Feb 192019
 

John Leyden reports:

Calls recorded by a Swedish national health service hotline were stored on an unencrypted system that was publicly accessible to anyone with an internet connection, it has emerged.

An estimated 2.7 million phone calls were discovered to have been left open by an unprotected NAS (network attached storage) system, and were accessible without a password or any authentication, according to local reports.

Wav on MP3 files were reportedly stored but are no longer available.

An estimated 170,000 hours of calls dating back to 2013 were exposed, tech title ComputerSweden reports.

Read more on The Daily Swig.

Feb 172019
 

emptywheel writes:

JP Stadtmueller, the judge who will preside over MalwareTech (Marcus Hutchins’) case, last week denied his pretrial motions to get his post-arrest interview and all the charges of his indictment thrown out.

So right, that’s not great news for Marcus, or even good news. But to get a better understanding of how the case is shaping up, read emptywheel’s analysis and commentary on her blog.

Feb 152019
 

Yet another healthcare provider has revealed that they were hacked by thedarkoverlord (TDO).  Dr. Robert Spies, a plastic surgeon in Scottsdale, Arizona, has notified HHS and his patients of the hackers’ attempt to extort the practice.

Although he does not name the hackers responsible in a notice on his web site, Dr. Spies explains:

On December 10, 2018, we became aware cyber criminals gained unauthorized access to our computer network. We immediately contacted the FBI and local law enforcement authorities and have been cooperating with their investigations. We also engaged computer experts to determine if our systems and information were at risk. The investigation determined that the criminals could have viewed or accessed documents that contained patients’ personal and medical information, including names, addresses, dates of birth, procedure notes, diagnoses, medications and health insurance numbers. For a small handful of patients, the criminals could have viewed Social Security, driver’s license and/or passport numbers, if provided for verification purposes, a credit card number or financial account number, or pre-op photos. At this time, there is no evidence that patient information has been misused.

His report is entirely consistent with other information DataBreaches.net had obtained about this incident. In December,  thedarkoverlord had posted a notice on KickAss that said:

We’ve hacked a high-end plastic surgery business located in Arizona, United States. This surgery center is owned by Doctor Robert J. Spies and operates on celebrity patients. His website is (www.azplasticsurgerycenter.com). We’ll share some of his data with yoou, since he’s refused our most handsome business proposition.

Link: (link redacted by DataBreaches.net, even though it is no longer live).

If you’d like to let him know how foolish he’s been, you can SMS his mobile at (redacted by DataBreaches.net) or his e-mail at (redacted by DataBreaches.net).

The sample data was a 531.8 MB archive with folders containing “Dictations”  (75 files), “Photos” (more than 160 photos),  and “Patient ID Verification” (4 files).  The Dictations folder and Photos folder contained more than one file or image for some patients, so these were not all unique patients in each folder.

Many of the photos in the archive released by the hackers would permit identification of patients because in some cases, you can see the patients’ faces, and in other cases, the filenames for the photos may contain the patient’s first initial and last name.

DataBreaches.net is not reproducing any of the data from the archive the hackers provided.

Inspection of the meta data suggests that the newest dictation files were created December 5, 2018 and related to services or consultations conducted on November 28, 2018.

As with their hack of the London Bridge Plastic Surgery Center,  TDO may have hoped that people — especially celebrities — would pay good money not to have their before, during, or after pictures of plastic surgery released publicly.  Whether TDO is privately trying to extort patients directly is unknown to this site, but Dr. Spies seems to have refused to pay them, and has reported the incident to law enforcement, HHS, and his patients.  According to his notification to HHS,  he has notified 5,524 patients.

 

 

Feb 152019
 

So let’s be honest:  how often do you monitor your third-party vendors or business associates to ensure that the devices they may connect to your network are free from malware?

Julie Anderson reports:

CHI Health has caught a virus, but it’s not the kind the health system is used to battling.

Dr. Cliff Robertson, CHI Health’s chief executive, said that this week, a device brought in by a third-party vendor introduced a virus, also known as malware, into the health system’s network.

The virus affected some hospitals and clinics within the health care system Tuesday and Wednesday, he said. But he stressed that it did not result in an external breach or hack of patient information or disrupt patient care.

Read more on The Grand Island Independent.

Feb 152019
 

Ugh.DutchNews.nl reports:

Students working for extra cash at Amsterdam’s OLVG hospital group have for years been given complete access to the medical records system, allowing them to read personal information about friends, family and famous people, the Volkskrant said on Friday.

The leak was made public by a philosophy student who made telephone appointments for the hospital. Fellow students recommended digging up ‘juicy details’ in the files while doing boring jobs, she told the paper.

Read more at DutchNews.nl.