean, they weren't harmed. But the fact that some -- I went through this eight years ago, Dave, so I'm just remembering also. I'm in my feelings right now remembering when I went through this, the idea that you have to have your guard up when you've got a loved one dying and like just -- man, you're right. I'm just like incandescently angry. Yes. They weren't being physically harmed. But if they don't need that wound care, that is still harm. It's unnecessary care.

Dave Bittner: Right. Yeah.

Maria Varmazis: Like let people die in peace, for gosh sakes. I mean, geez.

Joe Carrigan: I haven't done this yet, but I got to set up an advance directive that says when I go into hospice, no more care at all, you know, whatever happens, happens. I'm going to let nature take its course.

Dave Bittner: Yeah. I remember another incident where a family member had passed away and I was with someone who was responsible for doing their final arrangements of choosing a casket and that sort of thing. And I was accompanying this family member to the funeral home as part of this task of choosing a casket.

Joe Carrigan: Right.

Dave Bittner: And the funeral director said, you know, I'm going to take you in this room now and we're going to look at caskets and we'll make a decision. And, you know, my family member said, was in their grief, said, I don't know that I can do this. Can't you just choose one for us?

Joe Carrigan: No.

Dave Bittner: Well, and that's what the funeral home director said. The funeral home director said, I am prohibited from doing that, to protect you from being taken advantage of.

Maria Varmazis: Yes.

Dave Bittner: So let's go in together. But, you know, in that case, it's a good outcome. But it reminds you that that regulation is there for a reason.

Joe Carrigan: Right.

Dave Bittner: Because so many people got taken advantage of in their moment of deep despair that they had to do something about it.

Joe Carrigan: Yeah. So if you can, spare your family that and make the arrangements ahead of time.

Dave Bittner: Yeah. Yeah. That's a good point. All right. Well, you know what? This is a great time for a break.

Joe Carrigan: Yay! I had another story that brought the show down.

Dave Bittner: We're going to take a quick break here and we will be back with Maria's story. Stay with us.

Maria Varmazis: I need a tissue. Oh my God. Whew! [ Music ]

Dave Bittner: All right. We are back. And Maria, you're up. What do you got for us this week?

Maria Varmazis: All right. So this one is from a listener, Chloe. And Chloe sent us an email with an attachment of something that I'm sure we all get in the mail, at this point for me feels like weekly, yet another breach notification from some organization whose name you may or may not even recognize. And Chloe did us the nice service of actually highlighting the bit of interest where in this case, there was a breach of an outside vendor of some company, Geisinger, I'm not sure, Geisinger, which provides information technology services, learned that a former Nuance employee had accessed certain Geisinger patient information after being terminated two days earlier. Upon learning this, Nuance permanently disconnected the former employee's access to Geisinger's records. Okay, so unauthorized access of patient information by, it sounds like, not an employee that should have been handling information that was confidential. Okay.

Joe Carrigan: Right.

Maria Varmazis: So Chloe wrote us this, I'm not personally any more worried than I was a month ago since my data has been breached in four different health care systems in two different countries within the last year. Same, Chloe. Same.

Joe Carrigan: Right. Good news about that.

Dave Bittner: Yeah.

Joe Carrigan: The good news about that is you have free lifetime credit monitoring and identity theft monitoring.

Maria Varmazis: Multiple overlapping at this point.

Joe Carrigan: Multiple and overlapping ones, right?

Maria Varmazis: Yeah. In looking into this over the past year or so, I cannot get any confirmation from anyone so far that there's any law against an IT company working for a health care company to sell patient data they happen to acquire in the course of their work. It seems entirely reliant upon NDA contracts between the health care company and the IT company because HIPAA only applies to health care companies. This seems problematic to me for a number of reasons. Do you guys happen to have any info on this aspect of health care data breaches? So yes, I feel like we should talk about this one because this is a great question from Chloe. We're going to talk about HIPAA, everybody. Yay. HIPAA. Buckle up. Buckle up, buckaroos. It's time to talk about HIPAA.

Joe Carrigan: Mama, instead of a bedtime story tonight, can you tell me about HIPAA?

Maria Varmazis: My daughter asks me that all the time.

Dave Bittner: Sure. It'll put you to sleep.

Maria Varmazis: Yeah, it'll put you to sleep. Yeah. Now, I got some HIPAA training 15 years ago and it was minimal. So my information is, I'm not an expert and my information is probably not even close to up to date. But I just want to say first, there is an entirely huge industry to train and ensure HIPAA compliance of both internal and managed third-party IT companies and services because HIPAA violations do mean millions and millions of dollars in fines and/or jail time for people who violate it. So there was a question in Chloe's email about, do IT companies have to comply with HIPAA if they are handling, personally, PHI, which is personal health information. I'm trying to remember that acronym.

