Deidre Frith

HEALTHCARE PROVIDER hacked after employee downloaded a malicious file

If you needed a good object lesson to continue promoting regular security awareness training within your organization, here it is:

Ascension hacked after employee downloaded a malicious file.

The employee thought it was something legitimate, downloaded it, and opened it. This gave the attackers access to a portion of Ascension's network and subsequently to a few of their servers, prompting Ascension to enact its incident response plans and take some systems offline on May 8th, 2024 to contain the "cybersecurity event" (their words).

QUICK DETECTION IS KEY

To their credit, Ascension appears to have quickly identified the issue, indicating an effective managed security service capable of detecting unusual behavior. This aspect forms a crucial part of a comprehensive approach to mitigating cybersecurity threats for the organization. Initial findings suggest that the intruders accessed files from a limited set of file servers. An Ascension representative's statement mentioned ongoing investigations revealing that some of the compromised files likely include Protected Health Information (PHI) and Personally Identifiable Information (PII) belonging to specific individuals, with variations in the data types exposed. 

This illustrates how different cybersecurity layers work together to limit the impact of an attack. Ascension evidently invests in security awareness training for its employees, a fundamental practice for reducing cyber threats. Even so, human error remains possible, which is why additional proactive measures are needed to strengthen defenses further.

Other notable points:

  • Systems were in place to detect and investigate unusual activity. Attackers today often use built-in system tools to stay unnoticed for a while; many current EDR and MDR systems can spot anomalous user behavior to some extent.

  • Logging can show whether information was viewed and taken from their systems. It helps you understand the scope of an incident, a capability many small businesses lack.

  • They have an incident response plan that tells them what to do. A simple plan is better than having to figure it out in the moment: it helps to know what to do, who to call, and what to avoid.

  • They did a fairly good job with the message they conveyed to customers. Internally, though, there appears to have been some confusion and disarray.

Their systems were mostly down for about two weeks, probably because of the investigation and the need to make sure the attackers were gone. A good Business Continuity Plan includes instructions for fallback procedures when computer systems are down, so you can keep running your business with some limitations, depending on what you need.

Ascension statement: https://about.ascension.org/en/cybersecurity-event

Deidre Frith

DELL Data Breach, May 2024

Dell began warning customers via email on May 8th of a data breach that may have exposed the purchase related information of approximately 49 million customers.

The breached data includes customer names, physical addresses, and order-related information such as service tags, order dates, item descriptions and warranty information. However, Dell has stated that no email addresses, phone numbers or financial information were involved in this breach.

OWN A DELL? What this means for you…

If you have purchased a Dell, then you can expect to see a lot of phishing and social engineering attempts revolving around this information. Even though this particular data theft didn't include your email address and phone number, it's very simple for bad actors to associate those pieces of information (from prior breaches) with what was stolen from Dell this time. Keep in mind that with 49 million possible targets, the bad actors will just blast out the phishing emails and hope that recipients were impacted by this breach, a not unrealistic expectation.

Be on the lookout for scams!

The scams could be similar to any of the following scenarios:

  • Dell warranty renewal emails and/or calls. We get these all the time legitimately. What we don't know is how many more we will receive that are scams.
    BEST ADVICE: Know what legitimate emails/calls look like AND, if it's over the phone, call Dell back on a previously known phone number. Do not ask the caller for the number, as they could provide a fake number.

  • Urgent notices! These could be about security vulnerabilities and requests to call some number or click a link to fix the issue. Still a scam, don’t click the link!

  • Unironically, notices of this data breach. These will include a link "for more information" that leads to problems. Still a scam, don't click the link!

  • Class action lawsuit notices. These may include calls to action like calling or emailing the "attorney". Once again, don't do either of those things. It's probably a scam.

DOUBLE-CHECK WITH REALTIME

If you're a RealTime customer, you can always give us a call if you have any questionable emails, texts, or even phone calls related to this matter. Additionally, if you're a RealTime customer, you probably bought your Dell equipment through us, and we manage it on your behalf. We should be handling items related to this already; this is another reason it should raise a red flag if Dell contacts you directly.

