Who really has the 4TB of Change Healthcare data 4 sale? And in great timing, Optum lays off a rumored 20K–say wot?

The data is for sale! And the top does not go down, but the price definitely goes up! That old antique auto auction cry is paraphrased here because the 4TB of patient data hacked from Change’s systems is up for sale, since Change/Optum didn’t buy it. Interested parties should stroll over to the dark web and see RansomHub’s listing for details.

Unlike some news sources that got confused, this apparently is the same 4TB that BlackCat/ALPHV affiliate ‘notchy’ stole (technically, exfiltrated) posted about on a dark web site shortly after the attack [TTA 7 Mar]. According to those early reports, ‘notchy’ was dissatisfied that he didn’t get a cut of the $22 million ransom that Optum supposedly paid the BlackCat/ALPHV group.

For their $22 million ransom, which Change has not, repeat NOT, confirmed, ALPHV gave Change a decryptor key. But, they didn’t have the good manners to 1) return the stolen data to Change or delete it, which included highly sensitive data from multiple Change customers including active military PII (from Tricare), patient PII, payment and claims data, and much more, and 2) pay a cut to the affiliate. And then ALPHV shut down and ran out of town.

Here’s the latest updates from DataBreaches. net

Over a month later, an outfit called RansomHub posted, again on the dark web, that it has the 4TB of data. 

As reported here on 10 April, there was an announcement on the RansomHub website, not signed by ‘notchy’, that if Change wasn’t interested in paying for the data, it would be up for sale. There was some confusion, based on a WIRED report, that this was a second breach. The RansomHub information seemed to point to only ‘notchy’s’ data.

DataBreaches followed up with RansomHub to 1) verify they had the data, asking if 2) was it ‘notchy’s data’, and 3) how did RansomHub obtain it if not ‘notchy’? RansomHub also leaked some screenshots of  2011-2013 Medicare claims data. This old data raises even more questions on why this data was even available online and not stored offline…unless…. RansomHub’s 15 April posting included this statement, “The more we go through the data the more we are shocked of the amount of financial, medical, and personal information we find and it will be more devastating than the first attack itself.” 

By 16 April, DataBreaches reported that the listing read:

Change HealthCare – OPTUM Group – United HealthCare Group – FOR SALE

The data in now for sale. Anyone interested in the purchase should contact RansomHub. 

But does RansomHub actually have it? Are they ‘notchy’, in it with ‘notchy’, brokering ‘notchy’, or is it a second 4TB breach? Stay tuned.

Thousands at Optum won’t care one way or another. Reports since last Thursday have been that first hundreds, then thousands, then up to 20,000, have been laid off. These are based on social media postings on LinkedIn and boards like The Layoff where anyone can post. Optum has not confirmed any layoffs to industry media such as FierceHealthcare and Becker’s Hospital Review / Becker’s ASC Review which published reports starting last Friday. Federal and state WARN notices, which usually confirm mass layoffs by state, have been oddly empty. 

Across the reports, Optum has laid off staff from their California care division (400), home health provider Landmark Health (500), urgent care MedExpress (all as of 18 July), Genoa (OptumRx-unknown). Notices range from immediate, to two weeks into May, and forward. Types of jobs eliminated have been at all levels of regional and corporate, affecting engineers, care management, clinical, case directors, data operations, and integration managers. This LinkedIn post claims up to 20,000. Optum’s silence has let the rumor mill run overtime.

CMS has lowered Medicare Advantage reimbursement, but other insurers factored this in earlier this year. The major whack was the Change Healthcare cyberattack. Though the public posture of UnitedHealth Group is that most of the systems are back or being worked around, the financial truth is that the Change disaster will cost them $1.6 billion in 2024 as announced last week. It does lead one to wonder about how mighty UHG, on an acquisition tear for years through today, always doing well and pleasing Mr. Market, got quite so overstaffed. How would it be overstaffed by thousands or the rumored 20,000 who are suddenly, dramatically unnecessary? That may boost the stock, but it gives the Feds yet another ax to grind, what with the House savaging an absent UHG on the cyberattack handling and their payments to providers [TTA 18 April], DOJ taking a hard cold look into UHG’s business practices, specifically around antitrust between the payer group and Optum [TTA 6 Mar], and approvals for the Amedisys buy stalling.

