In a data breach disclosure filed with the Maine Attorney General’s office, U.S. healthcare giant Blue Shield of California confirmed more than 63,000 customers may have been affected by a recent ransomware attack.
In early February Brightline Medical Associates, a Blue Shield of California provider, reported that Brightline’s subcontractor, Fortra, LLC, suffered a security incident in January. According to the company website, Brightline offers virtual behavioral health coaching and therapy for children aged 18 months to 17 years old.
Blue Shield members impacted by the cybersecurity breach have been notified of the incident and provided no-cost credit monitoring. In a release, Blue Shield said the organization takes the situation “very seriously and is committed to protecting the privacy of members.”
A forensic investigation conducted by Fortra revealed that between Jan. 28-31 an unauthorized individual gained access to Fortra’s GoAnywhere Managed File Transfer-as-a-service (MFTaaS) application. The individual was able to download files Brightline maintained on that system. According to the data breach disclosure, 63,341 customers were affected and potentially accessed information included name, date of birth, address, gender, phone number, member ID number, employer name and or e-mail address. However, there was no access to other types of protected health information, such as social security numbers, driver’s license numbers, or banking and credit card information.
Once discovered, Fortra deactivated the unauthorized user’s credentials, disabled the vulnerable application, and rebuilt the application and gateway. Fortra notified law enforcement and removed all data Blue Shield shared with Brightline from the GoAnywhere MFTaaS.
Cybersecurity leaders weigh in
“These breaches highlight an important aspect of security controls. Too often, I see organizations that fall into a false sense of security, thinking that they are protected by simply putting a security control in place. In this case, because the organization failed to follow a security best practice, i.e., limiting administrative access to known and trusted addresses, the malicious actors could get control over the secure transport layer,” said Avishai Avivi, CISO at SafeBreach. “Unfortunately, in this case, the real victims are not Fortra or Brightline — the actual victims are the 63,000 individuals whose data was stolen. Unfortunately, healthcare sector organizations are at the top of the list of targets for malicious actors. The data they’re responsible for safeguarding is highly valuable, and there’s a higher likelihood that these organizations will be willing to pay the ransom to prevent the data leak. Sadly, as can be seen through previous breaches involving the sensitive data of minors, the malicious actors have very little regard for the true victims of this breach.”
“The healthcare environment is a prime target for criminals based on the amount of highly sensitive personal and financial information being held,” said Tim Morris, chief security advisor at Tanium. “In this instance, stolen child data is particularly concerning as it is ripe for identity theft, easily going unchecked or monitored for multiple years.
“Of all the safeguards, an active patching program is essential to ensure security resources are updated and fully operational,” Morris continues. “Storage of data should be encrypted and strict polices in place to manage data control. Multi-factor authentication (MFA) and least access privileges can also delegate who can access what information and when.”
“The healthcare industry with so many intermediaries makes it an excellent target for malicious actors. From finding a doctor to seeing one, viewing lab reports to picking up prescriptions – we use multiple mobile apps to keep track of our overall health and wellness,” said Krishna Vishnubhotla, VP product strategy at Zimperium. “Most end up storing and processing patient PII and PHI regardless of where they originated. And some of these apps are excluded from HIPAA, HITRUST or FDA compliance, so their security measures will be minimal to be cost-effective. And attackers know that.”