Another week, another hack. This time US health insurer Excellus BlueCross BlueShield has been breached and 10 million records exposed to the malicious actors:

The initial attack occurred in December 2013, but the company did not learn about it until Aug. 5. Since then it has been working with the FBI and cybersecurity firm Mandiant to investigate the breach.

The hackers may have had access to customer records which include names, addresses, telephone numbers, dates of birth, Social Security numbers, member identification numbers, financial accounts and medical claims information.

Records may contain all or just some of that information, depending on the customer’s relationship with the company. The breach doesn’t affect just Excellus members, but also members of other Blue Cross Blue Shield plans who sought medical treatment in the upstate New York area serviced by the company.

The information was encrypted, but the attackers gained administrative privileges to the IT systems, allowing them to potentially access it, the company said on a website that was set up to provide information about the incident.

No evidence has been found yet that the data was copied or misused by the attackers.

Excellus will send breach notification letters via mail to all affected persons throughout the month and is offering free credit monitoring and identity protection services for two years through a partner.

The health care industry is seeing its fair share of cyber attacks these days and is concerned about the need for an industry-wide baseline set of security controls. In order to accomplish this goal, the HITRUST certification is designed to improve health care cyber security by providing a basic framework to work from (emphasis added):

The certification will provide outside assurance to covered entities, but also be a plus for vendor partners, according to Ray Biondo, chief information security officer at HCSC, the largest customer-owned health insurance company in the United States.

“I want to make sure as an industry we don’t all go out and try to get minimum security requirements from each of these vendors and do it separately because it drives up costs for all of us, it’s inconsistent and it’s getting the vendors themselves bent out of shape,” he said. “Every time they try to sell their product or implement their solution to us or anybody else, they have to go through the same process over and over again. It’s very cumbersome.”

Adding some standardization to the process as an industry “will guarantee me that you’re at least meeting a minimum level of maturity with these common controls to protect your organization from a security breach,” he said. “These controls will not stop a hacker if they really want to get in, but if you can demonstrate you’re at least taking the necessary steps to increase your maturity level, our comfort level with doing business with you will greatly improve.”

Without such standards, he said, his company has to audit them individually.

“We’re in an awkward position. A lot of the companies that give us these solutions are as open to attack as anybody else, so it’s not just health care, it’s even the security suppliers. As an industry, we have to rally together to protect ourselves. I think this is the fastest, most efficient way to move that forward,” he said.

Even amid the growing prevalence of health care breaches, however, he said business associates are pushing back on making the certification mandatory.

Managing the security practices of business associates is a lot like herding cats. Add in a few offshore outsourcers who handle tasks such as medical transcription, coding and billing, and the scenario becomes even more complicated. Tennessee-based Cogent Healthcare learned that the hard way in 2013 when information was exposed on 32,000 patients when the firewall was down at an India-based transcription service.

The malicious actors responsible for the Anthem health care data breach shared their weaponized zero-day attacks with rival groups:

A quick review of the Black Vine timeline helps underscore the significant resources the group possessed. In late December 2012, independent security researcher Eric Romang uncovered the compromise of domain name capstoneturbine.com, which is owned and operated by Capstone Turbine, a maker of gas turbines used by energy companies. As a result, anyone who visited Capstone Turbine’s website using Microsoft’s Internet Explorer browser was infected with a backdoor that Symantec researchers have dubbed Sakurel.

The “watering hole” attack—so called because it targeted a website frequented by people in the energy and aerospace industries—exploited what in 2012 was an unknown vulnerability in IE, CVE-2012-4792. Further demonstrating Black Vine’s resources, the Sakurel malware the exploit installed was digitally signed using a certificate issued to an organization called Micro Digital Inc. to bypass Windows security checks. In the last week of 2012, Black Vine targeted a second turbine power and technology manufacturer, an indication that the hackers’ primary interest at the time was related to energy. In February 2014, as the group compromised the website of a European aerospace company, the hackers exploited a newer zero-day vulnerability in IE, this time CVE-2014-0322.

This does not come as a surprise. Once a group finds and leverages an attack technique, it will oftentimes share the code or exploit with its peers, primarily as a way of bragging about its findings.

Hackers have breached the UCLA medical center network and potentially obtained access to medical records of 4.5 million US patients:

UCLA Health hospitals say hackers may have accessed personal information and medical records on 4.5 million patients.

The California medical group admitted today that miscreants infiltrated its computer systems as long ago as September. It is possible the intruders accessed databases holding patient names, addresses, dates of birth, social security numbers, medical records, health plan numbers, details of medical conditions, lists of medications, and medical test results.

UCLA Health said by October its IT staff thought something fishy was going on, and realized that patient data was at risk months later on May 5. We’re told that sensitive information on “UCLA Health patients and providers who sought privileges at any UCLA Health hospital” could have been viewed by the crims.

Hospital bosses aren’t convinced the attackers were able to copy the information out of the network, and claim it’s possible the hackers may not have viewed the medical records. El Reg reckons that’s wishful thinking.

“While the attackers accessed parts of the computer network that contain personal and medical information, UCLA Health has no evidence at this time that the cyber attacker actually accessed or acquired any individual’s personal or medical information,” the group said in a statement.

“UCLA Health estimates that data on as many as 4.5 million individuals potentially may have been involved in the attack, believed to be the work of criminal hackers.”

Another day, another breach. No matter what company, organization, or government agency has your data in a computer, that personally identifiable information is at great risk of being compromised by nation state attackers, criminals, or even hacktivists.

E-Hacking News on a new trojan, hiding itself in PNG images, that is currently targeting and infecting the healthcare industry:

This new Trojan hides itself in PNG images to infiltrate personal computers of people and collect information. The malware hides in the pixels of the images.

The trojan hides in PNG images so it is able to circumvent security measures like network firewalls and personal antivirus software.

This malware was first spotted in 2013, but since then it has been reworked many times and multiple versions of Stegoloader now exist. Dell was the first company to report this malware.

Out of all the Stegoloader victims, 42 percent are in the healthcare industry.
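The E-Hacking News piece says only that the payload "hides in the pixels" of the image. As an added forensic example (not from the article, from E-Hacking News, or from any vendor write-up on Stegoloader), the script below shows how a responder can check an image's pixel data for that kind of hidden content. It assumes the common least-significant-bit (LSB) embedding scheme; that is an assumption about the technique in general, not a statement about how the real sample works. Pixel data is constructed inline as a flat list of 8-bit grey values, so no image library is required.

```python
"""Forensic LSB-plane check for hidden payloads in image pixels.

Added example: assumes LSB embedding (a common scheme, not verified for
Stegoloader).  Two signals are used: the Shannon entropy of the packed LSB
plane (random payload bits look like noise) and the fraction of adjacent
pixels whose LSBs agree (smooth image regions produce long runs, random
embedded bits push the fraction toward 0.5)."""
import hashlib
import math
from collections import Counter


def lsb_plane(pixels):
    """Pack the least-significant bit of each pixel, MSB-first, into bytes."""
    out = bytearray()
    for i in range(0, len(pixels) - 7, 8):
        byte = 0
        for value in pixels[i:i + 8]:
            byte = (byte << 1) | (value & 1)
        out.append(byte)
    return bytes(out)


def shannon_entropy(data):
    """Entropy in bits per byte; 8.0 is uniformly random, 0.0 is constant."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def lsb_run_fraction(pixels):
    """Fraction of neighbouring pixel pairs whose LSBs are equal."""
    same = sum(1 for a, b in zip(pixels, pixels[1:]) if (a & 1) == (b & 1))
    return same / (len(pixels) - 1)


def assess(pixels):
    """Return the two measurements plus a simple verdict (thresholds are
    illustrative assumptions; tune them against known-clean images)."""
    plane = lsb_plane(pixels)
    entropy = shannon_entropy(plane)
    runs = lsb_run_fraction(pixels)
    return {
        "entropy_bits_per_byte": round(entropy, 2),
        "lsb_run_fraction": round(runs, 2),
        "suspicious": entropy > 6.0 and runs < 0.6,
    }


# ---- constructed fixtures (not real samples) ----

def smooth_image(n=4096):
    """A slow grey gradient: every level repeated four times, so the LSBs
    form runs of four identical bits."""
    return [(i // 4) % 256 for i in range(n)]


def embed_lsb(pixels, payload):
    """Fixture only: overwrite pixel LSBs with payload bits, MSB-first."""
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out


def constructed_payload(size=512):
    """Deterministic pseudo-random bytes behind a constructed 'MZ' marker,
    standing in for an embedded executable (the marker is the only
    structure; the rest is hash output)."""
    body = b"".join(hashlib.sha256(b"fixture-%d" % i).digest()
                    for i in range(size // 32 + 1))
    return (b"MZ" + body)[:size]


def stego_image():
    """Smooth image with the constructed payload written into its LSBs."""
    return embed_lsb(smooth_image(), constructed_payload())


if __name__ == "__main__":
    print("clean:", assess(smooth_image()))
    print("stego:", assess(stego_image()))
    print("leading bytes of LSB plane:", lsb_plane(stego_image())[:4])
```

The two measurements complement each other: a compressed or encrypted payload raises the entropy of the LSB plane, while the loss of run structure shows up even when the payload is small relative to the image. Real images have textured regions whose LSBs already look noisy, so the thresholds above are starting points to calibrate against known-clean samples, not fixed rules. Once the plane is extracted, carving it for file signatures (as the constructed "MZ" marker illustrates) is the usual next step in triage.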

Shannon Pettypiece at Insurance Journal writes that 90% of United States healthcare firms have been hit by cyber attacks and that the industry needs much stronger cyber defenses and overall preparedness:

A rise in cyber attacks against doctors and hospitals is costing the U.S. healthcare system $6 billion a year as organized criminals who once targeted retailers and financial firms increasingly go after medical records, security researchers say.

Criminal attacks against healthcare providers have more than doubled in the past five years, with the average data breach costing a hospital $2.1 million, according to a study today from the Ponemon Institute, a security research and consulting firm. Nearly 90 percent of healthcare providers were hit by breaches in the past two years, half of them criminal in nature, the report found.