Breach Roundup: Med Devices, Hospitals and a Death Registry
On Radar: Zoll, CHU Saint-Pierre, Latitude Financial, LA Housing Authority
Mihir Bagwe (MihirBagwe) • March 16, 2023
Every week, Information Security Media Group rounds up cybersecurity incidents around the world. In the days between March 10 and 16, separate data breaches at medical device manufacturer Zoll affected 1 million people, operations at CHU University hospitals in Belgium and France were temporarily affected, and a Hawaiian death registry system hack led to the hacker gaining access to all data for three days. LockBit 3.0 claimed responsibility for a yearlong breach at the Los Angeles Housing Authority, an Indian Railway ticketing app custodian paid a penalty for a December 2022 data breach, and information leaked during the U.S. Marshals Service data breach appeared on Russian-speaking underground cybercriminal forums for sale.
Zoll
A January data breach at medical device maker Zoll, which sells products across 140 countries, put at risk sensitive information of more than 1 million people. The company detected “unusual activity” on Jan. 28, followed by the hacker likely accessing names, addresses, birthdates and Social Security numbers of users of its LifeVest device – a wearable cardioverter defibrillator worn by patients at high risk of sudden cardiac death. Zoll offered victims two years of identity theft protection services (see: Heart Device Maker Says Hack Affected 1 Million Patients).
CHU Saint-Pierre, CHU Brest
A hacker attacked Centre Hospitalier Universitaire Saint-Pierre, a university hospital in Brussels, over the weekend, forcing it to temporarily disconnect servers. The hospital diverted ambulances for several hours but did not find evidence of medical data theft, hospital CEO Philippe Leroy told Belgian newspaper Le Soir.
CHU Brest, a university hospital in France, also faced a cyberattack last Thursday. It said that no data leaked and emergency services were unaffected. But the hospital disconnected its IT system from the internet as a precaution, which disrupted appointment booking services and staff communication.
Latitude Financial
A hacker’s unauthorized access to Latitude Financial’s system in Australia puts at risk data of more than 300,000 customers, including driver’s licenses of more than 100,000 people. The “unusual activity” was detected on Latitude’s systems through an unnamed “major vendor,” the company said. The attacker likely obtained Latitude employee login credentials, allowing the attacker to steal personal information, the company said in a filing with the Australian Securities Exchange (see: Australian Non-Bank Lender Discloses Hacks of Customer Data).
Hawaiian Death Registry
A hacker accessed the electronic death registry system of the Hawaii Department of Health in January using compromised credentials of an external medical certifier, the state disclosed last Thursday. An investigation showed that the compromised credentials belonged to a medical certifier at a local hospital who left employment in June 2021 but whose account had not been deactivated. The hacker on Jan. 20 accessed 3,400 death records but did not view or generate any death certificates.
Los Angeles Housing Authority
The Housing Authority of the City of Los Angeles disclosed a “data security event” after the LockBit ransomware gang leaked data stolen in the attack. The agency discovered its computer systems had been encrypted on Dec. 31, forcing it to shut down all servers, according to a data breach notice. The attackers gained unauthorized access to HACLA’s systems and sensitive data such as client names, Social Security numbers, passports, driver’s license numbers and medical information. LockBit uploaded sample files on Dec. 31 and then threatened to dump all files if ransom negotiations failed.
Indian Railways’ Rail Yatri
The Indian government now says it has fixed a vulnerability that it at first said did not exist. The Indian Ministry of Railways in December denied that the data of 30 million people allegedly on sale on the dark net came from a hacker breaching Rail Yatri, the official app of Indian Railways. On Wednesday, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said the Indian Railway Catering and Tourism Corp. fixed the issue and took necessary precautions to prevent its recurrence. Neither Rail Yatri nor the minister disclosed the penalty paid for the incident.
Update on US Marshals Service
A February data breach of the U.S. Marshals Service systems, which led to hackers maliciously encrypting systems and exfiltrating sensitive law enforcement data, has gotten worse. A threat actor is reportedly selling 350 gigabytes of data allegedly stolen from the servers for $150,000 on a Russian-speaking hacking forum. The data on sale allegedly includes “documents from file servers and work computers from 2021 to February 2023, without flooding like exe files and libraries,” reported Bleeping Computer. Also reportedly on sale: aerial footage and photos of military bases and other high-security areas, copies of passports and identification documents, and details on wiretapping and surveillance of citizens.
Update on US Congress
The incident at the online health insurance marketplace serving members of the U.S. Congress and their staffs affected 56,415 customers. DC Health Link updated its breach notification March 10, revealing that hackers had obtained data including names, Social Security numbers, birthdates, gender, health plan information, emails and citizenship status. The data set is available for free on a criminal forum, reports NBC News. U.S. Capitol Police and the FBI are investigating.
Good news everyone: Kaspersky published a decryption tool “that helps victims of a ransomware modification based on previously leaked Conti source code.” The decryptor, reports say, works on a strain of ransomware deployed by a group some researchers dub MeowCorp.