Category Archives: Breach

The Price of a Breach? Bankruptcy?

21st Century Oncology,  who bills itself as the world’s largest operator of cancer treatment centers with 179 locations, suffered a breach in 2015, losing control of 2+ million patient records.

According to law firm Motley Rice, they found out about the breach when the FBI notified them – not a great way to start your day – (see here).  The breach, they say, happened a month prior, in October 2015.A

While 21st Century is a bit of a high flyer – started in 1983, they sold out to Vestar Parters for $1 billion in 2008, planned to go public in 2014 but changed their mind and raised $325 million privately instead – they have all the problems of any business.

They filed for bankruptcy earlier this year, citing a bunch of reasons including uncertainty in the health insurance market as a result of the new administration, but also the cost of litigation and the cost of complying with regulations regarding electronic health records – in other words the cost resulting from the breach including setting lawsuits from patients who’s data was compromised and settling claims from Health and Human Services regarding the breach.

Health and Human Services said that 21st Century failed to:

  • Failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information.
  • Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
  • Failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
  • Failed to have a written business associate agreement before disclosing protected health information to third-party vendors.

In other words, failing to have any kind of reasonable cyber security program.

Last month 21st Century has agreed to pay a fine of $2.3 million in lieu of what HHS could have whacked them with, which is many times that number and:

  • Complete a risk assessment and create a risk management plan
  • Revise policies and procedures
  • Educate its workforce
  • Create and maintain Business Associate Agreements (BAAs) with people it shares patient data with
  • Submit to an internal monitoring plan – HHS’s version of an ankle monitor.

Also, if they fail to execute the corrective action plan all bets are off and HHS can go after them for real civil money penalties.

HHS will supervise this corrective action plan and if they don’t like something that 21st Century has done, like their security policies, for example, 21st Century has 30 days to fix it.

They are also required to engage and pay for an external third party to monitor their progress.  HHS gets to interview and approve this third party.  The assessor will submit a plan to play nanny to 21st Century within 60 days of selection and HHS must approve this plan.  The assessor, according to the terms of the corrective action plan must make unannounced site inspections during the term of the agreement.   The third party must provide an annual compliance report to HHS.

A copy of the agreement can be found here.

While there are other business reasons for filing for bankruptcy, the after effects, including settlements and lawsuits related to the breach are likely an important part of that filing.

While it is not clear to me what the effect of the bankruptcy filing is on lawsuits that not yet come to trial, there is certainly a short term effect of staying them while the bankruptcy court figures things out.  I am also not clear what effect the bankruptcy filing will have on lawsuits that were not filed prior to the bankruptcy filing date.  This could be a way to dramatically reduce their liability, although it certainly would not make them any friends with investors who were affected by the bankruptcy.  21st Century has been involved in a number of lawsuits related to over and fraudulent billing and fees paid to doctors for referring patients to company owned facilities.  Clearly security is only one of many problems they are dealing with.

Apparently the bankruptcy did not stop HHS’ actions including fines and the corrective action plan.

Information for this post came from Dark Reading.

 

 

 

 

 

Facebooktwitterredditlinkedinmailby feather

Russian Hacker Admits to Hacking DNC Last Year

A Russian hacker has confessed in court to hacking the DNC during last year’s election.  The Russian web site that is reporting this has not been friendly to Putin, so there are lots of dimensions to this conversation.

The web site says that Konstantin Kozlovsky stated that he was doing this on the direction of Russian state intelligence organizations.

Kozlovsky was arrested earlier this year for hacking Russian banks to the tune of $50 million.  He is currently being detained and the admission came from a pre-trial hearing regarding his detention.

He said that he reported to a major-general in the FSB, one of Russia’s spy organizations.  The intention was to manipulate the U.S. election process according to Kozlovsky.

He is now in prison for treason for reporting this information to U.S. intelligence agencies.  Is this part of the source for the U.S. intelligence community’s determination that Russia hacked our election last year?  Don’t know.

Suffice it to say that this will make some interesting fodder for all of the Russia investigations going on in Washington.

It is not clear to me what Koslovsky has to gain by either admitting he did that or by confessing to something he didn’t do.

*IF* Putin had admitted that he orchestrated the attack and was looking for a fall guy, then maybe lying about it, under coercion, might make sense, but in this case, it makes Putin a liar and our President, well, duped by Putin.  Based on that, none of this makes any sense.

