[BreachExchange] Insult To Injury – Florida Health Care Management Firm Accidentally Gives Data To Attackers

Destry Winant destry at riskbasedsecurity.com
Tue Sep 4 23:43:00 EDT 2018


https://www.riskbasedsecurity.com/2018/09/insult-to-injury-florida-health-care-management-firm-accidentally-gives-data-to-attackers/

Who:
HMC HealthWorks

How many records impacted:
Undisclosed

Timeline:
Occurred: Undisclosed
Discovered by the Organization: July 16, 2018
Publicly Reported: August 22, 2018

What Happened:

On July 16, 2018 Health Management Concepts, also known as HMC
Healthworks, discovered they were the unlucky recipients of a
ransomware infection. Like so many other businesses, it seems HMC was
poorly positioned to respond to the attack. According to the
notification letter provided to the New Hampshire Attorney General,
HMC apparently paid the extortion demand in order to restore access to
their systems. To quote the letter, “HMC promptly obtained decryption
keys from the attackers and decrypted the data without any impact on
the services HMC provides.” It is curious why a firm that had just
provided a similar notice due to a ransomware event impacting an
employee’s computer would be left with little recourse other than
paying for the decryption key. Typically firms that suffer a painful
malware infection will invest in their security, taking a variety
steps to prevent such an event from happening again. So while an
organization being hit with two ransomware events just 7 months apart
did catch our eye, the story does not end there.

Three days after discovering the infection, HMC made another
surprising discovery. Somehow the attackers were given a file
containing personal information belonging to employees of a customer.
To quote the notification letter once again, “HMC discovered that the
attackers were inadvertently provided a file that contained personal
information of IBU’s members”. [emphasis added] Really? How does that
happen? Sadly – and perhaps understandably – the notification letter
provides little else in the way of detail and additional information
on the event has not be made publicly available.

Why It Matters:

Two ransomware infections and inadvertently handing over a file
containing sensitive information could be a case of very bad luck but
it does leave us wondering how HMC manages their security. Security
events are never good news but it’s especially damaging to the
organization’s reputation when their customers’ data is the subject of
compromise due to outright data mishandling. We can only speculate how
it came to pass that a file, containing their clients’ employee’s
data, accidentally ended up in the hands of malicious actors while
responding to a ransomware infection. Regardless, this breach
highlights how important it is for third party risk assessment to go
beyond the technical aspects of security and delve into the day-to-day
data handling processes.

It also highlights the importance of following up with vendors after a
breach event. However that file ended up in the hands of the
extortionist, it most likely would not have happened at all if HMC had
taken more proactive steps after the January event. If HMC’s customers
conducted a post-event assessment, they may well have prompted HMC to
be more proactive and improve their security practices, thereby
preventing the second event from taking place at all.


More information about the BreachExchange mailing list