18 Healthcare cyber-security incidents in October


Numerous privacy incidents at hospitals, IT suppliers and other healthcare organizations captured public attention last month.

While some of these incidents affected fewer than 1,000 patients, others were reported to have affected more than 500,000.

  1. Tampa-based Women’s Care Florida alerted all current and former patients — 528,188 people — that their medical or personal information may have been exposed due to an April 29 cybersecurity incident.
  2. Around 152,000 patients may have had their information viewed because of a ransomware attack at St. Louis-based Betty Jean Kerr People’s Health Centers.
  3. Kalispell (Mont.) Regional Healthcare began notifying nearly 130,000 patients Oct. 23 that their information may have been exposed due to a phishing attack.
  4. Gary, Ind.-based Methodist Hospitals is notifying 68,039 patients that their protected health information may have been exposed in a data breach.
  5. Approximately 19,000 patients and 3,000 volunteers may have been affected in a data breach at six Prisma Health-Midlands hospitals.
  6. The University of Alabama Birmingham Medicine has alerted 19,557 patients that their information may have been exposed in a phishing attack.
  7. San Antonio-based South Texas Dermatopathology has notified 15,982 patients that their information may have been exposed in a data breach at a third-party collections company.
  8. Goshen (Ind.) Health began notifying 9,160 patients on Sept. 30 of a security incident that may have exposed their personal health information.
  9. Cancer Treatment Centers of America at Southeastern Regional Medical Center in Atlanta began notifying 3,290 patients that their personal health information may have been exposed in a security incident.
  10. The Virginia Department of Behavioral Health and Developmental Services is investigating an October data breach that may have affected 1,442 people.
  11. The Seattle Cancer Care Alliance began notifying nearly 1,000 patients Oct. 16 that their information may have been exposed due to an email error.
  12. Oakland, Calif.-based Kaiser Permanente began issuing notices Sept. 27 to 990 Sacramento-area patients that their information may have been exposed.
  13. Danville, Pa.-based Geisinger Health Plan began notifying an undisclosed number of patients Oct. 18 that their information may have been exposed in a phishing attack at a third-party vendor.
  14. A regional Veterans Affairs Department in Milwaukee mishandled patients’ personal data, leaving medical records, internal communications and other information available for unauthorized personnel to access.
  15. Asheville, N.C.-based Mission Health has mailed patients letters indicating that their financial information may have been stolen.
  16. Milwaukie, Ore.-based Monterey Health Center announced Oct. 11 that it is notifying patients their protected health information may have been exposed because of a ransomware attack.
  17. Greenville, Texas-based Hunt Regional Healthcare has notified additional patients of a cyberattack earlier this year that may have exposed patient information.
  18. A website created by the Philadelphia Department of Public Health to track hepatitis infections was compromised, exposing individuals’ health records.


Bypass Google Filters & Launching CSV Malware via Google Sheets

Cybercriminals are using a new technique to spread CSV malware via Google Sheets instead of the Microsoft Excel sheets that malicious actors more commonly use.

Cyber attacks are increasing day by day, and attackers stay one step ahead by launching sophisticated attacks that are difficult to detect and mitigate.

By default, a .CSV file opens in MS Excel when a user clicks on it, and Excel interprets the cell contents rather than treating them as plain text.

In this case, the attacker embedded the malware dropper within a Google spreadsheet to infect users and distributed it via spam emails.

Spreading malware via a Google spreadsheet creates more trust among ordinary users, who rarely check who sent it, whereas the security community never trusts such files.

Google has implemented anti-malware filtering in Gmail and Google Drive to prevent malware from spreading over its services, blocking specific file types (.exe, .dll, .zip, etc.) in Gmail.

But an attacker can bypass this Google filter by using Google Sheets as the malware vector. Google has been alerted about this issue, but it confirmed that this is actually “Intended Behaviour”.

According to the researcher, an attacker could send a clear link over an instant messaging platform and/or by email asking the victim to open a Google Sheet, suggesting that they open the spreadsheet locally because of “MSExcel compatibility issues”. If the victim then downloads the Google Sheet and opens it locally (with Microsoft Excel), “the attacker might infect her box”.

Users need to be aware of this kind of serious attack: avoid downloading a Google Sheet if you receive a link to one that does not work online.
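The defensive counterpart to the behaviour described above is to check a downloaded CSV for cells that a spreadsheet application would evaluate instead of display. The following scanner and sanitiser is an added example, not code from the original article or from the researcher it cites; the CSV content, the trigger-character list and the single-quote neutralisation convention are assumptions for illustration. It goes slightly beyond the article by also skipping leading control characters (which some applications ignore before checking for a trigger) and by exempting plain negative numbers, which would otherwise be false positives.

```python
import csv
import io
from typing import List, Tuple

# Leading characters that make a spreadsheet application treat a CSV cell as a
# formula rather than as text when the file is opened locally (assumption).
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# Control characters some applications skip before looking for a trigger.
CONTROL_PREFIX = "\t\r\n "


def _is_number(s: str) -> bool:
    """A cell such as "-12.50" starts with a trigger but is only a number."""
    try:
        float(s)
        return True
    except ValueError:
        return False


def is_formula_cell(cell: str) -> bool:
    """True if the cell would be evaluated as a formula by a spreadsheet app."""
    stripped = cell.lstrip(CONTROL_PREFIX)
    if _is_number(stripped):
        return False
    return stripped.startswith(FORMULA_TRIGGERS)


def neutralise_cell(cell: str) -> str:
    """Prefix a dangerous cell with a single quote so it is shown as text."""
    return "'" + cell if is_formula_cell(cell) else cell


def scan_csv(text: str) -> List[Tuple[int, int, str]]:
    """Return (row, column, value) for every cell that would be evaluated."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_cell(cell):
                findings.append((r, c, cell))
    return findings


def sanitise_csv(text: str) -> str:
    """Rewrite the CSV so that no cell starts with a formula trigger."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([neutralise_cell(cell) for cell in row])
    return out.getvalue()


# Constructed sample: an invoice-style sheet. Two cells would be evaluated by
# a spreadsheet application; the "-12.50" refund amount is a harmless number.
SAMPLE_CSV = (
    "invoice,customer,amount\n"
    "1001,Acme Ltd,250.00\n"
    "1002,=SUM(C2:C2),0\n"
    "1003,\"\t=A1+A2\",10\n"
    "1004,Refund,-12.50\n"
)

if __name__ == "__main__":
    for row, col, value in scan_csv(SAMPLE_CSV):
        print(f"row {row} col {col}: {value!r} would be evaluated")
    print(sanitise_csv(SAMPLE_CSV))
```

Run the scanner on any CSV before opening it in a spreadsheet application, or apply `sanitise_csv` on export paths so that user-supplied text can never reach a cell in a form that gets evaluated.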

IOC:

  • Hashes:
    • 5e561bf9e088f8f2b9c0610fb6f61f6d7655f6a0988a0d304452d8fa73a6a628 (.CSV)
    • cd3d1b4d147a198e1a2b7e3f4370998142bf20cbdfdd3d30cf86d65b5bd40f50 (dropped)

Airbus Data Breach – Hackers Stolen Employee Sensitive & Personal Data

Airbus IT systems suffered a data breach that resulted in unauthorized access to Airbus employees’ personal and sensitive data.

Airbus, the European Aeronautic Defence and Space Company, manufactures and sells civil and military aerospace products worldwide and has more than 129,000 employees.

Experts detected the cyber incident in the information systems of Airbus’ “Commercial Aircraft business”, but it does not affect Airbus’ commercial operations.

It is unclear who is behind this attack, and Airbus IT security experts are continuously monitoring the incident.

Experts have also taken immediate and appropriate actions to reinforce existing security measures and to mitigate the potential impact, as well as to determine its origins.

According to the Airbus press release: “Investigations are ongoing to understand if any specific data was targeted, however we do know some personal data was accessed. This is mostly professional contact and IT identification details of some Airbus employees in Europe.”

The company has also contacted the relevant regulatory authorities and the data protection authorities pursuant to the GDPR (General Data Protection Regulation).

Airbus has instructed its employees to take all necessary security precautions in light of this incident.

Reddit Locks Down Accounts After Security Incident

A large number of Reddit users have been locked out of their accounts as a precaution while the site’s admins investigate potential unauthorized access.

Staffer “Sporkicide” would not disclose exactly how many users were affected by the move, but claimed in a post yesterday that “a large group of accounts were locked down due to a security concern.”

“By ‘security concern,’ we mean unusual activity that did not correspond to the account’s normal behavior that may indicate unauthorized access,” the admin continued.

“The most common explanation for this is the use of very simple passwords or the reuse of credentials across multiple websites or services. If another site is compromised and those lists of usernames and passwords become available, it’s very likely that they will be tried against other popular sites to see if they work and this means that any account where you use the same credential combination is then at risk.”

These credential stuffing attacks, facilitated by automated software that injects breached credentials into other sites to crack accounts, are set to become ever more popular in 2019, according to one security vendor.

“Breached credentials will be actively and heavily used in fraudulent transactions as cyber-criminals take the next logical step after amassing data breach info dumps in past years: using these stolen credentials.”

However, some of those commenting on the security notice claimed they used strong, site-specific credentials for Reddit. One even suggested the incident could be the result of a session hijacking attack of the same kind that led to the theft of access tokens for 30 million Facebook accounts last year.

Reddit is no stranger to security incidents: last year it suffered a major breach of user data after hackers first cracked staff accounts by intercepting SMS-based two-factor authentication codes.

Sporkicide claimed yesterday that over “the next few hours” affected account holders will be able to reset their passwords.

Reddit accounts are prized as they can be used to push malicious content, exploit other users and make content go viral.

“Reddit is notoriously easy for attackers to manipulate — they don’t require an email to open an account; the signup form only uses basic reCAPTCHA, which has been ineffective for years; and the login form does not appear to use any automation prevention techniques to protect against credential stuffing attacks,” he added.

“Sites like Reddit are a dream for attackers, there are virtually no barriers to entry and the value of trusted accounts on social networks is so high.”
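The pattern the admin describes, many different usernames tried from one source with a high failure rate, is what distinguishes credential stuffing from a single user mistyping a password, and it is exactly what an “automation prevention” control on a login form would key on. The following detector is an added example, not code from Reddit or from the vendor quoted above; the log line format, the source addresses and the thresholds are constructed assumptions. It also reports which accounts authenticated successfully from a flagged source, since those are the ones to lock down and reset, as Reddit did.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed log line format (constructed for this example):
#   <timestamp> ip=<source> user=<username> result=OK|FAIL
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Login activity seen from one source address."""
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)      # distinct usernames tried
    successes: Set[str] = field(default_factory=set)  # usernames that logged in

    @property
    def failure_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines) -> Dict[str, SourceStats]:
    """Fold log lines into per-source statistics, skipping malformed lines."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(rec["user"])
    return dict(stats)


def flag_credential_stuffing(stats: Dict[str, SourceStats],
                             min_users: int = 5,
                             min_failure_ratio: float = 0.8) -> List[str]:
    """Sources that tried many distinct accounts and mostly failed.

    A single user retrying their own password fails often but touches one
    account, so the distinct-user threshold keeps them out of the result.
    """
    return sorted(ip for ip, s in stats.items()
                  if len(s.users) >= min_users
                  and s.failure_ratio >= min_failure_ratio)


def accounts_to_lock(stats: Dict[str, SourceStats], flagged: List[str]) -> List[str]:
    """Accounts that authenticated successfully from a flagged source."""
    return sorted({u for ip in flagged for u in stats[ip].successes})


# Constructed sample: one source spraying eight accounts (one succeeds), one
# legitimate user retrying a mistyped password, one ordinary login, and a
# malformed line that the parser must ignore.
SAMPLE_LOG = """\
2019-10-28T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-10-28T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-10-28T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2019-10-28T10:00:03Z ip=203.0.113.5 user=dave result=OK
2019-10-28T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2019-10-28T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2019-10-28T10:00:04Z ip=203.0.113.5 user=grace result=FAIL
2019-10-28T10:00:05Z ip=203.0.113.5 user=heidi result=FAIL
2019-10-28T10:01:10Z ip=198.51.100.7 user=bob result=FAIL
2019-10-28T10:01:25Z ip=198.51.100.7 user=bob result=FAIL
2019-10-28T10:01:40Z ip=198.51.100.7 user=bob result=FAIL
2019-10-28T10:02:01Z ip=198.51.100.7 user=bob result=OK
2019-10-28T10:03:00Z ip=192.0.2.9 user=carol result=OK
this line is not in the expected format
"""

if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG.splitlines())
    flagged = flag_credential_stuffing(stats)
    print("stuffing sources:", flagged)
    print("accounts to lock and reset:", accounts_to_lock(stats, flagged))
```

In production the aggregation would run over a sliding time window rather than the whole file, and the thresholds would be tuned against normal traffic, but the two signals (distinct accounts per source, failure ratio) are the ones that a login form with no automation prevention leaves you to detect after the fact.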


SingHealth breach report blames lack of basic security

A report detailing the investigation into the 2018 SingHealth data breach that leaked the medical records of 1.5 million Singapore residents has blamed a lack of basic security hygiene coupled with ill-trained IT staff for the disaster.

The review was written by the Singapore Committee of Inquiry, bearing statements and research from Singapore’s Cyber Security Agency, Ministry of Health, and the Integrated Health Information System (IHiS).

An investigation was launched after an unknown party accessed the database of SingHealth – Singapore’s largest healthcare organization – between May 1, 2015, and July 4, 2018, taking medical records, national identity numbers, and other personal details.

The attackers took millions of Singapore citizens’ data, as well as repeatedly and specifically targeting the records of Prime Minister Lee Hsien Loong, as suspicions pointed to the work of a nation-state actor.

The review agreed, noting: “The Committee agrees with CSA’s assessment of the attacker as a skilled and sophisticated attacker bearing the characteristics of an APT group.”

However, it also noted that while it is difficult to prevent an APT (Advanced Persistent Threat, a term commonly applied to government-funded hackers), the attack could have been stopped if staff had taken appropriate action.

Indeed, much of the report is dedicated to highlighting the failings in SingHealth’s basic security hygiene.

Administrator accounts had not implemented two-factor authentication, systems were not patched or updated, and staff did not respond seriously or quickly enough.

“The Security Incident Response Manager (SIRM) and Cluster Information Security Officer (Cluster ISO) for SingHealth, who were responsible for incident response and reporting, held mistaken understandings of what constituted a ‘security incident’, and when a security incident should be reported,” the report read.

There was also a coding vulnerability in the database that had not been patched and likely led to the attackers gaining access.

Staff had noticed some suspicious behavior, such as unauthorized access to servers, but the report noted that they failed to recognize the significance of these events and therefore did not stop the intrusion.

The committee gave 16 recommendations for the healthcare organization, including a review of current technologies to deem whether they are adequate to defend against a future cyber-attack; improving staff awareness on security measures; tightening control of admin-level accounts; and improving incident response processes.

Routine security checks should also be made to check the robustness of both SingHealth’s own systems and vendor-bought products, the report advised.

IHiS, which created and maintains the software SingHealth uses, also made a commitment to bolster its security defenses following the breach, which it says will be fully implemented by the end of the year.