Bankers Life is notifying more than 566,000 individuals, including Medicare supplemental insurance policyholders, that their personal information was exposed in a hacking incident. Employee credentials were compromised, enabling unauthorized third parties to gain access to certain company websites containing personal data on policyholders and applicants, the insurer says.
The incident, which was reported by Bankers Life’s parent company, CNO Financial Group, to the Department of Health and Human Services as an “unauthorized access/disclosure” breach, is the fifth-largest incident added to the HIPAA Breach Reporting Tool website so far this year. Commonly called the “wall of shame,” the HHS website lists health data breaches impacting 500 or more individuals.
Hackers have breached a HealthCare.gov sign-up system and have gotten their hands on the personal information of roughly 75,000 people, the government said on Friday, October 19. The CMS said that it detected “anomalous system activity” in the FFE on October 13, 2018, and started an immediate investigation. A breach was confirmed on October 16.
The system is named Federally Facilitated Exchanges (FFE), and is managed by the Centers for Medicare & Medicaid Services (CMS). Healthcare insurance agents and brokers use the FFE to enroll users into Obamacare plans made available through the official HealthCare.gov portal.
Further research indicated that in a survey of 100 internet users, 89% had used a medical website to help self-diagnose an ailment at some point, yet only 42% understood that the activity they conducted was then shared with other third-party companies. This means 58% of the users surveyed had no idea that their information was being passed on to companies after they had clicked ‘Accept’ on the site’s cookies policy.
Hackers are leveraging error messages from connected medical devices — including radiology, X-ray and other imaging systems — to gain valuable insights, according to Zingbox. These insights are then used to refine the attacks, increasing the chance of a successful hack.
The research revealed that hackers can “trick” or induce medical devices into sharing detailed information about the device’s inner workings, and that leveraging this information quickens a hacker’s access to a hospital’s network.
Four years after its public disclosure, the Misfortune Cookie vulnerability continues to be a threat. The critical vulnerability was reported initially in 2014 by Check Point researchers, who found it lodged in some versions of the RomPager embedded web server, used for hosting the web-based administration panel by about 200 router models from different makers.
It turns out that the same versions of RomPager affected by the Misfortune Cookie run on different variants of the Capsule Datacaptor Terminal Server (DTS), which is part of the medical device information system. The device is used in hospitals to connect bedside equipment (anesthesia and infusion pumps, respirators and IoT products) to the network.
Read more about the new threat posed by the 4-year-old Misfortune Cookie vulnerability on BleepingComputer.
Augusta University Health said it was hit with a data breach that exposed the personal information of some 417,000 patients, faculty, and students at the Georgia institution.
Names, addresses, dates of birth, lab test results, diagnoses, medications, surgeries, and health insurance information were among the data exposed, as well as a “small percentage” of driver’s license and Social Security numbers, according to the hospital system, the HIPAA Journal reported.
Read more about the data breach, which was the result of a successful phishing attack that occurred in September 2017, on DarkReading.
A decade has passed since we learned about pacemaker hacks, yet implantable medical devices that can save patients’ lives can still be hacked to potentially kill them. Even now, as was highlighted at Black Hat USA, attackers can cause pacemakers to deliver a deadly shock to the heart or deny a life-saving shock, as well as prevent insulin pumps from delivering insulin.
At the recent Black Hat and Def Con security conferences in Las Vegas, one set of researchers showed off hacks to pacemakers and insulin pumps that could potentially prove lethal, while another researcher explained how hospital patients’ vital signs could be falsified in real time.
Read more about the disturbing discoveries relating to medical device insecurity on CSO.
OpenEMR is a popular, open-source software solution for the management of millions of electronic patient records worldwide. However, the software, until recently, also contained over 20 severe security issues.
The bugs were discovered by Project Insecurity and disclosed in a security advisory. The team said they included multiple instances of SQL injection flaws, multiple security problems which could lead to remote code execution, and vulnerabilities leading to unauthenticated information disclosure.
Read more about the 20 severe bugs that were found in OpenEMR by a single cybersecurity group, on ZDNet.
A MongoDB database was exposed online that contained health care information for 2 million patients in Mexico. This data included information such as the person’s full name, gender, date of birth, insurance information, disability status, and home address.
The database was discovered by security researcher Bob Diachenko via Shodan, which is a search engine for all Internet-connected devices and not just web servers. When discovered, this database was fully exposed to the Internet and could be accessed and edited by anyone without a password.
Read more about the massive health care data breach affecting 2 million patients in Mexico on BleepingComputer.
Thus far in 2018, organizations and individuals worldwide have experienced a large number of high-profile cyber attacks, with criminals stealing billions of dollars as well as personal information from hundreds of millions of people.
Black Hat USA, an annual cybersecurity conference taking place in August, is a great opportunity for practitioners to get a glimpse into both emerging attack vectors and the latest technologies designed to protect against these attacks.
Read why Idan Ninyo, CTO at YL Ventures, believes that cybersecurity trends related to cryptocurrencies, medical devices and machine learning warrant a closer investigation at this year’s conference, on Help Net Security.