Patient Privacy Report 22, no. 8 (August 2022)
◆ The Department of Justice (DOJ) seized approximately $500,000 in Bitcoin ransom paid by two healthcare organizations in Kansas and Colorado to North Korean ransomware actors and their conspirators.[1] The seizure of the two ransoms resulted from “prompt reporting and cooperation from a victim” and from the disruption of the activities of a North Korean state-sponsored group known as “Maui,” Deputy Attorney General Lisa Monaco told attendees at the International Cybersecurity Conference on July 19. The victim’s report also allowed investigators to identify a previously unknown strain of ransomware, Monaco said. According to court documents, hackers used Maui in May 2021 to encrypt files and servers at a Kansas medical center. After more than a week of being unable to access the encrypted servers, the Kansas hospital paid around $100,000 in Bitcoin to regain use of its computers and equipment. Because the medical center notified the FBI and cooperated with law enforcement, the FBI was able to identify the ransomware and trace the cryptocurrency to China-based money launderers, the DOJ said. Then, in April 2022, the FBI observed a Bitcoin payment of approximately $120,000 moving to one of the identified cryptocurrency accounts. The investigation confirmed that a Colorado medical provider had just paid a ransom after being hacked by actors using the same strain of Maui ransomware. In May, the FBI seized the contents of two cryptocurrency accounts that had received funds from the Kansas and Colorado healthcare providers and began proceedings to return the funds to the victims.
◆ A sweeping bipartisan federal privacy bill that has already been approved by a key House subcommittee is facing headwinds in the form of massive corporate lobbying aimed at derailing it.[2] The US Privacy and Data Protection Act, which would restrict the types of data companies can collect from online users and how they can use that data, is the result of years of negotiations between Democratic and Republican lawmakers. Its provisions would affect businesses in all consumer-centric industries that compile massive amounts of user data and rely on targeted advertising to attract customers. This would have a significant impact on entities that currently collect, process, and transmit health information but are not subject to HIPAA. The proposed legislation would preempt most state privacy laws, as Republicans have demanded, in exchange for giving consumers the right to sue violators, as Democrats have demanded.[3] However, several key senators have expressed concerns about the bill’s provisions. Some California-based representatives said they would not support the bill if it overrode California’s extensive privacy protections. Additionally, the proposal has become one of the most heavily lobbied bills in Congress, attracting the attention of more than 180 corporate clients, including Amazon, Walt Disney Corporation and Target, according to data from the research group OpenSecrets.
◆ A Colorado woman pleaded guilty to five counts of stealing medical records and was sentenced to 30 days in jail plus a $5,000 fine – the maximum under the plea deal – after being charged with stealing a doctor’s password and using it to access records hundreds of times.[4] Nicole Grant was initially charged with 65 felonies and one misdemeanor for viewing medical records. According to a news report, Grant used the medical records to locate a victim and then send her inflammatory messages, resulting in a felony stalking charge, which was dropped as part of the plea deal. A total of 16 patients had their medical records illegally accessed by Grant, who will appear in court on September 20 for a restitution hearing.
◆ The number of healthcare breaches affecting 500 or more individuals reported to the HHS Office for Civil Rights (OCR) in the first half of 2022 decreased approximately 9% from 2021, according to Fortified Health Security’s 2022 Mid-Year Healthcare Cybersecurity Report.[5] A total of 337 breaches were reported to OCR in the first half of 2022, compared to 368 breaches in the same period of 2021, according to the report. Health care providers accounted for the highest share of breaches, at 72%, as in the last report. Business associates accounted for 16% of breaches, up from a year earlier, and health plans accounted for 12%, down from last year, according to the report. Malicious attacks ranked as the top cause of breaches for a sixth consecutive year, with the percentage of incidents classified as hacking/IT incidents rising from 73% to 80% so far in 2022, according to the report. Unauthorized access/disclosure accounted for 15% of incidents, with 5% attributed to loss, theft and improper disposal of documents or technology.
◆ Microsoft warns of a large-scale phishing campaign that targets Office 365 credentials and attempts to bypass multi-factor authentication.[6] Based on the tech giant’s threat data, the so-called “adversary in the middle” (AiTM) tactic has been used to attempt to phish more than 10,000 organizations since September 2021. In AiTM phishing, attackers deploy a proxy server that impersonates the website the target user intends to visit. Such a setup allows the attacker to steal both the target’s password and the session cookie that proves the user has authenticated with the website. The attacker can then use the password and the session cookie to access the site as that user, without needing to repeat the MFA step. “Using Microsoft 365 Defender threat data, we detected multiple iterations of an AiTM phishing campaign that attempted to target more than 10,000 organizations since September 2021,” Microsoft said. “These executions appear to be interrelated and target Office 365 users by spoofing the Office online authentication page.” In one of the phishing attacks observed by the Microsoft security team, the attacker sent emails with an HTML file attachment to multiple recipients in different organizations. The email informed the recipients that they had a voicemail message. When a recipient opened the attached HTML file, it loaded in the user’s browser and displayed a page informing the user that the voicemail message was being downloaded. However, the download progress bar was fake and no file was being downloaded. The page then redirected the user to an impersonation site that asked them to log in. Microsoft noted that organizations can guard against this kind of phishing by enabling conditional access policies, investing in advanced anti-phishing solutions, and continuously monitoring for suspicious or anomalous sign-in activity.
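The item above describes the monitoring side only in general terms. The following added example (this newsletter’s and Microsoft’s own tooling are not shown here) illustrates one anomaly that a stolen session cookie produces: a session that completed an interactive MFA sign-in from one address is then used from a different address. The record layout, the sample events and the function name are constructed assumptions for the example.

```python
from datetime import datetime

# Constructed sample sign-in telemetry (not real data): one record per use of a
# session cookie. In an AiTM attack the victim completes MFA through the
# attacker's proxy, and the captured cookie is then replayed from the
# attacker's own address, so the same session shows up from a second IP.
SAMPLE_EVENTS = [
    {"ts": "2022-07-12T09:00:00", "user": "alice@example.test", "session": "S1",
     "ip": "203.0.113.10", "event": "interactive_signin", "mfa": True},
    {"ts": "2022-07-12T09:01:30", "user": "alice@example.test", "session": "S1",
     "ip": "203.0.113.10", "event": "session_use"},
    {"ts": "2022-07-12T09:04:00", "user": "alice@example.test", "session": "S1",
     "ip": "198.51.100.77", "event": "session_use"},   # cookie replayed elsewhere
    {"ts": "2022-07-12T09:05:00", "user": "alice@example.test", "session": "S1",
     "ip": "198.51.100.77", "event": "session_use"},   # same replay, reported once
    {"ts": "2022-07-12T10:00:00", "user": "bob@example.test", "session": "S2",
     "ip": "203.0.113.20", "event": "interactive_signin", "mfa": True},
    {"ts": "2022-07-12T10:30:00", "user": "bob@example.test", "session": "S2",
     "ip": "203.0.113.20", "event": "session_use"},
]


def find_replayed_sessions(events):
    """Flag sessions whose cookie is used from an IP other than the one that
    completed the interactive (MFA) sign-in. Returns one tuple per
    (session, foreign IP): (user, session, signin_ip, foreign_ip, minutes_after).
    The record layout and this function are this example's own, not a product API."""
    origin = {}   # session id -> (user, sign-in ip, sign-in time)
    seen = set()
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        sid = ev["session"]
        if ev["event"] == "interactive_signin":
            origin[sid] = (ev["user"], ev["ip"], t)
            continue
        if sid not in origin:
            continue   # cookie with no observed sign-in: out of scope here
        user, ip0, t0 = origin[sid]
        if ev["ip"] != ip0 and (sid, ev["ip"]) not in seen:
            seen.add((sid, ev["ip"]))
            hits.append((user, sid, ip0, ev["ip"], (t - t0).total_seconds() / 60))
    return hits


if __name__ == "__main__":
    for user, sid, ip0, ip1, mins in find_replayed_sessions(SAMPLE_EVENTS):
        print(f"{user}: session {sid} signed in from {ip0}, reused from {ip1} "
              f"{mins:.0f} min later")
```

Client addresses change legitimately (mobile roaming, VPNs), so in practice this signal is combined with ASN, geolocation and device identity rather than used on its own.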
◆ Facebook parent company Meta is facing a second class-action lawsuit over disclosures that a tracking tool installed on hospital websites allegedly collects protected health information about patients, including details about their medical conditions, prescriptions and doctor’s appointments, and sends it to Facebook.[7] The first class-action lawsuit was filed June 17 in the U.S. District Court for the Northern District of California and argued that Facebook knew, or should have known, that its Meta Pixel tracking tool was being misused on hospital websites. The latest lawsuit names Meta, the University of California San Francisco (UCSF) Medical Center and the Dignity Health Medical Foundation as defendants.[8] The class-action lawsuit, filed by “Jane Doe” in the same U.S. District Court, alleges that Doe began receiving emails and seeing targeted ads on Facebook related to her medical conditions after she made appointments and contacted physicians using the UCSF and Dignity patient portals. Meta Pixel is a snippet of JavaScript code that tracks the activity of individuals on a website and sends it to Facebook. According to the new class-action lawsuit, “when Plaintiff Doe logged into the Health Defendants’ Patient Portal, there was no indication that Meta Pixel was embedded or that it would collect her sensitive medical information.” The lawsuit also argues that Meta violates its own policies on sensitive health information.
1 United States Department of Justice, “Justice Department Seizes and Forfeits Approximately $500,000 from North Korean Ransomware Actors and Their Conspirators,” press release, July 19, 2022, https://bit.ly/3vFhB5Q.
2 Karl Evers-Hillstrom and Rebecca Klar, “Corporate Lobbying Could Jeopardize Data Privacy Bill,” The Hill, August 3, 2022, https://bit.ly/3JxsIUh.
3 Cristiano Lima, “The House panel advances a major privacy bill, making a long-awaited big deal,” Washington Post, July 20, 2022, https://wapo.st/3zw4O72.
4 Michael Logerwell, “Mesa County Women Violated HIPAA Protections, Charged with 5 Felonies”, KREX, July 18, 2022, https://bit.ly/3zzRqyU.
5 Dan Dodson, “2022 Mid-Year Horizon Report: The State of Cybersecurity in Healthcare,” Fortified Health Security, July 2022, https://bit.ly/3d0IACx.
6 Microsoft 365 Defender Research Team, “From cookie theft to BEC: Attackers are using AiTM phishing sites as an entry point to pursue financial fraud,” Microsoft Threat Intelligence Center, July 12, 2022, https://bit.ly/3PZk7fJ.
7 Jane Anderson, “In wake of meta-pixel claims, CEs and BAs may be at risk under HIPAA, experts say,” Patient Privacy Report 22, no. 7, July 7, 2022, https://bit.ly/3vFOZti.
8 Sophie Putka, “Meta, hospitals sued for sharing private medical information”, MedPage Today, August 3, 2022, https://bit.ly/3oWuiWe.