Apr 13, 2019

Zack Whittaker reports:

A hacker group has breached several FBI-affiliated websites and uploaded their contents to the web, including dozens of files containing the personal information of thousands of federal agents and law enforcement officers, TechCrunch has learned.

The hackers breached three sites associated with the FBI National Academy Association, a coalition of different chapters across the U.S. promoting federal and law enforcement leadership and training located at the FBI training academy in Quantico, VA. The hackers exploited flaws on at least three of the organization’s chapter websites — which we’re not naming — and downloaded the contents of each web server.

The hackers then put the data up for download on their own website, which we’re also not naming nor linking to given the sensitivity of the data.

Read more on TechCrunch.

Apr 12, 2019

Boise, Idaho (April 12, 2019) – Blue Cross of Idaho Health Service, Inc. (“Blue Cross of Idaho”) is providing notice to certain members of a recent incident involving protected health information (“PHI”) which qualifies as a privacy breach.

On March 21, 2019, an unauthorized user accessed Blue Cross of Idaho’s online provider portal with the intent of fraudulently rerouting a provider financial transaction. Blue Cross of Idaho stopped the attempted financial fraud and secured the portal. On March 22, 2019, Blue Cross of Idaho determined the unauthorized user was able to access provider remittance documents, which contained PHI.

The information the unauthorized user had access to includes member names, enrollee/subscriber number, date of service, healthcare provider name, the provider’s patient account number, claim number, claims payment information and procedure code. The information did not include any member’s Social Security number, driver’s license number, banking or credit card numbers or information about medical diagnoses.

Blue Cross of Idaho reported the incident to the Federal Bureau of Investigation (FBI), which opened an active investigation. Blue Cross of Idaho has also engaged internal and external cybersecurity and financial experts to review the provider portal and associated financial transactions. Based on the results of the investigation, Blue Cross of Idaho believes that the attacker was able to access information for approximately 1 percent of its overall membership.

Blue Cross of Idaho is cooperating fully with the FBI investigation and is continuing to review its provider portal and online security to ensure its members’ data is safe.

Blue Cross of Idaho is not aware of any improper use, or attempted use, of this information, but is actively taking steps to protect its members. In the next seven to 10 business days, most members will receive a new member ID card with a new member number. Any member that experiences problems using their benefits before receiving their new card is encouraged to call Blue Cross of Idaho’s Customer Service Department at 986-224-4154 or toll free at 833-623-7995.

To help protect our members’ identities, Blue Cross of Idaho is offering a complimentary three-year membership for credit monitoring and identity theft restoration services. Each affected member is receiving a personal notification letter with instructions on how to enroll in this service.

Blue Cross of Idaho recommends that all impacted members review their Explanation of Benefits (EOB) statements. If any member finds healthcare services listed on their EOB that they did not receive, they are strongly encouraged to contact Blue Cross of Idaho immediately.

While the provider remittance documents did not include any member’s bank account or credit card information, Blue Cross of Idaho still recommends that members remain vigilant to the possibility of fraud and identity theft by reviewing their bank, credit card and other financial statements for any unauthorized activity. Members should contact their bank directly if they would like to place an alert on their bank account or change their bank account number.

Blue Cross of Idaho takes this incident seriously and has taken multiple actions in response. Blue Cross of Idaho removed the unauthorized user’s access to the provider portal as soon as it was discovered. Blue Cross of Idaho reported the incident to the FBI and is cooperating fully with the investigation. Blue Cross of Idaho has also engaged both internal and external cybersecurity experts to review the incident. Blue Cross of Idaho is reviewing its financial accounts and provider portal to ensure that only legitimate transactions are occurring.

Blue Cross of Idaho is committed to making continuous improvements to its provider portal and online security based on the results of this investigation and best practices used across the industry.

If any member has questions or needs additional information, they can call the Blue Cross of Idaho Customer Service Department at 986-224-4154 or toll free at 833-623-7995.


Apr 12, 2019

Kyodo News reports:

Kyushu Railway Co. said Friday that personal and credit information on up to 8,000 customers was stolen from the goods store website for its “Seven Stars in Kyushu” luxury cruise train.

The leaked information includes customers’ names, addresses, phone numbers, email addresses, date of birth and type of work, according to JR Kyushu. Credit card numbers, security codes and expiration dates of up to 2,800 customers were also stolen.

Read more on Kyodo News.

I’m not sure why Kyodo News refers to this as leaked information when it’s stolen info.

Apr 11, 2019

Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute, recently notified patients after discovering on February 20 that their EMR system had been accessed without authorization. Their investigation revealed that the third party accessed:

patients’ names, addresses, telephone numbers, email addresses, social security numbers, dates of birth, insurance information, name of referring provider, and other demographic information. The information that was accessed in an unauthorized manner did not include credit card information, financial account information, or the clinical information in patients’ medical records.

Their notice indicates that they are offering some mitigation services to those impacted while they take steps to prevent future incidents of this kind:

In addition to investigating this matter thoroughly and terminating the unauthorized access to our EMR system, we have reviewed all user accounts on our system and validated the access levels and activity for each account. We are reviewing and updating our policies and procedures regarding access to patient information and our systems as necessary. As an additional precaution, to reduce the risk of fraud or identity theft, we are offering affected individuals a one-year membership in Experian’s IdentityWorks at no cost.

They do not indicate how many patients were affected, and whether HHS has been notified of this incident.

Update: This was reported to HHS on April 5 as impacting 35,000 patients, although it wasn’t posted on HHS’s site immediately.

Apr 10, 2019

Chris Serres reports:

A data breach last year at the state agency that oversees Minnesota’s health and welfare programs may have exposed the personal information of approximately 11,000 individuals.

The state Department of Human Services (DHS) notified lawmakers Tuesday that an employee’s e-mail account was compromised as a result of a cyberattack on or about March 26, 2018. A hacker unlawfully logged into a state e-mail account of a DHS employee and used it to send two e-mails to one of the employee’s co-workers, asking that co-worker to pay an “invoice” by wiring money.

Read more on Star Tribune.

In their letter to state legislators, the agency highlighted a step it took to prevent further recurrences:

MNIT and DHS have taken important steps to help prevent such incidents from happening in the future. Notably, in February 2019, MNIT deployed a new cybersecurity tool that blocks malicious links and attachments in emails intended for state employees. This tool could have prevented many of the breaches experienced by DHS, including the breach described in this letter.

MNIT and DHS also continue to train employees on how to identify and report the increasingly sophisticated cyberattacks being perpetrated against DHS, and have revised their policies and procedures to ensure that they can appropriately and quickly respond to data security incidents.

So how expensive is that cybersecurity tool? How cumbersome is it to deploy systemwide? And is it really new, or was it available prior to March 2018?

Given how prevalent phishing attacks and email attacks are, I guess I’m asking why everyone isn’t using a tool like this? There really may be a reasonable explanation, and I hope someone with actual security expertise can help me understand why it’s not more universal already.