The Hacking Group Dark Overlord hacked Athens Orthopedic 4 years ago and they are still dealing with the fallout, including paying a 1.5 million dollar fine to the feds.
The feds say that Athens management was not being good. In fact it was being naughty. HHS audited the doctors after the attack and found systematic non-compliance with HIPAA.
The hackers stole over 600,000 patient records. A journalist found some of their patient records on the dark web. Within a few days, the hackers contacted Athens demanding a ransom.
So this points out that ransomware 2.0 – the kind where hackers steal data, encrypt your systems and then hold both your systems and your data hostage – has been around for years. It is just becoming more popular now.
In addition to losing four years of their life and $1.5 million, the doctors now have to implement a corrective action plan (CAP). A CAP is HHS’s term for getting your security act together.
Oh, yes, the source of entry for the hackers? Credentials stolen from a third party. I guess the doctors will now implement a vendor cyber risk management program. A bit late, but better late than… Credit: Health IT Security
HHS also fined 4 other healthcare providers this year, fining them as much as a million dollars.
Fast forward to today.
This month hackers have posted the data of 5 different medical practices on the dark web in an effort to extort money. UCSF paid hackers over a million dollars just a couple of months ago.
So what are we seeing now?
Assured Imaging, University Hospital New Jersey, National Western Life, The College of Nurses of Ontario and Nonim Medical are all dealing with their data being hacked and posted on the dark web.
Assured Imaging is notifying 244,000 patients that their data may have been compromised. The hacker only had access to the data from May 15 to 17.
So what does all this tell us?
- The hackers are using any available option, including third parties.
- They do not need to have access for a long time to do a lot of damage.
- Some health care providers are not following the HIPAA rules including getting annual third party risk assessments.
- The companies that get hacked will be cleaning up the mess for years.
- And will likely pay HHS a lot of money as well as getting to execute a CAP.
- Finally, there will be lawsuits. There always are.
So I am going to leave you with just one thought and it doesn’t only apply to healthcare. Credit: Health IT Security
Do you feel lucky, punk?
I am sure that these organizations didn’t think they were going to get attacked. At least some of them were not taking security seriously enough.
Are you taking your company’s security seriously enough?