Privacy Briefs: November 2024

Health Care Compliance Association (HCCA)

[author: Jane Anderson]

Report on Patient Privacy 24, no. 11 (November, 2024)

Change Healthcare Inc. has amended its initial breach report to the HHS Office for Civil Rights (OCR) to state that 100 million individuals were impacted by its mammoth ransomware attack and breach. However, as of Oct. 24, OCR stated on its “Frequently Asked Questions” page about the Change Healthcare breach that the company, a subsidiary of UnitedHealth Group, “is still determining the number of individuals affected,” and that the posting on the HHS breach portal will be amended if Change Healthcare updates the total number of individuals affected by the breach. Change Healthcare said it first became aware of ransomware that had been deployed in its computer system on Feb. 21. The company turned off systems to contain the attack, prompting a massive health care authorization and billing crisis impacting claim submissions and payments nationwide.[1]

The FBI, Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency, in conjunction with security personnel from Canada and Australia, are warning that Iranian cyber-groups are using “brute force and other techniques” to compromise organizations across multiple critical infrastructure sectors, including the health care and public health sector. Since October 2023, Iranian actors have used brute force, such as password spraying and multifactor authentication “push bombing,” to compromise user accounts and obtain access to organizations, according to a joint statement from the agencies. The actors likely conduct reconnaissance operations to gather victim identity information, and once they have that information, they gain access to victim networks, the agencies said. Then the actors use a variety of techniques to further gather credentials, escalate privileges and gain information about the entity’s systems and network. The actors also move laterally and download information that could assist other actors with access and exploitation. “The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access,” the joint advisory said. “The authoring agencies assess the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity.” To detect brute force activity, the agencies recommended reviewing authentication logs for system and application login failures of valid accounts and looking for multiple failed authentication attempts across all accounts. “Look for ‘impossible logins,’ such as suspicious logins with changing usernames, user agent strings, and IP address combinations or logins where IP addresses do not align to the user’s expected geographic location,” the agencies said. “Look for one IP used for multiple accounts, excluding expected logins. Look for ‘impossible travel.’ Impossible travel occurs when a user logs in from multiple IP addresses with significant geographic distance (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the period between the logins). Note: Implementing this detection opportunity can result in false positives if legitimate users apply VPN [virtual private network] solutions before connecting into networks.” To mitigate this threat, CISA recommended reviewing helpdesk password management related to initial passwords, password resets for user lockouts and shared accounts; disabling user accounts and access to organizational resources for departing staff; and implementing phishing-resistant multifactor authentication. In addition, CISA recommended providing basic cybersecurity training to users and ensuring password policies align with the latest NIST Digital Identity Guidelines. Finally, the authoring agencies recommended exercising, testing and validating organization security programs against the threat behaviors, as described in CISA’s threat advisory bulletin.[2]
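As an added illustration, not part of the HCCA brief or the CISA advisory it summarizes, the Python below runs the two log-review checks quoted above over constructed authentication events: one source IP failing against many accounts (password spraying) and impossible travel between successive logins, with a VPN egress allowlist to damp the false positives the advisory warns about. The GeoIP table, the allowlist, and the 900 km/h threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (not real logs): ISO time, account, source IP, outcome.
EVENTS = [
    ("2024-10-01T08:00:00", "alice", "203.0.113.10", "success"),
    ("2024-10-01T08:05:00", "alice", "198.51.100.7", "success"),   # 5 min later, far away
    ("2024-10-01T09:00:00", "bob",   "203.0.113.10", "success"),
    ("2024-10-01T09:30:00", "bob",   "192.0.2.44",   "success"),   # VPN egress: expected
    ("2024-10-01T10:00:00", "carol", "198.51.100.9", "fail"),
    ("2024-10-01T10:00:05", "dave",  "198.51.100.9", "fail"),
    ("2024-10-01T10:00:09", "erin",  "198.51.100.9", "fail"),
    ("2024-10-01T10:00:14", "frank", "198.51.100.9", "fail"),
]
# Constructed IP -> (lat, lon) table; a real deployment would query a GeoIP database.
GEO = {"203.0.113.10": (40.71, -74.01), "198.51.100.7": (51.51, -0.13),
       "192.0.2.44": (51.51, -0.13), "198.51.100.9": (35.69, 139.69)}
KNOWN_VPN_EGRESS = {"192.0.2.44"}     # hypothetical allowlist of corporate VPN exit IPs
MAX_SPEED_KMH = 900                   # faster than this between logins is "impossible travel"

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(events):
    """Flag consecutive successful logins per user whose implied speed exceeds MAX_SPEED_KMH."""
    last, hits = {}, []
    for ts, user, ip, result in sorted(events):          # ISO timestamps sort chronologically
        if result != "success" or ip in KNOWN_VPN_EGRESS:  # skip failures and expected VPN exits
            continue
        t = datetime.fromisoformat(ts)
        if user in last:
            prev_t, prev_ip = last[user]
            hours = max((t - prev_t).total_seconds() / 3600, 1 / 3600)  # avoid divide-by-zero
            if haversine_km(GEO[prev_ip], GEO[ip]) / hours > MAX_SPEED_KMH:
                hits.append((user, prev_ip, ip))
        last[user] = (t, ip)
    return hits

def spray_sources(events, min_accounts=3):
    """Source IPs with failed logins against at least min_accounts distinct accounts."""
    failed = defaultdict(set)
    for _, user, ip, result in events:
        if result == "fail":
            failed[ip].add(user)
    return {ip for ip, users in failed.items() if len(users) >= min_accounts}
```

On the sample data, alice's New York to London hop five minutes apart is flagged, bob's VPN login is not, and 198.51.100.9 is reported as a spraying source.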

ASRC Federal Data Solutions LLC, based in Reston, Virginia, has agreed to pay $306,722 to resolve False Claims Act allegations in connection with a government contract related to its storage of unsecured personally identifiable information of Medicare beneficiaries. Under the resolution, the company “will also waive any rights to reimbursement for remediating a data breach involving the information, including at least $877,578 in costs it incurred notifying beneficiaries and providing credit monitoring.” ASRC provided Medicare support services under a contract with the Centers for Medicare & Medicaid Services (CMS). The settlement resolves allegations that from March 10, 2021, through Oct. 8, 2022, ASRC and a subcontractor “stored screenshots from CMS systems containing personally identifiable information and potentially personal health information of Medicare beneficiaries on the subcontractor’s server without individually encrypting the files to protect them against exposure in the event of a breach. The subcontractor’s server employed disk-level encryption that protected files from unauthorized access but not from access using authorized credentials.” The server was breached by a third party in October 2022, and the unencrypted screenshots allegedly were compromised. According to the settlement, ASRC promptly notified CMS of the data breach, worked with the agency to address its impact, cooperated with the Justice Department and took other remedial measures.[3]

The American Civil Liberties Union (ACLU) of Alaska said it has uncovered a “massive” violation of medical privacy laws by a software company used by the Alaska Department of Corrections. But the software company, NaphCare, said the complaint was “false and misleading” and that there was no breach of data privacy. The ACLU of Alaska asserted that TechCare, the electronic health record system provided by NaphCare, was displaying private health information of dozens of incarcerated Alaskans on a training website since at least November 2023. The ACLU said that electronic records displayed diagnoses, prescriptions and treatments of “at least 74” incarcerated Alaskans. NaphCare removed the records from the training site after the ACLU publicly demanded they be removed, but the company said the health-related information displayed on the training site was fictitious data put there for training purposes. NaphCare stated that its internal investigation found that the training website was made public inadvertently, but that none of the 74 patient records identified by the ACLU contained prisoner medical data. However, the ACLU of Alaska said that it does not intend to retract its lawsuit, and implied that real prisoner names may have been used on the website.[4]

A large primary care practice in the San Diego area is splitting with Palomar Health Medical Group, citing “inadequate support and response to the aftermath of the May 2024 cyber attack” directed against the medical group. The attack shut down both organizations’ computer systems, including digital phone services, and made electronic medical records inaccessible for months, according to primary care group Graybill, which serves around 45,000 patients and has 100 doctors and affiliated medical providers. “The breach and the inability to have all critical functions restored has hindered our group’s ability to deliver essential medical services to our patients,” said Kelly Boyatt, MD, a Graybill family medicine specialist, in a statement issued by the organization. The two sides disagree on the extent to which the aftermath of the data incursion was resolved, with Graybill saying critical functions had not been fully restored, and Palomar saying that “operations have been fully and safely restored.”[5]

Pennsylvania State University has agreed to pay $1.25 million to resolve allegations that it violated the False Claims Act by failing to comply with cybersecurity requirements in 15 contracts or subcontracts involving the Department of Defense (DoD) or NASA.[6] “The settlement resolves allegations that, between 2018 and 2023, Penn State failed to implement cybersecurity controls that were contractually required by DoD and NASA and did not adequately develop and implement plans of action to correct deficiencies it identified. DoD requires contractors to submit summary level scores reflecting the status of their compliance with applicable cybersecurity requirements on covered contracting systems used to store or access covered defense information,” and the department alleged that Penn State submitted scores showing it had not implemented certain controls, misrepresented when it would implement them and did not pursue plans of action for implementation. Penn State also failed to use an external cloud service provider that met security requirements, the settlement said. In another case involving cybersecurity, the defense department joined a whistleblower suit and filed a complaint-in-intervention against the Georgia Institute of Technology and Georgia Tech Research Corp., asserting claims that those defendants knowingly failed to meet cybersecurity requirements in connection with defense department contracts. The whistleblower suit was initiated by current and former members of Georgia Tech’s cybersecurity team.[7]

1 U.S. Department of Health and Human Services, “Change Healthcare Cybersecurity Incident Frequently Asked Questions,” updated October 24, 2024, https://bit.ly/4eEDfwi.

2 Cybersecurity and Infrastructure Security Agency, “Cybersecurity Advisory: Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations,” CISA Alert, October 16, 2024, https://bit.ly/3NQWlmH.

3 U.S. Department of Justice, Office of Public Affairs, “Virginia Contractor Settles False Claims Act Liability for Failing to Secure Medicare Beneficiary Data,” news release, October 15, 2024, https://bit.ly/3Ypts6Z.

4 Sage Smiley, “Alaska Corrections contractor denies ACLU claim of ‘massive’ prisoner health data breach,” Alaska Public Media, October 3, 2024, https://bit.ly/4f8dyDW.

5 Paul Sisson, “Graybill to separate from Palomar Medical group, citing cyber attack,” The San Diego Union-Tribune, September 25, 2024, https://bit.ly/48HME3p.

6 U.S. Department of Justice, Office of Public Affairs, “The Pennsylvania State University Agrees to Pay $1.25M to Resolve False Claims Act Allegations Relating to Non-Compliance with Contractual Cybersecurity Requirements,” news release, October 22, 2024, https://bit.ly/4efMFfW.

7 U.S. Department of Justice, Office of Public Affairs, “United States Files Suit Against the Georgia Institute of Technology and Georgia Tech Research Corporation Alleging Cybersecurity Violations,” news release, August 22, 2024, https://bit.ly/3BzP8o6.