Here’s a view at variance, not about the layoffs but about how UHG is really doing. STAT’s analysis of UHG’s financial report is that the Change losses barely dent the overall picture and won’t affect 2024 earnings. Q1’s loss was mostly the Brazil writedown. It also confirmed that CEO Andrew Witty had a certain gall to say in prepared remarks that the Change situation would have been so much worse had they not been owned by UHG. Mr. Witty will have some ‘splainin’ to do before the House and the Senate, 30 April and 1 May, respectively.

2023 US data breaches topped 171M records, up 187% versus 2022: Protenus Breach Barometer

2023’s US healthcare data breaches hit an all time high, both in reported breaches and number of records affected. Protenus, which publishes an annual Breach Barometer, uses multiple data sources including Health and Human Services’ public breach tool. The numbers are shocking for both:

  • HHS 2023 reported 725 reports and about 135 million records
  • Protenus‘ numbers are significantly higher: 1,161 reports and 171,139,241 breached records. In 2022, the totals were respectively 1,138 reports affecting a total of 59,664,152 breached records. Breached records were up 187% in 2023.

The variance in reporting is due to factors including not knowing the true scope of the breach in reporting to HHS, state reports being incomplete, and business associate reports covering all or only some of their clients.

Also included in their report is a discussion on how HHS through the Office of Civil Rights (OCR) response to breaches contained in HHS’s 2022 annual report released last month. In investigating, they seem to prefer voluntary resolutions and corrective actions. Only three  resolution agreements with monetary penalties and corrective action plans were imposed.

The Protenus Breach Barometer report is available for free download here. DataBreaches.net collaborated with Protenus in the report.

Hackermania runs wild…all the way to the bank! Ransomware strikes Crozer-Keystone, UCSF med school, others

News to make you livid. After surviving (to date) the COVID pandemic, health systems and medical schools are being attacked by ransomware criminals. Both the small Crozer-Keystone Health System and the globally known University of California San Francisco School of Medicine have been attacked by the ever-so cutely named Netwalker (a/k/a MailTo). Yes, this criminal hacker gang isn’t outside banging pots for first responders or donating money, or even sticking to a brief truce (Emsisoft), but figuring ways to spread malware into healthcare organizations for fun and profit. 

And profitable it’s been. UCSF paid Netwalker the princely sum of $1.14 million (£910,000) in 116.4 bitcoins after an attack starting 1 June that was also (to add insult to injury) published on Netwalker’s public blog. In the timeline presented by BBC News, it was negotiated down (professionally) from $3 million; BBC also obtained some key parts of the negotiation via an anonymous tipoff, and it’s fascinating reading. Netwalker leads the victim to a dark web ‘customer service’ site where there’s a countdown to double payment or deletion of your now-encrypted data. They are also able to live chat with the victim.

UCSF was able to limit the malware encryption damage to servers within the School of Medicine (according to the BBC, literally unplugging computers; according to UCSF, isolating servers) but decided to pay the ransom to unlock the encrypted data and return data they obtained, stating in its public release “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good”. They will work with the FBI on the incident and have brought on board outside expert help.

According to FierceHealthcare, Netwalker was also behind the attack on the Champaign-Urbana Public Health District (Illinois) website in March and Michigan State University’s network in May.

Paying ransom is contrary to the advice of the major world security services such as the FBI, Europol, and the UK’s National Cyber Security Centre, on the simple basis that it encourages them. It’s a true damned-if-you-do, damned-if-you-don’t situation, as Brett Callow, a threat analyst at cyber-security company Emsisoft, said to the BBC: “But why would a ruthless criminal enterprise delete data that it may be able to further monetise at a later date?” 

Crozer-Keystone to date has refused to pay ransom. On 19 June, bitcoin publication Cointelegraph published a screenshot of Netwalker’s dark web auction page of the data. Apparently it is all financial and not medical records or PHI. Crozer also isolated the intrusion and took systems offline. Crozer is a small system of four hospitals in suburban Philadelphia (Delaware County) and serves parts of the state of Delaware and western New Jersey.

Neither Crozer nor UCSF have gone public with the source of the breach, but it is known that the main lure during the pandemic has been phishing emails with COVID-19 results or news, loaded with malware downloads.

