Sep 20, 2024

Privacy Briefs: September 202 To embed, copy and paste the code into your website or blog: <iframe frameborder="1" height="620" scrolling="auto" src="//www.jdsupra.com/post/contentViewerEmbed.aspx?fid=72c9280b-6991-46ce-9bba-53afdb606811" style="border: 2px solid #ccc; overflow-x:hidden !important; overflow:hidden;" width="100%"></iframe> [Author: Jane Anderson] ◆ The HHS Centers for Medicare & Medicaid Services (CMS) and Wisconsin Physicians Service Insurance Corporation (WPS) are notifying 946,801 people whose protected health information or other personally identifiable information (PII) may have been compromised in connection with Medicare administrative services provided by WPS. WPS is a CMS contractor that handles Medicare Parts A and B claims and related services for CMS. The notification comes following the discovery of a security vulnerability in the MOVEit software, a third-party application developed by Progress Software and used by WPS for the transfer of files in providing services to CMS. The MOVEit vulnerability impacted multiple organizations. Progress Software discovered and disclosed the vulnerability on May 31, 2023, and released a patch to fix it. WPS applied the patch in early June 2023 and investigated the potential impact of the vulnerability on its systems. In its initial 2023 investigation, WPS did not observe any evidence that an unauthorized party obtained copies of files that were within the WPS MOVEit application. However, in May, acting on new information, WPS conducted an additional review of its MOVEit file transfer system with the assistance of a third-party cybersecurity firm. The second review indicated that, before Progress Software released its patch, an unauthorized third party had copied files from WPS’s MOVEit file transfer system. In coordination with law enforcement, WPS evaluated some of those impacted files. The first batch of impacted files did not include personal information, but the second batch did. Information involved may have included: names, Social Security numbers or individual taxpayer identification numbers, dates of birth, mailing addresses, genders, hospital account numbers, dates of service, Medicare Beneficiary Identifier and/or health insurance claim numbers. WPS is offering 12 months of complimentary credit monitoring to those impacted. According to CMS, the security incident may have impacted PII of Medicare beneficiaries that was collected in managing Medicare claims as well as PII collected to support CMS audits of health care providers that some individuals who are not Medicare beneficiaries have visited to receive health care services. [1] ◆ The Cybersecurity & Infrastructure Security Agency (CISA) has moved its cyber incident reporting form to its new CISA Services Portal ( https://myservices.cisa.gov/irf ) as part of its ongoing effort to improve cyber incident reporting. The new portal is a secure platform with enhanced functionality for cyber incident reporting, including integration with login.gov credentials, CISA said. The portal’s enhanced functionality includes the ability to save and update reports, share submitted reports with colleagues or clients for third-party reporting, and search and filter reports. A new collaboration feature allows users to engage in informal discussions with CISA, the agency said. To guide incident reporters through the reporting process, CISA also released a voluntary cyber incident reporting resource to help entities understand who should report an incident, why and when they should report, as well as what and how to report. [2] ◆ FBI, HHS, CISA and the Multi-State Information Sharing and Analysis Center have issued a joint warning about RansomHub ransomware. RansomHub—which started operations in February—is a ransomware-as-a-service variant formerly known as Cyclops and Knight, the agencies said, adding that it “has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV).” Since its inception, the agencies said, RansomHub has encrypted and exfiltrated data from at least 210 victims representing multiple critical infrastructure sectors, including health care and public health, water and wastewater, information technology, government services and facilities, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation and communications. “The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims,” the agencies said, noting that data exfiltration methods are dependent on the affiliate conducting the network compromise. “The ransom note dropped during encryption does not generally include an initial ransom demand or payment instructions,” the joint statement said. “Instead, the note provides victims with a client ID and instructs them to contact the ransomware group via a unique.onion URL (reachable through the Tor browser). The ransom note typically gives victims between three and 90 days to pay the ransom (depending on the affiliate) before the ransomware group publishes their data on the RansomHub Tor data leak site.” The joint cybersecurity advisory listed multiple recommended mitigations to guard against RansomHub ransomware. [3] ◆ A majority of health care organizations say they rely on multiple communication tools to send and share sensitive content, according to a survey from software technology company Kiteworks, formerly Accellion Inc. The survey found that 53% of health care organizations