Dave Bittner: Right.

Maria Varmazis: And yes, they do need to comply with HIPAA. They do. So to me, it was explained, and this is possibly where we get into a little trouble, but it was explained to me that if you so much as breathe in the direction of PHI, assume that HIPAA applies and go from there.

Dave Bittner: Yeah.

Maria Varmazis: That was certainly how it was told to me. That has led to misunderstandings. We heard a lot of people shouting like, HIPAA violation during COVID, it's not quite how it works.

Dave Bittner: Right. Right.

Maria Varmazis: So I feel like we should just re-familiarize ourselves with what HIPAA is supposed to do. And I know this is not like the most thrilling conversation, but there's a good question in there about like who is covered by HIPAA. And HIPAA is from the United States Department of Health and Human Services. Joe, you're right. That is really hard to say. The HHS. This is their rule. Okay.

Dave Bittner: Yeah.

Maria Varmazis: And it says basically the HIPAA privacy rule standards address the use and disclosure of individuals' health information, which is called protected health information, by organizations subject to the privacy rule. And these are covered entities. As well as standards for individual privacy rights to understand and control how their health information is used. A major goal of this HIPAA privacy rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and wellbeing. Sorry. It's a lot of legalese. Whew! So HIPAA includes what are called business associates. And these are often outsourced functions who work with the covered entities of HIPAA. And that does mean like a third-party IT company. So a lot of smaller health care companies and bigger ones too, they don't have their own IT department. They don't have their own security guys. They hire a third party to do that for them. And those guys do need to be HIPAA compliant.

Dave Bittner: Right.

Maria Varmazis: They need to be HIPAA compliant. They need to understand the rules. So it's not at all unusual, you know, mistakes and breaches are going to happen, but any decent managed IT services company should at the minimum have HIPAA training and be what they call HIPAA-compliant. And of course, a health care provider hiring these guys should be doing their due diligence to make sure they find an IT or cybersecurity company that understands HIPAA and is compliant with it.

Dave Bittner: Yeah.

Maria Varmazis: So the question from Chloe in there was, but it seems to be despite all this, despite HIPAA, there are places where it seems to be legal or gray area legal-ish to buy and sell health care data, because it is happening, or at least nobody has been able to stop this from happening.

Dave Bittner: Right.

Maria Varmazis: So what is going on there? So did a little digging and please jump in here if any of this sounds familiar. There seem to be two camps, at least as far as I can tell. The buying and selling of breached data by unscrupulous data brokers. That is unethical treatment of data.

Dave Bittner: Right.

Maria Varmazis: They're selling and buying something that was already stolen. So that's criminal activity.

Joe Carrigan: It is.

Maria Varmazis: Yes. So HIPAA is there, but they're ignoring it. I mean, they're doing stuff they're not supposed to do. So the second area is the part where it starts to get really tricky, is that the buying and selling of health data, especially mental health data, can happen with patients who don't know that they've actually consented to give their data away. This is the part that kind of blew my mind. I didn't know this either. There are a lot of entities that you might think are actually covered by HIPAA that aren't. Like your employer, your gym, life insurance companies -- so health insurance is definitely covered, but life insurance is not. Workers' compensation carriers also aren't, and they're definitely dealing with health data. So that's more than you might expect. They are not a covered entity from HIPAA, so that's a big gap.

Dave Bittner: Right.

Maria Varmazis: Schools also aren't, but they have to comply with something called FERPA, which is a different privacy thing. But third-party mental health apps that a lot of people download on their phones if they are trying to get a cheap therapist, essentially, they are completely exempt from HIPAA. So they're gathering a lot of information on you about your mental health, your state, a lot of really private info, and if you're assuming that that information is private, it is not. It is not covered by HIPAA. And in many cases, these apps can be free or freemium, and guess what they're selling behind the scenes, probably somewhere in the EULA you agreed to it, is your private health data.

Dave Bittner: Right, yeah.

Maria Varmazis: Yeah, so they are technically not breaking the law because they are technically not under the law, and it is extremely icky, but they're not breaking any laws.

Dave Bittner: Yeah. I think also, I mean, my understanding is that pretty much anything that falls into these independent app categories, things like period trackers and weight loss trackers and all those kinds of things that are gathering up your private information about your health, that those don't fall into HIPAA.

Maria Varmazis: Correct.

Dave Bittner: And that's where they get you.

