Florida Department of Health Informs RansomHub Hack Victims
Cybercriminal Group Claims to Have Published 100 Gigabytes of Agency's Stolen Data
Nearly two months after RansomHub claimed to have published 100 gigabytes of its stolen data on the dark web, the Florida Department of Health is notifying citizens that their sensitive information has been compromised. The attack affected the department's vital statistics system used to issue birth and death certificates.
The health department said in a notice posted on its website that it notified law enforcement about the incident and has reported the breach to the U.S. Department of Health and Human Services, though on Thursday the report was not yet posted on HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website listing major breaches affecting 500 or more individuals.
The Florida Department of Health did not immediately respond to Information Security Media Group's request for additional details about the breach, including the number of individuals affected, and also for comment on RansomHub's claims.
In early July, RansomHub claimed to have published 100GB of data contained in 40,000 files on its dark web site after hacking the health department.
The state later confirmed local media reports that the incident affected the department's vital statistics system used to issue birth and death certificates, but it declined to provide further details (see: Reports: Florida Health Department Dealing With Data Heist).
In its public breach notice, the department said that on June 26, it discovered "a security breach" in its network that led to unauthorized access to some of its data. "This unauthorized access affected a limited number of our systems and resulted in the transfer of data from a specific location within our network," the health department said.
The agency said it immediately launched an investigation and collaborated with cybersecurity experts to determine the nature and scope of the breach. "The department also promptly informed law enforcement and referred the matter to the Florida Department of Law Enforcement for investigation," the statement says.
Information of individuals potentially affected in the Florida Department of Health breach is far-ranging.
Compromised data includes name, birthdate, address, Social Security number, banking information, credit card information, driver's license number, passport number, military identification number, Nexus number, medical and dental history, medication/prescription information, provider/doctor/care coordinator name, insurance claim information, insurance coverage information and passwords.
The letter being sent to each individual by the health department provides specific details about the impact on their personal data, the statement says.
"As soon as the department became aware of the breach, we promptly shut down the affected networks and isolated the compromised servers while implementing enhanced security measures to prevent further unauthorized access," the department said.
Double Standard for Public Sector Breaches?
Although the types of information and demographic of people affected in breaches involving state agencies can be wide, those government agencies generally do not face any extra regulatory hurdles compared to nongovernmental health-related organizations when it comes to responding to and reporting cyber incidents, some experts say.
But the opposite is often true, said regulatory attorney Rachel Rose.
"State agencies already have an 'inside track' and can arguably coordinate more quickly with law enforcement and other government agencies for reporting purposes," she said.
These agencies are also required to have a breach notification policy and procedure. "Whether an individual state is required to report to a particular person within a particular agency would be on a case-by-case basis and should be delineated in the breach notification P&P," she said.
The HITECH Act gives state attorneys general the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security rules, according to Rose.
"The HITECH Act permits state attorneys general to obtain damages on behalf of state residents or to enjoin further violations of the HIPAA Privacy and Security rules, as stated on the HHS website," she said.
"This could be an interesting item to watch in light of who allegedly perpetrated the cyberattack" on the Florida Department of Health, she said.
The involvement of RansomHub could make it a higher-profile case for the attorney general. RansomHub, which first surfaced in February, has quickly become one of the most notable ransomware groups, and its attacks and large data thefts have included the healthcare sector.
RansomHub recently claimed on its dark web site to have leaked 700 gigabytes of data stolen from American Clinical Solutions, a Sun City Center, Florida-based drug testing medical laboratory (see: Florida-Based Drug Testing Lab Says 300,000 Affected in Hack).
The gang also claimed to be behind the June attack on drug store chain Rite Aid, which affected the information of 2.2 million individuals (see: Rite Aid Says Ransomware Group Stole 2.2M Customers' Data).
RansomHub was also embroiled in the massive attack on Change Healthcare in February. The group claimed to have custody of 4 terabytes of data stolen by an affiliate of another ransomware group - BlackCat - in that hack (see: BlackCat Ransomware Group 'Seizure' Appears to Be Exit Scam).