Seven of the ten most recent major data breaches posted on the Department of Health and Human Services (HHS) Wall of Shame involve email. Together they affected 115,488 individuals.
Six of the seven are health care providers and one is a health plan – all are covered entities. All seven were reported to HHS in the last three weeks, since December 31, 2020.
- Precision Spine Care – TX – 20,787 individuals
- Greater New Bedford Community Health Center – MA – 696 individuals
- Walgreen Co. – IL – 16,089 individuals
- South Country Health Alliance (a Health Plan) – MN – 66,874 individuals
- Prestera Center for Mental Health Services, Inc. – WV – 3,708 individuals
- Mattapan Community Health Center – MA – 4,075 individuals
- Simpson Senior Services, Inc. – PA – 3,259 individuals
Medical Identity Theft is Big Business
The motivation for cyber thieves is financial, because protected health information is worth a lot of money on the black market. A stolen identity plus the name of a provider is all that is needed to commit insurance or Medicare fraud. Ransomware adds a second revenue stream: a victim organization that will pay to get its data back.
Ransomware in health care is growing fast because it works: health care organizations cannot operate without their records and many pay. Last year the predominant phishing lure was COVID. People were looking for information, treatment and cures, and clicked on links to what they hoped was news, which gave attackers the foothold they needed.
Theft Through Email Can Be Easy
Unfortunately, stealing data through email is still surprisingly easy, because people at work are busy and handle email on autopilot. Hackers use simple phishing tricks to get people to open attachments and click on links. They make the message sound urgent, use a sender address that looks familiar, or hang the message on a current topic, like COVID, to break down caution. Once the recipient clicks the link or opens the attachment, the door is open for thieves to walk in and steal data.
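Two of the tricks above, a sender address that looks familiar and a reply address that quietly points somewhere else, can be checked mechanically before a message reaches a busy inbox. The script below is an added example, not code from this page or from any product it mentions; the trusted domain list, the confusable-character table and the two sample messages are constructed assumptions, not real traffic. It flags three tells in the headers: a display name that carries a different address than the real From address, a From domain that is a lookalike of a trusted domain (digit-for-letter swaps, one-character edits, or a trusted name used as a subdomain), and a Reply-To domain that does not match the From domain.

```python
"""Flag common phishing tells in e-mail headers.

Added example. TRUSTED_DOMAINS, CONFUSABLES and the sample messages
are constructed assumptions, not data from the article.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical: domains this organization would normally trust.
TRUSTED_DOMAINS = {"example-health.org", "hhs.gov"}

# Characters attackers swap to build lookalike domains (assumption: a
# small illustrative table; real deployments use a Unicode confusables list).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain):
    """Undo common digit/letter substitutions so 'examp1e' compares as 'example'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance; catches one-character typosquats like 'hs.gov'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or edit_distance(norm, trusted) <= 1:
            return trusted
        # Trusted name used as a leading subdomain: hhs.gov.attacker.example
        if domain.startswith(trusted + "."):
            return trusted
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # Tell 1: the display name shows one address, the real From is another.
    shown = re.search(r"[\w.+-]+@[\w.-]+", name)
    if shown and domain_of(shown.group(0)) != from_dom:
        findings.append("display-name address differs from real From address")

    # Tell 2: the real From domain imitates a trusted domain.
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"From domain {from_dom!r} looks like trusted {imitated!r}")

    # Tell 3: replies are silently routed to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)!r} differs from From domain")
    return findings


# Constructed sample messages (assumption: not real mail).
PHISH = """From: "billing@example-health.org" <billing@examp1e-health.org>
Reply-To: collections@mail-relay.example
To: staff@example-health.org
Subject: URGENT: claim payment on hold

Please open the attached statement today.
"""

LEGIT = """From: Billing <billing@example-health.org>
To: staff@example-health.org
Subject: Monthly statement

Statement attached.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, check_headers(raw) or ["no findings"])
```

The normalization step is deliberately coarse: a legitimate domain that happens to contain a digit will also be normalized, so treat a lookalike hit as a reason to quarantine for review, not as proof of fraud on its own.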
FBI Issues Warning about Egregor Ransomware
We wrote several times about ransomware last year as the news changed and ransomware grew during COVID. The warnings continue this year as certain ransomware groups ramp up their efforts. On January 6 an FBI alert described a newer ransomware group called Egregor, which may use phishing emails with malicious attachments to gain access to network accounts.
The FBI Summary:
The FBI first observed Egregor ransomware in September 2020. To date, the threat actors behind this ransomware variant claim to have compromised over 150 victims worldwide. Once a victim company’s network is compromised, Egregor actors exfiltrate data and encrypt files on the network. The ransomware leaves a ransom note on machines instructing the victim to communicate with the threat actors via an online chat. Egregor actors often utilize the print function on victim machines to print ransom notes. The threat actors then demand a ransom payment for the return of exfiltrated files and decryption of the network. If the victim refuses to pay, Egregor publishes victim data to a public site.
The FBI does not encourage paying a ransom to criminal actors. Paying a ransom emboldens cyber thieves to target additional organizations, encourages other criminal actors to distribute ransomware, and may fund illicit activities. Worst of all, paying the ransom does not guarantee that a victim’s files will be recovered. The FBI also recognizes that the decision is difficult and that some victims may pay even though it is discouraged. In every case, though, the attack should be reported to the local FBI field office.
For health care organizations, a ransomware attack that encrypts ePHI is also presumed to be a HIPAA breach, and triggers the Breach Notification Rule, unless the organization can demonstrate through its risk assessment a low probability that the PHI was compromised.
HIPAA Risk Analysis – Risk Management Includes Training
As ransomware and cyber crime grow, you need to ramp up cyber security to avoid becoming the next victim, and HIPAA compliance is the best defense against cyber crime.
The mitigation steps listed by the FBI are all part of a regular HIPAA Risk Management program that follows the HIPAA Privacy and Security Rules: backing up critical data offline, using anti-virus or anti-malware software, requiring two-factor authentication, and so on.
Although the FBI list does not mention it, one of the most critical mitigation steps is security awareness training for the workforce. HIPAA requires training, and since staff are the first line of defense, they need guidance about how to help the organization stay secure. The HIPAA E-Tool® includes security awareness training.
Evaluate your cyber security defenses and take stock. If you need advice, or have any questions about whether all the bases are covered, call us.