Coastal Family Health Center Cyberattack Affects 62,000 Patients
Coastal Family Health Center (CFHC), the fourth largest community health center in Mississippi, has started notifying patients about a May 13, 2021 cyberattack that involved some of their protected health information. CFHC said hackers attempted to shut down its computer operations; however, that attempt failed and CFHC was able to continue treating patients and providing services to the community. An investigation was immediately launched into the incident to determine how the attack occurred and whether any sensitive patient information was accessed by the hackers. On June 4, 2021 the investigation revealed some files accessed by the attackers contained the protected health information of patients, including names, addresses, Social Security numbers, health insurance information, and health and treatment information. Independent cybersecurity professionals were engaged to assist with improving the security of its systems and policies and procedures have been changed to prevent further breaches in the future. After determining current mailing addresses, notification letters were...
Kroger Proposes $5 Million Settlement to Resolve Data Breach Lawsuits
The pharmacy and supermarket chain Kroger has proposed a $5 million settlement to resolve lawsuits filed by victims of data breach that exposed their personal and protected health information. Kroger was one of many victims of a cyberattack on Accellion’s File Transfer Appliance (FTA) in December 2020. The Accellion FTA is a legacy solution used to transfer files too large to be sent via email. Hackers exploited several zero-day vulnerabilities in the solution and gained access to the data of more than 100 companies. While ransomware was not used, the attack was linked to the Clop ransomware gang which threatened to publish the exfiltrated data. Individual companies were sent demands for payment to prevent the exposure of their stolen data. Kroger was notified about the breach on January 23, 2021 and received a ransom demand from the attackers on February 2. The FBI was notified, and Kroger paid the ransom on February 18, 2021. The attackers returned the stolen data the following day and provided a video demonstrating the stolen data had been deleted. Approximately 1% of Kroger...
Study Explores Why Many People Don’t Use a Password Manager
One of the easiest ways for hackers to gain access to accounts is to simply guess passwords. Hackers use lists of commonly used passwords and passwords that have been obtained in previous data breaches, and just try each one until the right one is guessed. This automated process can take seconds if particularly weak passwords are used to secure an account. Brute force tactics only work because a lot of users fail to change default passwords, set weak passwords, or reuse passwords across multiple platforms. In the case of the latter, if there is a breach of one platform, the password can then be used to access all other accounts where it has been set. Having – and enforcing – a HIPAA-compliant password policy that requires users to set complex passwords will help to ensure that strong passwords are set, but employees often still set weak passwords and circumvent their employer’s password policy. For instance, setting a password of Password1! to meet the lower/upper case, number, and special character requirements. The most secure passwords are randomly generated long...
Federal Judge Allows Blackbaud Consolidated Class Action Data Breach Lawsuit to Proceed
Plaintiffs in a class action lawsuit against Blackbaud sufficiently demonstrated they have standing, and the lawsuit has survived Blackbaud’s motion to dismiss. Blackbaud is a publicly traded cloud software company with headquarters in Charleston, SC. Blackbaud provides data collection and maintenance solutions for administration, fundraising, marketing, and analytics to entities such as non-profit organizations, foundations, educational institutions, and healthcare organizations. In the course of providing its services, the company collects and stores personally identifiable information (PII) and Protected Health Information (PHI) from its customers’ donors, patients, students, and congregants. From February 7, 2020 to May 20, 2020, cybercriminals gained access to Blackbaud’s systems, exfiltrated data, and then used ransomware to encrypt files on Blackbaud’s systems. A ransom demand was then issued by the attackers and the attackers claimed they would provide the keys to decrypt data on Blackbaud’s systems and permanently delete the data they had exfiltrated if the ransom was...
Healthcare Workers File Lawsuit Alleging Amazon Alexa Devices Violated HIPAA
A class action lawsuit has been filed against Amazon by four healthcare workers who allege their Amazon Alexa devices may have recorded conversations without their intent that potentially included health information protected under HIPAA. Amazon Alexa devices listen for words that wake up the devices and triggers them to start recording. Specifically, the devices listen for the word “Alexa,” and will then attempt to answer a question that is asked. However, the plaintiffs claim that there are other words and phrases will awaken the devices and trigger them to start recording when it is not intended by users of the devices. The lawsuit cites a study conducted at Northeastern University which showed the devices wake up and record in response to statements such as “I care about,” “I messed up,” and “I got something.” The study also found that the devices wake up and record in response to the words “head coach,” “pickle”, and “I’m sorry.” The plaintiffs allege “Amazon’s conduct in surreptitiously...