Maria Varmazis: Yeah, because there are apps that have to be HIPAA compliant. I remember during the worst of COVID when there were a lot of telehealth visits, there was a lot of scrambling for doctors to be able to use HIPAA-compliant video conferencing software.

Dave Bittner: Right.

Maria Varmazis: But you couldn't use FaceTime to talk to your doctor, for example. My kid had a bunch of health issues during COVID. I could not just FaceTime my doctor. I had to go through their specific video app because that one was actually HIPAA-compliant, whereas FaceTime was not.

Dave Bittner: Yeah. So there are a lot of apps that we use that we don't even think about that are absolutely not required to be HIPAA compliant, and they are not. So somewhere buried in the EULA, if there was one, if you even remember checking that Agree box, maybe even a part that says, we're going to sell your data, and we're going to give it, like sell it to data brokers, and that's how we make our money, and then your data is out there, and all your private information can be out there. So it's super icky. It is a big gap in HIPAA, and frankly, I really wish that would be closed, but that is a discussion for another time. Yeah, that's a different issue.

Maria Varmazis: Yeah, and would love if we had stronger privacy laws in general to protect American citizens from stuff like this, but yeah, ongoing issue.

Dave Bittner: Go ahead, Joe.

Joe Carrigan: I would like to talk about Chloe's specific issue here.

Maria Varmazis: Yes, yes.

Joe Carrigan: This is a Nuance employee. Nuance is the third-party tech company.

Maria Varmazis: Yes, of Geisinger. Yes.

Joe Carrigan: Right, of Geisinger. This is so easily preventable, you know, because this employee accessed these records two days after they were terminated. They should not have been able to access the records five minutes before they were terminated.

Dave Bittner: That's right.

Joe Carrigan: That access should have been terminated before the employee was actually terminated. That is standard operating procedure, so if I'm going to guess where the law is going to come down on this, the employee is going to be charged criminally, because this is a criminal act, and this company, Nuance, is going to be charged civilly for a violation of HIPAA, because they didn't take a very simple action here of disabling the employee's access before termination.

Maria Varmazis: Yes, access control. Yep, absolutely.

Dave Bittner: Right.

Maria Varmazis: That's a big one. The phrase was like, rogue employees, or, you know, employees that are going to go rogue or something like that.

Joe Carrigan: Yeah. Yeah. This is not even an employee anymore, and you still haven't disabled their access?

Maria Varmazis: Yeah.

Joe Carrigan: I'm shocked. I'm not actually shocked.

Maria Varmazis: Pen testers love this one weird trick, you know?

Joe Carrigan: Right, yeah, exactly. This is the kind of stuff that happens all the time, and this is the kind of stuff that leads to data breaches all the time.

Maria Varmazis: All the time.

Joe Carrigan: Again, we see we're just not getting the basics down as an industry, the IT industry. We're just not getting the basics down. We missed the basics, and this is what happens.

Dave Bittner: Yeah. I also think, Maria, you alluded to a really good point here, which is there's so much misinformation with HIPAA. Yeah.

Maria Varmazis: Yes.

Dave Bittner: And I think I put it in the same category as censorship. You see people scream, HIPAA violation, HIPAA violation, when it's not.

Maria Varmazis: Right, yep.

Dave Bittner: The same way you see people scream, this is online screamers, censorship, censorship, when it's not. HIPAA applies to very specific things, the same way that First Amendment rights and censorship apply to very specific things. And there's widespread misunderstanding about them, and so I would suggest it's good for everybody to just go check out the Wikipedia page or something like that and educate yourself, like we did here today, about what does it cover and what does it not.

Maria Varmazis: Yeah, there's a growing gap of what it doesn't cover, and companies, reputable ones, know and care about it, even if they may roll their eyes at the idea of compliance, like some companies might. It is there, and you need to put in more than a good faith effort. It's business practice to be compliant.

Dave Bittner: Right.

Maria Varmazis: But mistakes are going to happen. Breaches are going to happen, but Joe, as you said, there is some really basic stuff about making sure terminated employees don't still have access to PHI. I mean, that's a pretty big one.

Joe Carrigan: Right. Your customers' PHI.

Maria Varmazis: Yeah, yep. And there was a phrase that I had been introduced to years ago about being a good steward of data, and I think about that all the time, and it's just that not enough companies take that seriously, unfortunately, but hopefully more will.

Dave Bittner: Yeah. All right. Well, we won't have a link to that in the show notes because that's an image that one of our listeners sent in.

Maria Varmazis: Sorry.

Dave Bittner: We'll have a link to the other stories in our show notes.

