NY AG Issues $450K Penalty To US Radiology After Unpatched Bug Led To Ransomware (therecord.media)
An anonymous reader quotes a report from The Record: One of the nation's largest private radiology companies agreed to pay a $450,000 fine after a 2021 ransomware attack led to the exposure of sensitive information from nearly 200,000 patients. In an agreement announced on Wednesday, New York Attorney General Letitia James said US Radiology failed to remediate a vulnerability announced by security company SonicWall in January 2021. US Radiology used the company's firewall to protect its network and provide managed services for many of its partner companies, including the Windsong Radiology Group, which has six facilities across Western New York.
The vulnerability highlighted by the attorney general -- CVE-2021-20016 -- was used by ransomware gangs in several attacks. US Radiology was unable to install the firmware patch for the zero-day because its SonicWall hardware was at an end-of-life stage and was no longer supported. The company planned to replace the hardware in July 2021, but the project was delayed "due to competing priorities and resource restraints." The vulnerability was never addressed, and the company was attacked by an unnamed ransomware gang on December 8, 2021.
An investigation determined that the hacker was able to gain access to files that included the names, dates of birth, patient IDs, dates of service, provider names, types of radiology exams, diagnoses and/or health insurance ID numbers of 198,260 patients. The data exposed during the incident also included driver's license numbers, passport numbers, and Social Security numbers for 82,478 New Yorkers. [...] In addition to the $450,000 penalty, the company will have to upgrade its IT network, hire someone to manage its data security program, encrypt all sensitive patient information and develop a penetration testing program. The company will have to delete patient data "when there is no reasonable business purpose to retain it" and submit compliance reports to the state for two years. "When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care," said Attorney General James. "US Radiology failed to protect New Yorkers' data and was vulnerable to attack because of outdated equipment. In the face of increasing cyberattacks and more sophisticated scams to steal private data, I urge all companies to make necessary upgrades and security fixes to their computer hardware and systems."
Lol (Score:5, Insightful)
Letting them off cheap, like always...
Functional IT (Score:4, Insightful)
This demonstrates that managers don't regard security or IT in general as much of a priority. It is a cost with no benefit they can put a value to.
But, by doing so, they've managed to spend an extra $450,000 for a firewall appliance that would have cost maybe $600 if they'd bought it straight off, and left them vulnerable to a class action suit from those whose data was stolen.
This is considered a financially acceptable blunder because companies don't generally get fined for placing customer/patient data at risk. As long as only one corporation in a thousand actually gets the fines, leaving infrastructure dangerously exposed is a profitable option.
Really, there should be fines issued for leaving critical infrastructure wide open, whether or not it's attacked, to make it unprofitable to defer critical updates.
But I do have to wonder. This was blamed on a firewall vulnerability. But why could hostiles on the network gain access to the database? Did they forget to set it up for passwords and encryption?
And even once they had access to the database, why was the data unencrypted? Encrypting the database is utterly standard practice.
So it sounds like there were other flaws in the system that could have still protected the data even if the network was vulnerable.
Re:Functional IT (Score:4, Interesting)
In an ICO (UK) judgement/finding I happened to read, it can be the case that an unpatched vulnerability, even if it wasn't directly responsible for a breach, is in itself evidence that the company was not taking care, and it's that failing to take care, combined with some kind of incident, which really makes them subject to blame. So for companies, the risk calculation isn't about whether one specific vulnerability happens to get exploited; it's more about whether anything happens to the company, and when the investigators come looking, whether they find any evidence of the company not generally giving a fuck.
Re: (Score:2)
> This demonstrates that managers don't regard security or IT in general as much of a priority.
Our financial system values shorter-term ROI. Managers who plan ahead are rarely rewarded by financial stakeholders.
How it went (Score:4, Interesting)
I could see this happening just about anywhere:
Admin: we need to patch the system, it will take about a day
Mang: We will lose 10000 USD in revenue if we lose a day, so no
Admin: We can start it at 22:00
Mang: we will need to pay Overtime, no
Breach happens and company fined
Mang: Why did you not patch the system, you are fired
Use email trails (Score:2)
If that conversation was carried out on email, you've a smoking gun to show someone else is responsible. At least it will make you feel better. And try and make sure that if they escort you off the premises that there's something they will be deprived of access to because the password is only in your head...
more like we need to pay $250K-$500K for the new (Score:2)
more like we need to pay $250K-$500K for the new version that gets updates and then the boss says we don't have the funds for that.
