Apr 162019

John Hultquist, Ben Read, Oleg Bondarenko, and Chi-en Shen of FireEye explain:

In early 2019, FireEye Threat Intelligence identified a spear phishing email targeting government entities in Ukraine. The spear phishing email included a malicious LNK file with PowerShell script to download the second-stage payload from the command and control (C&C) server. The email was received by military departments in Ukraine and included lure content related to the sale of demining machines.

This latest activity is a continuation of spear phishing that targeted the Ukrainian Government as early as 2014. The email is linked to activity that previously targeted the Ukrainian Government with RATVERMIN. Infrastructure analysis indicates the actors behind the intrusion activity may be associated with the so-called Luhansk People’s Republic (LPR).

Read more on FireEye.

Apr 142019

On April 7, RS Medical disclosed an incident that had the potential to compromise patient information. A copy of the notification from the Vancouver, Washington entity, obtained by DataBreaches.net, indicates that the attacker may not have been particularly interested in patient information, though:

The primary purpose of the breach, as determined by internal investigation, was to obtain an Outlook account from which to launch 10,000 phishing emails.

This incident, which occurred February 11 – February 12, 2019,  does not appear to be related in any way to the breach Microsoft has confirmed to TechCrunch. It appears to be due to just one more instance of an employee falling for a phishing attack.

The pain-relief device manufacturer says that after obtaining the employee credentials and testing the login o make sure it worked, the attacker launched a phishing attack. Ten thousand emails were reportedly sent out from the compromised account before the attack was detected and the password to the account was changed to lock out the attacker.

“The time the U.P. [unauthorized person] had access to the account totaled less than 2 hours. The likelihood that any PHI was acquired or viewed is low but cannot be disproven,” RS Medical’s Privacy Officer Joseph Basham writes.

But because access could not be disproved, RS Medical notified approximately 250 patients whose health information was potentially accessible in that employee’s mailbox. The PHI included name, home address,  phone number, and date of birth, as well as either diagnosis codes and/or type and quantity of medical equipment/supplies prescribed that RS Medical documented.

The RS Medical incident is just the latest in a slew of incidents where access to PHI may be highly unlikely but because an entity cannot definitively prove no access, entities have had to — or decided to —  to make notifications. It is also just the latest in a slew of incidents where if employees didn’t keep unencrypted PHI in their email accounts, no notifications might be required.

So why, when phishing accounts for approximately 1/3 of all attacks these days and when the costs of incident response may run into the millions of dollars, are people still retaining unencrypted PHI in email accounts?  And how can a covered entity justify to OCR, “Yes, we knew that having employees retain PHI in their email accounts contributed to a significant risk of a reportable breach even with providing training on recognizing phishing emails, but we let them store PHI anyway and didn’t even limit for how long it could remain in their email inboxes.”

RS Medical is regulated by the FDA.  They did nothing unusual, and I do not mean to suggest in any way that they should be singled out for any enforcement action. But maybe it’s time for HHS to send out a guidance about storing PHI in employee email accounts and how OCR views incidents of this kind — whether allowing such unencrypted storage is consistent with the Security Rule or not. Then again, maybe I’m not seeing something that others with actual security expertise would see.



Apr 112019

Kelly Sheridan reports:

One in every 99 emails is a phishing attack, and a new study shows 25% of those phishing attacks bypass default security measures built into Office 365, researchers reported today.

The data comes from Avanan’s Global Phish Report, which analyzed 55.5 million emails sent to Microsoft Office 365 and Google G Suite accounts. They found roughly 1% of all messages are phishing threats that use malicious attachments or links as the attack vector. Of those, 25% were marked safe by Exchange Online Protection (EOP) built into Office 365 and delivered to users.

Read more on DarkReading.

Apr 102019

Every time I think I’m ready to total out the March data on health data attacks or incidents, another incident pops up belatedly on HHS’s site. This time, there were two reports that I had to add yesterday.

One was a report from Palmetto Health in South Carolina (now part of Prisma). Palmetto reported that a phishing attack sometime in November, 2018 necessitated months of investigation.

After completing this extensive review process, on February 19, 2019, we were alerted to the names of the individuals whose information was within the accounts – which contained some patient names and other patient information typically used by a health care provider in the course of providing treatment or consultation. A lesser portion of the emails contained social security numbers and medical insurance information.

All told, 23,811 patients were sent notifications. HHS was notified on March 29.

Palmetto’s report was similar to another newly disclosed phishing attack that potentially compromised ePHI.

Womens’ Health USA, a business associate headquartered in Connecticut, disclosed that its employees were hit by a phishing attack that began in April, 2018 and also occurred in August.  It took months of investigation before covered entities could be notified on March 15, 2019.

Notification letters were sent out to 17,531 patients on March 29.

Apr 092019

AP reports:

A Massachusetts hospital says a data breach exposed information about some 12,000 patients.

Baystate Health of Springfield said Monday that a phishing incident resulted in unauthorized access to the email accounts of several employees between Feb. 7 and March 7.

The hospital says the accounts included patient names and dates of birth, certain health information and, in some cases, Medicare or Social Security numbers.

Baystate says it has received no indication that any of the patient information was misused. But they are urging patients that were affected by the breach to review statements from their providers and insurers to ensure they were not billed for services that they did not receive.

Read more on Daily Hampshire Gazette.