Security Leftovers
-
LWN ☛ Security updates for Wednesday
Security updates have been issued by Debian (gst-plugins-bad1.0, openssl, roundcube, and xorg-server), Fedora (dotnet6.0, dotnet7.0, roundcubemail, and wordpress), Mageia (redis), Oracle (dnsmasq, python27:2.7, python3, tomcat, and varnish), Red Hat (python39:3.9, python39-devel:3.9), Slackware (mozilla and vim), SUSE (openssl-3, poppler, ruby2.5, and xen), and Ubuntu (.Net, linux-gcp-5.15, linux-gkeop-5.15, linux-intel-iotg-5.15, linux-starfive-6.2, mysql-5.7, ncurses, and openssl).
-
Millions of Highly Sensitive Patient Records Exposed in Medical Diagnostic Company Data Breach
Cybersecurity researcher Jeremiah Fowler discovered, and reported to WebsitePlanet, a non-password-protected database that contained over 12 million records, including medical diagnostic scans, test results, and other potentially sensitive medical records.
The database contained a massive amount of medical test results that included the names of patients, doctors, if the testing sample was done at home or at a medical facility, and a wide range of other sensitive health information. The total number of records was significant, at a count of 12,347,297 with a total size of 7TB. Upon further investigation, the documents were marked as belonging to an India-based company called Redcliffe Labs. I immediately sent a responsible disclosure notice, and I received a reply acknowledging my discovery and thanking me for my efforts. Public access was restricted the same day, but it is unclear how long the database was exposed or if any unauthorized individuals accessed the purported health records.
-
The Record ☛ 1Password, Cloudflare affected by Okta compromise
Password manager 1Password and cybersecurity and networking giant Cloudflare were targeted by hackers following the breach affecting single sign-on provider Okta, according to statements from both companies.
First reported by Ars Technica and later confirmed in a blog post directly from company chief technology officer Pedro Canahuati, 1Password said it detected suspicious activity on its Okta instance that was related to the company's Support System incident, which was revealed last Friday.
-
ASIC modifies licensees' breach reporting obligations
Failure to comply with the mandatory breach reporting regime is arguably the canary in the coal mine for regulatory compliance with the Australian Securities and Investments Commission (ASIC).
We are expecting ASIC’s second annual report on the regime to be published very shortly, and we expect compliance has not significantly improved over the past 12 months since ASIC published its first annual report and stated that compliance with the regime requires greater regulatory attention from licensees.
In the meantime, ASIC has modified licensees’ obligations under the regime to attempt to make it less burdensome for licensees.
-
Data Breaches ☛ In the throes of bankruptcy and hit by a ransomware attack, Akumin still unable to provide many diagnostic services to patients
On October 18, WFLX reported that Akumin was turning away patients after an apparent ransomware attack. The attack was potentially very concerning because Akumin provides medical scans and radiology services for about 1,000 hospitals and health systems in 48 states, although it is headquartered in Florida.
Akumin first noticed suspicious activity on Oct. 11 and proactively shut down computer systems. In an update on the incident posted yesterday on its website, Akumin writes that patients are still unable to make appointments at some fixed-site locations and “Access to certain imaging results from prior years may be currently unavailable.”
-
Data Breaches ☛ October 31: OCR Webinar on The HIPAA Security Rule Risk Analysis Requirement
Threats and vulnerabilities to electronic protected health information (ePHI) in today’s healthcare environment are numerous and varied. ePHI is under constant threat from malicious insiders selling PHI for financial gain, sophisticated hackers seeking to compromise healthcare systems and blackmail them with ransomware, and the sheer complexity and reliance on technology of today’s healthcare systems. All of these risks to ePHI, and more, need to be identified, understood, assessed, prioritized, and mitigated by HIPAA regulated entities to ensure the confidentiality, integrity, and availability of ePHI.