Short takes: Legrand acquires Enovation, FDA nixes Cue Health’s Covid tests, Ascension confirms ransomware attack–who did it? (updated), beware of ‘vishing’ courtesy of ChatGPT

Legrand Care acquires Enovation. Enovation is a Netherlands-based digital health company with a connected care platform for care monitoring across prevention, early detection, medication checks, and remote healthcare. Its customer base includes ambulances, pharmacies, clinics, hospitals, and home care. With distribution in healthcare organizations across 18 countries, including Scottish Digital Telecare [TTA 11 Aug 2021], it will join the equally international Legrand’s Assisted Living and Healthcare (AL&HC) business unit with Intervox, Neat, Tynetec, Jontek, and Aid Call. Acquisition cost was not disclosed. Release   Legrand and Tynetec are long-time supporters of TTA.

The hammer drops on embattled Cue Health. The US Food and Drug Administration (FDA) has invalidated Cue Health’s Covid-19 Tests for Home and OTC Use and for the authorized lab test version. Home users were advised to discard unused kits in household trash. Both consumers and providers were advised to retest if symptoms persisted after a negative test result. This followed an FDA inspection of their operations that determined that unauthorized changes to the test kit design were made along with failures in performance testing. A Warning Letter was issued to Cue on 9 May. The company has not yet responded. FDA Safety Communication

Cue was one of many biotech manufacturers that marketed Covid-19 point of care/lab, and home testing kits after obtaining Emergency Use Authorizations (EUA) in 2020 and 2021. It exploded in size and went public in September 2021 at $200 million and $16/share with a valuation of $3 billion. Today HLTH shares trade on NasdaqCM at a little bit over $0.13. Their headquarters facilities in San Diego that once had 1,500 employees must be a lonely place, as the company reported another layoff of 230 employees, about half of remaining staff, after earlier layoff rounds of 245 in February and 880 in 2023. Their remaining test is one for Mpox on a EUA. Two other tests developed for flu and RSV are still under FDA review.  Cue Health’s financial reports for 2023 were dismal with revenue down to $71 million, an 85% reduction versus 2022, and a net loss of $373.5 million. Recent reports indicate that the company will refocus on marketing its Cue Health Monitoring System. Management and board changes have also been drastic, with a CEO change in March (Yahoo Finance) and the CFO departing this past Monday. MedTech Dive

Ascension Health finally acknowledged that its cyberattack was ransomware-based. On Saturday 11 May, their website event update confirmed that the cyberattack was ransomware. The Saturday and Monday 13 May updates also confirm that system operations will continue to be disrupted with no timetable set for restoration to normal status. Impacted systems include their EHR, MyChart, and some hospitals are diverting emergency care. The update page now has 12 regional updates and a general + patient FAQ. Update: in these states, Ascension’s retail pharmacies cannot fill prescriptions: Florida, Wisconsin and the District of Columbia. Their website recommends that patients bring paperwork and prescription containers. Lab and imaging results are delayed. Since the hospitals are on manual systems, overall there are delays in admissions–bring documentation. And the class-action suits have started, with reports that three have been filed already. Healthcare IT News

Who dunnit? DataBreaches.net reported over the weekend that Ascension’s hack has been attributed to interestingly named ransomwareistes Black Basta. Late last week, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Black Basta. It’s another charming ransomware-as-a-service (RaaS) with bad news affiliates like BlackCat/ALPHV wreaking havoc on over 500 organizations globally. No word on whether Ascension has paid ransom. 

Speaking of cybersecurity, now something else to worry about–‘vishing’. This is ‘voice phishing’, another generative AI-facilitated hack that uses snippets of a human voice to pose as people or representing organizations via phone call or voicemail. Not enough? There’s ‘smishing’–SMS or text phishing which can invade your phone with all sorts of nasty messages. These attacks, according to cybersec firm Enea, are up twelve-fold since the launch of ChatGPT. Vishing, smishing, and phishing (email) attacks have increased by a staggering 1,265%. 76% of enterprises lack sufficient voice and messaging fraud protection. Can we go back to the 1990s? 2000s? When we worried about “Nigerian princes” email scams? Becker’s, Enea survey report

Dry the tears: WannaCry stymied, North Korea hackers suspect. Is this a poke for a worse attack?