said they use five or more communication tools for sensitive content. In addition, the study found that 53% of health care organizations said they can track and control sensitive data sent and shared internally, whereas 44% said they can do so when sensitive data is exchanged externally. When asked about sensitive content communications privacy and compliance priorities, 61% of survey respondents said that preventing leakage of confidential intellectual property and corporate secrets was a top priority, and 56% of respondents said avoiding regulatory violations resulting in fines and penalties was a top priority. “Like most other industry segments, health care respondents marked ‘avoidance of detrimental brand impact’ the least often (19%),” the report said. Managing third-party risk is a critical challenge for health care organizations, with 38% reporting that they exchange sensitive content with more than 2,500 third parties, Kiteworks said, adding, “an astounding 69% have over 1,000 third parties in their content supply chain.” Nearly three-quarters of health care respondents said they can track and control most sensitive content when it leaves an application, according to the survey. Still, 90% of health care organizations reported that their measurement and management of compliance for sensitive content communications requires “some to significant improvement.” Health care firms cited the General Data Protection Regulation as their biggest focus area over other data privacy and compliance regulations, while HIPAA was second, the survey found. [4] ◆ Some 40% of cyber teams have not reported a cyber incident out of fear of losing their jobs, according to research from cyber firm VikingCloud. The study—conducted among nearly 170 cybersecurity professionals in the U.S., United Kingdom and Ireland—also found that 96% of the same companies are confident in their ability to detect and respond to cyberattacks in real-time, “leading to a false sense of security which could lead to an even higher cyber risk for organizations.” The research also found that 49% of companies said cyberattacks increased in frequency over the past 12 months, while 43% said they increased in severity. One-third of companies said they were late to respond to cyberattacks because they were dealing with a false positive, the survey found. Finally, VikingCloud reported that 68% of cyber teams would not be able to meet the Security and Exchange Commission’s new four-day disclosure rule. [5] ◆ Young Consulting LLC, also known as Connexure—a company that provides software for the employer stop-loss market—has reported a ransomware attack involving the PHI of 954,117 individuals. According to the notification provided to the Maine attorney general’s office, Young Consulting experienced the breach on April 10 and discovered it on June 28. The company confirmed that some of the impacted data belonged to Blue Shield of California and other health care organizations covered by HIPAA. Data potentially breached includes names, Social Security numbers, dates of birth, prescription information, insurance policy information and claims information. Young Consulting is offering 12 months of credit monitoring to those whose data was impacted. [6] ◆ Specialty Networks Inc., which provides radiology information systems, digital transcription services and enterprise practice management solutions for health care facilities, said it experienced a breach that exposed the PHI of 411,037 patients. The company said it first became aware of unusual activity in its network on Dec. 18 and immediately took steps to secure the network. The subsequent investigation determined that an unauthorized actor acquired data from Specialty Networks’ systems “on or around December 11, 2023.” The company determined in late May that personal and/or PHI may have been involved. Information potentially involved included: name, date of birth, driver’s license number, Social Security number, medical record number, treatment and condition information, diagnoses, medications and health insurance information. Specialty Networks is offering complimentary identity protection services to those whose information was breached. [7] 1 Centers for Medicare & Medicaid Services, “CMS Notifies Individuals Potentially Impacted by Data Breach,” news release, September 6, 2024, https://bit.ly/4ejSvxD . 2 Cybersecurity & Infrastructure Security Agency, “CISA Launches New Portal to Improve Cyber Reporting,” news release, August 29, 2024, https://bit.ly/4edQyCG . 3 Cybersecurity & Infrastructure Security Agency, Federal Bureau of Investigation, Multi-State Information Sharing & Analysis Center, and the U.S. Department of Health and Human Services, “#StopRansomware: RansomHub Ransomware,” Joint Cybersecurity Advisory, August 29, 2024, https://bit.ly/3TlgrZg . 4 Kiteworks, 2024 Analysis of Sensitive Content Communications in Healthcare: Security and Compliance Trends, July 10, 2024, https://bit.ly/4cUmH0V . 5 VikingCloud, 2024 Cyber Threat Landscape Report: Cyber Risks, Opportunities, & Resilience, 2024, https://bit.ly/3zkdPnx . 6 Office of the Maine Attorney General, “Data Breach Notifications: Young Consulting LLC,” August 26, 2024, https://bit.ly/4efLzBp . 7 Specialty Networks, Inc., “Specialty Networks provides Notification of Data Security Incident,” news release, August 15, 2024, https://bit.ly/4dRWQYX .