HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Netwalker Ransomware Affiliate Sentenced to 20 Years in Jail
Oct06

Netwalker Ransomware Affiliate Sentenced to 20 Years in Jail

An affiliate of the infamous Netwalker ransomware gang has been sentenced to serve 20 years in jail for his role in ransomware attacks on entities in the United States. Netwalker is a ransomware-as-a-service (RaaS) operation where affiliates are recruited to conduct attacks and deploy ransomware in exchange for a cut of the ransom payments they generate, typically receiving up to 75% of any ransoms paid. After gaining access to a victim’s network, sensitive data would be identified and exfiltrated and used as leverage to pressure victims into paying. Threats were then issued to publish or sell the data if the ransom is not paid. Ransom demands ranged from hundreds of thousands to millions of dollars. While some RaaS operations ban their affiliates from conducting attacks on healthcare organizations, that was not the case with Netwalker, which actively targeted healthcare organizations around the world. The gang also stepped up attacks on the sector during the COVID-19 pandemic.  Victims included the Champaign-Urbana Public Health District and the University of California San...

Read More
Mon Health Faces Class Action Lawsuit Over 493K Record Data Breach
Oct06

Mon Health Faces Class Action Lawsuit Over 493K Record Data Breach

Mon Health is facing a class action lawsuit over a hacking incident that allowed unauthorized individuals to gain access to its network for an 11-day period in December 2021. Mon Health said it detected the breach on December 30, 2021, with the forensic investigation determining hackers accessed its network between December 9 and December 19. Mon Health announced the security breach on February 28, 2022, and confirmed that the hackers had access to the personal and protected health information of 492,861 individuals, including information about patients, employees, providers, and contractors. The information potentially accessed and stolen included names, addresses, birth dates, Social Security numbers, Medicare claim numbers, patient account numbers, health insurance information, medical record numbers, dates of service, provider names, claims information, and medical and clinical treatment information. The lawsuit, which names Monongalia Health Systems Inc. and affiliated hospitals, Monongalia County General Hospital Co., Stonewall Jackson Memorial Hospital Co., and Preston...

Read More
LifeBridge Health Agrees to $9.5 Million Settlement to Resolve 2016 Data Breach Claims
Oct06

LifeBridge Health Agrees to $9.5 Million Settlement to Resolve 2016 Data Breach Claims

LifeBridge Health Inc. has agreed to settle a class action lawsuit to resolve claims from patients affected by a data breach that was discovered in 2018. The total value of the settlement is $9.475 million, which includes an $800,000 fund to cover claims from class members. In March 2018, LifeBridge Health discovered a malware infection that provided unauthorized individuals with access to a server that hosted its electronic medical records, patient registration, and billing systems. The breach investigation determined the initial intrusion occurred 18 months previously in September 2016. The breach was disclosed by LifeBridge Health in May 2018, with the healthcare provider confirming the information of 582,174 patients had potentially been compromised, with the exposed information including names, dates of birth, addresses, diagnoses, medications prescribed, clinical and treatment information, insurance details, and a limited number of Social Security numbers. A lawsuit – Johnson, et al. v. LifeBridge Health, Inc. – was filed in the Circuit Court for Baltimore City,...

Read More
CommonSpirit Health Experiencing Widespread Outage Due to Cyberattack
Oct05

CommonSpirit Health Experiencing Widespread Outage Due to Cyberattack

CommonSpirit Health is experiencing a data security incident that has affected many of its healthcare facilities. According to a statement issued by the health system on October 4, 2022, IT systems have been taken offline as a precautionary step while the incident is investigated, and the exact nature and scope of the incident is determined. A brief update was issued on Wednesday, October 5, 2022, confirming the IT security incident was still impacting some of its facilities and that staff members were operating under its tried and tested emergency protocols and are using pen and paper to record patient information while IT systems are offline. The incident was detected on October 3, 2022, but little information has been released at this stage about the exact nature of the incident.  CommonSpirit Health said it is doing everything possible to minimize the impact on its patients. Without access to certain IT systems, the decision has been taken to reschedule some appointments while the security incident is mitigated. Some patients have reported that it has not been possible to make...

Read More
Advisory Issued About BD Totalys MultiProcessor Vulnerability
Oct05

Advisory Issued About BD Totalys MultiProcessor Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a medical advisory about a recently discovered vulnerability that affects the BD Totalys MultiProcessor, which is used by hospitals and labs for processing clinical tissue specimens. The vulnerability is due to the use of hard-coded credentials, which could allow an attacker with access to a vulnerable Totalys MultiProcessor to access, modify, or delete sensitive data, including personally identifiable and protected health information. The vulnerability cannot be exploited remotely. In order to exploit the flaw, a malicious actor would need physical access to the BD Totalys MultiProcessor or network access to the system. Any additional security controls would also need to be bypassed. The vulnerability, tracked as CVE-2022-40263, affects all BD Totalys MultiProcessor versions including and prior to v1.70, and has been assigned a CVSS severity score of 6.6 out of 10 (medium severity). The vulnerability was discovered by BD and was reported to CISA under its responsible disclosure policy. BD says the vulnerability...

Read More