UPMC Hacker Who Stole PII of 65,000 Employees Gets Maximum 7-Year Sentence
The hacker who gained access to the databases of University of Pittsburgh Medical Center (UPMC) and stole the personally identifiable information (PII) and W-2 information of approximately 65,000 UPMC employees has been handed the maximum sentence for the offenses and will serve 7 years in jail. Sean Johnson, of Detroit, Michigan – aka TheDearthStar and Dearthy Star – hacked into the databases of UPMC in 2013 and 2014 and stole highly sensitive information which was then sold on dark web hacking forums and was used by identity thieves to file fraudulent tax returns in the names of UPMC employees. The Department of Justice (DOJ) also alleged Johnson conducted further cyberattacks between 2014 and 2017 and stole the PII of an additional 90,000 individuals. Those sets of data were also sold to identity thieves on dark web forums. In total, fraudulent tax returns totaling $2.2 million were filed and around $1.7 million was dispersed by the IRS. The funds received were converted to Amazon gift cards, which were used to purchase high-value goods that were shipped to Venezuela. Three of...
September 2021 Healthcare Data Breach Report
There was a 23.7% month-over-month increase in reported healthcare data breaches in September, which saw 47 data breaches of 500 or more records reported to the Department of Health and Human Services’ Office for Civil Rights. While that is more than 1.5 breaches a day, it is under the average of 55.5 breaches per month over the past 12 months. While data breaches increased, there was a major decrease in the number of breached healthcare records, dropping 75.5% from August to 1,253,258 records across the 47 reported data breaches, which is the third-lowest total over the past 12 months. Largest Healthcare Data Breaches Reported in September 2021 16 healthcare data breaches were reported in September 2021 that involved the exposure, theft, or impermissible disclosure of more than 10,000 healthcare records. The largest breach of the month was reported by the State of Alaska Department of Health & Social Services. The breach was initially thought to have resulted in the theft of the personal and protected health information (PHI) of all state residents, although the breach was...
Data Breaches Reported by PracticeMax and UMass Memorial Health
Members of Anthem Inc, Humana, and DaVita health plan members with End-Stage Kidney Disease who are enrolled in the VillageHealth program have been notified that some of their protected health information has potentially been compromised in a ransomware attack at business associate PracticeMax. The VillageHealth program helps health plan members with care coordination between the dialysis center, nephrologists, and providers and shares the results with their health plan provider through PracticeMax. PracticeMax, a provider of business management and information technology solutions to healthcare organizations, identified the attack on May 1, 2021. The investigation revealed the attackers gained access to its systems on April 12, 2021, with access possible until May 5, 2021. PracticeMax said it regained access to its IT systems the following day. A forensic investigation of the attack confirmed one server was affected that contained protected health information (PHI) which may have been accessed and acquired by the attackers. The investigation into the attack concluded on August 19,...
Alert Issued About Ongoing BlackMatter Ransomware Attacks
A joint alert has been issued by the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA) about ongoing BlackMatter ransomware attacks. The group has been conducting attacks in the United States since July 2021, which have included attacks on critical infrastructure entities and two organizations in the U.S. Food and Agriculture Sector. Evidence has been obtained that links the gang to the DarkSide ransomware gang that conducted attacks between September 2020 and May 2021, including the attack on Colonial Pipeline, with BlackMatter ransomware potentially a rebrand of the DarkSide operation. Investigations into the attacks have allowed the agencies to obtain important information about the tactics, techniques, and procedures (TTPs) of the group, and an analysis has been performed on a sample of the ransomware in a sandbox environment. The group is known to use previously compromised credentials to gain access to victims’ networks, then leverages the Lightweight Directory Access Protocol (LDAP) and...
GDPR Requirements for US Companies
A new European data privacy and security law – The General Data Protection Regulation (GDPR) – has been introduced, and while this law applies in Europe, there are also GDPR requirements for US companies, including for organizations in the healthcare sector. The new law, which has an effective date of May 25, 2018, requires a swathe of protections to be introduced to keep data of EU consumers secure and to protect their privacy. Healthcare organizations are in a good position to comply with GDPR regulations since they are already required to comply with the HIPAA Privacy, Security and Breach Notification Rules. However, being HIPAA compliant is no guarantee that healthcare organizations will not fall afoul of GDPR. GDPR requirements for US companies cover aspects of privacy and security not required for HIPAA compliance. Why Does GDPR Apply to US Companies? GDPR is concerned with protecting the privacy of EU citizens and securing their data, so why are there GDPR requirements for US companies? The reason for GDPR is to give data subjects greater control over the...



