Queen Creek Medical Center (QCMC), also known as Desert Wells Family Medicine, located in Arizona, has notified up to 35,000 patients of a data breach following a ransomware attack that corrupted its medical records system, leading to a loss of a significant number of records.

According to a letter sent to patients, QCMC discovered that during the ransomware attack, the threat actor corrupted the data and QCMC’s back-ups, and despite efforts to repair and restore the data, QCMC was unable to recover that information. Therefore, no patient electronic records prior to the attack on May 21, 2021 are recoverable and QCMC has to rebuild the entire medical record system from scratch.

Following the attack, QCMC stated that it will upgrade its electronic health records (EHR) system, enhance endpoint detection, implement 24/7 threat monitoring, and train employees. All of these are basic cybersecurity hygiene, and putting them in place before an attack can help prevent one or speed recovery from it. Notably, none of them addresses the failure that made this loss permanent: backups that the attacker could reach and corrupt. A backup that sits on the same network, under the same credentials as production, is just more data to encrypt. At least one copy should be offline or immutable (write-once storage or a retention lock), held under separate credentials, and restore-tested on a schedule; a backup that has never been restored is an assumption, not a recovery plan.

This attack underscores that, for a small organization, investing in controls before an attack is a far better use of resources than paying for recovery after one, and that for some losses, such as an entire medical record system, there is no recovery to pay for.
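What QCMC ran into, backups that were already corrupted by the time anyone tried to restore them, is exactly what scheduled integrity verification exists to catch. The Python below is an added example, not QCMC's process or any vendor's tool: it records a SHA-256 manifest for a backup set and later re-checks every file against it, reporting corrupted, missing and unexpected files. The demo builds a throwaway backup set in a temporary directory (constructed data, not real records) and then overwrites one file in place to stand in for ransomware or a faulty backup job.

```python
"""Added example: SHA-256 manifest for a backup set, and a check that re-verifies it."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(backup_dir):
    """Return {relative POSIX path: sha256 hex} for every regular file under backup_dir."""
    root = Path(backup_dir)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_backup(backup_dir, manifest):
    """Re-hash backup_dir and compare it to a previously recorded manifest.

    Returns {"corrupted": [...], "missing": [...], "unexpected": [...]}; all three
    lists empty means the set on disk is byte-for-byte what was recorded.
    """
    current = build_manifest(backup_dir)
    return {
        "corrupted": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario (not real data): record a manifest, then one file is
    overwritten in place under the same name, as a ransomware actor or a broken
    backup job might do, and the check catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ehr").mkdir()
        (root / "ehr" / "records-2021-05-20.db").write_bytes(b"patient records snapshot")
        (root / "ehr" / "notes.txt").write_text("clinic notes\n")
        manifest = build_manifest(root)  # in practice, written to offline/WORM storage
        # Same file name, same directory, different bytes: invisible to a listing.
        (root / "ehr" / "records-2021-05-20.db").write_bytes(b"\x00" * 24)
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest is only worth something if it is stored where the attacker cannot rewrite it: on the same offline or immutable media as the backup copy it describes, or signed with a key that does not live on the backup server. A clean manifest check is also not a restore test; periodically restore into an isolated environment and actually open the records.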

FabFitFun, a fashion and beauty subscription service, settled claims that it failed to adequately protect and secure consumer data resulting in a data breach for a sum of $625,000 in the U.S. District Court for the Central District of California. In addition to agreeing to the monetary settlement, FabFitFun agreed to implement security measures, including engaging a third-party cybersecurity forensic vendor to conduct a risk assessment, offer multi-factor authentication for customers to access their accounts, and hire additional security and technical personnel to assist in building a more robust data privacy and security program for the company.

Plaintiff Cheryl Gaston sued FabFitFun in October 2020, alleging that the company failed to protect its customers’ data against hacker data scraping that compromised payment card information.

The settlement class includes 441,000 consumers; the deadline for individuals to opt-out of the settlement was June 16, 2021. To date, the claims administrator has not received any objections and only five (5) opt-out requests.

The Office for Civil Rights (OCR) recently announced that it has entered into the 20th settlement under its Right of Access Initiative. The settlement with Children’s Hospital and Medical Center in Nebraska includes an $80,000 payment by the hospital for failing to provide a mother with timely access to her daughter’s medical records.

According to OCR, after the mother first requested the records, the hospital provided her with some of the records, but failed to provide her with missing records after repeated requests. Once OCR intervened, the hospital provided all of the records to the mother.

In addition to the $80,000 payment, the hospital entered into a Corrective Action Plan with OCR.

Although executives of organizations report that ransomware is their number one security concern, and 87 percent of them expect an increase in cyber-attacks against their organizations over the next year, only one-third of them said they had conducted a tabletop exercise to prepare for a ransomware attack.

According to a survey of 50 executives, Deloitte found that although ransomware and cyber-attacks remain a top concern for executives, 54 percent of the executives surveyed stated that the organization had an incident response plan, but not specifically for a ransomware attack. Further, only one-third had actually conducted an internal simulation of a ransomware attack in order to prepare for such an eventuality.

Ransomware is not going away, and one way to prepare for it is a tabletop exercise with your Incident Response Team. In our experience the most effective exercises are the ones the team cannot prepare for: they are dropped into a scenario drawn from a real incident and have to work through it as they would in real life. Such exercises are eye-opening. When we run them, incident response teams leave with take-aways they had never considered, and each member understands their responsibilities and the next steps if an incident occurs. The first exercise gives you a baseline to build on, so that the chaos of a real security incident or ransomware attack is diminished.

Now is the time to schedule your tabletop exercise to test your Incident Response Plan and your team.

Recently, the Hamilton City Council in Ohio proposed a new local ordinance that would specifically prohibit the use of drones to commit voyeurism in response to complaints from a resident that someone in his neighborhood was harassing individuals with a drone by recording images. The complainant explained to the Council that a man was operating a drone and peering into windows in his neighborhood, flying over children playing in their yards and even chasing a woman down a street. The resident took video footage of the drone operations and reported the operator’s actions to the police, but no specific law or regulation applied to this operator’s activity.

The proposed law would make it illegal to use drones “to invade the privacy of another’s home, office, enclosed space or the private space of another.” Further, drone flights over properties (such as individual homes) would be prohibited without the owner’s consent, along with flying over crime scenes or emergency scenes. The proposed law would also make it illegal to operate drones “in a manner that recklessly endangers persons, wildlife, or property or in a manner that harasses, disturbs, intimidates, annoys or threatens persons.”

Lastly, the proposed law would ban drone flights over public parks and schools as well as municipal buildings and property owned by the City of Hamilton School District, Hamilton Parks Conservancy, or the City of Hamilton. An exception for TVHamilton drones would be included in the law.

Other ordinances limiting drone flights can be found in this part of Ohio, including in Youngstown, Cleveland, Cleveland Heights and the Sandusky County Park District (and of course, many similar ordinances exist across the country). Whether this new proposal is ultimately adopted, it serves as a strong reminder to check local laws and regulations before you fly a drone.

We have noted before how important it is to update the operating system (OS) on your mobile phone as soon as the manufacturer issues a fix. This week, Apple issued an iOS update that should be treated as urgent.

Apple’s release, iOS 14.8, patches two vulnerabilities that Apple says may have been actively exploited: one reached through iMessage that has been used to install NSO Group’s Pegasus spyware, and one in WebKit, the engine that renders web content in Safari and in every other browser on iOS.

The first patch closes a zero-click exploit: a maliciously crafted attachment is processed automatically when the message arrives, so the spyware is installed without the recipient tapping a link or opening anything. That is what makes it so concerning. The usual advice, don’t click on suspicious links, offers no protection, and there is nothing for the user to notice.

The second patch fixes a WebKit vulnerability, reported by a security researcher, in which maliciously crafted web content can execute code on an iPhone or iPad; simply visiting a page that hosts it is enough.

Message today: UPDATE YOUR iPHONE OPERATING SYSTEM ASAP. To do so, plug in your phone (or make sure it is well charged), go to Settings, tap General, then tap Software Update and install iOS 14.8. The same fixes shipped for iPadOS 14.8, macOS Big Sur 11.6 and watchOS 7.6.2, so update those devices too.

On August 25, 2021, the FBI issued a Flash Alert to warn companies, especially in the health care industry, about the proliferation of attacks by threat actors using Hive ransomware.

According to the Flash Alert, Hive was first observed in June 2021: “Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network.”

“After compromising a victim network, Hive ransomware actors exfiltrate data and encrypt files on the network. The actors leave a ransom note in each affected directory within a victim’s system, which provides instructions on how to purchase the decryption software. The ransom note also threatens to leak exfiltrated victim data on the Tor site, ‘HiveLeaks.'”

The Flash Alert provides technical details, indicators of compromise, the content of a sample ransom note, and recommended mitigations. The FBI also asks any organization hit by Hive to report the attack to the FBI, regardless of whether it chose to pay.
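The alert’s description of RDP lateral movement is something a SOC can detect from ordinary Windows logon telemetry, well before the ransom notes appear. The Python below is an added example, not part of the FBI alert or this post. The log lines are constructed, and the field layout (EventID=, Computer=, LogonType=, TargetUserName=, IpAddress=) is an assumed SIEM export of Windows Security Event 4624, not an official schema. It flags any source address and account pair that opens successful RDP sessions (Event 4624, logon type 10) on three or more distinct hosts within 30 minutes.

```python
"""Added example: flag RDP fan-out (one source/account reaching many hosts quickly)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line (not from the FBI alert or any real incident).
# Layout is an assumed SIEM export of Windows Security Event 4624 (successful logon).
SAMPLE_LOG = """\
2021-08-20T02:11:05Z EventID=4624 Computer=FS01 LogonType=10 TargetUserName=svc_backup IpAddress=10.0.5.23
2021-08-20T02:13:40Z EventID=4624 Computer=WS-117 LogonType=2 TargetUserName=jsmith IpAddress=127.0.0.1
2021-08-20T02:14:12Z EventID=4624 Computer=DC01 LogonType=10 TargetUserName=svc_backup IpAddress=10.0.5.23
2021-08-20T02:16:58Z EventID=4624 Computer=SQL02 LogonType=10 TargetUserName=svc_backup IpAddress=10.0.5.23
2021-08-20T02:17:30Z EventID=4624 Computer=FS01 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.5.23
2021-08-20T03:05:00Z EventID=4624 Computer=APP03 LogonType=10 TargetUserName=svc_backup IpAddress=10.0.5.23
2021-08-20T09:00:00Z EventID=4624 Computer=WS-042 LogonType=10 TargetUserName=helpdesk IpAddress=10.0.9.8
2021-08-20T14:30:00Z EventID=4624 Computer=WS-055 LogonType=10 TargetUserName=helpdesk IpAddress=10.0.9.8
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) Computer=(?P<host>\S+) "
    r"LogonType=(?P<logon_type>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)$"
)
RDP_LOGON_TYPE = "10"                  # RemoteInteractive: Terminal Services / RDP
LOCAL_SOURCES = {"127.0.0.1", "::1", "-"}


def parse_events(text):
    """Parse the export into dicts; lines that do not match the assumed layout are skipped."""
    events = []
    for line in text.splitlines():
        match = EVENT_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def rdp_fanout(events, window=timedelta(minutes=30), min_hosts=3):
    """Return {(source_ip, account): sorted hosts} for every source/account pair that
    opened successful RDP sessions on at least min_hosts distinct hosts within window.
    Only 4624 with logon type 10 counts; console (type 2) and network (type 3) logons
    and loopback sources are ignored."""
    sessions = defaultdict(list)
    for e in events:
        if e["event_id"] != "4624" or e["logon_type"] != RDP_LOGON_TYPE:
            continue
        if e["src"] in LOCAL_SOURCES:
            continue
        sessions[(e["src"], e["user"])].append((e["ts"], e["host"]))

    hits = {}
    for actor, logons in sessions.items():
        logons.sort()
        # Slide a window starting at each logon; the first window reaching min_hosts wins.
        for i, (start, _) in enumerate(logons):
            hosts = {host for ts, host in logons[i:] if ts - start <= window}
            if len(hosts) >= min_hosts:
                hits[actor] = sorted(hosts)
                break
    return hits


if __name__ == "__main__":
    for (src, user), hosts in rdp_fanout(parse_events(SAMPLE_LOG)).items():
        print(f"possible RDP lateral movement: {user} from {src} -> {', '.join(hosts)}")
```

On the sample data, svc_backup from 10.0.5.23 trips the rule (three servers in six minutes) while the helpdesk account, which reaches two workstations hours apart, does not. Tune the window and host count to your environment, and allowlist jump hosts and administrator workstations by source address, since they generate the same fan-out legitimately.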

When GDPR became effective three years ago, companies took notice of the fines attached to violations of the stringent privacy law: up to 4 percent of worldwide annual turnover, or €20 million, whichever is higher. The fines have been racking up, the most recent being the Irish Data Protection Commission’s €225 million (about $266 million) fine against WhatsApp, which is owned by Facebook.

The fine follows the Data Protection Commission’s finding that WhatsApp violated GDPR’s transparency obligations in how it informed users and non-users about its processing of their data and about the sharing of that data between WhatsApp and other Facebook-owned companies.

WhatsApp stated after the announcement of the fine that it disagrees with it and that it will appeal the decision.

In 20 years, could it be possible that 50 percent of all domestic ships on Japan’s coastal waters will be piloting themselves? Absolutely. A public interest organization in Japan, the Nippon Foundation, seeks to accomplish just that. The Foundation is backing Japan’s development of autonomous ships with the goal of making up 50 percent of Japan’s local fleet by 2040.

To reach this goal, in February 2022 a consortium that includes Nippon Yusen, Japan’s largest shipping company, will test a container ship piloting itself from Tokyo Bay to Ise, a small coastal city. Autonomous ships have made test voyages before, but this one is different: it will cover 236 miles and will be the first autonomous ship test in an area with heavy marine traffic. During the test a support center on land will gather weather, radar and other data and send directions back to the ship, and if complications arise the support center team can take over the ship’s steering remotely. That shore-to-ship link is, by design, a remote-control channel for a loaded container ship; it has to be authenticated end to end and able to withstand jamming and spoofing, because anyone who can impersonate the support center can steer the vessel, and anyone who can cut the link removes the human backstop.

By 2030, the global autonomous shipping industry is predicted to grow to a value of about $166 billion. A general manager at Japan Marine Science said that “[w]hen it comes to the automation of ships, our mission is to have Japan lead the rest of the world.” Japan is positioning itself as the leader out of necessity: its workforce continues to shrink and age, and in the domestic tanker industry, for example, about 40 percent of crews are aged 55 or older. The Nippon Foundation estimates that autonomous ships, and the artificial intelligence they rely on, will improve efficiency enough to add about $9 billion to Japan’s economy in 2040. Autonomous ships are also expected to improve safety, since about 70 percent of maritime accidents are attributed to human error.

The biggest challenge to the widespread use of this technology will be creating and implementing a regulatory environment and industry standards for autonomous shipping; even if the technology is ready and available, these regulatory hurdles could impact practical use in the near future.

In its second case against a stalkerware app, and the first in which it has banned a company from the surveillance business outright, the FTC announced on September 1, 2021, that it has “banned SpyFone and its CEO…from the surveillance business over allegations that the stalkerware app company secretly harvested and shared data on people’s physical movements, phone use, and online activities through a hidden device hack.”

According to the FTC’s press release, “The company’s apps sold real-time access to their secret surveillance, allowing stalkers and domestic abusers to stealthily track the potential targets of their violence. SpyFone’s lack of basic security also exposed device owners to hackers, identity thieves, and other cyber threats.”

The FTC has ordered SpyFone to delete any “illegally harvested information and notify device owners that the app had been secretly installed.”

To learn more about how spyware works and to protect yourself from it, see this consumer-friendly blog post by snoopza.