How a Data Breach of 1M Cancer Center Patients Led to Extorting Emails (seattletimes.com)
The Seattle Times reports:
Concerns have grown in recent weeks about data privacy and the ongoing impacts of a recent Fred Hutchinson Cancer Center cyberattack that leaked personal information of about 1 million patients last November. Since the breach, which hit the South Lake Union cancer research center's clinical network and has led to a host of email threats from hackers and lawsuits against Fred Hutch, menacing messages from perpetrators have escalated.
Some patients have started to receive "swatting" threats, in addition to spam emails warning people that unless they pay a fee, their names, Social Security and phone numbers, medical history, lab results and insurance history will be sold to data brokers and on black markets. Steve Bernd, a spokesperson for FBI Seattle, said last week there's been no indication of any criminal swatting events... Other patients have been inundated with spam emails since the breach...
According to The New York Times, large data breaches like this are becoming more common. In the first 10 months of 2023, more than 88 million individuals had their medical data exposed, according to the Department of Health and Human Services. Meanwhile, the number of reported ransomware incidents, when a specific malware blocks a victim's personal data until a ransom is paid, has decreased in recent years — from 516 in 2021 to 423 in 2023, according to Bernd of FBI Seattle. In Washington, the number dropped from 84 to 54 in the past three years, according to FBI data.
Fred Hutchinson Cancer Center believes their breach was perpetrated outside the U.S. by exploiting the "Citrix Bleed" vulnerability (which federal cybersecurity officials warn can allow the bypassing of passwords and multifactor authentication measures).
The article adds that in late November, the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center "urged hospitals and other organizations that used Citrix to take immediate action to patch network systems in order to protect against potentially significant ransomware threats."
Companies need to pay out big on these occasions (Score:3)
If your company's poor data practices lead to any sort of data leak, the company needs to expect to pay out BIG. It's only this which will ensure that data security will get the attention it needs from the CEO and the budget it needs. The banks have got this, and spend big on data security. Others need to do likewise.
Re: (Score:1)
Most breaches go unreported. Your proposal to punish the victims will mean even more go unreported.
It also empowers the criminals. They can boost their extortion payoff by threatening to report their victims, causing them to incur big fines.
Re: (Score:2)
hospitals sometimes can't update due to vendors (Score:2)
hospitals sometimes can't update due to vendors having control over their devices at the hospital.
Also things like "well, it will take way too long to do testing of each Windows update each month on vendor systems" (this is from the vendors).
Re: (Score:3)
Not quite. The company needs to payout reasonably, the upper management need to pay out big.
Re: (Score:2)
We used to not allow that (because it's effectively a veto on democracy) but we don't now so this will never happen. No large business will ever be held truly accountable like that.
Alas, "bring back control of the international flow of capital" isn't something people get excited about in elections.
For Gods sake (Score:2)
Keep this stuff air gapped!
How many times does this sort of thing have to happen before the people in charge of IT get a clue?
Re: (Score:3)
I know, right? All of these online systems allowing customers to interact with their healthcare providers need to be expunged, and we need to go back to the only truly safe way to share healthcare information -- in person! (okay, maybe some allowances can be granted for actual U.S. postal service mail and phone calls to properly vetted patient administrators, but that is it!). In addition, of course, computer systems allowing doctors/hospitals to share information amongst themselves will also need to be cut
Re: (Score:2)
Re:For Gods sake (Score:4, Interesting)
Somehow it's the fault of the person proposing to make things more accessible and not the company/organization who can't get their act together.
Thanks Obama [forgifs.com]
Re:For Gods sake (Score:4, Funny)
Blame Pelosi and Obama. The digital medical records provision was a huge part of their ACA campaign. Don't believe me? Go re-listen to his speeches. Medical records online was a huge push in his second term. If only we could predict ransomware; oh wait, we could.
It was Nicky Haley that did this. How many times does Trump have to tell you guys? Nicky Haley, Nicky Haley, Nicky Haley.
Re: (Score:2)
And why not blame the CEO, whose interest in spending money on security approaches zero when they could increase ROI?
Re: (Score:2)
In Germany we have a health care ID card. (With a SIM)
In Thailand the ID card serves for that.
Except for actual treatments, everything relevant is on that card.
Re: (Score:2)
What if you lose it? What's the replacement mechanism? I'd bet that SOMEWHERE there's an accessible duplicate of that information.
The most important thing is that long-term data storage be immutable. Controlling access to it comes second. Or maybe third behind a mechanism for errata control
Re: (Score:2)
Write access needs to be air-gapped. Read access needs to be protected. The outward-facing programs have to be the ones in charge of validation to allow reads. But those programs can't, themselves, be allowed to write, merely to queue things up to be written. And the archives, themselves, need to be WORM. Like a multi-session CD-ROM (not the rewriteable kind).
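The design sketched in the parent comment (immutable long-term storage with errata control) and in this reply (validated reads, write requests only queued, a WORM archive), as an added illustration that is not code from the thread: the front end is handed a read function and a queue but never the archive's append capability, a separate committer is the sole writer, and corrections are later records that overlay earlier ones rather than edits. All class names, the ACL and the record fields are made up.

```python
# Added illustration, not from the thread: front end validates and queues, an
# isolated committer is the sole writer, archive is hash-chained append-only.
import hashlib
import json

def _digest(prev, record):
    body = json.dumps({"prev": prev, "record": record}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

class WormArchive:
    """Append-only log; each entry commits to the digest of the previous one."""
    def __init__(self):
        self.entries = []
    def append(self, record):
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "record": record, "digest": _digest(prev, record)})
    def verify(self):
        """Recompute the chain; an edited, reordered or removed entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or _digest(prev, e["record"]) != e["digest"]:
                return False
            prev = e["digest"]
        return True
    def view(self, patient):
        """Current state: the original record overlaid by any later errata records."""
        state = {}
        for e in self.entries:
            if e["record"]["patient"] == patient:
                state.update(e["record"]["fields"])
        return state

class FrontEnd:
    """Validates callers; may read and enqueue, but is never handed append()."""
    def __init__(self, read_fn, queue, acl):
        self._read, self._queue, self._acl = read_fn, queue, acl  # acl is made up
    def read(self, clinician, patient):
        if patient not in self._acl.get(clinician, set()):
            raise PermissionError(f"{clinician} not authorised for {patient}")
        return self._read(patient)
    def request_write(self, clinician, patient, fields):
        if patient not in self._acl.get(clinician, set()):
            raise PermissionError(f"{clinician} not authorised for {patient}")
        self._queue.append({"patient": patient, "fields": fields, "by": clinician})

def commit_queue(archive, queue):
    """Run only by the isolated committer: drains queued writes into the archive."""
    while queue:
        archive.append(queue.pop(0))
```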
Time to bring in the NSA (Score:2)
Now that we can trace cryptocurrency transactions, can't the intelligence agencies follow the bit trail back to the perpetrators? Hire some locals to do 'wet work' and kill them in the most spectacularly gruesome way possible.
And if we find that use of mixers has made a crypto trace impossible? Then apply supercomputers or quantum to break cryptocurrency itself, rendering it unusable and ransoms unpayable. As a bonus, North Korea goes bankrupt.
Re: (Score:2)
Brilliant!! And when the locals screw up and kill the wrong person, the relatives will feel good about that.
Re: Time to bring in the NSA (Score:3)
Re: (Score:2)
Yeah, sure. Let us know how that goes, when you trace the transaction to Moscow. Or any other place that cares less about your laws and is happy to have the money in their local economy.
That's when breaking crypto is the better solution. Scammers, launderers and rogue governments lose everywhere.
Until it happens to a celeb nobody cares (Score:3, Insightful)
When this kind of criminal behaviour impacts on the privileged class then we might get limited action. That criminals are extorting people on a regular basis without punishment should be a source of unending shame for the local police forces.
Re: (Score:3)
When this kind of criminal behaviour impacts on the privileged class then we might get limited action.
Do you think the "privileged class" doesn't use doctors?
unending shame for the local police forces.
So the "local police" are supposed to check hospitals for zero-day buffer overflow vulnerabilities?
Prevented this with Comcast (Score:4, Insightful)
Recently, Comcast had its entire database of 30 some odd million customers compromised. As a result, they were forcing their customers to change their account password by disguising it as helping their customers prevent fraud during the holiday season. I should have taken a screenshot of their lie, but I digress.
I had to contact the company to get a code to verify I was supposedly who I said I was. Two questions the Indian guy asked me were, what email address can this be sent to and what phone number can this be texted to? I told him I did not provide either on my account for the very reason I'm making the phone call. I didn't want that information spread to the four winds when the company gets compromised.
After some back and forth and being transferred to a different area, I was able to get a code and reset my account password.
Organizations need to stop requiring any additional information beyond what is absolutely necessary. A phone number is a necessity. An email address is not. It's obvious private industry doesn't take security seriously [slashdot.org] so it's up to the person to do so.
Re: (Score:2)
A phone number is a necessity. An email address is not.
Most people see that the other way around.
I can easily make an individual email address for every service I use.
Phone numbers not so easy. And: unless it is an emergency, I do not want to be called.
Cybercriminals used to avoid (Score:2)
Re: (Score:3)
Cybercriminals used to avoid targeting medical institutions, hospitals and doctors offices.
No, they didn't. There was never a "golden age" when criminals were honorable. That never happened.
Of two minds here... (Score:2)
On the one hand, organizations need to be held responsible, when they screw up security. I recently saw an article that listed how many hundreds of data breaches US healthcare providers suffer per year. So, a lawsuit seeking compensation for the affected patients - that makes sense.
On the other hand, the US legal system sucks. If you read TFA, this data breach has already led to seven class action suits. That's just unethical lawyers looking for a payday. One class action suit, sure, but seven? That is rid
Crooks nominating themselves for Darwin Awards. (Score:3)
Threatening and extorting a million cancer patients seems like quite an elaborate way to commit suicide.
Re: (Score:2)
How do they know EXACTLY who to be angry at? They can describe certain things about them, but morals are not exactly an observable.
Re: (Score:2)
Re: (Score:2)
Nobody knows who to target. So no, this is not an "elaborate way to commit suicide".
Re: (Score:2)
As a cancer patient... (Score:5, Insightful)
As a cancer patient, I say, "fuck you! Go ahead and release all that info! I've only got a fucking year left to live anyway!"
Release of personal info? That's the least of my problems. Have at it, douchebags!
Re: (Score:2)
I was thinking the same thing.
As long as your credit is frozen, what is the worst they can do to you?
Re: (Score:2)
Even if it isn't, I don't care. My score is...let me go look....849 (FICO Bankcard 8). I'm not buying anything at this point. I've already transferred all assets into my wife's name. I own nothing. Just waiting to die, more or less. What the fuck are THEY going to do? They can eat a big bag of dicks.
I owe $107K on the house, that's it. No credit card debt, although my limit across all cards is over $300K. Maybe I should charge them up buying gold coins for my 7 year old and stick the banks with a loss. My
The whole herd of elephants in the room. (Score:4, Informative)
I'll start with the threats of swatting. If we could count on police to have a level headed response to potentially false reports (or any reports really) rather than a shoot first, ask questions later mentality, there would be no such thing as swatting. Police have actually allowed themselves to become pawns playing on the wrong side.
If we had decent healthcare in the U.S. people wouldn't have to worry about insurance companies or employers finding out they have a history of expensive medical events.
If our civil laws were appropriately administered and implemented, "identity theft" wouldn't be an issue. I put it in quotes because really, it's just creditors happily handing over scads of cash to people they don't even know and then expecting a wholly innocent 3rd party to foot the bill for them.
In a proper system, reporting adverse credit against such an innocent person would be libel at least. Likewise to the credit agencies propagating such reports like the town gossip.
Any attempt at foreclosures and garnishments would require REAL evidence that the defendant is ACTUALLY the person who received the loan, not just taking a bank's (or worse, used car dealer's) word for it. No, having a 9 digit number and (sometimes) a scrawl on a piece of paper does NOT constitute proof.
Were those very real issues actually addressed, the cyber criminal's threats would be toothless.