[BreachExchange] ER Physician Association Hacked

[Destry Winant]

https://www.databreachtoday.com/er-physician-association-hacked-a-16453

The American College of Emergency Physicians says a "malware" attack
affected tens of thousands of the group's current and former members as
well as members of three other emergency medical professional organizations.

The Irving, Texas-based ACEP reported to regulators in early April that it
had detected the security incident on Sept. 7, 2020, after discovering
unusual activity on its systems.

"During the course of the investigation, it was determined that credentials
to ACEP’s separate SQL database servers were stored on a server that was
compromised by an unauthorized actor," ACEP says in California and Maine.

ACEP notes the Emergency Medicine Foundation, the Emergency Medicine
Residents’ Association and the Society for Emergency Medicine Physician
Assistants - to whom it provides management services - were also affected.
Those three groups are not owned or controlled by ACEP, "although they all
have similar missions to support and serve emergency physicians," an ACEP
spokesperson says.

ACEP did not describe the type of malware used in the attack.

Tens of Thousands Affected
In its notification statement filed to the state of Maine, ACEP reports
that the incident affected more than 70,300 individuals, including 808
residents of Maine.

"While there is no evidence the SQL servers were subject to unauthorized
access or acquisition … it cannot be ruled out," the notification letters
say. The potentially compromised information was at risk from April 8,
2020, to Sept. 21, 2020.

"The information that could have been subject to unauthorized access now
includes the member/customer/donor name, address, Social Security number,
and/or a username or email address and hashed password," the ACEP says.
"Most of the information impacted was limited to names and usernames/email
addresses with hashed passwords."

ACEP says it is offering affected individuals 12 months of prepaid credit
and identity monitoring.

The association tells Information Security Media Group the unusual activity
discovered on the organizations e-commerce site last year stopped within
two days. "The affected server was replaced, and new cyber monitoring and
security safeguards were installed," ACEP says.

"During the course of its investigation, ACEP determined that its member
database was accessible during this incident. Though we have no information
that the member database was impacted, we provided notice to certain
members, staff and customers out of an abundance of caution. ACEP’s member
database does not store any health or patient information."

A Gold Mine for Hackers
"Attackers search internet-facing database servers with weak passwords in
order to siphon sensitive information," says privacy attorney David
Holtzman of consulting firm HITprivacy LLC. "These hackers struck gold when
a compromised server was found to have maintained unencrypted files
containing the credentials and passwords to access other ACEP servers on
which the personal information of physicians and other partners was stored."

Regulatory attorney Marti Arvin of the privacy and security consultancy
CynergisTek, notes that association members "are likely high net worth
individuals, so the risk is high. There may be opportunities for bad actors
to get this information and impact the person’s financial circumstances
before they even know it has occurred."

The compromise of personal information linked to medical professionals
raises the possibility for healthcare billing fraud and other scams, she
notes.

"While a little more complex than straight identity theft, [medical billing
fraud] is a potential threat because combining the [personal] information
that was potentially exposed with the provider’s National Provider
Identifier - often publicly available - could give a bad actor sufficient
information to submit claims under the physician’s name," she adds.

Holtzman notes that physicians are especially vulnerable to identity theft
and financial fraud because they often miss the warning signs that someone
is misusing their personal information and committing fraud.

"For example, physicians may not be attentive to careful review of banking
and other financial statements that would reveal changes to direct deposit
amounts for income received through their medical practice or unauthorized
transfers to debiting the account," he says.

"Physicians may not see they have received notices from government agencies
about claims filed using their provider number, a notice from the IRS that
they didn't pay income taxes on the fraudulent claims or that their Social
Security number was used on another tax return or get collection notices or
bill for products or services they didn't receive."

Steps to Take
Preventing malware-fueled data breaches is "all about good data governance,
including data classification and assigning appropriate controls around the
data based on its sensitivity level," Arvin says.

"Many entities invest the resources to do this well. There is also the
factor of human error and the need for redundancies so that if a human
error occurs, there are additional controls to protect the information."

Privileged users should use stronger authentication methods, and
organizations should ensure strong protections for credential storage, she
adds.

Holtzman suggests that the most critical credentials should be hashed. "If
a data hash cannot be applied, then the media on which the credentials or
passwords are stored must be encrypted," he says.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210426/5f18695c/attachment.html>