Cyber Security Incidents March 2017

Urology Austin notifies patients of ransomware attack

KY: Estill County Chiropractic notifies 5,335 patients of ransomware attack

Metropolitan Urology Group Notifies Almost 18,000 Patients of Ransomware Attack That Exposed PHI

City erases, re-installs server after ransomware attack

Student expelled for hacking professors’ emails

Hackers attack Pa. Senate Democrats’ computer system with Ransomware

Website of Korea retail giant Lotte hacked in China

26 million NHS patients’ records in security scare over SystmOne “enhanced data sharing”

Laptops containing 3.7 million Hong Kong voters’ data stolen after chief executive election

Dozens of patients’ medical records found lying in Melbourne street

Notification of data breach on FIRST Forums

Thousands of Psychiatrist’s Patient Records Stored in Basement of House He Rented Out

Council blunder leaks personal data on web

Vermont Department of Labor details data security breach at third party vendor

New Three Data Breach Exposes Mobile Customer Account Details To Total Strangers

UNC Health Care notifies 1,300 prenatal patients of potential breach

Saks Fifth Avenue Exposed Personal Info On Tens Of Thousands Of Customers

Blunder reveals Australian lawmakers’ private cell numbers

Email gaffe revealed 1,417 cancer patients’ email addresses

15 computers with ‘sensitive information’ stolen from Chief Justice Mogoeng’s office

Lane Community College notifies health clinic patients of potential breach

McDonalds India is leaking 2.2 million users’ data

Children’s Hospital of Eastern Ontario employee breached privacy of nearly 300 patients

Singapore Armed Forces apologizes for data leak

Ster-Kinekor “data leak” means private data of 7 million South Africans is at risk

Devon doctors’ surgery says sorry for data breach

Popular Teen Quiz App Wishbone Has Been Hacked, Exposing Tons of User Information

43,000 individuals possibly affected after Abta web server hacked

We’ve lost control of our personal data (including 33M NetProspex records)

US military leak exposes ‘holy grail’ of security clearance files

VCU Health System notifies 2,700 of inappropriate access to their medical records

Brand New Day notifies 14,005 members after breach at vendor

Tarleton Medical discloses breach involving protected health information

Three admits a further 76,000 customers hacked

PoS terminal manufacturer Verifone breached

Action Fraud raised alert about CEO fraud

1.3 billion records leaked: spam operator suffers data breach

Data breach may put Daytona State College students’ personal info at risk

Med Center Health reports stolen patient billing information

Email Security Breach Involving County Employees’ Bank Accounts In Sebastian County

Oh those inadequately secured backup devices…

GMO Payment Gateway confirms data leakage from two client websites

Hackers steal thousands after Queensland School Photography targeted online

No bail for 3 Romanians in ATM hack

Gang of Hackers Tries to Steal Baidu’s Driverless Car Secrets

Chinese police make 96 arrests in latest operation against personal data theft

Dutch detectives unravel 3.6 million encrypted emails sent by criminals

Nursing home employee arrested after filming senior residents having sex, posted video online

16 healthcare data breaches, security incidents in 2016

Here are the 16 healthcare data breaches or security incidents that occurred or were reported during the four weeks of September 2016, beginning with the most recent.

1. Keck Medicine in Los Angeles, part of University of Southern California, reported two servers were hit with ransomware in August, encrypting files and making them inaccessible to employees. The hospitals did not pay any ransom.

2. Codman Square Health Center in Dorchester, Mass., reported a breach due to unauthorized access to a regional health information exchange that contained some of its patients’ information. The breach affects 3,840 patients.

3. The Russian hackers who accessed the World Anti-Doping Agency’s database of Olympians’ medical records leaked more documents, this time involving Spanish tennis player Rafael Nadal, British runner Mo Farah, and American gymnast Laurie Hernandez, among others.

4. Tulsa, Okla.-based Saint Francis Health System is opting not to pay a ransom demand to protect information of 6,000 patients obtained by a hacker, because paying doesn’t guarantee the data won’t be disclosed.

5. Danville, Pa.-based Geisinger Health Plan notified members of a data breach after a processing error resulted in invoices being mailed to incorrect recipients. The breach involved about 2,800 patients.

6. Burrell Behavioral Health in Springfield, Mo., notified 7,748 patients of a potential data breach after an unauthorized party gained access to an employee’s email account.

7. Medford, Ore.-based Asante, a health system serving southern Oregon and Northern California, notified patients of a data breach after an employee was discovered to be inappropriately accessing patient records.

8. Authorities are investigating the possible theft of a binder containing the names and dates of birth of more than 700 patients who received CT scans since May 2012 at Oberlin, Kansas-based Decatur Health Systems.

9. CHI Franciscan Health Highline Medical Center in Burien, Wash., notified patients of a potential data breach after a vendor working on behalf of the medical center inadvertently left patient information accessible via the internet. The incident affected 18,399 individuals.

10. Kansas City, Mo.-based Children’s Mercy Hospital reported a data breach affecting 238 patients after paper records were stolen from an employee’s vehicle.

11. Medical College of Wisconsin in Milwaukee notified patients of a security incident after an unauthorized third party accessed an employee’s email account. The breach affects 3,200 patients.

12. Los Angeles County + USC Medical Center notified more than 700 patients of a potential data breach after appointment lists containing protected health information were stolen from an employee’s car.

13. Planned Parenthood of Greater Washington and North Idaho is notifying patients of a potential data breach after emails regarding a new patient portal were sent to the wrong email addresses, affecting 10,700 patients.

14. Lexington, Ky.-based Appalachian Regional Healthcare hospitals in Kentucky and West Virginia were operating under an emergency operations plan after being struck with ransomware and pulling networks offline. The system was back online three weeks later.

15. SCAN Health Plan in Long Beach, Calif., notified patients of a potential data breach after contact sheets containing protected health information were accessed by an outside party.

16. Orleans (Ind.) Medical Clinic notified patients that hackers accessed one of its computer servers containing EHR data after it was left unsecured following an upgrade. The incident compromised all 7,000 patients’ information.


Healthcare sector man-in-the-middle attacks

In its April cyber awareness newsletter, the Department of Health and Human Services’ Office for Civil Rights shared information about man-in-the-middle (MITM) attacks against connections secured with HTTPS.

Advisory published by Department of Health & Human Services - USA

Security recommendations from US-CERT

Securing end-to-end communications plays an important role in protecting the privacy of HTTPS traffic and preventing some forms of MITM attacks. US-CERT recommends reviewing the following mitigations from Alert TA15-120A to reduce exposure to MITM attacks:

  • Updating Transport Layer Security and Secure Sockets Layer. Specifically, upgrading TLS to 1.1 or higher and ensuring TLS 1.0 and SSL 1, 2, 3.x are disabled unless required. “The continued use of TLS 1.0 and SSL 1, 2, 3.x is leading to increased cases affected by MITM attacks and session hijacks,” US-CERT notes.
  • Utilizing certificate pinning. “Certificate pinning is a method of associating an X.509 certificate and its public key to a specific CA or root,” US-CERT writes. “Typically, certificates are validated by checking a verifiable chain of trust back to a trusted root certificate. Certificate pinning bypasses this validation process and allows the user to trust ‘this certificate only’ or ‘trust only certificates signed by this certificate.’”
  • Implementing DNS-based Authentication of Named Entities, or DANE, a protocol that allows X.509 certificates, commonly used for TLS, to be bound to DNS names. “DANE is bound to DNS, which uses Domain Name System Security Extensions. The DANE working group of the Internet Engineering Task Force developed a new type of DNS record that allows a domain itself to sign statements about which entities are authorized to represent it,” US-CERT writes.
  • Using network notary servers, which aim to improve the security of communications between computers and websites by enabling browsers to verify website authenticity without relying on certificate authorities, or CAs. “CAs are often considered a security risk because they can be compromised,” US-CERT writes. “As a result, browsers can treat fraudulent sites as trustworthy and are left vulnerable to MITM attacks.”
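To make the certificate pinning and DANE items above concrete, here is an added Python example; it is not from the HHS newsletter, US-CERT, or any product. It walks a DER certificate with a hand-rolled parser to pull out the SubjectPublicKeyInfo, derives the SHA-256 value that both SPKI pinning and a DANE “3 1 1” TLSA record use, and checks a presented certificate against a stored pin; the certificate it builds is a constructed, unsigned stand-in, not a CA-issued one.

```python
import hashlib
import hmac
def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_children(body: bytes):
    """Yield (tag, value) for each element inside a constructed DER body."""
    i = 0
    while i < len(body):
        tag, first = body[i], body[i + 1]
        if first < 0x80:                     # short-form length
            n, i = first, i + 2
        else:                                # long form: 0x80 | count of length bytes
            k = first & 0x7F
            n, i = int.from_bytes(body[i + 2:i + 2 + k], "big"), i + 2 + k
        yield tag, body[i:i + n]
        i += n

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert_body = next(der_children(cert_der))  # Certificate ::= SEQUENCE {...}
    _, tbs = next(der_children(cert_body))       # tbsCertificate is its first field
    fields = list(der_children(tbs))
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] version
    # then: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return der_tlv(0x30, fields[5][1])

def spki_sha256(cert_der: bytes) -> str:
    """Hex SHA-256 of the SPKI: the pin value used by key pinning and DANE selector 1."""
    return hashlib.sha256(extract_spki(cert_der)).hexdigest()

def pin_matches(cert_der: bytes, pinned_hex: str) -> bool:
    """Pinning check: accept only a certificate that carries the pinned public key."""
    return hmac.compare_digest(spki_sha256(cert_der), pinned_hex.lower())

def tlsa_record(cert_der: bytes) -> str:
    """DANE TLSA data in the common '3 1 1' form: DANE-EE, SPKI selector, SHA-256."""
    return "3 1 1 " + spki_sha256(cert_der)

def constructed_cert(spki_body: bytes, serial: bytes = b"\x01") -> bytes:
    """Constructed, unsigned toy certificate for this demo, not a CA-issued one."""
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, serial)
           + der_tlv(0x30, b"") * 4 + der_tlv(0x30, spki_body))
    return der_tlv(0x30, der_tlv(0x30, tbs) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
```

Because the pin is taken over the public key rather than the whole certificate, a renewed certificate for the same key (different serial) still matches, while a certificate carrying a different key is rejected.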

Additional security recommendations:

  • In addition to the recommendations provided by US-CERT, Herold suggests the following steps to avoid falling victim to man-in-the-middle attacks:
    • Organizations should apply “comprehensive, layers of security and vigilant security monitoring and updates.”
    • Perform a security risk assessment for the network. “Establish the scope to include HTTPS interception tools, and wherever TLS and SSL are used,” she says.
    • “Have a qualified third party, or an experienced IT internal auditor, review/audit the implementation of HTTPS, TLS and SSL tools and associated systems/applications that the organization uses. Such an audit should be on the annual audit plan anyway, but now that there is increased awareness of this issue, doing such an audit should be moved to the top of an organization’s priority list.”
    • Organizations also need to be proactive in accomplishing those measures. “The CISO, CIO and others responsible for the network, applications and network security should work together to plan how to effectively do these updates, implementations, and removal of inadequate tools to minimize the impact on network users and patients,” she says.
    • “Don’t just go changing settings; planning is necessary for successful security improvement. Without such, you run the risk of not only network interruptions, but also of creating more holes and vulnerabilities than you are trying to fix as a result of not being comprehensive in addressing all vulnerabilities.”