Fred Hutchinson Cancer Center failed to reveal threats of potential swatting attacks until this site revealed the threat. Should they have disclosed it themselves?
Does claiming you were hacked when you had really just screwed up violate the FTC Act?
New: I have followed up on my recent op-ed with another example of misleading and deceptive notifications and why HHS and FTC can and should do more enforcement, but also why we need legislation enacted.
"Specifics of these attacks are rarely shared with the public as healthcare providers say they are bound by the Health Insurance Portability and Accountability Act — known as HIPAA — not to share protected patient information."
Ugh. Hunters International re-added the plastic surgery practice of Dr. Jaime Schwartz to their leak site. From their post, they seem to allege that there were negotiations that fell apart. Of course, it's possible that the negotiations were never in good faith and were just an attempt to get more info about what the threat actors had acquired or to stall for time.
Either way, this appears to be another ugly #databreach involving #ransomware where patients' sensitive and personal info, including nude patient photos, are used as leverage.
It seems that news outlets have suddenly caught up with the Hankins & Sohn plastic surgery breach because of the lawsuit. This is the incident that DataBreaches reported on back in July when patients' nude photos and personal info were first being leaked on the internet.
It seems like the physicians have not released any more significant info about the incident since I first reported on it back then:
👾 Hey Retro Gamers, Today's pull from my shelf is NES Mappy-Land & Sesame Street 123. Sesame Street 123 features 2 kids games to teach simple numbers & maths as well as simple shapes. Mappyland however, is still fun to play today & is still challenging (imo). If you haven't tried Mappy-Land, I would recommend it.
Morrison Community Hospital in Illinois did wind up issuing a statement on the day Alphv re-added them to the leak site. Unsurprisingly, it does not tell people that some protected health information was already leaked on the dark web and the TAs were threatening to leak a lot more within 48 hours:
This was one of those messes where the breach notification by the health care clearinghouse was so fouled up that people were getting multiple wrong letters and there was a HIPAA privacy breach while reporting about the HIPAA security breach...
C'mon #KENS5 News in Texas: Don't call this a "recent" breach just because Baptist Health calls it "recent." It was more than a year ago! Don't help them downplay this.
For those who have followed my watchdog efforts with HHS over the years, an update on one case:
Approximately 3 years ago, I filed a watchdog complaint with HHS about an entity that did not seem to disclose a ransomware incident involving patient data. The entity did not respond to my inquiries to them about their breach(es) and the incident never appeared on HHS's public breach tool. So I filed a complaint asking HHS to investigate.
The next year, I got a letter from HHS asking me if there was any update to my complaint. I told them there wasn't, and I answered other questions HHS posed to me.
The incident still didn't show up on HHS's public breach tool, but I have noticed that HHS often delays posting an incident that they are investigating until they are done and can post a closing note with it.
This year, I got another letter from HHS asking me if I still have all the data I had downloaded from the incident. I responded that I do, and we reviewed the complaint's allegations.
As part of that conversation with HHS, they asked me if I would contact the entity and give them all the data.
I responded, "No. I contacted them a number of times and they never answered me. If they want to know what data I have or if they need it, they can pick up the fucking phone and ask me for it."
(Okay, so that wasn't very polite, but hey...)
Apparently HHS subsequently suggested they do contact me, because three years after I first filed the complaint, the entity got in touch with me to ask me about the incident and what data I might have and if I would share it with them. We arranged a conference call.
The people who were involved three years ago are no longer there, and I feel somewhat sorry for the new folks trying to figure out what happened and what the incident response was back then because they now have 30+ questions from HHS that they are expected to answer.
Hopefully, they'll get back to me and let me know what they find out about their past incident response, but somehow I suspect their counsel will tell them not to be transparent with me even though I just helped them with their compliance.
And yes, I gave them all the data I had downloaded and gave them a briefing on the incident from my perspective outside the organization. As irate as I may be with their predecessors for not responding timely to me years ago or disclosing publicly, I want to make sure that all the patients were notified -- or if they were never notified, that they get notified that their data was leaked.
I just wish it hadn't taken HHS OCR three years to get to this point with them.
Repeat after me: "Date of discovery" does NOT mean the date you completed any investigation. It is the date on which you first knew or reasonably should have known that you had a breach of unsecured PHI.
It is not a huge breach as breaches go, but Sightpath Medical's breach notification raises a lot of questions about compliance with HIPAA's Breach Notification Rule. I hope #HHSOCR investigates this one.
If an entity decides to ignore contacts or demands from attackers, that's somewhat understandable. But if the threat actors added you to their leak site, maybe you should say something?