Oct 152018

From HHS/OCR, this record-setting announcement:

Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people.

The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.

Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans.  This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans.

On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.  After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.

In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules.  The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/anthem/index.html.

Oct 152018

There’s an update to a case previously reported in February that I missed last month.  From the U.S. Attorney’s Office, District of Minnesota:

A Latvian man was sentenced today in Minneapolis for participating in a lucrative “scareware” hacking scheme that targeted visitors to the Minneapolis Star Tribune’s website. Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division, U.S. Attorney Erica H. MacDonald of the District of Minnesota and Special Agent in Charge Jill Sanborn of the FBI’s Minneapolis Field Office made the announcement.

PETERIS SAHUROVS aka “Piotrek” and “Sagade,” 29, was sentenced to 33 months in prison for conspiracy to commit wire fraud. District Judge Ann D. Montgomery of the District of Minnesota imposed the sentence. SAHUROVS will be removed from the United States to Latvia following his prison sentence.  SAHUROVS was arrested in Latvia on a District of Minnesota indictment in June 2011, but was released by a Latvian court and later fled. In November 2016, SAHUROVS was located in Poland, apprehended by Polish law enforcement, and extradited to the United States in June 2017. SAHUROVS was once the FBI’s fifth most wanted cybercriminal and a reward of up to $50,000 had been offered for information leading to his arrest and conviction. He pleaded guilty before Judge Montgomery on February 7, 2018.

According to admissions made in connection with his plea, from at least May 2009 to June 2011, SAHUROVS operated a “bullet-proof” web hosting service in Latvia, through which he leased server space to customers seeking to carry out criminal schemes without being identified or taken offline. The defendant admitted that he knew his customers were using his servers to perpetrate criminal schemes, including the transmission of malware, fake anti-virus software, spam, and botnets to unwitting victims, and he received notices from Internet governance entities (such as Spamhaus) that his servers were hosting malicious activity. Nonetheless, SAHUROVS took steps to protect the criminal schemes from being discovered or disrupted, and hosted them on his servers for financial gain.

SAHUROVS admitted that from in or about February 2010 to in or about September 2010, he registered domain names, provided bullet-proof hosting services, and gave technical support to a “scareware” scheme targeting visitors to the Minneapolis Star Tribune’s website. On February 19, 2010, the Minneapolis Star Tribune began hosting an online advertisement, purporting to be for Best Western hotels, on its website, startribune.com. Two days later, however, the advertisement began causing the computers of visitors to the website to be infected with malware. This malware, also known as “scareware,” caused visitors to experience slow system performance, unwanted pop-ups and total system failure. Website visitors also received a fake “Windows Security Alert” pop-up informing them that their computer had been infected with a virus and another pop-up that falsely represented that they needed to purchase the “Antivirus Soft” computer program to fix their security issues, at a price of $49.95.

Website visitors who clicked the “Antivirus Soft” window were presented with an online order form to purchase a purported security program called “Antivirus Soft.” Users who purchased “Antivirus Soft” received a file download that “unfroze” their computers and stopped the pop-ups and security notifications. However, the defendant admitted, the file was not a real anti-virus product, did not perform legitimate computer security functions, and merely caused the malware that members of the conspiracy had previously installed to cease operating. Meanwhile, the defendant admitted, victim users who did not choose to purchase “Antivirus Soft” became immediately inundated with so many pop-ups containing fraudulent “security alerts” that all information, data, and files on their computers were rendered inaccessible. Members of the conspiracy defrauded victims out of substantial amounts of money as a result of the scheme. The defendant admitted that as a result of his participation, he made between $150,000 and $250,000 U.S. dollars.

This case was investigated by the FBI’s Minneapolis Field Office. The Criminal Division’s Office of International Affairs secured the extradition from Poland and the Polish National Police, the National Prosecutor’s Office, and the Ministry of Justice provided substantial assistance in this matter.

Assistant U.S. Attorney Timothy C. Rank of the District of Minnesota and Trial Attorney Aaron R. Cooper of the Criminal Division’s Computer Crime and Intellectual Property Section prosecuted the case.

Defendant Information:


Rezekne, Latvia


  • Conspiracy to commit wire fraud, 1 count


  • 33 months in prison
  • Removal from the United States to Latvia following the defendant’s prison sentence

Related: Bad News for Hacker

Oct 152018

WNCT reports:

The Onslow Water and Sewer Authority‘s internal computer system, including servers and personal computers, was hit by a ransomware attack Saturday.


ONWASA began experiencing persistent virus attacks from a polymorphic malware known as EMOTET on October 4……..  At what ONWASA officials said may have been a timed event, the malware launched a sophisticated virus known as RYUK at 3 a.m. on Saturday.

Read more on WNCT. Some good reporting provides us with more details than we usually find in media reports of this kind.

Oct 142018

David Chenault reports:

Financial scammers stole more than $600,000 from Henderson ISD through a sophisticated, yet common, fraud scheme.

According to HISD’s financial records, on Sept. 26, the district initiated a $609,615.24 direct electronic bank payment (known as an Automated Clearing House or ACH) to RPR Construction Company Inc. The firm is overseeing the construction at Lions Stadium and renovation work at the former Chamberlain Elementary School.

However, on Oct. 1, the district’s business department staff discovered the funds were mistakenly transferred to a fraudulent account instead of RPR’s bank account. Administrators soon realized HISD was the target of a Business Email Compromise (BEC) scheme.

Read more on Tyler Morning Telegraph.

h/t, @K12CyberMap

Oct 142018

Breanna Edelstein reports:

Sen. Maggie Hassan’s former staffer Jackson Cosko is facing up to 50 years in federal prison amid accusations that he recently broke into the New Hampshire Democrat’s Washington office, leaked lawmakers’ personal information and threatened to do the same to others.

Investigators said they were alerted to the 27-year-old’s alleged criminal activity after he used stolen login credentials to use a computer in Hassan’s office and attempted to keep a witness silent.

Read more on The Eagle-Tribune.