Neither Putin nor Trump have said anything about this testimony, so at this point all there is to is stand to the side and watch the fight.

Information for this post came from Fortune.

Facebooktwitterredditlinkedinmailby feather

Smart Homes – Not So Smart

While people are purchasing  Internet of Things devices at record numbers, most people are not looking at the security implications of them.

Given that, here is something to ponder.

Apple, like every other company on the planet, is trying to capitalize on the IoT craze.  They sell software that allows developers to build software to control home automation.   From your iDevice and iCloud.

Home automation is, of course, an example of IoT and even though this software is sold by Apple, it suffers from the same problems as all other software.  Bugs.

The particular bug in question is kind of important.  Among other things, it allows non-authorized users to unlock your doors and open your garage.   Not a great idea from a security standpoint.

And, kind of like the problem that caused the Equifax breach, this problem was caused by a problem with the Apple Homekit framework.

The good news is after the bug was announced, Apple was able to make some server side changes that blocked the attack.  It also disabled some functionality, but that is certainly preferable to allowing anyone on the planet to unlock your door and steal your stuff.

Apple is expected to roll out a fix very soon and, I assume, after allowing some time for people to install the fix, Apple will restore the blocked functionality.

This is not really about beating up Apple.  Software is complicated and all software has bugs.  In fact, Apple blocked the attack very quickly after being notified.

What it is about is people jumping on the IoT bandwagon without understanding the implications – security implications of the jump.  It is great that people want to adopt new technology, but will they they be so happy when the technology isn’t quite perfect.  If they don’t implement the controls needed to make the use of the software secure.

Recently, my dishwasher broke and when the service person came to fix it, he had to patch the dishwasher software before he left.  It turns out the patch was related to a safety problem (as in the dishwasher catching fire), so I am glad that he patched it, but, to be honest, if the dishwasher hadn’t broken it would still be a safety problem because I HAVE NO CLUE AS TO HOW TO PATCH MY DISHWASHER.  Do you know how to patch YOUR dishwasher?  This is one of the problems with IoT.

The good news is that since this attack was blocked very quickly, the damage was minimal.  If this wasn’t Apple and it wasn’t blocked within 48 hours, there could have been more damage.

IoT, in spite of the craze and the expectation of the deployment of 20 billion devices in the next few years, it is still, at this time, a niche item.  The vast majority of homes do not have door locks controlled by their iPhone.  But that, likely, won’t last and when it takes hold we better have this security thing figured out.

Information for this post came from 9to5Mac.

Facebooktwitterredditlinkedinmailby feather

Mecklenburg County Hit With Ransomware Attack

Mecklenburg County, North Carolina, home to Charlotte, was hit with a ransomware attack that the county was clearly unprepared to handle.

The good news, if there is any in a situation like this, is that the attackers only compromised about 48 out of the county’s 500 servers, but other servers were shut down to make sure the ransomware didn’t spread to those servers.

The bad news, and there is much more of that, is that the county says it will be some time in 2018 before they get everything put back together.

Some reports say that the attackers wanted two bitcoins or about $30,000, but other reports say they wanted two bitcoins per server, which would have put the bill in the millions.  The county has decided not to pay the ransom.

The county said that because of a backup system, the hack didn’t compromise any personal information.  Clearly, the county officials do not understand how technology works.

This is also one reason why these local governmental organizations can be picked off pretty easily.  Likely due to staffing, money and lack of executive support, these local governments have  poor to non-existent cyber security, disaster recovery and business continuity programs.

Examples of the effects of the backup system that was in place are that calls to the domestic violence hotline are going to voice mail and being picked up later by counselors.

The county jail is having to process inmates in and out of the jail using paper forms.  I am highly confident that nothing will go wrong.

Social Services is having to recreate rides scheduled for seniors and many of those ride requests have been forever lost.

Payments to the tax department have to be made by cash or check and building inspections are using paper forms.

The goal is to attempt to get life preserving services up first and the rest of the services restored in 2018.

Mecklenburg is far from alone in this plight.  City and County governments, especially, do not have either the budget or the expertise to deal with modern day, real world cyber attacks.  All they can do is hope that no one clicks on an infected link in an attack email.

The private sector is in better but not great shape.  They are much more motivated to have systems that work and not spend the millions of dollars that I am sure Mecklenburg is spending to rebuild servers from scratch.  Businesses also don’t want to lose customers.  When Fedex got hit with the WannaCry virus, customers switched to their competitors.  Many of those will never come back.  Mecklenburg doesn’t have that problem – there is no competing government to switch to.