Breaking News This morning’s (Tuesday 16 May) news is about reputable security organizations–Kaspersky Lab and Symantec–connecting the dots that lead for now to a North Korea-linked hacking organization, the Lazarus Group. This group has been identified in previous hack attacks and is based upon WannaCry code appearing in Lazarus programs. US Homeland Security has admitted seeing the same similarities, but all are working to gain more information.

Lazarus has been previously identified as the source of the 2014 Sony attack and the theft of $81 million from the Bangladesh central bank, again linked to fundraising for North Korea for its missiles, army, EMP and nuclear arming while its terrorized people starve. However, this attack was a flop; according to US Homeland Security, about $70,000 was raised in ransom. The Homeland Security spokesman also distanced the NSA from the original information which targeted weaknesses in Microsoft’s systems.

According to reports, WannaCry disproportionately affected Russia, Taiwan, Ukraine and India, according to Czech security firm Avast. No US Federal government systems were affected. China on Monday reported that it attacked traffic police and school systems.

The Telegraph has posted a speculative list of 34 NHS organizations which suffered IT failure during the WannaCry attack. The article includes a map produced by MalwareTech that geographically spots the infection locations; the Boston to Washington corridor is a sea of blue dots. And…Marcus Hutchins has been identified as the young UK tech working for Kryptos Logic who redirected the attacks by buying a domain embedded in the WannaCry code. How it worked, according to PC World, is that if the malware can’t connect to the unregistered domain, it infects the system. By registering the domain and creating a page for the malware to connect to, he stopped the malware spread. (Video in Telegraph article)  Also FoxNews

But is this a prelude to more and worse? Is this testing our preparedness? If so, we’ve been found wanting on an enterprise level with vulnerable systems and administrators not updating their software and OS. George Avetisov, the CEO of HYPR, a biometric authentication company, in The Hill, summarized it neatly today: “We’ve also learned the hard way that, simply through a coordinated phishing attack on unsuspecting users, hackers can disrupt the day-to-day activities of enterprises that provide communications, travel, freight and healthcare administration simply by remotely deploying malware.” He then goes on to praise President Trump’s executive order (EO), “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which he signed on Thursday–right before all this began. As if in confirmation…ShadowBrokers, the group that hacked the NSA files, today announced the availability of a subscription to a ‘members only data dump’ like a Wine of the Month Club. Watch out, banks and healthcare, it’s open season! NHS, better pay attention to another kind of hygiene–cyberhygiene. Without it, plans for patient apps and data sharing will go sideways–and deserved fodder for Dame Fiona [TTA 10 May]. The Hill  Earlier coverage here

“The data security fault, dear Brutus, is not China, but in the company org chart”

[grow_thumb image=”https://telecareaware.com/wp-content/uploads/2015/06/Org-chart1.jpg” thumb_width=”150″ /]Mansur Habib, PhD and cybersecurity strategist, formerly CIO for the Baltimore City Health Department, proposes that any data breach analysis should start first with a hard look at the organizational chart. If the CIO or the chief information security officer (CISO) doesn’t report directly to the CEO, the executive clearly does not place priority on IT and data security, treating it as a cost center to be restricted; in his words, they do not ’embrace cybersecurity risk as business risk’. In his 2013 doctoral research in 2013 and subsequently, Dr Habib observed that about half of US HIT and cybersecurity heads report to the chief financial officer (CFO) or some other executive like a CAO (administrative). His withering take on most CEOs are that they are more concerned with stock price (more…)

PHI data: 361,000 examples that it’s more insecure than ever

We’ve been fairly consistent in our coverage of data breaches, including the regrettable fact that more digital data stored out there on EHRs and devices with low security means Happy Hacking (or Stealing) for Fun and Profit. [TTA 2 Apr] Here’s additional proof, including the first incident this Editor has seen of email phishing:

California, there they go: A theft of eight computers from Sutherland Healthcare Solutions’ medical billing and collections office compromised 338,700 patients’ personal health information (PHI), including SSIs. Sutherland provides services to the Los Angeles County Department of Health Services and Department of Public Health. Being California, three class action lawsuits have already been filed. Kaiser Permanente compromised 5,100 records at their Northern California Division of Research. According to iHealthBeat, it was on a laptop; Health Data Management reports it was on a server. The malware was lurking for 2 1/2 years (!) but it’s not determined whether the data was actually stolen. Phishing scam hits Catholic Health Initiatives, affects 12,000 in multiple states: What looked like an internal CHI email asking for patient information wasn’t– (more…)