Healthcare Cybersecurity Risks in 2022
The healthcare industry continues to face a considerable range of threats, with ransomware attacks and data breaches still highly prevalent. Throughout 2021, healthcare data breaches were being reported at a rate of almost 2 per day, and while there was a reduction in the number of ransomware attacks compared to 2020, ransomware remains a major threat with several ransomware gangs actively targeting the healthcare sector. In its Q4, 2021 Healthcare Cybersecurity Bulletin, released on Friday, the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) warned of some of the ongoing cyberattack trends that are expected to continue in Q1, 2022. Ransomware Law enforcement agencies in the United States and Europe have increased their efforts to bring the operators of ransomware operations and their affiliates to justice, with those efforts resulting in the arrests of key members of several ransomware groups. This year, in a rare act of cooperation between the United States and Russia, 14 suspected members of the notorious REvil ransomware gang...
Memorial Health System Confirms 216K Patients Affected by August 2021 Ransomware Attack
Ohio-based Memorial Health System has recently confirmed the ransomware attack it experienced in August 2021 potentially involved the protected health information of 216,478 patients. The ransomware attack forced the health system to divert certain patients to other facilities and cancel some appointments to ensure patient safety. The attack was announced shortly after the breach, which occurred on August 14, 2021. The investigation revealed its network was first breached on July 10, 2021. The HIPAA incident was reported to the HHS’ Office for Civil Rights promptly, although at the time it was not known how many individuals had been affected. Memorial Health System discovered patient data may have been involved on or around September 17, 2021, then followed a comprehensive review of all affected files. On November 1, 2021, the scope of the incident was determined but it took until December 9, 2021, to confirm the individuals affected and the specific types of data involved, hence the delay in issuing notifications. Written notices were sent to affected individuals on or around...
CISA Urges All U.S. Orgs to Take Immediate Action to Protect Against Wiper Malware Attacks
The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to all organizations in the United States to take immediate steps to prepare for attempted cyberattacks involving a new wiper malware that has been used in targeted attacks on government agencies, non-profits, and information technology organizations in Ukraine. The malware – dubbed Whispergate – masquerades as ransomware and generates a ransom note when executed; however, the malware lacks the capabilities to allow files to be recovered. Whispergate consists of a Master Boot Record (MBR) wiper, a file corruption, and a Discord-based downloader. The MBR is the section of the hard drive that identifies how and where an operating system is located. Wiping the MBR will brick an infected device by making the hard drive inaccessible. The Microsoft Threat Intelligence Center (MSTIC) has recently performed an analysis of the new malware. The first stage of the malware, typically called stage1.exe, wipes the MBR and prevents the operating system from loading. The malware is executed when an infected...
Mass General Brigham Settles ‘Cookies Without Consent’ Lawsuit for $18.4 Million
An $18.4 million settlement has been approved that resolves a class action lawsuit against Mass General Brigham over the use of cookies, pixels, website analytics tools, and associated technologies on several websites without first obtaining the consent of website visitors. The defendants in the case operate informational websites that provide information about the healthcare services they provide and the programs they operate. Those websites can be accessed by the general public and do not require visitors to register or create accounts. The lawsuit was filed against Partners Healthcare System, now Mass General Brigham, by two plaintiffs – John Doe and Jane Doe – who alleged the websites contained third party analytics tools, cookies, and pixels that caused their web browsers to divulge information about their use of the Internet, and that the information was transferred and sold to third parties without their consent. While it is normal for websites to use third-party analytics tools like those on the defendants’ websites, the plaintiffs alleged they were not informed that...
4 Healthcare Providers and Health Plans Report Phishing-Related PHI Breaches
Email accounts containing the protected health information (PHI) of thousands of patients have been compromised at Loyola University Medical Center, Advent Health Partners, Signature Healthcare Brockton Hospital, and Welfare, Pension and Annuity Funds of Local No. ONE, I.A.T.S.E. Welfare, Pension, and Annuity Funds of Local No. ONE, I.A.T.S.E Welfare, Pension, and Annuity Funds of Local No. ONE, I.A.T.S.E has recently notified 20,579 individuals about an email security incident that resulted in the exposure of sensitive data. On December 21, 2021, suspicious activity was detected in an employee email account. The account was immediately secured to prevent further unauthorized access and a forensic investigation was conducted to determine the nature and scope of the breach. The investigation determined on October 25, 2021, that the email account had been accessed by an unauthorized individual between May 11, 2021, and August 2, 2021, as a result of the employee responding to a phishing email. A manual review of the emails and attachments confirmed they contained the following types...



