Apr 182019

An article by William Maruca of FoxRothschild is headlined, “Ransomware Claims A Victim.” It discusses the case of  Brookside ENT, whose doctors decided to shutter their practice and retire a year early after a ransomware attack that encrypted their patient data, billing information, scheduling information, and even their backups. In other words, the attacker successfully crippled the practice and any chance it stood of restoring from the backups it had. Under the circumstances, I’m a bit surprised that the attacker only demanded $6,500.00.

In any event after reading more about the incident and mulling it over for the past two weeks, I’m going to politely disagree with the assessment that ransomware claimed a victim, because although ransomware was involved, the doctors., Dr. William Scalf and Dr. John Bizon, made a decision to sacrifice any chance of recovering files their patients needed for what? To save maybe $6500? Maruca writes:

Facing the expense and uncertainty of recovering from this attack, the two physicians, Dr. William Scalf, 64, and Dr. John Bizon, 66 (who also serves as a Republican Michigan state senator), decided to close their practice and accelerate their planned retirement by a year.  Unfortunately, with all their records wiped clean, they did not even have a list of patients and their contact information to allow them to communicate the closure of the practice.  Instead, Dr. Scalf said, “… what I did was just sort of sat in the office and saw whoever showed up. For the next couple of weeks.”  Patients were given referrals to other otolaryngologists in the area, but their records, including test results, remained unavailable.

In explaining their decision not to pay the ransom, Maruca’s article cites a statistic from a cybersecurity firm that only 1/3 of victims who pay ransom get the decryption key. That percentage is significantly less than what the BakerHostetler law firm reports.  They report that in their experience handling hundreds of cases last year, the decryption key was provided in 94% of cases when  ransom was paid.  And these were not all small ransoms. The firm notes that already in 2019, they have had a few clients make ransom payments of more than $1 million — although they inform me that none of these are healthcare entities.

As other reports note, the likelihood of being able to recover data, even with a decryption key, is in no small part a function of what type of ransomware was involved. In the Brookside case, we haven’t been told that piece of information, but the doctors do not mention that as one of the factors that led to their decision not to pay the ransom.

Suppose the doctors had paid the decryption ransom of $6500.00 and gotten access to their data. They could have still decided to close the practice and retire early rather than rebuild their entire infrastructure and network, but at least they would have been able to contact patients and offer patients the ability to obtain copies of their medical records.

And if the doctors paid the ransom and got stiffed, then at least they could say they tried their best.

Over the past few years, I’ve often stated publicly that even though none of us want to reward criminals or encourage more ransom demands, I would never condemn a healthcare entity who decided to pay ransom because patient care or patient safety was being compromised.  I never anticipated that the day might come when I might actually criticize a healthcare entity for not paying a ransom demand, but this situation comes close.

So did the doctors make a decision in their own best interest that was also in the patients’ best interests at this point, or did they just do what was easiest for them, even though other options might have been better for the patients?

Yes, we can talk about how this all might have been prevented in a perfect world where the doctors had a copy of their updated patient roster with contact info printed out daily or where they had a different backup system that could not be corrupted by the ransomware, but that ship already sailed.  Let’s just look at the decisions that had to be made at that point. Did the doctors do the right thing? What do YOU think?  Either way, I want to be clear that I still do feel badly for the doctors, but right now, I’m just focused on the patients and whether this decision was appropriate given that it left patients definitely without access to their medical records.



Apr 182019

For the past year or more, I’ve been receiving numerous  tips and notifications  from trusted researchers about leaks and breaches involving entities in India.  While some of the incidents involve alleged miscreants, other incidents involve human error or misconfiguration situations.  But as many of us have experienced and reported, when it comes to data protection in India, it is often close to impossible to: (1) get entities in India to secure personal information and (2) notify them when their failures have been found by researchers (cf, this post). And then, as Brian Krebs has sadly noted, even when you do reach firms to notify them, they do not always respond appropriately.

Today, Gemini Advisory is releasing a new report their findings with respect to payment card data breaches in India. Of note, Stas Alforov and Christopher Thomas report that Gemini found more than 3.2 million Indian payment card records were compromised and posted for sale in 2018, which elevated India to third in the world in the total amount of stolen payment cards.

This was no small uptick, either.  Gemini reports that they identified a 219% spike in Indian payment cards added that year due to a significant rise in stolen Card Not Present (CNP) and Card Present (CP) data.

Of special note, the increasing demand was supported by a 150% surge in the sale price of card data, from a median price of $6.90 USD (approx. 478.02 Indian Rupees) in 2017 to $17 USD (approx. 1,177.73 Indian Rupees) in 2018.

Based on their data and analyses:

Gemini Advisory assesses with high confidence that fraud levels in India, particularly CNP fraud, will likely surpass those of the United Kingdom in 2019, making Indian-issued payment cards the second-most targeted cards in the world.

You can read their full report at https://geminiadvisory.io/india-rising-cybercrime-frontier/

Given how many U.S. firms outsource to India, Gemini’s report serves as a timely reminder that companies need to pay heightened attention to the data security deployed by their third-party providers or vendors. This also applies to the healthcare sector as payment card data, if linked to a patient’s name, are considered identifiers under HIPAA.


Apr 182019

Joseph Lazzarotti of JacksonLewis writes:

Following recent examinations of SEC-registered investment advisers and broker-dealers, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) published a privacy risk alert on April 16, 2019. OCIE is hoping to remind advisers and broker-dealers about providing compliant privacy and opt-out notices, and adopting and implementing effective policies and procedures for safeguarding customer records and information, under Regulation S-P.

Privacy Notices. During the examinations, OCIE observed advisors and broker-dealers were not providing initial privacy notices, annual privacy notices and opt-out notices to their customers. When these notices were provided, many did not accurately reflect firms’ policies and procedures and/or notify customers of their right to opt out of having their nonpublic personal information shared with nonaffiliated third parties.

Read more on The National Law Review.

Apr 162019

John Hultquist, Ben Read, Oleg Bondarenko, and Chi-en Shen of FireEye explain:

In early 2019, FireEye Threat Intelligence identified a spear phishing email targeting government entities in Ukraine. The spear phishing email included a malicious LNK file with PowerShell script to download the second-stage payload from the command and control (C&C) server. The email was received by military departments in Ukraine and included lure content related to the sale of demining machines.

This latest activity is a continuation of spear phishing that targeted the Ukrainian Government as early as 2014. The email is linked to activity that previously targeted the Ukrainian Government with RATVERMIN. Infrastructure analysis indicates the actors behind the intrusion activity may be associated with the so-called Luhansk People’s Republic (LPR).

Read more on FireEye.

Apr 162019

The new issue of Harvard Business Review has an article by Chirantan Chatterjee and D. Daniel Sokol. It begins:

When Marriott International acquired Starwood in 2016 for $13.6 billion, neither company was aware of a cyber-attack on Starwood’s reservation system that dated back to 2014. The breach, which exposed the sensitive personal data of nearly 500 million Starwood customers, is a perfect example of what we call a “data lemon” — a concept drawn from economist George Akerlof’s work on information asymmetries and the “lemons” problem.  Akerlof’s insight was that a buyer does not know the quality of a product being offered by a seller, so the buyer risks purchasing  a lemon — think of cars.

Read more on HBR.