THE BEST PROTECTION

The best protection from these sorts of scams is to confirm legitimacy through previously known contact methods: call a number you already have for Dell instead of giving any credibility to someone over the phone, don't click on links in emails, and, if you're a RealTime client, call RealTime.

https://www.securityweek.com/dell-says-customer-names-addresses-stolen-in-database-breach/

Todd Swartzman

SHOULD YOU PAY IF YOU’RE HIT WITH RANSOMWARE?

Image courtesy of my old Monopoly Board game.

CHANGE HEALTHCARE LEARNS THE HARD WAY

Paying a ransomware ransom is not a Get Out of Jail Free card, as Change Healthcare is slowly learning! The ransomware that has impacted the customers of the United Health Care subsidiary, Change Healthcare, has lasting impacts beyond just not being able to confirm insurance coverage or delayed filing/reimbursements, which are already pushing many medical practices to their financial limits.

Stories abound like this one: an Ohio urgent care may not be able to pay rent, and its doctors are slashing expenses to try and stay afloat. Read more about this story in the NY Times: https://www.nytimes.com/2024/03/05/health/cyberattack-healthcare-cash.html

CRIMINALS LIE?? NO WAY!

Let's just talk about how much the criminals are actually making off these ransoms. It looks like the criminals who got paid the $22 million in Bitcoin took the money and ran! They closed up shop and even stiffed their partners in crime, who have come out and stated that they didn't get paid. The worst part is that the criminals still have all the data from this event!

The story above reinforces that paying the ransom doesn't guarantee the criminals will delete the copies of your data that they stole, despite their promises. LockBit, a ransomware gang that was taken down by law enforcement agencies last month, admitted to lying to its victims in its extortion notes. They were essentially guaranteeing that they would release their data, but never did. Obviously we are learning that criminals lie on all avenues. Shocker!

"If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future." (Extortion notes by LockBit to victims.)

Britain's National Crime Agency also reinforced that you shouldn't trust ransomware gangs to do what they say in their extortion notes. The NCA has a lot of evidence that paying a ransom does not guarantee that data will be deleted, despite what the criminals have promised. The NCA led the takedown of the LockBit ransomware gang and has since discovered data still in LockBit's systems from victims who had already paid the threat actors.

REPORT THE CRIMES TO THE FBI TO SAVE US ALL!

LockBit's demise (for now) also showed that the vast majority of cybercrime goes unreported. Most of the identified victims did not report these crimes to the relevant federal agencies. The Federal Bureau of Investigation's (FBI) website has a place where victims can report crimes. Reporting helps the FBI better understand what the criminals are up to and correlate this data to learn how they operate. That way the FBI can keep all of us updated on how to spot the crimes and how to respond. If you have had an incident related to cybercrime, please report it! FBI website: IC3.gov

Todd Swartzman

United Health, Optum, Change Healthcare cyber attack and what it means to you

As of this afternoon, March 1, 2024 3pm EST, Change Healthcare announced that their ePrescribing service was operational and at 3:45pm EST they made this update:

For clarity, Change Healthcare's Clinical Exchange ePrescribing providers' tools are still not operational.

Image Credits: Patrick T. Fallon / AFP / Getty Images

We have completed standing up a new instance of Change Healthcare's Rx ePrescribing service. Working with technology and business partners, we have successfully completed testing with vendors and multiple retail pharmacy partners for the impacted transaction types. As a result, we have enabled this service for all customers effective 1 p.m. CT, Friday, March 1, 2024. If you encounter issues following the activation of this script routing service, contact our support team through your normal channels or submit an online ticket via our support portal.

If you are a medical practice, lab, pharmacy, or related business that is impacted by this event, you may have some possible opportunities and possible complications to consider:

  • UnitedHealth Group Chief Operating Officer Dirk McMahon has said the company was in the process of setting up a loan program for providers who are unable to submit insurance claims while systems are offline. You should probably keep an eye on this possibility.

  • If you are impacted by this incident, for example you’ve been unable to submit claims and/or post payments, reach out to your practice’s insurance broker. You may have immediate cause to file a claim for contingent/dependent business interruption or something similar. These provisions most often provide up to $100k in many cyber policies. (Yet one more reason why you need cyber-liability insurance coverage.) Your E&O policy may come into play also in these situations. Remember your broker is the expert.