As this Editor wrote back in May 2018 on the anniversary of WannaCry, it’s not a matter of if, but when, at highly vulnerable organizations like healthcare and academia with high-value information records. Right now, the Hakbit spear-phishing ransomware connected to an Excel spreadsheet macro is targeting mid-level individuals at pharma, healthcare, and other sectors in Austria, Germany, and Switzerland, according to tech research firm Proofpoint. TechGenix

More: Becker’s 22 June on Crozer-Keystone, 29 June on UCSF, 12 largest healthcare breaches to date, 10 healthcare system incidents for June, Kroger hacking incident exposing 11,000 health records. DataBreaches.net news page.

The Breach Barometer hits a new high for healthcare–and the year isn’t over

31.6 million healthcare breached records can’t be right? But it is, and it’s double all of 2018. Protenus’ Breach Barometer for the first six months of the year tallied over double the number of patient records breached calculated for 2018 (15.1 million). The number of breach incidents reported was smaller–285 breach incidents disclosed to the US Department of Health and Human Services or the media–compared to 503 breaches in 2018, which means that individual data breaches affected far more records.

Hackermania is running wilder than ever. Nearly half the breaches were due to hacking. The big kahuna of breaches this year was reported in May at American Medical Collection Agency, a third-party billing collections firm. This eight-month breach affected 20 to 22 million records at Quest Diagnostics, LabCorp, Opko Health, under one of its subsidiaries, BioReference Laboratories, Inc., and Clinical Pathology Laboratories [TTA 5 June] This hack also involved Optum360, a Quest contractor and part of healthcare giant Optum. In terms of PII, the records breached included SSI, DOB, and physical addresses.

 Yet insider breaches are still a significant threat at 21 percent, whether from errors without malicious intent or deliberate wrongdoing. In the report, Protenus (with DataBreaches.net) calculated that 60 of the 285 breaches were insider-related affecting 3.5 million records. 35 were insider-error incidents, with 22 additional due to wrongdoing.

When it comes to breaches, the trend is easily not healthcare organizations’ friend, as 2018 tripled 2017’s total breached records. This is despite the new emphasis on healthcare IT security and insider training. Protenus release, FierceHealthcare, Protenus first half report (PDF)

More and more into the (data) breach: 3X more patient records in Q2, UnityPoint’s breach balloons to 1.3M

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]And we thought Healthcare Hackermania was following the Hulkster into retirement. After a quiet Q1, data breaches and hack attacks blew up both in Q2 and now in this quarter.

Data compliance analytics firm Protenus’ Breach Barometer (with DataBreaches.net) has been tracking healthcare data breaches for years. It was quiet last quarter with 1.13 million patient records affected in 110 separate health data breaches. But last quarter was a true triple threat with patient records up three times to 3.14 million, 142 separate breaches–which means more per breach on average. What is also distressing is that 29.71 percent are repeat offenses among employees, up from 21 percent in the previous quarter.

  • 36.6 percent of breaches were due to external hacking, nearly double that of Q1.
  • 30.99 percent were due to insiders, either through deliberate wrongdoing (theft) or insider error. Insider wrongdoing was led by family members snooping on other family members’ records. Not Russians, Chinese, NoKos, or Bulgarians bashing about. 
  • In contrast to Q1, where the biggest data breach was a network hack of an Oklahoma-based health network (reportedly the Oklahoma State University Center for Health Sciences), compromising nearly 280,000 records, Q2’s Big Breach was a physical burglary of the California Department of Developmental Services in Sacramento affecting over 581,000 records. After the usual ransacking and theft, the burglars started a fire before they left and the sprinklers did the rest.

It routinely takes nearly forever from when a breach occurs to when it is discovered: in Q1 244 days, in Q2 204 days. In Q2 the longest discovery time was over five years –2013 to 2018. This indicates that insiders may be good at covering their tracks, and/or IT staff don’t get around to detecting and policing breaches.

Protenus and DataBreaches.net compile incidents disclosed to HHS and reported in the media, and are now adding their own proprietary, non-public data on the status of health data breaches nationwide, including a review of tens of trillions of individual
accesses to EHRs which Protenus audits as part of their healthcare systems services. More detail in Protenus Q2 and Q1 full reports, HealthITSecurity (Q1)

Certain to lead their Q3 report is the 1.4 million patient record breach at UnityPoint Health, an Iowa-based health system. In May, a small phishing breach compromised 16,000 records. This cyberattack also started with email phishing and spread through employee networks. “The phishing campaign tricked employees into providing confidential login information, which hackers used to infiltrate email accounts and access data contained within.” Were the hackers after patient data? According to UnityPoint, “The phishing attack on UnityPoint Health was more likely focused on diverting business funds from our organization.” Healthcare Analytics News

You may not want a cyberattack, but cyberattacks and hacking want you….