Misleading headline (Score:4, Insightful)
The headline says "ransomware attack", but the article is about a data breach.
Would be nice to get reporters who know the difference.
Re: (Score:2)
Many ransomware attacks now also extort their targets by threatening to disclose the information. Whether the attackers actually disclosed the info probably doesn't matter in this case, though -- personal health information is often protected by legislation that assumes damage for any unauthorized access, so just copying the data from the target's system would trigger that kind of law.
Re: (Score:2)
In general, both are combined. A ransomware attack is almost always combined with data destruction (usually nuking the backup servers, and if they are using immutable backups, writing garbage to the objects to make it impossible to find where the good data begins and the garbage ends), as well as a data exfiltration attack.
Ransomware people are smart, they know that it is good PR for companies to give the middle finger to them, so exfiltrating data and threatening to release it can be the difference betwee
Re: (Score:2)
> In general, both are combined.
Half true. Ransomware gangs will "in general" also exfiltrate information. However, the converse is not the case; people exfiltrating information will not, as a general thing, also install ransomware.
But I wasn't talking about "in general." I was talking about in specific. Were both combined in this particular case? And, if so, why wouldn't it be mentioned?
The likely explanation is, no, the article writer just liked the word "ransomware".
For reference, here is the NY AG finding, which makes no mention of r
Only in the software industry (Score:3)
Can a vendor walk away from a product with a massive known safety issue and have no liability for their failure. In the real world vendors have liability for safety issues including paying for replacement of physical hardware decades after the fact.
In the magical world of software we can do whatever the hell we please. It's a privilege not a right to receive patches for safety issues that should have never existed in the first place. The end user should pay us for upgrades forever for the "privilege" of us fixing our (in this case negligent) mistakes.
Re: (Score:2)
Asking for liability for software can cut both ways. If someone writes a F/OSS utility just to encrypt some files for a backup, in theory, they could be held liable and sued if their product had a hole in it (perhaps because they used AES-ECB instead of XTS.)
Demanding laws on software will assure such a large barrier to new entry that we will never see anything new or innovative, just like we don't see anything new or innovative when it comes to appliances or electronic devices, as it takes so much money just to appease the regulators that it isn't profitable for newcomers.
What I would like to see stop is corporations walking away from dangerous software defects. I find it grossly disgusting to see entire business models evolve in which corporations benefit from their own safety defects actively refusing to fix known problems in order to provide an incentive for customers to buy new product or because they decided they no longer see fit to care.
What I would like to see is a safe harbor like scheme where you have three choices.
1. Offer free updates to everyone to fix your saf
Re: (Score:3)
Bullshit. Liability comes in when you pay for the product or service with a reasonable expectation of fitness for purpose.
That FOSS example will have an exclusion for that right in the license. When you buy it from somebody else with an assurance of fitness for purpose, you get the liability by that other entity. Or a more concrete example: CentOS (or its successor) comes with no liability. But why does a licensed copy of RHEL effectively come with no liability? That is messed up and has to stop.
Re: (Score:2)
Indeed. And that cannot continue. The reason for liabilities in other engineering fields (and qualifications and formal testing, etc.) is the massive cost to society if you do without.
Re: (Score:3)
It's not just the hardware vendor refusing to supply a security patch. The business also canceled a hardware upgrade. In addition, there was possibly a lack of cyber-security practices for the server.
What a bad joke (Score:2)
Assurance companies would probably buy that info for 10 - 100x that amount.
With such fucked up incentives, here is a good business model for US medical companies:
1 - pretend to be victim of a data breach
2 - signal it and get a ridiculous cheap fine
3 - sell the data yourself
4 - profit
Re: (Score:2)
I wouldn't be surprised that someone at a company which had a ransomware breach got approached and offered a percentage of the take if they would do something like click on a link as an elevated user or something similar. Of course, this is a dangerous game because the ransomware org can demand that person pay up or they will be turned over to their company, or the offer is really made by a company checking loyalty (sort of how the news article of Putin's death was used for the Kremlin to gauge reactions.)
do fines come out of profits (Score:3)
Or are they passed onto the consumer? I don't think there is any legal mechanism that goes through the pockets of the board members.
Re: (Score:3)
It hurts companies in competitive markets - they have expenses the competition doesn't. Healthcare isn't very price-competitive though and they certainly don't care about this slap on the wrist.
If we make this a criminal offense where executives can do prison time, they'll start caring a lot more.