Universal Health Services Ransomware Attack Cost $67 Million in 2020
2020 was a particularly bad year for healthcare industry ransomware attacks, with one of the worst suffered by the King of Prussia, PA-based Fortune 500 healthcare system, Universal Health Services (UHS). UHS, which operates 400 hospitals and behavioral health facilities in the United States and United Kingdom, suffered a cyberattack in September 2020 that wiped out all of its IT systems, affecting its hospitals and other healthcare facilities across the country. The phone system was taken out of action, and without access to computers and electronic health records, employees had to resort to pen and paper to record patient information. In the early hours after the attack occurred, the health system diverted ambulances to alternative facilities and some elective procedures were either postponed or diverted to competitors. Patients reported delays receiving test results while UHS recovered from the attack. UHS worked fast to restore its information technology infrastructure following the attack and worked around the clock to return to normal business operations; however, the...
Hospice CEO Pleads Guilty to Falsifying Healthcare Claims and Inappropriate Medical Record Access
The former CEO of Novus and Optimum Health Services, which operates two hospices in Texas, has pleaded guilty in a fraud case that saw Medicare and Medicaid defrauded out of tens of millions of dollars through the submission of falsified health care claims. Prerak Shah, Acting U.S. Attorney for the Northern District of Texas, recently announced that Bradley Harris, 39, pleaded guilty to conspiracy to commit healthcare fraud and healthcare fraud and is now awaiting sentencing. In addition to defrauding federal healthcare programs out of tens of millions of dollars, the actions of Harris resulted in vulnerable patients being denied the medical oversight they deserved, saw prescriptions for pain medication written without physician input for his financial benefit, and allowed terminally ill patients to go unexamined. Harris admitted billing Medicare and Medicaid for hospice services between 2012 and 2016 that were not provided, not directed by medical professional, or were provided to individuals who were not eligible for hospice services. Harris also admitted to using blank,...
FBI Warns of Increase in Business Email Compromise Attacks on Local and State Governments
State, local, tribal, and territorial (SLTT) governments have been warned they are being targeted by Business Email Compromise (BEC) scammers. In a March 17, 2021 Private Industry Notification, the Federal Bureau of Investigation (FBI) explained it has observed an increase in BEC attacks on SLTT government entities between 2018 and 2020. Losses to these attacks range from $10,000 to $4 million. BEC attacks involve gaining access to an email account and sending messages impersonating the account holder with a view to convincing the target to make a fraudulent transaction. The email account is often used to send messages to the payroll department to change employee direct deposit information or to individuals authorized to make wire transfers, to request changes to bank account details or payment methods. In 2020, the FBI’s Internet Crime Complaint Center (IC3) was notified about 19,369 BEC attacks and losses of almost $1.9 billion were reported. In July 2019, a small city government was scammed out of $3 million after receiving a spoofed email that appeared to be from a contractor...
UPMC and Charles Hilton and Associates Facing Class Action Lawsuit Over 36,000-Record Breach
University of Pittsburgh Medical Center (UPMC) and the law firm Charles Hilton and Associates are facing a class action lawsuit over a breach of the protected health information of 36,000 UPMC patients. Charles Hilton and Associates, which handles collections for UPMC, announced that hackers had gained access to the email accounts of some of its employees between April and June 2020. The investigation revealed the compromised accounts contained the protected health information of UPMC patients, some of which was potentially viewed or obtained by the attackers. The accounts contained a wide range of data including names, dates of birth, Social Security numbers, bank account information, driver’s licenses, health insurance information, and state ID card numbers. UPMC stated in its breach notice that no reports had been received to suggest information in the compromised accounts had been misused; however, the lawsuit alleges the plaintiffs’ personal and protected health information was obtained and used to open accounts in their names. Lead plaintiff, Vince Ranalli, received a letter...
Verkada Surveillance Camera Hacker Indicted on Multiple Counts of Conspiracy, Wire Fraud and Aggravated Identity Theft
The Swiss hacktivist who gained access to the security cameras of the California startup Verkada in March 2021 has been indicted by the US government for computer crimes from 2019 to present, including accessing and publicly disclosing source code and proprietary data of corporate and government victims in the United States and beyond. Till Kottmann, 21, aka ‘tillie crimew’ and ‘deletescape’ resides in Lucerne, Switzerland and is a member of a hacking collective self-named APT 69420 / Arson Cats. Most recently, Kottman admitted accessing the Verkada surveillance cameras used by many large enterprises, including Tesla, Okta, Cloudflare, Nissan, as well as schools, correctional facilities, and hospitals. Live streams of surveillance camera and archived footage were accessed between March 7 and March 9, 2021, screenshots and videos of which were published online. Ethical hackers often exploit vulnerabilities and gain access to systems and their efforts often result in vulnerabilities being addressed before they can be exploited by bad actors. The vulnerabilities are reported to the...



