Security
Millions of Medical Records Exposed in a Series of Data Breaches
In a disturbing revelation of privacy violations, Perry Johnson and Associates, a company providing transcription and dictation services to Northwell Health, has been the source of a significant data breach. The breach, first disclosed to patients in a letter dated November 3, 2023, involved unauthorized access to files containing the sensitive health information of patients, among them the author of the original article, who received one of those letters. It is part of a larger pattern of cyberattacks targeting healthcare providers and the third-party vendors that handle their data.
Personal Health Information Compromised
The compromised data includes a wide array of protected health information (PHI) such as names, birth dates, addresses, medical record numbers, and detailed medical conditions. The unauthorized party reportedly had access to the system between March and May of 2023, during which time they copied large quantities of sensitive files. The breach affected almost 10 million people across multiple healthcare providers in several states.
Lack of Apology and Adequate Measures
The letter from Perry Johnson and Associates contained no apology but stated that the company takes the incident “very seriously” and promised to update its systems to prevent future breaches. This response raises the question of why more robust security measures were not in place beforehand, given that the intruder went undetected for roughly two months.
In a similar incident, East River Medical Imaging informed patients of a breach lasting from August 31 to September 20, during which unauthorized access to documents could have exposed names, contact information, and even images from medical tests. Like Perry Johnson and Associates, East River Medical Imaging assured patients that it takes privacy and security seriously but offered no concrete remedy for the loss.
The Risks Beyond Financial
The theft of medical information carries risks that extend far beyond financial harm. According to Andrea Downing, co-founder of The Light Collective, a grassroots activist organization advocating for responsible medical data stewardship, “People can be targeted based on their health vulnerabilities and become easy fodder for medical fraud.” The medical information of nearly 10 million people would be a treasure trove for drug marketers, insurance companies, and manufacturers of illegitimate medical devices. Unlike financial information, medical history cannot be replaced or reset.
Regulatory Response and Penalties
The US Health and Human Services Office for Civil Rights is responsible for investigating breaches affecting 500 or more individuals, which covered entities are required to report to it. It is currently looking into more than 500 breaches reported last year. However, the penalties imposed on companies for such violations often amount to modest fines that are insignificant relative to the companies’ revenues and the damage caused by the breaches.
The Need for Stronger Laws and Community Approach
The article suggests that tougher laws are necessary to ensure that companies implement changes to protect sensitive data. Downing advocates for a community approach where patient representatives are involved in setting up the security infrastructure. The idea is that a collective effort might lead to more robust and effective data protection measures.
Who is Perry Johnson and Associates?
Perry Johnson and Associates, the company at the center of the breach, is part of a network of tech-related corporations founded by Michigan businessperson Perry Johnson. The current CEO, identified as Jeffrey Hubbard, describes himself as a “Chief Executive and Health Tech Care Innovator” on his LinkedIn profile. However, the company’s leadership has been circumspect about its operations, and inquiries about the breach have been met with limited responses.
A History of Data Security Negligence
The current situation echoes the author’s 2005 Newsweek story, “Grand Theft Identity,” which highlighted the cybersecurity problem that has only worsened over the years. Despite the transition to electronic medical records and assurances of enhanced security, the healthcare industry continues to grapple with significant data breaches.
In conclusion, the series of data breaches underscores the urgent need for improved cybersecurity measures in the healthcare industry. As millions of individuals face the consequences of exposed medical data, the call for stronger regulations and a community-based approach to data security becomes increasingly critical.
Privacy
Massive Intelligence Database Leak in Bangladesh Exposes Sensitive Personal Data
In a startling breach of privacy and security, the National Telecommunication Monitoring Center (NTMC), a key intelligence agency in Bangladesh, has suffered a significant data leak. This incident has led to the exposure of a vast array of personal information belonging to countless individuals.
The leaked data is extensive and varied, encompassing names, professions, blood groups, parents’ names, phone numbers, call durations, vehicle registrations, passport details, and even fingerprint photos. Unlike the routine database exposures that occur frequently, this data came from an intelligence database, which raises serious concerns about the implications for those affected.
For several months, the NTMC, which plays a pivotal role in monitoring cell phone and internet activity in Bangladesh, had inadvertently made this sensitive information accessible through an unsecured database. The situation escalated when anonymous hackers targeted the database, erasing details from the system and claiming to have absconded with the data trove.
WIRED conducted a verification of a sample of the data, confirming the authenticity of real-world names, phone numbers, email addresses, locations, and exam results. The intent behind the collection of such data remains unclear, with some records appearing to be tests or incomplete. The NTMC has not issued any comments in response to inquiries about the leak.
Security researcher Viktor Markopoulos of CloudDefense.AI uncovered the unprotected database. He linked it to the NTMC and found login pages for a national intelligence platform in Bangladesh. Markopoulos suspects a misconfiguration left the database reachable from the internet without authentication. It held more than 120 indexes, each storing different logs, including entries labeled “sat-phone,” “sms,” “birth registration,” and “Twitter.”
The majority of the exposed data is metadata, which reveals the “who, what, how, and when” of communications. While no phone call audio was exposed, metadata shows calling patterns and contacts, and that alone can be incredibly revealing.
Some of the logs, such as the “birth registration” index, contained detailed personal information including names in English and Bengali, birthdays, places of birth, and parents’ details. Another log, named “finance personal details,” included names, cell phone numbers, bank account details, and even account balances. National ID numbers and cell phone operators’ names were frequent in the data structures, along with lists of base transceiver stations and references to “cdr,” possibly indicating call detail records.
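To make the point about metadata concrete, here is an added example (not code from the original article, and not the NTMC's systems): it takes a handful of call detail records (CDRs) of the kind the “cdr” and base-station references above suggest, and derives who a subscriber talks to most, when they call, and which cells served them. The field layout, phone numbers, timestamps, and cell IDs are all constructed for illustration and are assumptions, not the actual schema or data.

```python
"""Added example: what CDR metadata alone reveals about a subscriber.
All records below are constructed; the CSV layout (caller, callee, start
time, duration in seconds, serving cell) is an assumed schema."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample CDRs. No call content, only metadata.
SAMPLE_CDRS = """\
8801711000001,8801711000002,2023-11-01T23:15:00,420,BTS-DHK-017
8801711000001,8801711000002,2023-11-02T23:40:00,610,BTS-DHK-017
8801711000001,8801711000003,2023-11-02T09:05:00,35,BTS-DHK-042
8801711000002,8801711000001,2023-11-03T00:05:00,300,BTS-DHK-017
8801711000004,8801711000001,2023-11-03T12:30:00,90,BTS-DHK-042
8801711000001,8801711000002,2023-11-04T23:50:00,540,BTS-DHK-017
8801711000003,8801711000005,2023-11-04T10:00:00,20,BTS-CTG-003
"""


def parse_cdrs(text):
    """Parse CSV-style CDR lines into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        caller, callee, start, duration, cell = line.split(",")
        records.append({
            "caller": caller,
            "callee": callee,
            "start": datetime.fromisoformat(start),
            "duration": int(duration),
            "cell": cell,
        })
    return records


def contact_graph(records):
    """Undirected count of how often each pair of numbers talked."""
    pairs = Counter()
    for r in records:
        pairs[frozenset((r["caller"], r["callee"]))] += 1
    return pairs


def top_contacts(records, subscriber, n=3):
    """Most frequent contacts of one subscriber as (number, calls, seconds)."""
    talk = defaultdict(lambda: [0, 0])  # contact -> [calls, total seconds]
    for r in records:
        if r["caller"] == subscriber:
            other = r["callee"]
        elif r["callee"] == subscriber:
            other = r["caller"]
        else:
            continue
        talk[other][0] += 1
        talk[other][1] += r["duration"]
    ranked = sorted(talk.items(), key=lambda kv: (-kv[1][0], -kv[1][1]))
    return [(num, calls, secs) for num, (calls, secs) in ranked[:n]]


def late_night_pattern(records, subscriber, start_hour=22, end_hour=5):
    """Fraction of the subscriber's outgoing calls placed late at night."""
    own = [r for r in records if r["caller"] == subscriber]
    if not own:
        return 0.0
    late = [r for r in own
            if r["start"].hour >= start_hour or r["start"].hour < end_hour]
    return len(late) / len(own)


def cells_used(records, subscriber):
    """Cells that served the subscriber's outgoing calls: a coarse location history."""
    return Counter(r["cell"] for r in records if r["caller"] == subscriber)


if __name__ == "__main__":
    recs = parse_cdrs(SAMPLE_CDRS)
    target = "8801711000001"
    print("top contacts:", top_contacts(recs, target))
    print("late-night share:", late_night_pattern(recs, target))
    print("cells:", dict(cells_used(recs, target)))
```

Even this tiny constructed set shows one number calling the same contact almost nightly from the same cell, which is exactly the kind of relationship and location inference that makes a leaked CDR store dangerous regardless of whether call audio was included.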
Jeremiah Fowler, a security consultant and co-founder of Security Discovery, reviewed the database and confirmed its connection to the NTMC. He highlighted the presence of IMEI numbers in the data, which could potentially be used to track or clone devices. An IMEI identifies the handset itself rather than the SIM or subscriber, so it follows a device across SIM changes.
The NTMC has not acknowledged the leak, nor has it responded to WIRED’s questions regarding the purpose of the data collection and the extent of the information gathered. The Bangladesh government’s press office and the Bangladesh High Commission in London have also remained silent on the issue. Markopoulos reported the exposed data to Bangladesh’s Computer Incident Response Team (CIRT) on November 8, which acknowledged the report and thanked him for disclosing the “sensitive exposure.” The CIRT informed WIRED that they had notified the NTMC of the issue.
Before this article was published, the database was taken offline. Markopoulos noted, however, that on November 12 the database had been wiped and replaced with a ransom note demanding 0.01 bitcoin (approximately $360) to return the data and withhold it from public release. Such notes are common on databases left exposed to the internet; automated scripts scan for them, dump or delete their contents, and leave a demand behind.
The NTMC, established in 2013 from a previous monitoring body, is described on its website as providing “lawful communication interception facilities” to other agencies in Bangladesh. Reports suggest that up to 30 agencies are linked to the NTMC through APIs, incorporating records from mobile operators, passport and immigration services, among others.
A telecoms expert with experience in Bangladesh, who chose to remain anonymous, alleged that the NTMC’s surveillance capabilities exceed those in many European countries, citing the absence of stringent data protection laws in Bangladesh.
The leak comes at a time when Bangladesh is experiencing political unrest, with the government cracking down on opposition ahead of the 2024 elections. A local researcher, who also requested anonymity, expressed concerns over increased surveillance and targeting of individuals in the lead-up to the elections.
This incident underscores the critical need for heightened awareness and education on digital rights and safety, especially for activists and those at risk of government surveillance. As the country grapples with fundamental rights issues, the protection of digital privacy remains a pressing concern.
Privacy
23andMe Data Breach Exposes Millions of Users’ Genetic Information
23andMe, a leading genetic testing company, has been grappling with the aftermath of a data breach that was first reported in October. As the company continues to disclose more details, the situation has become increasingly complex, leaving users uncertain about the extent of the fallout.
In early October, 23andMe acknowledged that attackers had gained unauthorized access to some user accounts by exploiting the company’s DNA Relatives feature, an opt-in social sharing service. Initially, the extent of the breach was unclear, with the company not disclosing the number of affected users. However, it was later revealed that hackers were selling data on criminal forums, which appeared to originate from over a million 23andMe users.
A recent U.S. Securities and Exchange Commission (SEC) filing by the company clarified that the breach affected “a very small percentage (0.1 %) of user accounts,” which translates to approximately 14,000 of their more than 14 million customers. This number, however, did not account for the additional users whose data was scraped via the DNA Relatives feature.
On Monday, 23andMe confirmed to TechCrunch that the attackers had harvested the personal data of about 5.5 million individuals who had opted into DNA Relatives. An additional 1.4 million users had their Family Tree profile information accessed.
The compromised data included display names, most recent logins, relationship labels, predicted relationships, and the percentage of DNA shared with DNA Relatives matches. For some users the exposure went further, to ancestry reports, chromosomal match details, self-reported locations, ancestor birth locations, family names, profile pictures, birth years, and links to self-created family trees. For the 1.4 million users whose Family Tree profiles were accessed, the stolen data comprised display names, relationship labels, and in some cases birth years and self-reported locations.
Katie Watson, a spokesperson for 23andMe, explained that the company was “only elaborating on the information included in the SEC filing by providing more specific numbers.”
The company attributes the account compromises to credential stuffing, in which attackers replay username-and-password pairs leaked from other services against accounts whose owners reused the same password on 23andMe. Because each pair is tried only once or a few times, the attack looks like a stream of ordinary failed logins spread across many accounts with a low success rate, rather than a brute-force attack on a single account; the 0.1 percent of accounts compromised is consistent with that pattern. Following the incident, 23andMe forced a password reset for all users and began requiring two-factor authentication, which blocks a replayed password even when it is correct. Other genetic services such as Ancestry and MyHeritage have since started to promote or require two-factor authentication.
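As an added example (not code from the original article or from 23andMe), the following detection logic runs over a constructed authentication log and separates the credential-stuffing signature described above (one source trying many distinct accounts with a low success rate) from a brute-force attack (one source hammering a single account) and from ordinary logins. The log format, IP addresses, usernames, and timestamps are all constructed and are assumptions about what such a log might contain.

```python
"""Added example: flagging credential stuffing in an authentication log.
The log format and every entry below are constructed for illustration."""
import re
from collections import defaultdict

# Constructed sample log: timestamp, source IP, account, outcome.
SAMPLE_AUTH_LOG = """\
2023-10-01T02:00:01Z ip=203.0.113.7 user=alice@example.net result=FAIL
2023-10-01T02:00:02Z ip=203.0.113.7 user=bob@example.net result=FAIL
2023-10-01T02:00:02Z ip=203.0.113.7 user=carol@example.net result=OK
2023-10-01T02:00:03Z ip=203.0.113.7 user=dave@example.net result=FAIL
2023-10-01T02:00:03Z ip=203.0.113.7 user=erin@example.net result=FAIL
2023-10-01T02:00:04Z ip=203.0.113.7 user=frank@example.net result=FAIL
2023-10-01T02:00:04Z ip=203.0.113.7 user=grace@example.net result=OK
2023-10-01T02:00:05Z ip=203.0.113.7 user=heidi@example.net result=FAIL
2023-10-01T02:00:05Z ip=203.0.113.7 user=ivan@example.net result=FAIL
2023-10-01T02:00:06Z ip=203.0.113.7 user=judy@example.net result=FAIL
2023-10-01T09:12:44Z ip=198.51.100.23 user=alice@example.net result=FAIL
2023-10-01T09:12:50Z ip=198.51.100.23 user=alice@example.net result=OK
2023-10-01T11:30:00Z ip=192.0.2.55 user=mallory@example.net result=FAIL
2023-10-01T11:30:01Z ip=192.0.2.55 user=mallory@example.net result=FAIL
2023-10-01T11:30:02Z ip=192.0.2.55 user=mallory@example.net result=FAIL
2023-10-01T11:30:03Z ip=192.0.2.55 user=mallory@example.net result=FAIL
2023-10-01T11:30:04Z ip=192.0.2.55 user=mallory@example.net result=FAIL
2023-10-01T11:30:05Z ip=192.0.2.55 user=mallory@example.net result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")


def parse_auth_log(text):
    """Parse the constructed log format; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def classify_sources(events, min_attempts=5, min_distinct_users=5,
                     max_success_rate=0.5):
    """Label each source IP.

    credential_stuffing: many attempts, many distinct accounts, low success rate
    brute_force:         many attempts against a single account, no success
    normal:              anything else
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    verdicts = {}
    for ip, evs in by_ip.items():
        attempts = len(evs)
        users = {e["user"] for e in evs}
        successes = sum(e["ok"] for e in evs)
        rate = successes / attempts
        if (attempts >= min_attempts and len(users) >= min_distinct_users
                and rate <= max_success_rate):
            label = "credential_stuffing"
        elif attempts >= min_attempts and len(users) == 1 and successes == 0:
            label = "brute_force"
        else:
            label = "normal"
        verdicts[ip] = {"label": label, "attempts": attempts,
                        "distinct_users": len(users), "successes": successes}
    return verdicts


def accounts_to_reset(events, verdicts):
    """Accounts that logged in successfully from a stuffing source: the attacker
    now holds a working password for each, so they need a forced reset."""
    flagged = {ip for ip, v in verdicts.items() if v["label"] == "credential_stuffing"}
    return sorted({e["user"] for e in events if e["ip"] in flagged and e["ok"]})


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    verdicts = classify_sources(evs)
    for ip, v in verdicts.items():
        print(ip, v)
    print("reset:", accounts_to_reset(evs, verdicts))
```

The per-IP thresholds are deliberately simple and are the weak point of this approach: a stuffing campaign routed through a large proxy pool keeps each source under the limit, so in practice the same ratios (distinct accounts per source, success rate) are computed across the whole fleet or per ASN, and are paired with breached-password screening and second-factor enforcement, which stop the attack even when the replayed password is right.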
Despite the company’s explanation, some users, including Rob Joyce, the U.S. National Security Agency cybersecurity director, have expressed skepticism. Joyce, who uses unique email addresses for each account, noted on his personal X (formerly Twitter) account that his 23andMe credentials were unique and could not have been exposed in another leak. He later revealed that his unique 23andMe email address was compromised in a separate MyHeritage data breach in 2018, which may have been linked to the 23andMe breach due to a past partnership between the two companies.
The incident highlights the risks associated with user data sharing between companies and features that promote social sharing, especially when the data is deeply personal and tied to one’s identity.
Brett Callow, a threat analyst at the security firm Emsisoft, commented on the need for better policies, stating, “We need standardized and uniform disclosure and reporting laws, prescribed language for those disclosures and reports, regulation and licensing of negotiators. Far too much happens in the shadows or is obfuscated by weasel words. It’s counterproductive and helps only the cybercriminals.”
In a separate development, 23andMe user Kendra Fee pointed out that the company is notifying customers about changes to its terms of service related to dispute resolutions and arbitration. The company claims the changes will facilitate a quicker resolution of disputes and streamline arbitration proceedings. Users have the option to opt-out of the new terms by notifying the company within 30 days of receiving notice of the change.
Security
Cybersecurity Shaken by Arrests, Hacks, and Alleged Crimes
In a week marked by significant cybersecurity incidents, the digital world has been rocked by a series of events that highlight the ongoing battle between cybercriminals and law enforcement agencies. From a technique for extracting training data from OpenAI’s ChatGPT to international hacking campaigns, the landscape of cyber threats continues to evolve with alarming complexity.
OpenAI, the organization behind the AI-driven chatbot ChatGPT, has been in the spotlight after researchers discovered a method to extract training data by using specific prompts. Although OpenAI did not respond immediately to a request for comment from WIRED, tests conducted by the publication indicated that the issue might have been addressed, as attempts to use the prompts were flagged as potential violations of ChatGPT’s terms of use. A prompt-level filter of that kind blocks the known trigger; it does not by itself remove memorized training data from the model.
In a more disturbing development, amidst the ongoing conflict between Israel and Hamas, US and Israeli government agencies issued warnings about a group of hackers identified as “Cyberav3ngers.” Allegedly operating under the direction of Iran’s Islamic Revolutionary Guard Corps, these hackers have breached networks of multiple US water and wastewater utilities. The number of affected utilities is reported to be less than ten, according to a source cited by CNN. The attackers compromised internet-exposed programmable logic controllers (PLCs) made by Unitronics, an Israeli company, and defaced their screens with anti-Israel messages; the US advisory attributed the intrusions to weak password practices, including unchanged default credentials, and to the devices being reachable directly from the internet rather than to a software flaw. This breach underscores the vulnerability of critical infrastructure to foreign cyber threats, prompting the Cybersecurity and Infrastructure Security Agency to brief Congress on the matter.
The international law enforcement community has also made headlines with a significant crackdown on a ransomware gang. In a coordinated effort led by Europol, law enforcement agents from Ukraine, the US, Canada, the Netherlands, and other European countries arrested at least five key members of the gang across various Ukrainian cities. The group is accused of deploying ransomware variants such as LockerGoga, Hive, MegaCortex, and Dharma, causing an estimated $82 million in damages over five years.
In a separate case in Ukraine, a high-profile cybersecurity official, Viktor Zhora, the deputy director of the State Special Communications Service of Ukraine, was detained on allegations of involvement in a multimillion-dollar corruption scheme. Zhora, who has been a prominent figure in the global cybersecurity community, was released on bail and has vowed to defend his name and reputation in court, as he stated in an interview with TechCrunch.
Lastly, the founder of the infamous hacker-for-hire firm Hacking Team, David Vincenzetti, was arrested on charges of attempted murder after allegedly stabbing a family member. Italian-language media outlets, including Il Giorno and La Stampa, reported that the victim was caring for Vincenzetti due to his psychological issues. The incident has cast a shadow over Vincenzetti’s controversial career, which has been instrumental in the rise of the cyber-mercenary industry.
As the digital realm continues to grapple with these developments, the importance of robust cybersecurity measures and international cooperation in combating cybercrime has never been more evident. The recent events serve as a stark reminder of the ongoing threats posed by cybercriminals and the need for constant vigilance in the face of an ever-evolving cyber landscape.