Maria Varmazis: We'll send you to the HIPAA page.

Dave Bittner: Yeah, there you go. Just go to the Wikipedia page on HIPAA and read up. We've given you homework this week. Just what every podcast listener wants. Yes, there will be a quiz next week. All right. Well, Joe, Maria, it is time to move on to our "Catch of the Day". [ Music ]

Joe Carrigan: Dave, our "Catch of the Day" comes from Jim, and it's a pretty standard beneficiary scam. In fact, it even begins with the words, Dear Beneficiary. Dave.

Dave Bittner: It goes on and reads, Our International Operations Division has directed the attention of the Federal Bureau of Investigation to your transaction with the National Bank of Belgium concerning your overdue inheritance and contract payment. It might interest you to learn that we've fully analyzed the transaction as stipulated by our operational investigation guidelines and have confirmed that it is 100% genuine and hitch-free and you have the legitimate right to claim. It's a technical term there, hitch-free.

Maria Varmazis: Hitch-free.

Dave Bittner: That's right.

Maria Varmazis: Term of art. My car is also hitch-free. I'm trying to fix that.

Dave Bittner: We recently had our spring meetings with the executive government of the National Bank of Belgium, Mr. Michael M. Adler, U.S. Ambassador to Belgium, and some top officials of the ministry regarding the subject matter. This reminds me of "Raiders of the Lost Ark". Top men.

Maria Varmazis: Right. Top men.

Joe Carrigan: Top men.

Maria Varmazis: Some fan fiction here. Yeah.

Dave Bittner: And we were led to understand that your payment file was suspended pending when you applied to the claim. But the major challenges facing the bank are, one, some unscrupulous elements were using this project to scam innocent people off their hard-earned money by impersonating the executive governor or an official of the National Bank of Belgium. Two, a woman named Mrs. Linda J. Box from New York submitted an application to NBB with the power of attorney and some official documents with your purported authorization for the release of the fund, U.S. $8 million, to her due to her ill health. Given all this, we've been urged to warn beneficiaries who have received information about their outstanding inheritance and contract payment to be very careful in order not to be a victim of circumstance. In case you are already dealing with someone from the National Bank of Belgium or whichever office, you are strictly advised to desist from further communication with that individual in your best interest and thereby contact the real office of the National Bank of Belgium via the below information. Note, you should ignore any message that does not come from the above email address for security reasons. And to enable the National Bank of Belgium to process and release the fund to you, you are required to reconfirm your full details, such as your full name, contact home address, your cell phone number, your date of birth, your sex, and your country. Ensure that you abide by the National Bank of Belgium due process in line with the International Banking Secrecy Act to avoid any form of discrepancy which may hinder your fund transfer. Thanks for your understanding and cooperation as we earnestly await your urgent reply. Best regards, Christopher A. Ray, Federal Bureau of Investigation.

Joe Carrigan: With an Outlook.com email address.

Dave Bittner: Yeah.

Maria Varmazis: I was going to say, all these Outlook.com emails everywhere. Mess of letters and numbers at Outlook.com.

Joe Carrigan: Michael M. Adler is in fact the ambassador to Belgium.

Dave Bittner: Okay. Get him on the line.

Joe Carrigan: But in that role, he is certainly not executive governor of the National Bank of Belgium. That would be a real conflict of interest.

Dave Bittner: Right.

Joe Carrigan: This is obviously a far-fetched scam, but we've talked about this before. This is why they do it like this. They do it like this so that they weed out people who go, this is obviously a scam. They rope in the people who go, well, maybe.

Dave Bittner: Why Belgium?

Joe Carrigan: I don't know.

Dave Bittner: They just throw a dart at a world map and say, all right, Belgium.

Joe Carrigan: Does Belgium share a border with Switzerland? I think they do.

Dave Bittner: Okay.

Joe Carrigan: Hold on. Let me look that up.

Maria Varmazis: This is a very American moment. We don't know geography.

Joe Carrigan: Right. I don't know European geography. No. [ Music ]

Dave Bittner: All right. Well, our thanks to Jim for sending this in. That was a fun one. And, of course, once again, we would love to hear from you. You can email us. It's hackinghumans@n2k.com. That is "Hacking Humans", brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to hackinghumans@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. We're mixed by Elliott Pelzmann and Trey Hester. Our executive editor is Brandon Karp. Peter Kilpe is our publisher. I'm Dave Bittner.

Joe Carrigan: I'm Joe Carrigan.

Maria Varmazis: And I'm Maria Varmazis.

Dave Bittner: Thanks for listening. [ Music ]