Oct 152018
 

From HHS/OCR, this record-setting announcement:

Anthem, Inc. has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people.

The $16 million settlement eclipses the previous high of $5.55 million paid to OCR in 2016.

Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans.  This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans.

On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.  After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks. OCR’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.

In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules.  The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/anthem/index.html.

Oct 152018
 

There’s an update to a case previously reported in February that I missed last month.  From the U.S. Attorney’s Office, District of Minnesota:

A Latvian man was sentenced today in Minneapolis for participating in a lucrative “scareware” hacking scheme that targeted visitors to the Minneapolis Star Tribune’s website. Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division, U.S. Attorney Erica H. MacDonald of the District of Minnesota and Special Agent in Charge Jill Sanborn of the FBI’s Minneapolis Field Office made the announcement.

PETERIS SAHUROVS aka “Piotrek” and “Sagade,” 29, was sentenced to 33 months in prison for conspiracy to commit wire fraud. District Judge Ann D. Montgomery of the District of Minnesota imposed the sentence. SAHUROVS will be removed from the United States to Latvia following his prison sentence.  SAHUROVS was arrested in Latvia on a District of Minnesota indictment in June 2011, but was released by a Latvian court and later fled. In November 2016, SAHUROVS was located in Poland, apprehended by Polish law enforcement, and extradited to the United States in June 2017. SAHUROVS was once the FBI’s fifth most wanted cybercriminal and a reward of up to $50,000 had been offered for information leading to his arrest and conviction. He pleaded guilty before Judge Montgomery on February 7, 2018.

According to admissions made in connection with his plea, from at least May 2009 to June 2011, SAHUROVS operated a “bullet-proof” web hosting service in Latvia, through which he leased server space to customers seeking to carry out criminal schemes without being identified or taken offline. The defendant admitted that he knew his customers were using his servers to perpetrate criminal schemes, including the transmission of malware, fake anti-virus software, spam, and botnets to unwitting victims, and he received notices from Internet governance entities (such as Spamhaus) that his servers were hosting malicious activity. Nonetheless, SAHUROVS took steps to protect the criminal schemes from being discovered or disrupted, and hosted them on his servers for financial gain.

SAHUROVS admitted that from in or about February 2010 to in or about September 2010, he registered domain names, provided bullet-proof hosting services, and gave technical support to a “scareware” scheme targeting visitors to the Minneapolis Star Tribune’s website. On February 19, 2010, the Minneapolis Star Tribune began hosting an online advertisement, purporting to be for Best Western hotels, on its website, startribune.com. Two days later, however, the advertisement began causing the computers of visitors to the website to be infected with malware. This malware, also known as “scareware,” caused visitors to experience slow system performance, unwanted pop-ups and total system failure. Website visitors also received a fake “Windows Security Alert” pop-up informing them that their computer had been infected with a virus and another pop-up that falsely represented that they needed to purchase the “Antivirus Soft” computer program to fix their security issues, at a price of $49.95.

Website visitors who clicked the “Antivirus Soft” window were presented with an online order form to purchase a purported security program called “Antivirus Soft.” Users who purchased “Antivirus Soft” received a file download that “unfroze” their computers and stopped the pop-ups and security notifications. However, the defendant admitted, the file was not a real anti-virus product, did not perform legitimate computer security functions, and merely caused the malware that members of the conspiracy had previously installed to cease operating. Meanwhile, the defendant admitted, victim users who did not choose to purchase “Antivirus Soft” became immediately inundated with so many pop-ups containing fraudulent “security alerts” that all information, data, and files on their computers were rendered inaccessible. Members of the conspiracy defrauded victims out of substantial amounts of money as a result of the scheme. The defendant admitted that as a result of his participation, he made between $150,000 and $250,000 U.S. dollars.

This case was investigated by the FBI’s Minneapolis Field Office. The Criminal Division’s Office of International Affairs secured the extradition from Poland and the Polish National Police, the National Prosecutor’s Office, and the Ministry of Justice provided substantial assistance in this matter.

Assistant U.S. Attorney Timothy C. Rank of the District of Minnesota and Trial Attorney Aaron R. Cooper of the Criminal Division’s Computer Crime and Intellectual Property Section prosecuted the case.

Defendant Information:

PETERIS SAHUROVS, 29

Rezekne, Latvia

Convicted:

  • Conspiracy to commit wire fraud, 1 count

Sentenced:

  • 33 months in prison
  • Removal from the United States to Latvia following the defendant’s prison sentence

Related: Bad News for Hacker

Oct 132018
 

Scott Eidler recently reported that Rep. Pete King’s campaign website was attacked by a group that calls itself “Tim’s Army” (also known as “Ayyildiz Tim Siber Army”).

The group has taken over the Twitter accounts of national political journalists, including Fox News’ Brit Hume and NBC’s Peter Alexander, posting Turkish propaganda, according to news media reports.

King said in an interview Monday that he alerted the House security team of the hacking, as well as the House Intelligence and Homeland Security committees and the Nassau County Police Department.

Read more on Newsday.

Oct 132018
 

Lolita C. Baldor reports:

The Pentagon on Friday said there has been a cyber breach of Defense Department travel records that compromised the personal information and credit card data of U.S. military and civilian personnel.

Stock image of Pentagon, 2014. Credit: Ivan Cholakov/Dreamstime

According to a U.S. official familiar with the matter, the breach could have affected as many as 30,000 workers, but that number may grow as the investigation continues. The breach could have happened some months ago but was only recently discovered.

The official, who spoke on condition of anonymity because the breach is under investigation, said that no classified was compromised.

Read more at Phys.org

Oct 122018
 

Donnie O’Sullivan reports:

Almost 30 million Facebook users’ phone numbers and email addresses were accessed by hackers in the biggest security breach in the company’s history, Facebook said Friday. The attackers accessed even more details on 14 million of those users, including the area where they live, their relationship status, their religion, and part of their search history.

Read more on CNN.

In related news, Business Insider shows you how to check to see if your account was affected  and it also shows you how to delete your Facebook account.