MFA Bypassed in Cyberattack on L.A. County Department of Mental Health
The Los Angeles County Department of Mental Health recently sent a notification to the California Attorney General regarding a breach involving the email account of an employee. The email account is protected by multi-factor authentication (MFA); nevertheless, the MFA was not enough. The cyber threat actors circumvented MFA by employing a strategy called push notification spamming. This strategy involves sending multiple MFA push notifications to a user’s mobile device. When the user responds, as in the case of the employee, the email account is compromised.
Based on the Department of Mental Health, the attack was linked to a breach at the City of Gardena Police Department (GDP). Because GPD has email conversations with the Department of Mental Health (DMH), the malicious actor or actors were able to send an email to a DMH staff and acquire access to that Microsoft Office 365 account of the employee. The account held information, such as names, addresses, phone numbers, birth dates, medical record numbers, and Social Security numbers.
This is not the first time the Department of Mental Health has dealt with this kind of attack. The same attacks happened on October 6, 2023, and October 24, 2023. The breach notifications sent to the impacted persons on December 6, 2023, December 22, 2023, and March 22, 2024, all mentioned that DMH has informed Microsoft about the exploitation of the vulnerability present in the Microsoft Office 365 multifactor authentication by the malicious actor or actors. The notifications also stated that new security measures had been implemented to deal with this specific attack. The HHS’ Office for Civil Rights breach portal only shows one report dated December 22, 2023, which indicates 1,284 persons were impacted. It is uncertain how many persons were affected by the data breach in the most recent attack.
6,836 Healthfirst Members Affected by Data Breach
The New York medical insurance company, Healthfirst, has recently informed 6,836 of its members regarding unauthorized access to its member website. Healthfirst, which offers health plans under the names Healthfirst Health Plan, Inc., Healthfirst PHSP, Inc., and Healthfirst Insurance Company, stated member names, birth dates, Healthfirst member ID numbers, and member zip codes were utilized to make unauthorized accounts. The accounts were already deactivated and internal processes for digital member account verification were updated to stop the same incidents later on. The investigation into the origin of the unauthorized activity is in progress. Healthfirst stated it believes that the unauthorized activity is not connected to the Change Healthcare cyberattack. The impacted persons were informed on March 19, 2024.
Cyberattack on Risas Dental & Braces
Risas Dental & Braces based in Phoenix, AZ recently informed patients concerning a cyberattack discovered in July 2023 wherein their protected health information (PHI) was compromised. Strange activity was discovered in its computer network on July 10, 2023, and prompt action was undertaken to protect its system. Third-party cybersecurity professionals investigated the occurrence to find out the nature and extent of the unauthorized activity. The digital forensics group confirmed that unauthorized persons acquired access to the system and potentially downloaded files that contained patient information.
The analysis of those files was finished on January 26, 2024. The breached files included PHI like names, contact data, high-level treatment details, names or notes of the procedure, insurance subscriber details, and/or the initial date or dates of service. The impacted persons were informed through mail on March 22, 2024. The incident report is not yet posted on the HHS’ Office for Civil Rights breach portal. The number of people affected by the breach is still uncertain.
2.86 Million Affected Individuals of Harvard Pilgrim Health Care Ransomware Attack
In February, Harvard Pilgrim Health Care modified the total number of persons affected by a ransomware attack in April 2023, increasing the total by about 81,000 to 2,632,275 people. That total was increased four times already on March 27, 2024, since the current investigation discovered more data that was breached in the attack. Currently, about 2,860,795 persons were impacted.
The ransomware attack was identified on April 17, 2023, with the forensic investigation identifying the unauthorized access to its network between March 28, 2023, and April 17, 2023. The extra 228,520 affected people were notified via mail. The notification letters mentioned the exact types of information that were probably compromised in the attack. Harvard Pilgrim Health Care stated it is giving complimentary credit monitoring and identity protection services via IDX.
It is not uncommon for data breach investigations to find further compromised information. In this incident, the data of patients from Brigham and Women’s Physician Organization (BWPO) were confirmed as having been accessed in the attack. BWPO is not associated with Harvard Pilgrim, although a staff of Harvard Pilgrim Health Care Institute was also a part-time employee at BWPO. The part-time worker had saved the contents of their laptop to Harvard Pilgrim’s servers, therefore, the copied file contained BWPO records. BWPO discovered the data exposure in January 2024.
BWPO mentioned the saved file contained information from January 1, 2017, to May 1, 2019, such as names, phone numbers, addresses, dates of birth, medical record numbers, health insurance numbers, and minimal clinical details, such as lab results, treatments, medicines, and diagnoses associated with the care offered at BWPO. A BWPO spokesperson stated appropriate steps, including HIPAA training for employees, were taken to deal with the breach and stop similar incidents from occurring later.