MediBioSense and Blue Cedar take a new approach to secure medical wearable data (UK/US)

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2018/01/VitalPatch_Header_Photo_Tablet.jpg” thumb_width=”150″ /]Doncaster UK-based MediBioSense Ltd. has partnered with San Francisco-based Blue Cedar to protect their VitalPatch app on smartphones and tablets. MediBioSense uses VitalPatch in their MBS HealthStream system marketed in the UK in acute care and long-term care setting. Blue Cedar is securing the app through their patented code-injected technology which protects the VitalPatch-collected data from the app to the provider database. The system with Blue Cedar’s security is available directly from MediBioSense.

VitalPatch is a single-use adhesive biosensor patch applied to the patient’s chest (see left above). It monitors eight vital signs and activity signs: heart rate, respiration, ECG, heart rate variability, temperature, body posture including fall detection/severity, and steps as an indicator of activity. MediBioSense contracted with the US-based developer, VitalConnect, to sell the system in the UK. VitalPatch is US FDA-cleared (Class II) and CE Marked for the EU.

One impetus, according to the release (PDF), is the GDPR (General Data Protection Regulation), the pan-European/UK data-protection law slated to take effect in May. This not only applies to European Union citizens’ personal data but also requires reports on how organizations safeguard that data. 

Blue Cedar, which this Editor has previously profiled [TTA 3 May 17], has developed code-injection technology that secures data from the app to the provider location on their servers or in the cloud. It secures the app without the device being managed. Devices have their own vulnerabilities when it comes to apps even when secured, as 84 percent of cyberattacks happen at the application layer (SAP). Blue Cedar’s security also enables tap-and-go from an icon versus multiple security entries, thus quick downloading from app stores or websites. For companies, the secured app provides granular analytic reports about users, app usage, devices, and operating systems which are useful for GDPR requirements.

Blue Cedar’s latest release of app security is Enforce, to secure existing mobile apps using in-app embedded controls to enforce a broad range of security policies. It is sold on the Microsoft Azure cloud platform and is primarily targeted to the value-added reseller (VAR) market. 

All the more reason to use all means to secure devices and apps. When as of last week Allscripts‘ EHR for e-prescribing was hit with a ransomware attack (FierceHealthcare), yet another hospital (Hancock Regional in Indianapolis) paid $5,000 to hackers to get back online (Digital Health), and Protenus/DataBreaches.net tracks a breach a day [TTA 29 Dec 17], cybersecurity has become Job #1 for anyone in the healthcare field. (And Big Healthcare now votes for security. Protenus today announced their $11 million Series B led by Kaiser Permanente Ventures and F-Prime Capital Partners. Release.)

Rounding up the roundups in health tech and digital health for 2017; looking forward to 2018’s Nitty-Gritty

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2017/12/Lasso.jpg” thumb_width=”100″ /]Our Editors will be lassoing our thoughts for what happened in 2017 and looking forward to 2018 in several articles. So let’s get started! Happy Trails!

2017’s digital health M&A is well-covered by Jonah Comstock’s Mobihealthnews overview. In this aggregation, the M&A trends to be seen are 1) merging of services that are rather alike (e.g. two diabetes app/education or telehealth/telemedicine providers) to buy market share, 2) services that complement each other by being similar but with strengths in different markets or broaden capabilities (Teladoc and Best Doctors, GlobalMed and TreatMD), 3) fill a gap in a portfolio (Philips‘ various acquisitions), or 4) payers trying yet again to cement themselves into digital health, which has had a checkered record indeed. This consolidation is to be expected in a fluid and relatively early stage environment.

In this roundup, we miss the telecom moves of prior years, most of which have misfired. WebMD, once an acquirer, once on the ropes, is being acquired into a fully corporate info provider structure with its pending acquisition by KKR’s Internet Brands, an information SaaS/web hoster in multiple verticals. This points to the commodification of healthcare information. 

