IN: Allied Physicians of Michiana report SamSam attack

 Posted by at 5:44 pm  Health Data, Malware
May 212018
 

South Bend Tribune reports:

A local physicians network was the focus of a recent cyberattack that released ransomware into its network.

According to a press release from Allied Physicians of Michiana CEO Shery Roussarie, the company became aware of the cyberattack on Thursday afternoon and immediately took steps to shut down the network in order to protect personal and protected health information of patients.

The company restored its data in a secure format without significant disruption to patients, but an investigation is ongoing to confirm that personal or protected health information wasn’t compromised.

Read more on South Bend Tribune. The statement does not reveal whether any ransom was paid, and if so, how much.  Nor is the incident on HHS’s public breach tool at this time.

An image of the notification was uploaded to the medical practice’s site today:

Notice of Data Breach at blackphoenixalchemylab.com

 Posted by at 11:58 am  Business Sector, Hack, Malware, U.S.
May 182018
 

Elizabeth Barrial of Black Phoenix Lab posted the following notice last night:

Please forgive me for the time it took to publish this. I wanted to make sure we had all the facts before I posted, and I needed to ensure that I used the correct format for the notice as required by law.

NOTICE OF DATA BREACH

I have lousy news to share: some time between May 1st and May 16th, the Black Phoenix Alchemy Lab site was hacked. [This does not apply to Trading Post or TAL; it was only BPAL’s main site that was affected.] There is no way for our dev team to be absolutely certain when the attack initially happened, so this is the best educated guess based on the information we have. This is the first time that our data has been breached in the sixteen years that we’ve been in business. We take our customers’ privacy, confidentiality, and security extremely seriously, and we are devastated that this incident occurred.

Yesterday, we learned from our devs that all passwords on the site needed to be changed. At the time, we didn’t have further details but took immediate steps to learn what was going on, and the moment that the malicious code was discovered, our devs neutralized it.

I didn’t want to post more until we understood exactly what happened. Although we cannot be sure that any of your information was accessed or misappropriated, we want to make you aware of the situation and provide you with information on what to do from here. So, here’s what we know as of today –

WHAT HAPPENED

Malicious code was injected into the portion of the checkout page where credit card info bound for AuthorizeNet is gathered. If you made a purchase using the AuthorizeNet gateway during this period, your credit card data may have been compromised. We do not store any credit card info ourselves on the site – none whatsoever – so there was no credit card data to harvest from before this time period.

Any purchases made through the PayPal gateway were not affected. Any sales made in-person at a convention were not affected, nor were any purchases made through BPTP, TAL, our Amazon store, or our etsy shop.

On May 16th, our developer found this malicious code, but didn’t immediately know what it was about. We immediately initiated the sitewide password reset to be safe while the developer tried to suss out what was going on. Most of the day was spent analyzing the code, and based on the information we now have, our developer determined that the malicious code was inserted for the purposes of harvesting credit card numbers.

Once that was established, I started drafting this announcement while Black Phoenix and our developers continued to research the situation.

It looks like less than 150 credit card transactions were at risk, and we will do everything in our power to directly contact anyone that might have been compromised.

WHAT INFORMATION WAS INVOLVED

The credit card numbers of under 150 customers who made purchases on the site using the AuthorizeNet gateway have possibly been compromised.

We do not know if any other data was accessed, as a bogus admin account was created by the person(s) who created the breach. Information that could have been accessed without authorization could have included your name, credit card billing address, telephone number, email address, and credit card number data, the name on card, expiration date, and security code.

WHAT WE ARE DOING

We take our obligation to safeguard your information very, very seriously, and we did all that was within our power to act as quickly as possible. A bulk password reset was initiated as soon as malicious activity was suspected. As soon as the malicious code was found, our developers neutralized it. A full security audit was performed. We moved the entirety of the site to a new server with a managed infrastructure for added security. When the fake admin account was found, it was removed. Our developer is in the process of further hardening our security to ensure that breaches do not occur in the future and initiating a more robust intrusion detection system, and we are in the process of directly contacting the 150ish people whose credit card numbers may have been compromised. We are also notifying AuthorizeNet, the FBI, and local law enforcement in Los Angeles, CA.

WHAT YOU CAN DO

We don’t know if the hacker successfully retrieved any data, but we strenuously recommend that if you used AuthorizeNet as your payment gateway on our site between May 1st and May 16th, you keep a close eye on your credit card transactions and report to your issuing bank that your card may have been compromised. Equifax also provides Identity Theft Prevention Tips, which provides additional steps that you can take, including instructions for obtaining a free copy of your credit report and how to place a fraud alert and/or credit freeze on your report.

