Healthcare organizations are prime targets for cybercriminals due to the sensitive and valuable nature of the data they store. Personal health information (PHI) is one of the most sought-after commodities on the dark web. If a healthcare database breach occurs, it can have severe consequences—not only for the affected individuals but also for the organization itself. From patient data exposure to regulatory violations, the repercussions can be long-lasting. Therefore, healthcare providers must act swiftly, methodically, and in accordance with legal requirements when a data breach happens.

Here’s a step-by-step guide on what to do if a healthcare database breach occurs:

1. Contain the Breach Immediately

The first and most critical step when discovering a data breach is to contain it. Prompt action can help prevent further exposure of sensitive data. This could involve:

• Disconnecting affected systems: If the breach is detected in real time, immediately isolate compromised systems from the rest of the network to prevent the spread of malicious activity.

• Shutting down access points: Disable any compromised user accounts, login credentials, or vulnerable network pathways that may have been exploited by the attackers.

• Alerting internal IT and security teams: Ensure that the organization’s cybersecurity team is immediately aware of the breach. They should work to identify the entry point of the attack and stop the data exfiltration.

2. Assess the Scope and Impact of the Breach

Once the breach is contained, it’s crucial to understand its scope. This step involves:

• Identifying the compromised data: Determine which databases or files were accessed or leaked. Was it patient health records (e.g., medical history, prescriptions, lab results)? Was personally identifiable information (PII) exposed?

• Assessing the size and scale: How many records were affected? This will help to prioritize responses based on the severity and the number of impacted individuals.

• Analyzing the method of attack: Understanding how the breach occurred—whether through phishing, ransomware, or an insider threat—will inform the response and future prevention strategies.

3. Notify Regulatory Bodies and Authorities

In most countries, healthcare providers are required by law to notify specific authorities when a data breach occurs, particularly if it involves PHI or sensitive personal information. For example:

• United States (HIPAA Compliance): The Health Insurance Portability and Accountability Act (HIPAA) mandates that covered entities report data breaches involving PHI to the U.S. Department of Health and Human Services (HHS) and affected individuals. A breach affecting 500 or more individuals must be reported within 60 days.

• European Union (GDPR Compliance): The General Data Protection Regulation (GDPR) requires data controllers to notify relevant authorities within 72 hours of becoming aware of a breach.

Not only is notifying the appropriate regulatory body legally required, but it also ensures that organizations remain in compliance and avoid potential fines and penalties.

4. Notify Affected Individuals

Transparency with affected individuals is crucial to maintaining trust and fulfilling legal obligations. The following steps should be taken:

• Timely notification: Affected individuals must be notified as soon as possible about the breach, typically within a set time frame defined by regulations (e.g., 60 days under HIPAA).

• Details of the breach: Provide clear information about what data was compromised, how it occurred, and what the organization is doing to mitigate damage.

• Offer support and guidance: Depending on the nature of the breach, you may offer affected individuals assistance like credit monitoring or identity theft protection services, particularly if financial data or social security numbers were involved.

• Clear communication channels: Set up a dedicated hotline or communication channel where affected individuals can ask questions and report any suspicious activity on their accounts.

5. Conduct a Forensic Investigation

To understand the cause and extent of the breach, a thorough forensic investigation should be conducted. This may involve:

• Hiring a third-party cybersecurity firm: Engage experienced professionals who specialize in data breaches. They can conduct a thorough investigation, identify how the breach occurred, and recommend corrective measures.

• Documenting findings: Maintain a detailed record of the investigation, including timelines, findings, and remediation actions taken. This documentation will be critical for regulatory reporting, insurance claims, and potential legal action.

The investigation will also help identify whether any security vulnerabilities were exploited and guide the implementation of improved security measures.

6. Mitigate and Prevent Future Breaches

After a breach, it’s vital to take steps to ensure that the same vulnerability does not lead to future incidents. This may involve:

• Patch and update systems: Ensure that all security patches and updates are applied to affected systems, including software, firewalls, and anti-virus programs.

• Change passwords and credentials: Immediately reset passwords and access credentials that may have been compromised. Implement multi-factor authentication (MFA) wherever possible.

• Review and improve cybersecurity policies: Strengthen network security, employee training, and data encryption policies. Consider adopting more robust encryption for sensitive data both at rest and in transit.

• Conduct regular audits: Perform regular security audits to assess and address any vulnerabilities before they can be exploited by cybercriminals.

7. Work with Legal and PR Teams

A data breach, especially in the healthcare sector, can result in significant legal and reputational consequences. Therefore, it’s essential to:

• Consult legal advisors: Ensure that all responses to the breach are in compliance with data protection laws and regulations. Legal advisors can also help mitigate liability, including responding to any potential lawsuits from affected individuals or regulatory fines.

• Manage public relations: Work closely with PR teams to craft a statement addressing the breach. Be honest and transparent in communications, acknowledging the severity of the situation and outlining the steps being taken to resolve it. A well-managed PR response can help maintain public trust in the organization.

8. Monitor for Ongoing Risks

Even after a breach has been contained and addressed, the organization must remain vigilant. Ongoing monitoring is essential to:

• Detect additional threats: Cybercriminals may attempt to exploit the breach further. Continuous monitoring of network traffic and logs will help identify any lingering threats.

• Watch for identity theft: If personal information like social security numbers, addresses, or financial data was involved, consider monitoring services or providing credit monitoring to affected individuals.

• Analyze impact on operations: Some breaches can have long-term operational impacts. Continuously evaluate how the breach has affected your organization’s processes, patient trust, and financial standing.

9. Learn from the Incident

Finally, every data breach is an opportunity for improvement. After resolving the immediate crisis, take the time to:

• Review your incident response plan: Determine what worked well and what could be improved. Update your procedures and make sure all employees are trained on new protocols.

• Invest in cybersecurity improvements: With the knowledge gained from the breach, enhance the organization’s security measures. This could include stronger firewalls, improved access control, better employee training, or more advanced threat detection tools.

Conclusion

A healthcare database breach is a serious event that requires swift action and adherence to legal and regulatory requirements. By containing the breach, notifying the necessary authorities and individuals, conducting a forensic investigation, and implementing stronger cybersecurity practices, healthcare organizations can mitigate the damage and prevent future incidents. Proactive planning, transparency, and a well-prepared response are key to minimizing the impact on patients, staff, and the organization as a whole.


The post What to Do if a Healthcare Database Breach Occurs: A Step-by-Step Guide appeared first on Cybersecurity Insiders.

In 2024, we’ve seen several high-profile data breaches that have caused tangible and widespread damage to companies and their customers. One of the hardest-hit industries also includes one of our most critical: healthcare. The UnitedHealth data breach has had ripple effects since the initial news hit earlier this year.

It was recently revealed that the data breach will impact a large portion of the American people, and up to one in three Americans may have had their information compromised. This has been one of the worst healthcare breaches ever, and as the consequences keep emerging, the grim truth of exposing this personal data becomes clear.

This is what an expert had to say:

Clyde Williamson, Product Manager, Protegrity, said, “Months after the initial breach, UnitedHealth is still dealing with the long-term impacts of BlackCat’s infiltration into their networks. We’re now learning that personal identifiable information (PII), personal health information (PHI), and billing information were all part of this incident.

While in this instance no complete patient information has been exposed, billing information can be just as revealing for a customer’s private medical procedure. For example, this information could include details on a prescribed drug, a specialist seen, or even an out-of-state charge for a medical procedure when recent legal changes may make this legally problematic.

Not only do these kinds of incidents expose some PII data, but they also expose inferences that can be made with that data. 

Stolen data has a wide-reaching and long tail of impact, and there are often subsequent breaches years after a primary attack. There’s no way to know for sure that either party involved actually deleted the stolen PII and PHI, but we can be sure that broader bad actors had access to this information for a period of time.  

Double extortion scenarios can haunt these organizations for years, meaning prevention is the best defense. UnitedHealth has already started the arduous process of creating a website for impacted customers. We must stop hoping layered defenses can stop threat actors from stealing our information while internally leaving it in clear text. Data de-identification methods offer flexibility and foresight benefits that render sensitive data useless for these groups. 

We need to remove the most significant source of ransom value to avoid these costs and strains on both organizations and their customers, even in instances of data exfiltration.” 


The post How Data Inference Could Expose Customer Information: The Case of UnitedHealth Breach appeared first on Cybersecurity Insiders.

Third-party cyber-attacks remain one of the most significant threats facing organisations across the globe. Most recently, Bank of America, a multinational investment banking and financial services corporation, began notifying customers that a November 2023 hack against one of its service vendors resulted in the exposure of personally identifiable information (PII). 

The breach occurred following a security incident against Infosys McCamish Systems (IMS), a subsidiary of Infosys that provides deferred compensation plan services to Bank of America. According to the IMS notification letter filed with the Maine Attorney General, “On or around November 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications.” 

The notice revealed that while only 57,028 of Bank of America’s millions of customers were directly impacted in the breach, the PII exposed included Social Security Numbers, credit card and account numbers, as well as names, and addresses. An incendiary mix of data—one that could be easily leveraged by threat actors to launch social engineering attacks against any and all of the impacted individuals. 

Then, on November 4th, IMS notified Bank of America that data relating to their customers may have been exposed. The infamous ransomware gang, LockBit, on the same day claimed responsibility for encrypting over 2,000 IMS systems in the attack.  

“Vendor risk is continuing to become more of a concern,” commented Erich Kron, Security Awareness Advocate at KnowBe4. “Bad actors are finding that attacking the large organizations with significant budgets for cybersecurity and data protection can often be less effective than attacking those that process the same information but may not have the same budget to protect it.” 


While Kron explained that using third-party vendors isn’t a bad thing on its own, he also pointed out how “it’s critical to ensure that policies and procedures exist related to the protection of any data being shared. Making sure that contracts define what information is being processed and how long it’s been retained is a very important part of this data management with third parties. In addition, information should be limited as much as possible and anonymized whenever it’s an option.” 


Interestingly, this is not the first time Bank of America has been impacted by a third-party cyber-attack. In May 2023, Ernst & Young, an accounting firm providing services to the bank, was hacked by the Cl0p ransomware gang by way of the MOVEit file transfer zero-day exploit. In this incident, personal data like SSNs and financial information of Bank of America customers were also exposed.  

The fallout from the MOVEit hack was explosive, impacting mainly third-party vendors and, as a result, their many, varied customers.  

Indeed, Ray Kelly, fellow at the Synopsys Software Integrity Group, said, “[The MOVEit] issue caused massive amounts of stolen data from large organisations and even the US Government. Ensuring the trust chain between organisations, while not a simple task, is essential to protecting consumers’ private information.” 

Hackers have certainly cottoned on to the weakness of third-party, supply-chain vendors. Where big enterprises like Bank of America most likely have mature cybersecurity protocols, vendors like IMS might not prioritise cyber posture like they ought to. But really, they ought to. The malicious moxie of cybercriminals and cybergangs continues to evolve daily. Vendors can no longer afford to neglect cybersecurity expertise.

As Tom Kellermann, SVP of Cyber Strategy at Contrast Security, commented, “By targeting these less secure vendors [cybercriminals] can successfully compromise major banks. The regulators must mandate higher standards of cybersecurity for shared service providers.” 


And yet, this doesn’t absolve organisations like Bank of America from responsibility either. Sure, IMS (and previously, Ernst & Young) were the actual hacked parties, but it was Bank of America customers that were impacted. Did the bank do its due diligence to ensure that data was being handled by vendors in a sophisticated manner? In the wake of these events, the answer is probably no. The question then becomes: how much longer will banks, enterprises, and even government organisations accept lacklustre cybersecurity standards from their vendors?


Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, commented, “Financial institutions, particularly banks, have long been prime targets for cybercriminals due to the vast amount of sensitive information they hold. This breach underscores the need for financial institutions to adopt a proactive approach to cybersecurity, embracing continuous monitoring and threat intelligence capabilities to detect and respond to threats in real-time.”  


Al Lakhani, CEO of IDEE, added, “Protecting the supply chain is critical. Especially when they can cause these kinds of attacks. Therefore, relying on first generation MFA that requires two devices and lacks the capability to prevent credential phishing attacks is a non-starter.  

“To fortify supply chains effectively, they must be protected using next-generation MFA solutions, which protect against credential, phishing and password-based attacks, including adversary-in-the-middle attacks by using same device MFA.” 

Darren James, a Senior Product Manager at Specops Software, an Outpost24 company, commented, “When outsourcing services to 3rd parties that handle personally identifiable or sensitive information, both for employees and customers, appropriate risk assessments should always be made.”


In fact, James suggested asking the following questions when it comes to risk assessing third parties:

• Do they regularly scan for breached passwords?
• Do they have strong MFA controls in place, especially with access to customer data?
• Do they scan the internal and external attack surface of their IT systems? Can you see a summary of recent results?
• Where is the data held, under what country’s jurisdiction, and is your data always encrypted in transit and at rest?
• What security, backup, and disaster recovery policies and procedures do they have in place?
• Do they comply with regulatory requirements for your industry?
• What guarantees and insurance do they offer if their systems are compromised?
• Do they outsource your data to any other parties?

Sean McNee, VP of Research and Data at DomainTools, concluded, “The deeply interconnected nature of running business online generates tremendous value for consumers and business owners alike, but it also fundamentally changes the threat landscape businesses must defend themselves against. Supply chain attacks such as this highlight the unique challenges operating today. Unfortunately, customers end up suffering long term effects from these events.” 


“Stay frosty out there,” McNee warned. The best thing consumers can do is to stay vigilant, alert, and proactive. And, if you are one of the impacted, make sure to take advantage of that free credit monitoring service.


The post Cyber gaps in the supply chain — Bank of America breached in another vendor cyberattack first appeared on IT Security Guru.

Undoubtedly, every business worldwide is susceptible to cyber attacks and data breaches. The imperative response lies in implementing proactive measures to safeguard against such attacks and establishing an efficient disaster recovery plan for unforeseen events.

Addressing password breaches, hackers frequently employ phishing schemes to manipulate employees into surrendering crucial credentials, such as login information. These ill-intentioned individuals may then infiltrate networks to pilfer sensitive data or sell compromised credentials on the dark web, leaving the targeted business vulnerable to significant repercussions.

In the aftermath of a password breach, businesses must take decisive actions to recover:

1. Password Reset: The immediate response to a discovered password breach should involve initiating a password reset directive across the organization’s data center environments. Employing an internal communication strategy, companies should prompt users and customers to change their passwords promptly, mitigating potential damages.

2. Incident Response Plan: Having a robust incident response plan is paramount. Such a plan can shield the company from severe disruptions, legal consequences, and safeguard customers from the exposure of sensitive details. Collaboration with third-party experts and forensic specialists can further diminish the impact of the cyber attack.

3. Education for Affected Parties: Abiding by prevailing data privacy and security laws, proactive employee training is crucial. Staff members should be well-versed in the protocols to follow in the event of a cybersecurity incident. Adhering to disclosure timelines and implementing mitigation measures within four days are encouraged practices.

As we look ahead to 2024, the following password best practices should be considered:

A. Complex Password Formulation: Craft passwords with a mix of alphanumeric characters and incorporate one or two special characters. Crucially, passwords should consist of a minimum of 12 to 15 characters to enhance security beyond the easily guessable traditional 8-character passwords.

B. Employee Education: Instill a culture of password security by educating employees to avoid using the same password across multiple online services.

C. Regular Password Changes: Encourage businesses to change application passwords monthly or bi-monthly to prevent network breaches in the event of a compromised password.

D. Utilize Online Tools: Leverage available online tools and services for scanning compromised passwords in Active Directory. Regular usage, preferably weekly, can alleviate concerns regarding password security.
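As an added example (not code from the original post), the Python script below implements practices A and D together: it checks a password against the post's policy (at least 12 characters, letters and digits, plus a special character) and looks it up in a breached-password corpus using the SHA-1 prefix scheme that breached-password services use, so only the first five hex characters of the hash leave the caller. The breach corpus and the account list are constructed sample data; a real scan would query a breached-password service or an exported corpus instead of this in-memory dictionary, and it assumes the plaintext is available, as it is in a password-change filter.

```python
import hashlib
import re
from typing import Dict, List, Tuple


def _entry(pw: str, count: int) -> Tuple[str, str, int]:
    """Split the uppercase SHA-1 hex digest into a 5-char prefix and the remaining suffix."""
    h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return h[:5], h[5:], count


# Constructed breach corpus (sample data built for this example, not real breach data),
# indexed the way a range lookup works: prefix -> [(suffix, times seen in breaches)].
_CONSTRUCTED_BREACHED = [("Password123!", 512), ("Winter2024!", 87), ("qwerty123456", 3)]
BREACH_INDEX: Dict[str, List[Tuple[str, int]]] = {}
for _pw, _n in _CONSTRUCTED_BREACHED:
    _prefix, _suffix, _count = _entry(_pw, _n)
    BREACH_INDEX.setdefault(_prefix, []).append((_suffix, _count))


def policy_findings(password: str, min_length: int = 12) -> List[str]:
    """Return the ways a password misses the post's policy (empty list means it passes)."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Za-z]", password):
        findings.append("no letters")
    if not re.search(r"[0-9]", password):
        findings.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        findings.append("no special character")
    return findings


def breach_count(password: str, index: Dict[str, List[Tuple[str, int]]] = BREACH_INDEX) -> int:
    """k-anonymity style lookup: only the 5-char hash prefix is used to fetch candidates;
    the full-suffix comparison happens locally. Returns how often the password was seen."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for cand_suffix, count in index.get(prefix, []):
        if cand_suffix == suffix:
            return count
    return 0


def assess(password: str) -> Dict[str, object]:
    """Combine the policy check and the breach lookup into one verdict."""
    findings = policy_findings(password)
    seen = breach_count(password)
    if seen:
        findings.append(f"appears in breach corpus ({seen} times)")
    return {"acceptable": not findings, "findings": findings}


def audit_accounts(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the check over a {username: password} map and report only accounts with findings."""
    report = {}
    for user, password in accounts.items():
        findings = assess(password)["findings"]
        if findings:
            report[user] = findings
    return report


if __name__ == "__main__":
    # Constructed sample accounts for a weekly scan run.
    sample = {"alice": "correct-Horse7battery", "bob": "Winter2024!", "carol": "qwerty123456"}
    for user, findings in audit_accounts(sample).items():
        print(f"{user}: {'; '.join(findings)}")
```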

By adopting these practices, businesses can fortify their defenses against cyber threats, minimize potential damages, and ensure a more resilient cybersecurity posture.

The post How companies should recover when password breach occurs appeared first on Cybersecurity Insiders.

The MOVEit attack is constantly evolving, and this week a new update has occurred. Maximus Inc., a US government services provider, is the latest victim of the Clop ransomware gang’s exploitation of a critical vulnerability within Progress Software Corp.’s MOVEit file transfer software. It is estimated that as many as 11 million people have had information stolen.

Maximus specialises in providing services for the US healthcare industry, specifically Medicaid, Medicare, health care reform, welfare-to-work and student loan servicing.

The company declared the incident to the U.S. Securities and Exchange Commission after becoming aware it had been impacted by the initial MOVEit vulnerability attack that has plagued organisations around the world. At present, it is unclear as to who the victims are or where they are from because Maximus also provides services outside the US, to countries such as Australia, Canada and the UK.

With the Clop ransomware group being attributed with the attack, Maximus joins a seemingly growing list of high-profile companies that have been affected, which includes: the US Department of Energy, Shell, the BBC, British Airways and the University of Georgia.

We reached out to industry experts to gather their thoughts on this attack:

Elliott Wilkes, chief technology officer at Advanced Cyber Defence Systems:

“If ever there was an example of why you need to closely monitor and continuously evaluate the security of your suppliers and supply chain, look no further than the MOVEit vulnerabilities that were disclosed in June of this year. While the company behind MOVEit file transfer technology has released patches for the two zero-day vulnerabilities that were discovered in June, many large organisations aren’t very nimble when it comes to patching systems, even when critical vulnerabilities are exposed like this. This is perhaps the largest breach of this calendar year, but due to the challenge organisations have with patching their vulnerable systems in a timely manner, this won’t be the last breach due to MOVEit we hear about.

What’s interesting is that the company behind the MOVEit software appears to have all of its compliance-driven security checks and protocols in place, things like PCI-DSS and HIPAA, requirements to manage credit card and health PII, respectively. It is clear that these compliance frameworks are simply the starting point for security posture. Organisations that manage large swaths of customer data and sensitive personal information must perform regular and continuous audits of their systems, checking their configurations and versions for vulnerabilities. It is important to use multiple methods and vendors to perform rigorous security testing of your internal systems as well as the products you deliver to customers. This includes penetration testing but also establishing internal teams to perform continuous validation of your security. These can be enhanced with bug bounty programs that use monetary incentives to get ethical security researchers to test your systems. I’ve seen a fair number of SQL-injection vulnerabilities (like this one in MOVEit file transfer system) caught by ethical hackers working on bug bounties for key systems in the US government and beyond. This class of vulnerability is certainly not beyond the scope of regular programmes and security tools that have emerged in the past decade.”

Erfan Shadabi, cybersecurity expert at comforte AG

“A breach in the healthcare sector is highly damaging due to the sensitive nature of the data involved. It exposes some of the most private personal and medical information of an already vulnerable section of the population, leading to identity theft, medical fraud, and financial losses for individuals and organizations. Such incidents erode trust, impact patient safety, and incur heavy legal and regulatory consequences. Organizations, especially in the healthcare sector, should prioritize data-centric security measures. By adopting robust data-centric security strategies, organizations can protect sensitive information at its core, mitigating the impact of potential breaches. Encrypted data, strict access controls, and continuous monitoring are essential components to safeguard personal and healthcare data effectively.”

Ray Kelly, fellow at the Synopsys Software Integrity Group:

“This massive exploit of the MOVEit vulnerability is yet another demonstration of the importance of securing the software supply chain when it comes to data privacy. The key takeaway for business leaders is clear—just a single vulnerability in one piece of a third-party vendors’ software can lead to the compromise and exposure of personally identifiable information across every organization that vendor services. Organizations should ensure that any third-party vendor performs regular security assessments across their entire portfolio and infrastructure, and also meets compliance policy standards such as GDPR and SOX. Unfortunately, adopting these practices is not a silver bullet and does not ensure your organization’s protection against a future ransomware attack via the software supply chain.”

The post MOVEit latest: US Government services provider Maximus hit appeared first on IT Security Guru.

Popular social media platform Discord has notified users it has suffered a data breach after a support agent’s account at a third party became compromised.

A malicious individual then gained unauthorised access to the agent’s support queue, exposing user email addresses, Discord support messages and attachments sent via the ticket system.

Discord – which has a user base of over 150 million monthly active users – has deactivated the compromised account and undertaken security checks on the agent’s machine, including malware scans.

The social media platform has collaborated with the third-party partner and has ensured security measures have been put in place, so such an incident is avoided going forward.

Discord has contacted users warning them to remain vigilant of any unusual activity regarding accounts including phishing or fraud attempts.

Commenting on the news and offering insight are the following cybersecurity experts:

Jamie Boote, associate principal consultant at the Synopsys Software Integrity Group, said, “Companies need to take a top-down approach to protecting their data. It starts with policy and standards that classify all types of data the company would expect to create, collect, store, or generate. Once these data classification standards are in place, companies then need to catalogue where all sensitive or privacy data is collected, handled, or stored into an inventory. You can’t protect something if you don’t know where or what it is.”

Alex Archondakis, Head of Professional Services at Pentest People, comments: “Organisations often focus security resources on their own internal and external assets; however, this attack proves that your security is only as good as the weakest link in your supply chain. Every level of the supply chain should be analysed to understand what type of data or access can be acquired from exploiting it. The company chosen for each section should be researched to ensure that they perform regular penetration tests against their systems and hold relevant cyber security certificates such as Cyber Essentials Plus. In the case of third parties storing your sensitive data, one should ensure that anyone with access to it has been through relevant vetting procedures.”

Chris Hauk, Consumer Privacy Advocate at Pixel Privacy said, “The growing popularity of Discord, especially among gamers, makes it an increasingly attractive target for the bad actors of the world. Discord users must remain alert for any phishing emails using the email addresses gleaned in the data breach.”

Paul Bischoff, Consumer Privacy Advocate at Comparitech added, “Scammers might personalise their messages using data from the breach to make them more convincing. Never click on links or attachments in unsolicited messages!”


The post Discord Suffers Data Breach Through Compromised Third Party appeared first on IT Security Guru.