The number of major health data breaches and the number of individuals posted to the HHS “Wall of Shame” so far in 2022 has surged in recent weeks as reports of large hacking incidents continue to flow into regulators. As of last week, the HIPAA Breach Reporting Tool website shows that 117 breaches affecting about 5.32 million people have been posted in 2022. That’s an increase of nearly 83% in the number of breaches posted on the HHS...

Healthcare entities should implement a more “proactive preparedness” approach for protecting their electronic health record/electronic medical record systems. Federal regulators warn that these are an increasingly attractive target for cyberattacks and other breaches. The DHHS Health Sector Cybersecurity Coordination Center, in a threat brief issued Thursday, reinforced that EHRs/EMRs are profitable to cybercriminals. Largely due to...

Alert Comes as Health Entities Globally Continue Battling Cyberattacks, Fallout The U.S. Department of Health and Human Services has posted a warning to the healthcare sector about increasing threats involving Pysa ransomware and the cybercriminal gang Mespinoza — also known as Gold Burlap and Cyborg Spider — which operates the malware variant. In an alert, the DHHS Health Sector Cybersecurity Coordination Center, or HC3, warns that since 2018,...

There are several trends emerging in the cyber insurance industry that are worrying for mid-size and local entities. These trends are largely a response to the havoc ransomware has caused across industries in the last 18 months. The emerging trends can be summed up as: Prices are increasing, in many cases in the range of 2x-4x Renewal and acceptance rates for policies are going down, in many cases, by 40%-60% compared to previous years Entities...

A recent breach affecting 37,636 individuals has been attributed to a terminated company executive. The information in the file included name, age, sex, race, county and state of residence, and zip code, as well as Medicare beneficiary information, such as Medicare eligibility period, spend information, and hierarchical condition category risk score. This breach highlights some of the top security and privacy challenges covered entities and...

Law enforcement and intelligence agencies in the U.S, the U.K. and Australia have issued a joint advisory on unidentified Iran government-backed advanced persistent threat (APT) actors exploiting Fortinet and Microsoft Exchange ProxyShell vulnerabilities to attack organizations in their respective countries. Attributing the attacks to a specific APT group is inherently challenging, but a senior cyber threat intelligence analyst has pointed out...

The FBI has issued a warning about Hive ransomware after the crime group took down IT systems at Memorial Health System in Ohio The alert details indicators of compromise and tactics, techniques and procedures—or TTPs—associated with ransomware attacks by the apparent ransomware-as-a-service operation. The full release can be found here:  https://www.ic3.gov/Media/News/2021/210825.pdf In addition to the details of the attack, the FBI has issued...

ENE Systems hack said to affect 3 Boston Hospitals   A hacking incident that reportedly targeted a Massachusetts-based ENE Systems that provides HVAC systems to several Boston-area hospitals and others shines a spotlight on the growing cybersecurity risks involving IoT devices and OT equipment.   Call to Action Perhaps the most high-profile incident involving an HVAC hack was the 2013 Target breach. It resulted in 41 million...

Ransomware Attacks, Vendor Incidents Continue to Dominate So far in 2021, some 383 health data breaches affecting more than 27 million individuals have been added to the HHS wall of shame. That includes 131 breaches affecting nearly 10 million since the end of May. Of the 2021 breaches, the vast majority — 283 breaches affecting 26.1 million individuals — were reported as involving hacking/IT incidents. Largest Breaches of 2021 Florida Healthy...

Complaint Alleged Multiple Security ‘Failures’ Leading to 2020 Cyberattack A federal court has approved a proposed settlement in a class-action lawsuit filed in February against Nebraska Medicine. This is in the wake of a 2020 malware attack and exfiltration of sensitive personal data and medical records of tens of thousands of individuals. The costs of the proposed settlement could exceed $37 million in patient reimbursements.  Out...