Sensitive personal data of US House and Senate members hacked, offered for sale

Breach in the systems of DC Health Link, a health insurance company, led to 170,000 records being compromised

Members of the House and Senate were informed Wednesday that hackers may have gained access to their sensitive personal data in a breach of a Washington, DC, health insurance marketplace. Employees of the lawmakers and their families were also affected.

DC Health Link confirmed that data on an unspecified number of customers was affected and said it was notifying them and working with law enforcement. It said it was offering identity theft service to those affected and extending credit monitoring to all customers.

The FBI said it was aware of the incident and was assisting the investigation.

A broker on an online crime forum claimed to have records on 170,000 DC Health Link customers and was offering them for sale for an unspecified amount. The broker claimed they were stolen Monday. The broker did not immediately respond to questions posed by the Associated Press on an encrypted chat site.

It was not possible to confirm the number claimed. Sample stolen data was posted on the site for a dozen apparent customers. It included Social Security numbers, addresses, names of employers, phone numbers, emails and addresses. The AP reached one of the dozen by dialing a listed number.

“Oh, my God,” the man said when informed the information was public. All 12 people listed work for the same company or are family members.

In an email to all Senate email account holders, the sergeant at arms said it was informed that the stolen data included full names of the insured and family members but “no other personally identifiable information”.

It recommended that anyone registered on the health insurance exchange freeze their credit to prevent identity theft.

In an emailed statement, congressman Joe Morelle said House leadership was informed by Capitol police that DC Health Link “suffered an extraordinarily large data breach of enrollee information” that posed a “great risk” to members, employees and their family members. “At this time the cause, size and scope of the data breach impacting the DC Health Link still needs to be determined by the FBI,” Morelle said.

The hack follows several recent breaches affecting US agencies. Hackers broke into a US marshals service computer system and activated ransomware on 17 February after stealing personally identifiable data about agency employees and targets of investigations.

An FBI computer system was breached at the bureau’s New York field office, CNN reported in mid-February. Asked about that intrusion, the FBI issued a statement calling it “an isolated incident that has been contained”. It declined further comment, including when it occurred and whether ransomware was involved.

There was no indication the Health Link breach was ransomware related.

‘Lives are at stake’: hacking of US hospitals highlights deadly risk of ransomware

The number of ransomware attacks on US healthcare organizations increased 94% from 2021 to 2022, according to one report

Last week, the US government warned that hospitals across the US have been targeted by an aggressive ransomware campaign originating from North Korea since 2021. Ransomware hacks, in which attackers encrypt computer networks and demand payment to make them functional again, have been a growing concern for both the private and public sector since the 90s. But they can be particularly devastating in the healthcare industry, where even minutes of down time can have deadly consequences, and have become ominously frequent.

The number of ransomware attacks on healthcare organizations increased 94% from 2021 to 2022, according to a report from the cybersecurity firm Sophos. More than two-thirds of healthcare organizations in the US said they had experienced a ransomware attack in 2021, the study said, up from 34% in 2020.

Ransomware attacks on healthcare are particularly common in the US, with 41% of such attacks globally having been carried out against US-based firms in 2021.

“The current outlook is terrible,” said Israel Barak, CISO of Cybereason. “We are seeing the industry experience an extremely sharp increase in both the quantity and level of sophistication of these attacks.”

Ransomware hacks have caused major healthcare disruptions, including delayed chemotherapy treatments and ambulances being diverted from a San Diego emergency room after computer systems were frozen. In 2021, a lawsuit filed by the mother of a baby who died in Alabama alleged the first “death by ransomware”, blaming a 2019 hack of a hospital for fatal brain damage of the newborn after heart rate monitors failed.

The possibly devastating consequences for medical facilities may be one of the reasons hackers have identified them as a high-profile target. “The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” said the advisory from the Cybersecurity and Infrastructure Security Agency (CISA).

CISA and others advise hospitals against paying ransoms, but providers often feel they have no choice, said Barak. In 2021, 61% of healthcare organizations that suffered a ransomware attack paid the ransom – the highest percentage of any industry sector.

“When lives are at stake, it makes the decision very easy,” Barak said. “These attackers have identified medical organizations as very, very good targets because they are more likely to pay.”

Attacks are typically carried out by private groups of criminals, experts say: in the third quarter of 2021, 30% of ransomware attacks on healthcare entities were carried out by Conti, a crime syndicate thought to be based in Russia, according to an industry report from cybersecurity firm BreachQuest.

But the North Korea incident revealed last week is just the latest state actor to orchestrate ransomware attacks on health care organizations after the FBI revealed in June it had thwarted an attack from Iran on a Boston Children’s hospital.

Underfunded hospitals hit by Covid squeeze

The healthcare industry has been hit by a perfect storm of factors that have escalated the ransomware problem, experts say: patient information is increasingly being digitized as hospitals struggle with small internet security budgets.

In 2009, the Obama administration passed a bill requiring all public and private healthcare providers to adopt electronic medical records by 2014, resulting in a massive migration of paper patient records to online systems. But today, just 4-7% of the average healthcare provider’s annual IT budget is focused on cybersecurity, the BreachQuest study said.

“Healthcare providers have gone through massive digital transformation in a very short amount of time,” said Hank Schless, senior security expert at the cybersecurity firm Lookout.

The move was accelerated by the pandemic, he added, as more providers shifted to telehealth to connect with patients during lockdown and hospital staff were stretched thin by the influx of sick and dying patients.

CISA has advised a “3-2-1 backup approach” for healthcare entities, including saving three copies of each type of data in two different formats, including one offline. But the agency’s advisory to hospitals is “somewhat unhelpful”, said Vincent Berk, chief security officer at the cybersecurity firm Quantum Xchange, offering generic recommendations about securing data with little clear path to doing so.

“The issue with this attack, and any other ransomware attack, is that the cure doesn’t really exist,” he said. “In other words, if it happens, it is already too late.”

Legislators are attempting to fill in those gaps. In May, Senator Patty Murray of Washington led a hearing on strengthening cybersecurity in the healthcare and education sectors, saying that the US “needs to address cybersecurity attacks and ensure they are treated like the national security threat they are”.

“These kinds of challenges don’t just cause major headaches, lawsuits, and expenses for hospitals,” she said. “They put patients in danger. They undermine our national security. And in some cases they even cost lives.”

In March 2022 the Senate introduced a bipartisan bill called the Healthcare Cybersecurity Act, which would direct CISA and the Department of Health and Human Services (HHS) to collaborate on a plan to bolster cybersecurity measures among healthcare and public health organizations.

Those measures would include cybersecurity training to employees of health organizations and authorize studies from CISA to identify risks in the industry. It is unclear when the bill is set for a vote, but experts say such legislation is more urgent than ever.

“There’s zero deterrence right now,” Barak said. “Until we find a more effective way to tackle this issue, I am afraid the outlook is not looking good.”