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2017/12/canary-in-the-coal-mine.jpgw595.jpeg” thumb_width=”150″ /]Love that canary! We have a paradigm breaker in the pending CVS-Aetna merger into the very structure of how healthcare can be made more convenient, delivered, billed, and paid for–if it is approved and not challenged, which is a very real possibility. Over the next two years, if this works, look for supermarkets to get into the healthcare business. Payers, drug stores, and retailers have few places to go. The worldwide wild card: Walgreens Boots. Start with our article here and move to our previous articles linked at the end.

US telehealth and telemedicine’s march towards reimbursement and parity payment continues. See our article on the CCHP roundup and policy paper (for the most stalwart of wonks only). Another major change in the US is payment for more services under Medicare, issued in early November by the Centers for Medicare and Medicaid Services (CMS) in its Final Rule for the 2018 Medicare Physician Fee Schedule. This also increases payment to nearly $60 per month for remote patient monitoring, which will help struggling RPM providers. Not quite a stride, but less of a stumble for the Grizzled Survivors. MedCityNews

In the UK, our friends at The King’s Fund have rounded up their most popular content of 2017 here. Newer models of telehealth and telemedicine such as Babylon Health and PushDoctor continue to struggle to find a place in the national structure. (Babylon’s challenge to the CQC was dropped before Christmas at their cost of £11,000 in High Court costs.) Judging from our Tender Alerts, compared to the US, telecare integration into housing is far ahead for those most in need especially in support at home. Yet there are glaring disparities due to funding–witness the national scandal of NHS Kernow withdrawing telehealth from local residents earlier this year [TTA coverage here]. This Editor is pleased to report that as of 5 December, NHS Kernow’s Governing Body has approved plans to retain and reconfigure Telehealth services, working in partnership with the provider Cornwall Partnership NHS Foundation Trust (CFT). Their notice is here.

More UK roundups are available on Digital Health News: 2017 review, most read stories, and cybersecurity predictions for 2018. David Doherty’s compiled a group of the major international health tech events for 2018 over at 3G Doctor. Which reminds this Editor to tell him to list #MedMo18 November 29-30 in NYC and that he might want to consider updating the name to 5G Doctor to mark the transition over to 5G wireless service advancing in 2018.

Data breaches continue to be a worry. The Protenus/DataBreaches.net roundup for November continues the breach a day trend. The largest breach they detected was of over 16,000 patient records at the Hackensack Sleep and Pulmonary Center in New Jersey. The monthly total was almost 84,000 records, a low compared to the prior few months, but there may be some reporting shifting into December. Protenus blog, MedCityNews

And perhaps there’s a future for wearables, in the watch form. The Apple Watch’s disconnecting from the phone (and the slowness of older models) has led to companies like AliveCor’s KardiaBand EKG (ECG) providing add-ons to the watch. Apple is trying to develop its own non-invasive blood glucose monitor, with Alphabet’s (Google) Verily Study Watch in test having sensors that can collect data on heart rate, gait and skin temperature. More here from CNBC on Big Tech and healthcare, Apple’s wearables.

Telehealth saves lives, as an Australian nurse at an isolated Coral Bay clinic found out. He hooked himself up to the ECG machine and dialed into the Emergency Telehealth Service (ETS). With assistance from volunteers, he was able to medicate himself with clotbusters until the Royal Flying Doctor Service transferred him to a Perth hospital. Now if he had a KardiaBand….WAToday.com.au  Hat tip to Mike Clark

This Editor’s parting words for 2017 will be right down to the Real Nitty-Gritty, so read on!: (more…)

Hackermania meets The Dark Overlord with 2.3 million 2017 health data breaches

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”150″ /]It’s a cage match! Reports are soaring, with a proliferation of data breaches year to date, after a relatively quiet period in 2016.

The Dark Overlord (TDO), in the mainstream news with dumping unseen Netflix program episodes on illegal file-sharing sites and demanding ransom (Guardian), also has been hard at work dumping PHI hacked from various clinics. DataBreaches.net tallied it at 180,000 records from at least nine medical clinics.

Health data security developer/provider Protenus, whose Breach Barometer tracks the numbers, counted 2.1 million breaches in 1st Quarter. March spiked with 700,000 coming from Commonwealth Health Corporation of Kentucky.

Our standby Privacy Rights Clearinghouse counted over 175,000 to date, but 160,000 came from MedCenter Health in Protenus’ total, so their net addition was 15,000. But PRC’s detail illustrates that ransomware is alive, well, and invading smaller healthcare organizations. Other reasons are unauthorized data server access, third-party vendors, email error, and theft.