  • The threat actors suspected in this event, ALPHV/BlackCat, are known to exfiltrate data as part of their attacks (I did a deep dive on this group a year ago; they are not amateurs). We may not know for quite a while, however, whether this is the case here.

  • Subscribe to updates on Change Healthcare's website dedicated to this event (linked below) so you can stay informed as they release information.

  • Pay special attention to any email communications that appear to be coming from UnitedHealth Group/Optum/Change Healthcare. Big events like this that make the news are popular bait for phishing emails. Be aware of this possibility, especially if there is an "urgent" ask in the message, and warn your employees. I can already envision phishing emails going out to medical practices such as: "United Health free loan program ends tonight, click this link to apply before it's too late!"

  • Should this event become a data breach (this has not been determined yet), your practice and your impacted patients will be informed as part of that process, but it may be a while before anyone knows. Use this time now to think about how you'll answer inquiries from patients, and talk to your own legal counsel for advice on managing expectations. Keep in mind, though, that as of right now we just don't know whether it is a data breach, since Change Healthcare hasn't said anything yet.

  • If you do medical billing in house or via a third-party medical billing service, there may be workarounds with some insurance companies to key claims directly into their portals or possibly submit paper claims. RealTime-Medical is doing these things where possible for our own clients, but it is a lot of extra work, so plan accordingly.

Talk to your cybersecurity and IT teams to make sure they are aware of the issue, and be sure you understand your own potential risks related to this event.

To be safe, and it's a step we always recommend when cyber incidents occur, assume that the credentials you use to access UHG/Change Healthcare/Optum are potentially at risk and change them to unique, difficult-to-guess, long passwords. If your mobile phone number was associated with your logon information and it is used for MFA, see if you can switch to app-based MFA (I don't know if UHG supports that). Be careful about anything texted to your mobile number too.

Finally, if your business is financially impacted to the point that you may not be able to pay invoices, it's probably better to talk to those vendors sooner rather than later. Most everyone should be aware of this incident by now, and they will hopefully understand that it'll be sorted out soon (maybe that is just my endless optimism talking). Again, your insurance policy may come into play with business interruption coverage, so please talk to your insurance broker; they'll know the best way to proceed.

Link to the SEC FORM 8-K related to this incident: https://www.sec.gov/Archives/edgar/data/731766/000073176624000045/unh-20240221.htm

Change Healthcare's latest updates related to this incident: https://status.changehealthcare.com/incidents/hqpjz25fn3n7 (we suggest you subscribe to updates if you are impacted).

Deidre Frith

Shopper data stolen from major brands in December 2023.

CUSTOMERS OF VANS, THE NORTH FACE, AND OTHER BRANDS: PERSONAL DATA POTENTIALLY STOLEN.

VF Corporation, parent company of popular brands including Vans, The North Face, Timberland, Dickies, JanSport and more, reported that its IT systems were impacted on December 15, 2023 and that some personal data was stolen.

They reported that their computer systems were affected and that personal information was stolen, but they haven't provided any specific details. This matters because cybercriminals commonly use data stolen in breaches like this to launch scams, so please be cautious, particularly if you have a loyalty account or have ordered directly through their websites (such as Vans, The North Face, Altra, Dickies, etc.). Visit their corporate website for a full list of their brands: www.vfc.com.

Assume that anything you shared with these brands could be in the hands of the thieves.

If you stored a credit card with them, monitor your account closely for any suspicious activity and report it promptly. If you reuse the same password on any of your other online accounts, especially email or social media, update those passwords. According to their SEC 8-K report, the attackers disrupted VF Corporation's operations by encrypting some computer systems and stealing data, including personal information. The company is working to restore the affected systems and find alternative solutions to minimize disruption for customers. VF-operated retail stores are open, but there may be some operational issues. While consumers can still place orders on most brand websites, fulfillment of those orders is currently impacted.

SEC 8-K report here: https://www.sec.gov/ix?doc=/Archives/edgar/data/103379/000095012323011228/d659095d8k.htm
