University of Utah Health announced Friday afternoon another data breach, this one taking place at the height of the COVID-19 pandemic. It is the institution's second breach this year caused by phishing.
This breach is the latest in a series of medical breaches hitting Utah health providers. Since 2018, about 16% of Utah citizens have had their health information compromised in data breaches.
The First Wave
As I wrote previously, U of U Health announced earlier this year a data breach involving employee email accounts. Beginning in January 2020, U of U Health battled a particularly effective phishing campaign that compromised employee email accounts and at least one computer. Those accounts held the personal health information of 3,670 people, according to the report U of U Health filed with the U.S. Department of Health and Human Services Office for Civil Rights. U of U said that as of February 27 it had identified and secured the compromised email accounts.
The Second Wave
The timeline is unclear based on the information available so far. There appears to be a period during which the phishing attacks ceased, and in that period U of U Health reported a second breach, affecting 5,000 people, to the U.S. Department of Health and Human Services Office for Civil Rights. It is unclear whether this second report relates to the earlier breach notification or to the new incident: the institution filed it three days before the date this month's press release gives as the start of the new incident.
Regardless of the exact start and end dates, a new wave of phishing attacks hit. For seven weeks the U of U security team battled the phishers. The team took "prompt action to secure each affected account shortly after identifying the unauthorized access," according to the press release. Almost 60 days after the new wave began, U of U Health announced the breach.
U of U Health Phishing Breach Timeline
January 7, 2020: First phishing incident begins
February 21: Previous phishing incident contained
March 20: Data breach press release issued
March 21: U of U notifies U.S. Department of Health and Human Services Office for Civil Rights of breach.
April 3: U of U notifies U.S. Department of Health and Human Services Office for Civil Rights of a separate breach.
April 6: Second phishing attack occurs. Unauthorized access begins.
April 7: U of U Security discovers successful phishing attack.
May 22: Latest unauthorized access discovered and contained.
U of U’s Ongoing Prevention Efforts
Patients may want to know what U of U Health is doing to prevent the same attack from succeeding a third time. The press release states the team is "working to implement enterprise-wide security enhancements, including expanded use of multi-factor authentication."
Turning on multi-factor authentication (MFA) for email is not easy and takes time. Not only do IT personnel need to integrate MFA properly, they also need to turn off old or legacy email protocols such as POP, IMAP and SMTP authentication with basic (username and password only) credentials. Those protocols never prompt for a second factor, so a phished password keeps working through them even after MFA is switched on for webmail and modern mail clients. Unfortunately, many systems, such as older mail clients and devices or applications that send mail, support only the older protocols and can't easily move to more secure ones. Getting rid of that technical debt is costly and sometimes painful.
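Before legacy protocols can be switched off, an administrator needs to know who still relies on them and whether an attacker is already using them to sidestep MFA. The script below is an added example written for this post, not code from U of U Health or from any vendor. It runs over a constructed sign-in export whose column names (user, client_app, result, source_ip) and client-app labels are assumptions modelled loosely on a typical cloud mailbox sign-in log; it reports which users can be placed in a block-legacy-auth policy right away, which still depend on legacy protocols, and which (user, IP) pairs show a browser login stopped by MFA alongside a successful legacy-protocol login from the same address, the signature of a phished password being replayed over a protocol MFA cannot protect.

```python
"""Inventory legacy-protocol email sign-ins before disabling basic auth.

Constructed sample: the log lines below are made up for this example and
loosely follow the shape of a cloud identity provider's sign-in export.
The column names and client-app labels are assumptions, not any vendor's
schema.
"""
from collections import defaultdict
import csv
import io

# Protocols that accept only a username and password. A phished password
# works here even when MFA is enforced for browser and modern-client logins.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}

# Constructed sample export (not real U of U Health data).
SAMPLE_LOG = """\
timestamp,user,client_app,result,source_ip
2020-04-06T02:14:07Z,alice@example.edu,IMAP4,Success,203.0.113.45
2020-04-06T02:15:31Z,alice@example.edu,Browser,Failure:MFA required,203.0.113.45
2020-04-06T08:02:10Z,bob@example.edu,Browser,Success,198.51.100.7
2020-04-07T09:30:00Z,scanner@example.edu,Authenticated SMTP,Success,10.20.0.14
2020-04-07T11:45:22Z,alice@example.edu,POP3,Success,203.0.113.45
2020-04-08T12:00:00Z,carol@example.edu,Browser,Success,198.51.100.9
"""


def parse_signins(text):
    """Parse the CSV export into a list of dicts, one per sign-in event."""
    return list(csv.DictReader(io.StringIO(text)))


def is_legacy(record):
    """True when the sign-in used a protocol that cannot prompt for MFA."""
    return record["client_app"] in LEGACY_CLIENT_APPS


def legacy_usage_by_user(records):
    """Map each user to the set of legacy protocols they successfully used.

    Users absent from the result have no legacy usage and can be moved into
    a block-legacy-auth policy without breaking any mail flow.
    """
    usage = defaultdict(set)
    for r in records:
        if is_legacy(r) and r["result"] == "Success":
            usage[r["user"]].add(r["client_app"])
    return dict(usage)


def users_safe_to_block(records):
    """Users seen in the log who never used a legacy protocol."""
    all_users = {r["user"] for r in records}
    return all_users - set(legacy_usage_by_user(records))


def mfa_bypass_candidates(records):
    """(user, ip) pairs where MFA stopped a browser login from an address
    that also completed a legacy-protocol login for the same user.

    Legitimate users rarely fail MFA in a browser and then succeed over
    IMAP/POP from the same IP; a phisher holding only the password does.
    """
    mfa_blocked = {
        (r["user"], r["source_ip"])
        for r in records
        if not is_legacy(r) and r["result"].startswith("Failure:MFA")
    }
    hits = set()
    for r in records:
        key = (r["user"], r["source_ip"])
        if is_legacy(r) and r["result"] == "Success" and key in mfa_blocked:
            hits.add(key)
    return sorted(hits)


if __name__ == "__main__":
    events = parse_signins(SAMPLE_LOG)
    print("Still using legacy protocols:")
    for user, protocols in sorted(legacy_usage_by_user(events).items()):
        print(f"  {user}: {', '.join(sorted(protocols))}")
    print("Safe to block legacy auth now:", sorted(users_safe_to_block(events)))
    print("Possible MFA bypass via legacy protocol:", mfa_bypass_candidates(events))
```

In the constructed sample, alice's browser login is stopped by MFA while IMAP and POP logins from the same address succeed, which is exactly the gap the press release's "expanded use of multi-factor authentication" does not close until basic authentication is disabled; the scanner account shows why that step usually cannot be flipped for everyone at once.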
Although not mentioned in the press release, the University appears to place an emphasis on educating users about phishing and password security. Multiple sections of the U of U Cybersecurity homepage display information about phishing and securing passwords, even if some of the password recommendations and restrictions are no longer considered best practice under current guidance such as NIST SP 800-63B.
We can draw some tentative conclusions from the available information about the phishing attacks. Given that the two phishing campaigns came close together, we may suspect that at least one threat actor (or group) targeted the university in both periods. When phishers enjoy a high success rate, they often hit the same organization again. Because two campaigns succeeded, a third is likely.
During the first incident the security team found malware on a workstation as a result of phishing, but the second press release did not mention malware. That difference in tactics may indicate multiple threat actors, though it may also mean the second release simply omitted the detail.
Given how long the incident lasted, these breaches were likely not the result of a single phishing email but of a series of phishing attacks. Phishers often run campaigns for quite a while, until the success rate falls below the level at which the campaign stays profitable.
However, given the sparse details publicly available, I can only speculate on the number of threat actors and their techniques.
The People Behind the Scenes
What is not speculation is how cruel and heartless the people behind the attacks are. You have to be among the lowest scum of the earth to attack a healthcare organization in the middle of a pandemic.
As much as these hackers are the filth of the earth, U of U's cybersecurity team counterbalances them with good people. Impressively, they identified and remediated the compromised accounts and notified affected individuals, and they did it in the middle of the COVID-19 pandemic for a large healthcare organization. Once again, the cybersecurity team should be rewarded for their tireless and dedicated work. Hopefully someone at the University delivers them lunch or something.