We recommend that you remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring your credit reports. You may obtain a free copy of your credit report from each company listed below once every 12 months by requesting your report online at www.annualcreditreport.com, calling toll-free 1-877-322-8228, or mailing an Annual Credit Report Request Form (available at www.annualcreditreport.com) to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA, 30348-5281. You may also purchase a copy of your credit report by contacting any of the credit reporting agencies below:

Equifax
PO Box 740241
Atlanta, GA 30374
www.equifax.com
888-766-0008

Experian
PO Box 9554
Allen, TX 75013
www.experian.com
888-397-3742

TransUnion
PO Box 2000
Chester, PA 19016
www.transunion.com
800-680-7289

If you believe you are the victim of identity theft, you should contact the proper law enforcement authorities, including local law enforcement, and you should consider contacting your state attorney general and/or the Federal Trade Commission (“FTC”). You may also contact the FTC to obtain additional information about avoiding identity theft.

Federal Trade Commission, Consumer Response Center
600 Pennsylvania Avenue NW, Washington, DC 20580; 1-877-IDTHEFT (438-4338)
www.ftc.gov/idtheft

State Attorneys General: Information on how to contact your state attorney general may be found at www.naag.org/naag/attorneys-general/whos-my-ag.php.

You may obtain information from the FTC and the credit reporting agencies listed above about placing a fraud alert and/or credit freeze on your credit report.

The State of California has a web site with further information to help consumers when their data has been breached: https://oag.ca.gov/p…s-for-consumers

FOR MORE INFORMATION
We are deeply committed to our customers, and I am profoundly upset that this breach occurred. We will continue to do everything in our power to ensure that this does not happen again in the future, and I hope that you can accept my heartfelt apology. If you have any questions, please do not hesitate to contact us at [email protected]

With all my heart, I am so, so sorry.

Elizabeth Barrial
President
Black Phoenix, Inc.

LifeBridge Health and LifeBridge Potomac Professionals Notify Patients of a Recent Security Incident

 Posted by at 9:37 pm  Health Data, Malware
May 162018
 

From their press release:

LifeBridge Health and LifeBridge Potomac Professionals announced today that it is sending letters to patients about a recent security incident involving patient information.

On March 18, 2018, LifeBridge Health discovered that malware infected the server that host LifeBridge Potomac Professional’s electronic medical record, and LifeBridge Health’s patient registration and billing systems. LifeBridge immediately began an investigation, engaged a national forensic firm, and determined that the unauthorized person accessed the server on September 27, 2016.  The information potentially accessed may include patients’ names, addresses, dates of birth, diagnoses, medications, clinical and treatment information, insurance information, and in some instances social security numbers.

At this time, LifeBridge Health and LifeBridge Potomac Professionals has no reason to believe that the patient information has been misused in any way.  However, as a precaution, LifeBridge Health is sending letters to patients, and has established a dedicated call center to answer any questions patients may have.  For those patients whose Social Security numbers were potentially involved, LifeBridge is offering a one-year complimentary credit monitoring and identity protection services. LifeBridge Health also recommends that patients review their billing statements and explanation of benefits they receive.  If patients see services that they did not receive, they should contact the provider or insurer immediately.

To help prevent something like this from happening again, LifeBridge has enhanced the complexity of its password requirements and the security of its system.

For additional information about this incident, please visit the LifeBridge website at www.lifebridgehealth.org.

SOURCE LifeBridge Health and LifeBridge Potomac Professionals

Of note, although they point to their site for more info, I see no notice or information on their site as of the time of this posting.

Shadowy Hackers Accidentally Reveal Two Zero-Days to Security Researchers

 Posted by at 8:15 am  Malware
May 162018
 

Catalin Cimpanu reports:

An unidentified hacker group appears to have accidentally exposed two fully-working zero-days when they’ve uploaded a weaponized PDF file to a public malware scanning engine.

The zero-days where spotted by security researchers from Slovak antivirus vendor ESET, who reported the issues to Adobe and Microsoft, which in turn, had them patched within two months.

Read more on Bleeping Computer.

Ransomware attack on Family Planning NSW

 Posted by at 8:45 am  Malware, Miscellaneous, Non-U.S.
May 142018
 

Naven Goud reports:

Family Planning NSW(FPNSW), an organization looking into the reproductive and Sexual health of Australian populace is said to have become a victim of a ransomware on Anzac Day. Officials at the New South Wales based healthcare agency has confirmed that their database was hit by ransomware and information related to the customer’s who contacted the healthcare organization in the last two and half years was locked from access.

Sources reporting to Cybersecurity Insiders said that the data of over 8000 customers who have contacted the agency and left a feedback regarding the services could have been compromised in the potential data breach. But FPNSW authorities assured that no medical records were accessed in the breach.

Read more on Cybersecurity Insiders.

 Older Entries