Oct 152018
 

From HHS/OCR, this record-setting announcement:

Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people.

The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.

Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans.  This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans.

On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.  After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.

In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules.  The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/anthem/index.html.

Oct 152018
 

Amitai Ziv reports:

Serious security breaches in the website of Magen David Adom, also known as MDA, have led to the leaking of identifying information about patients, sensitive medical information, financial information and even information on organization volunteers.

A so-called white hat hacker – who finds breaches to improve cybersecurity rather than to attack sites – revealed the information this week. The hacker, Eliel Hauzi, is a professional programmer and veteran of the army’s Encryption and Security Center who checks the security of websites in his free time.

Read more on Haaretz. It turns out he subsequently found yet another problem with MDA, leading them to take it completely offline for a time.

Oct 152018
 

There’s an update to a case previously reported in February that I missed last month.  From the U.S. Attorney’s Office, District of Minnesota:

A Latvian man was sentenced today in Minneapolis for participating in a lucrative “scareware” hacking scheme that targeted visitors to the Minneapolis Star Tribune’s website. Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division, U.S. Attorney Erica H. MacDonald of the District of Minnesota and Special Agent in Charge Jill Sanborn of the FBI’s Minneapolis Field Office made the announcement.

PETERIS SAHUROVS aka “Piotrek” and “Sagade,” 29, was sentenced to 33 months in prison for conspiracy to commit wire fraud. District Judge Ann D. Montgomery of the District of Minnesota imposed the sentence. SAHUROVS will be removed from the United States to Latvia following his prison sentence.  SAHUROVS was arrested in Latvia on a District of Minnesota indictment in June 2011, but was released by a Latvian court and later fled. In November 2016, SAHUROVS was located in Poland, apprehended by Polish law enforcement, and extradited to the United States in June 2017. SAHUROVS was once the FBI’s fifth most wanted cybercriminal and a reward of up to $50,000 had been offered for information leading to his arrest and conviction. He pleaded guilty before Judge Montgomery on February 7, 2018.

According to admissions made in connection with his plea, from at least May 2009 to June 2011, SAHUROVS operated a “bullet-proof” web hosting service in Latvia, through which he leased server space to customers seeking to carry out criminal schemes without being identified or taken offline. The defendant admitted that he knew his customers were using his servers to perpetrate criminal schemes, including the transmission of malware, fake anti-virus software, spam, and botnets to unwitting victims, and he received notices from Internet governance entities (such as Spamhaus) that his servers were hosting malicious activity. Nonetheless, SAHUROVS took steps to protect the criminal schemes from being discovered or disrupted, and hosted them on his servers for financial gain.

SAHUROVS admitted that from in or about February 2010 to in or about September 2010, he registered domain names, provided bullet-proof hosting services, and gave technical support to a “scareware” scheme targeting visitors to the Minneapolis Star Tribune’s website. On February 19, 2010, the Minneapolis Star Tribune began hosting an online advertisement, purporting to be for Best Western hotels, on its website, startribune.com. Two days later, however, the advertisement began causing the computers of visitors to the website to be infected with malware. This malware, also known as “scareware,” caused visitors to experience slow system performance, unwanted pop-ups and total system failure. Website visitors also received a fake “Windows Security Alert” pop-up informing them that their computer had been infected with a virus and another pop-up that falsely represented that they needed to purchase the “Antivirus Soft” computer program to fix their security issues, at a price of $49.95.

Website visitors who clicked the “Antivirus Soft” window were presented with an online order form to purchase a purported security program called “Antivirus Soft.” Users who purchased “Antivirus Soft” received a file download that “unfroze” their computers and stopped the pop-ups and security notifications. However, the defendant admitted, the file was not a real anti-virus product, did not perform legitimate computer security functions, and merely caused the malware that members of the conspiracy had previously installed to cease operating. Meanwhile, the defendant admitted, victim users who did not choose to purchase “Antivirus Soft” became immediately inundated with so many pop-ups containing fraudulent “security alerts” that all information, data, and files on their computers were rendered inaccessible. Members of the conspiracy defrauded victims out of substantial amounts of money as a result of the scheme. The defendant admitted that as a result of his participation, he made between $150,000 and $250,000 U.S. dollars.

This case was investigated by the FBI’s Minneapolis Field Office. The Criminal Division’s Office of International Affairs secured the extradition from Poland and the Polish National Police, the National Prosecutor’s Office, and the Ministry of Justice provided substantial assistance in this matter.

Assistant U.S. Attorney Timothy C. Rank of the District of Minnesota and Trial Attorney Aaron R. Cooper of the Criminal Division’s Computer Crime and Intellectual Property Section prosecuted the case.

Defendant Information:

PETERIS SAHUROVS, 29

Rezekne, Latvia

Convicted:

  • Conspiracy to commit wire fraud, 1 count

Sentenced:

  • 33 months in prison
  • Removal from the United States to Latvia following the defendant’s prison sentence

Related: Bad News for Hacker

Oct 152018
 

WNCT reports:

The Onslow Water and Sewer Authority‘s internal computer system, including servers and personal computers, was hit by a ransomware attack Saturday.

[…]

ONWASA began experiencing persistent virus attacks from a polymorphic malware known as EMOTET on October 4……..  At what ONWASA officials said may have been a timed event, the malware launched a sophisticated virus known as RYUK at 3 a.m. on Saturday.

Read more on WNCT. Some good reporting provides us with more details than we usually find in media reports of this kind.

Oct 152018
 

Rachel Eddie reports:

Kitchenware brand Neoflam Australia has mistakenly published its internal warranty records, exposing the private information of more than 7500 of its customers, The New Daily can reveal.

A page under the brand’s website revealed the full name, age or age bracket, gender, phone number, home address and email of customers from between 2010 and 2015.

Read more on The New Daily.