Take a look
- Breach in medical technology company.
- How far will cybercriminals go?
- Never speak ill of the dead.
Breach in medical technology company.
Zoll Medical, a developer of medical technology based in the US state of Massachusetts, revealed a breach in which the data of approximately one million people was exposed. Zoll’s notification letter to those affected reads: “We determined that your information may have been affected on or about February 2, 2023.” The compromised data includes names, addresses, dates of birth, and Social Security numbers. Security Week notes that while Zoll says there are no signs the data has been abused, it’s reasonable that exposed information could be shared or sold online for use in phishing scams or other nefarious activities.
Stuart Wells, CTO of Jumio, points out the effects of major breaches on both individuals and organizations.
“Major breaches like this can have a devastating impact on both organizations and users. With personal details such as names, dates of birth, and Social Security numbers compromised, one million patients, current and former employees, as well as their families, are at risk of phishing attacks, insurance fraud, identity theft, and takeover attacks. of counts. This incident further demonstrates that healthcare organizations need to implement stronger security measures to protect their users, as well as their own reputations. For example, biometric authentication (which takes advantage of a person’s unique human traits to verify identity), life detection, and anti-phishing technology are strong security measures that can be used to ensure that only authorized users access the data, keeping the data protected and out. out of the hands of scammers.”
Data access for healthcare organizations is not frivolous or sloppy. But the data must be properly managed and protected. Jocelyn Houle, Senior Director of Data Governance at Securiti, explains: “Giving healthcare organizations access to patient data is essential to developing innovative treatments and improving the quality of patient care. The recent data breach from Zoll Medical highlights active threats and challenges healthcare organizations face in leveraging data and keeping it secure.While the exact cause of this cyberattack is still under investigation, personal health information (PHI) from Approximately one million people have been compromised, including names, addresses, dates of birth, and Social Security numbers.” He adds that “Understanding and tracking the PHI data one has is a priority for all healthcare organizations. With advances in artificial intelligence and machine learning techniques, organizations can now take advantage of automation to accurately discover data of PHI at scale, no matter where it is stored From a security standpoint, organizations must mitigate the risks of misconfiguration and enforce least privilege access to prevent unwanted data exposure Techniques such as data masking can enable key business users to leverage patient data and minimize the harm caused by a security breach.It is equally important to implement automation to identify what patient data lives where and for what purposes it is used to respect the privacy rights of the patient and understand the regulatory impact of a misfortune each data breach.”
How far will cybercriminals go?
As we discussed last week, following a recent cyberattack targeting US medical provider Lehigh Valley Health Network (LVHN), the BlackCat ransomware group released nude images of cancer patients stolen in the attack. Also last week, the Medusa threat group released screenshots of data stolen from the Minneapolis Public Schools detailing the sexual assault allegations, including the names of the alleged perpetrator and his victims. Such incidents indicate the lengths to which attackers are willing to go to pressure victims into meeting their ransom demands. Allan Liska, ransomware analyst at Recorded Future, told Wired: “As fewer victims pay the ransom, ransomware actors become more aggressive in their extortion techniques. I think we will see more of that. It closely follows patterns in kidnapping cases, where when the families of the victims refuse to pay, the kidnappers may send an ear or other body part of the victim.” Brett Callow, a threat analyst at antivirus company Emsisoft, says that in the past, attackers were reluctant to take such drastic measures, as it might motivate victims to end negotiations. Says Callow: “We haven’t really seen things like this before. The groups have done nasty things, but the target was adults, not cancer patients or school-age children.” The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) released its Annual Internet Crime Report this week noting that cybercriminals are becoming more aggressive in their extortion efforts. The report states: “In 2022, IC3 has seen an increase in an additional extortion tactic used to facilitate ransomware. Threat actors pressure victims to pay by threatening to publish the stolen data if they do not pay the ransom.” The silver lining is that these extreme tactics will likely only make victims less likely to want to do business with the perpetrators of such vile acts. Callow concludes, “I hope these tactics bite them in the butt and the companies say no, we can’t be seen funding an organization that does these egregious things.”
Never speak ill of the dead.
Facial recognition search engine PimEyes has faced criticism in the past for its use of extracted web images to populate its database without the consent of the subjects. More recently, Wired reports, it was discovered that the platform was also using images of the dead, culled from death announcements, memorial websites, and heritage-tracking sites like Ancestry.com. The practice raises many ethical questions, one of which is, is it possible (without a session) to obtain consent from the dead? Ancestry spokeswoman Katherine Wylie says users retain ownership and control of their data, including images, and the site’s terms and conditions prohibit scraping. Giorgi Gobronidze, director of PimEyes, says he didn’t know the Ancestry images were landing in his database. “PimEyes only tracks websites that officially allow us to do so,” says Gobronidze. “It was… very unpleasant news that our trackers somehow broke the rule.” PimEyes has now blocked the Ancestry.com domain from their site.
Meanwhile, Record by Recorded Future reports that data on the deceased was recently exposed in a hack by the Hawaii Department of Health in which hackers gained access to the state’s death registry. In January, Mandiant advised several state agencies that credentials for an external medical certifier of deaths account had been purchased for the state’s Electronic Death Recording System (EDRS). The compromised account belonged to a medical excertifier who had left the job in 2021, but his account had never been deactivated. Although the department immediately locked the account after Mandiant’s tip, a subsequent investigation revealed that an attacker had already accessed approximately 3,400 death records (which are separate from death certificates) dating from 1998 to 2023. The officials stated: “Death records contain the decedent’s name, social security number, address, gender, date of birth, date of death, place of death, and cause of death. The records that had been certified could not be altered and 99% of the records had been certified.
