HHS Launches 405(d) Program Website Providing Resources to Help Mitigate Healthcare Cybersecurity Threats
The Department of Health and Human Services has launched a new website that offers advice and resources to help the healthcare and public health sector mitigate cybersecurity threats. The website was created as part of the HHS 405(d) Aligning Health Care Industry Security Approaches Program, which was established in response to the Cybersecurity Act of 2015. The Cybersecurity Act of 2015 called for the HHS to establish the program and a Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led cybersecurity guidelines, practices, methodologies, procedures and processes that healthcare organizations can use. More than 150 individuals from industry and the federal government have collaborated under the program and provided insights into how best to mitigate cyberthreats. The new website supports the motto, Cyber Safety is Patient Safety, and provides videos and other educational material to raise awareness of pertinent threats along with vetted cybersecurity resources to drive behavioral change and...
400,000 Patients Potentially Affected by Planned Parenthood Ransomware Attack
Planned Parenthood has recently announced it was the victim of a ransomware attack in October that affected its Los Angeles branch. According to the announcement, a ransomware gang gained access to the network between October 9, 2021, and October 17, 2021, and deployed ransomware to encrypt files. A ransom demand was then issued, payment of which was required to obtain the keys to decrypt data. Prior to using ransomware, certain files were exfiltrated from its systems and were used as leverage to get Planned Parenthood to pay the ransom. It is currently unclear if the ransom was paid but, at the time of writing, the stolen files do not appear to have been published on any ransomware gang’s data leak site. The ransomware attack was detected by Planned Parenthood Los Angeles on October 17, 2021, and steps were immediately taken to secure its network and investigate the security breach. When it was confirmed that files had been stolen, a review was conducted to determine the types of information that had been compromised. On November 4, 2021, it was confirmed that some of the stolen...
Patient Sues Eskenazi Health Over Ransomware Attack After Misuse of Her Data
An Eskenazi Health patient whose protected health information was stolen in an August 2021 ransomware attack is suing the healthcare provider over the data breach. It is now common for ransomware gangs to exfiltrate sensitive data prior to using ransomware to encrypt files. The stolen data is used to threaten victims to encourage payment of the ransom, as was the case in the Eskenazi Health ransomware attack. Indianapolis, IN-based Eskenazi Health discovered the attack in early August and immediately shut down its computer systems in an attempt to prevent further unauthorized access and contain the attack. The healthcare provider took the decision to divert ambulances and cancel certain appointments as a safety measure while its electronic medical record system was offline. The investigation into the breach determined its systems had first been compromised in May and files containing sensitive patient data had been exfiltrated from its systems. Notification letters started to be sent to affected patients in early November and patients were informed of the data theft and were...
Ohio DNA Testing Firm Notifies 2.1 Million People About Breach of Personal Information
An Ohio-based DNA testing company has recently disclosed a hacking incident that involved the sensitive data of 2,102,436 individuals. DNA Diagnostics Center (DDC) said it detected suspicious activity in its network on August 6, 2021, and confirmed unauthorized individuals had accessed and acquired files from an archived database between May 24, 2021, and July 28, 2021. The data breach investigation confirmed that the files exfiltrated by the attackers contained full names, credit/debit card numbers and CVV codes, financial account numbers, Social Security numbers, and platform account passwords. The company said genetic testing data were stored on a separate system that was not accessed by the hackers and no data related to its current operations were stolen in the cyberattack. The database contained backups made between 2004 and 2012 that were associated with a national genetic testing organization that DDC acquired in 2012. DDC said the legacy system that was accessed had never been used in DDC’s operations and that the system has been inactive since 2012. DDC did not disclose...
Quest Diagnostics and Subsidiary Face Class Action Lawsuit Over Ransomware Attack
A lawsuit has been filed in the US District Court for the District of Massachusetts against Quest Diagnostics and its subsidiary, ReproSource Fertility Diagnostics, over an August 2021 ransomware attack that affected 350,000 patients. On October 8, 2021, ReproSource started sending notification letters to affected patients informing them that some of their protected health information had potentially been accessed or stolen prior to ransomware being used to encrypt files. The types of data stored on parts of its network that were accessible to the attackers included names, dates of birth, test results, medical histories, diagnosis codes, Social Security numbers, billing information, and other information. While breach notification letters were sent within the 60 days allowed by HIPAA, the lawsuit alleges Quest and ReproSource failed to issue timely notifications to patients, which violated Massachusetts law, and when the notification letters were issued – more than a month after the attack – they lacked important information about the breach, such as if the servers that...