For private businesses, these attacks can be the difference between a profit and a loss, staying in business or going out of business.  Fedex, in the example above, spent $300 million recovering from WannaCry last quarter and will spend an equal amount this quarter.  Many businesses cannot afford the bills that these attacks generate and just go out of business.

Information for this post came from  The Washington Post  and NBC News.

Facebooktwitterredditlinkedinmailby feather

Be Careful When Completing Those Cyber Insurance Questionnaires

I have written about the troubles of Cottage Health System in California.  They were breached and the protected Health Information of at least 32,000 patients was compromised.

The situation was that they had outsourced the storage of patient records to InSync, which by itself is not a problem, but InSync made this data available on the Internet, unencrypted, where it was indexed by Google.

$4 million later, the hospital submitted bills to their insurance company, which paid the bills.

Except.

The insurance company later came back and said that the hospital lied when it filled out a risk control questionnaire and as a result, they want their money back.  Plus expenses and legal fees.  That is going back and forth and will probably be settled in private.

Now the California Attorney General has decided that Cottage broke the law by exposing patient data in two breaches, including the one above.

The state is fining Cottage $2 million (which their insurance carrier is not likely to pay) and also requiring them to make a number of changes to their previously non-existent cyber security program.  This includes risk assessments, vulnerability scans, training, policies and several other items.

The state said:

“Cottage was running outdated software, failing to apply software patches, not resetting default configurations, not using strong passwords, failing to limit access to sensitive PII, and failing to conduct regular risk assessments, among other things,”

Had Cottage not lied on their insurance questionnaire, the carrier would likely have paid for all of this making Christmas much merrier for the hospital administration.

Of course, if they had a good cyber security program they might not even have gotten breached, which would have been good news all around.

Cottage Health is not some huge organization, so having to come up with $6 million plus spending money on doing the things the state is making them do will probably put a significant crunch on their finances.

And it started from the hospital administration not doing what they said they were doing, on the insurance risk questionnaire.

Information for this post came from Healthcare IT News and Health IT Security.

Facebooktwitterredditlinkedinmailby feather

What if Your Payment Processor Shuts Down?

What would happen to your business if your credit card processor shut down?  If you do online bill pay, what would happen if it shut down?

Millions of people and businesses got to figure that one out this month when Paypal’s TIO Networks unit suddenly shut down.  TIO does payment processing, both for merchants and for consumers who use it to pay bills at kiosks in malls, at grocery stores and other locations.

Paypal paid over $230 million for the company earlier this year.

Whether they were aware of the breach at the time that Paypal bought it or not is not clear.

In fact, all that is clear is that over a million and a half users had their information compromised.

Paypal’s decision was, on November 10th, to shut the unit down until they could fix the problems.

The impact of this shutdown varied from group to group.

If you are using the bill pay service at the grocery store, you are likely to go to another location.  Unfortunately, for TIO Networks, many of those customers won’t come back.  While this may be annoying for customers, the annoyance was likely manageable.

For merchants who uses the vendor as a merchant payment processing service and magically, with no notice, the service is shut down, that could be a big problem.

This is especially a problem for organizations that depend on credit cards such as retail or healthcare or many other consumer services.

We often talk about business continuity and disaster recovery plans, but if you operate a business and credit cards are important to you, then your plan needs to deal with how you would handle an outage of your credit card processing service.

In the case of TIO, after about a week they started bringing the service back online for a few people who were most dependent on it.

Things get a bit complicated here.  Most of the time merchant payment processors require businesses to sign a contract for some number of years.  Since the contract was written by lawyers who work for the credit card processor, it likely says that they aren’t responsible if they shut down for a week or two without notice.  It probably even says that they aren’t liable for your losses and you are still required to pay on your contract.

If you switch to a new processor, you may have two contracts,  Now what do you do?

To make things more complicated, if your payment processor is integrated with other office systems or point of sale systems, switching to a new provider is even more difficult.

I don’t have a magic answer for you – unfortunately – but the problem is solvable.  It just requires some work.  Don’t wait until you have an outage – figure it out NOW!

This is why you need to have a written and tested business continuity and disaster recovery program.

Information for this post came from USAToday.

Facebooktwitterredditlinkedinmailby feather