Apr 172019

On March 19, this blog linked to a TechCrunch report about an improperly secured Meditab fax server that potentially allowed fax images with patient information to be accessed from an analytics portal. The exposure had been found by SpiderSilk, a cybersecurity firm in Dubai, who estimated that 6 million images were potentially accessible.  The TechCrunch report noted that:

The exposed fax server was running a Elasticsearch database with over six million records since its creation in March 2018. Because the server had no password, anyone could read the transmitted faxes in real-time — including their contents.

Last night, I spoke with Angel Marrero, MedPharm’s general counsel, who responded to my request for an update as to what their investigation had shown.

According to Marrero, their investigation showed that there were maybe 200,000 fax images that were actually on the server and potentially accessible. They found no evidence that anyone other than the researches had accessed the images and that they had not been scraped, but the firm had been unable to connect with SpiderSilk to ask them questions or seek clarification.

All told, Marrero informs this site that they had about 400 clients affected by this incident that they notified.  Approximately 100 of them had 500 or more images accessible via the portal and will be notifying HHS and affected patients or will be having Meditab notify HHS and/or the patients.  The other 300 clients reportedly have fewer than 500 images or patients involved, and so will be notifying HHS or having Meditab notify HHS before next year’s deadline for incidents involving less than 500 patients.

Marrero did not give DataBreaches.net an exact number of how many patients, total, were affected as they are still investigating that, but his current best estimate is that approximately 150,000 patients may have been affected.

Obviously, that’s concerning, particularly when you remember that these are often medical reports complete with a lot of medical history and sensitive information that is not encrypted, but by the same token it’s nowhere near as bad as headlines that raise the specter of 6 million affected or learning that the data had been found and exfiltrated by those with malignant intent.

Because some of Meditab’s clients have opted to notify HHS themselves, we may find ourselves seeing a number of breach reports that do not name Meditab and where we may not understand that the report was part of this breach.  Next month could be messy that way.


Apr 172019

In December, 2018, Citrix forced a password reset for some of its clients due to what appeared to be a credential stuffing attack against ShareFile. But did some customers first find out about it March?  On April 16, external counsel for LD Evans, CPA provided notification that began;

On March 4, 2019, LD Evans learned from Citrix that individuals’ personal information may have been obtained by an unknown, unauthorized third party as the result of a security issue related to its use of Citrix ShareFile, a third-party filesharing service. LD Evans took immediate action to enhance security protocols and confirm that the issue could not lead to further unauthorized access.

LD Evans also conducted an internal investigation, which determined that an unknown, unauthorized third party could have gained access to individuals’ personal information stored within its Citrix ShareFile environment, including the names, addresses, dates of birth, Social Security numbers and bank account information of affected individuals.

Approximately 631 California residents were affected in this potential incident. The total number of LD Evans clients was not disclosed.

Update: this post was corrected post-publication because I had erroneously linked to a subsequent Citrix issue involving their internal network instead of the ShareFile incident. Thanks to the alert reader who questioned my connection between the events.

Apr 152019

Sergiu Gatlan reports:

Malicious DICOM files can be crafted to contain both CT and MRI scan imaging data and potentially dangerous PE executables, a process which can be used by threat actors to hide malware inside seemingly harmless files.

Cylera’s Markel Picado Ortiz achieved this by taking advantage of a DICOM format design flaw which allows for the “128-byte section at the beginning of the file, called the Preamble,” to be modified to add compatibility with non-DICOM image viewers.

Read more on BleepingComputer.


Apr 142019

Ben Winslow reports:

A ransomware attack hit Garfield County’s computer systems, crippling them for weeks before they were able to pay to get access to their own data, officials confirmed to FOX 13.

“All of our data had been taken,” Garfield County Attorney Barry Huntington said of the recent data breach.

Someone clicked on a phishing email earlier this year that launched a ransomware attack, swiping up a number of county offices’ data and locking it away.

“The Assessor’s Office, the Recorder’s Office, some of the files had been taken and we didn’t know how or why,” Huntington said Thursday. “Eventually we received an email stating that some terrorists had taken our information and if we wanted it back, we had to pay them.”

Read more on Fox13.

Thanks to @MRJDWoodard for alerting me to this story.

Apr 142019

On April 7, RS Medical disclosed an incident that had the potential to compromise patient information. A copy of the notification from the Vancouver, Washington entity, obtained by DataBreaches.net, indicates that the attacker may not have been particularly interested in patient information, though:

The primary purpose of the breach, as determined by internal investigation, was to obtain an Outlook account from which to launch 10,000 phishing emails.

This incident, which occurred February 11 – February 12, 2019,  does not appear to be related in any way to the breach Microsoft has confirmed to TechCrunch. It appears to be due to just one more instance of an employee falling for a phishing attack.

The pain-relief device manufacturer says that after obtaining the employee credentials and testing the login o make sure it worked, the attacker launched a phishing attack. Ten thousand emails were reportedly sent out from the compromised account before the attack was detected and the password to the account was changed to lock out the attacker.

“The time the U.P. [unauthorized person] had access to the account totaled less than 2 hours. The likelihood that any PHI was acquired or viewed is low but cannot be disproven,” RS Medical’s Privacy Officer Joseph Basham writes.

But because access could not be disproved, RS Medical notified approximately 250 patients whose health information was potentially accessible in that employee’s mailbox. The PHI included name, home address,  phone number, and date of birth, as well as either diagnosis codes and/or type and quantity of medical equipment/supplies prescribed that RS Medical documented.

The RS Medical incident is just the latest in a slew of incidents where access to PHI may be highly unlikely but because an entity cannot definitively prove no access, entities have had to — or decided to —  to make notifications. It is also just the latest in a slew of incidents where if employees didn’t keep unencrypted PHI in their email accounts, no notifications might be required.

So why, when phishing accounts for approximately 1/3 of all attacks these days and when the costs of incident response may run into the millions of dollars, are people still retaining unencrypted PHI in email accounts?  And how can a covered entity justify to OCR, “Yes, we knew that having employees retain PHI in their email accounts contributed to a significant risk of a reportable breach even with providing training on recognizing phishing emails, but we let them store PHI anyway and didn’t even limit for how long it could remain in their email inboxes.”

RS Medical is regulated by the FDA.  They did nothing unusual, and I do not mean to suggest in any way that they should be singled out for any enforcement action. But maybe it’s time for HHS to send out a guidance about storing PHI in employee email accounts and how OCR views incidents of this kind — whether allowing such unencrypted storage is consistent with the Security Rule or not. Then again, maybe I’m not seeing something that others with actual security expertise would see.