Florida Division of Well being Informs RansomHub Hack Victims
Cybercrime
,
Fraud Management & Cybercrime
,
Government
Cybercriminal Group Claims to Have Printed 100 Gigabytes of Company’s Stolen Information
Nearly two months after RansomHub claimed to have published 100 gigabytes its stolen data on the dark web, the Florida Department of Health is notifying citizens that their sensitive information has been compromised. The attack affected the department’s vital statistics system used to issue birth and death certificates.
See Also: Enterprise Browser Supporting Healthcare, Cyber Resilience
The well being division said in a discover posted on its web site that it notified regulation enforcement in regards to the incident and has reported the breach to the U.S. Division of Well being and Human Companies, although on Thursday the report was not but posted on HHS’ Workplace for Civil Rights’ HIPAA Breach Reporting Tool web site itemizing main breaches affecting 500 or extra people.
The Florida Division of Well being didn’t instantly reply to Data Safety Media Group’s request for added particulars in regards to the breach, together with the variety of people affected, and in addition for touch upon RansomHub’s claims.
In early July, RansomHub claimed to have printed 100GBs of knowledge contained in 40,000 information on its darkish website after hacking the well being division.
The state later confirmed native media studies that the incident affected the division’s important statistics system used to challenge start and loss of life certificates, but it surely declined to supply additional particulars (see: Reports: Florida Health Department Dealing With Data Heist).
In its public breach discover, the division mentioned that on June 26, it found “a safety breach” in its community that led to unauthorized entry to a few of its information. “This unauthorized entry affected a restricted variety of our methods and resulted within the switch of knowledge from a particular location inside our community,” the well being division mentioned.
The company mentioned it instantly launched an investigation and collaborated with cybersecurity specialists to find out the character and scope of the breach. “The division additionally promptly knowledgeable regulation enforcement and referred the matter to the Florida Division of Legislation Enforcement for investigation,” the assertion says.
Data of people probably affected within the Florida Division of Well being breach is far-ranging.
Compromised information contains title, birthdate, tackle, Social Safety quantity, banking info, bank card info, driver’s license quantity, passport quantity, navy identification quantity, Nexus quantity, medical and dental historical past, medicine/prescription info, supplier/physician/care coordinator title, insurance coverage declare info, insurance coverage protection info and passwords.
The letter being despatched to every particular person by the well being division offers particular particulars in regards to the influence on their private information, the assertion says.
“As quickly because the division turned conscious of the breach, we promptly shut down the affected networks and remoted the compromised servers whereas implementing enhanced safety measures to forestall additional unauthorized entry,” the division mentioned.
Double Normal for Public Sector Breaches?
Though the sorts of info and demographic of individuals affected in breaches involving state companies may be broad, these authorities companies typically don’t face any further regulatory hurdles in comparison with nongovernmental health-related organizations in relation to responding to and reporting cyber incidents, some specialists say.
However the reverse is commonly true, mentioned regulatory lawyer Rachel Rose.
“State companies have already got an ‘inside monitor’ and may arguably coordinate extra rapidly with regulation enforcement and different authorities companies for reporting functions,” she mentioned.
These companies are additionally required to have a breach notification coverage and process. “Whether or not a person state is required to report back to a selected individual inside a selected company could be on a case-by-case foundation and ought to be delineated within the breach notification P&P,” she mentioned.
The HITECH Act offers state attorneys normal the authority to deliver civil actions on behalf of state residents for violations of the HIPAA Privateness and Safety guidelines, in line with Rose.
“The HITECH Act permits state attorneys normal to acquire damages on behalf of state residents or to enjoin additional violations of the HIPAA Privateness and Safety guidelines, as acknowledged on the HHS web site,” she mentioned.
“This might be an attention-grabbing merchandise to observe in gentle of who allegedly perpetrated the cyberattack” on the Florida Division of Well being, she mentioned.
The involvement of RansomHub may make it a higher-profile case for the lawyer normal. RansomHub, which first surfaced in February, has rapidly turn into one of the vital notable ransomware teams, and its assaults and enormous information thefts have included the healthcare sector.
RansomHub not too long ago claimed on its darkish website to have leaked 700 gigabytes of knowledge stolen from American Scientific Options, a Solar Metropolis Middle, Florida-based drug testing medical laboratory (see: Florida-Based Drug Testing Lab Says 300,000 Affected in Hack).
The gang additionally claimed to be behind the June assault on drug retailer chain Ceremony Help, which affected the data of two.2 million people (see: Rite Aid Says Ransomware Group Stole 2.2M Customers’ Data).
RansomHub was additionally embroiled within the large assault on Change Healthcare in February. The group claimed to have custody of 4 terabytes of knowledge stolen by an affiliate of one other ransomware group – BlackCat – in that hack (see: BlackCat Ransomware Group ‘Seizure’ Appears to Be Exit Scam).