Manufacturing Sector Getting Hit with Cyber-Attacks: Portable Oxygen Device Manufacturer Notifies 30,000 Patients of Breach

Inogen, which manufactures portable oxygen devices, has alerted the Securities and Exchange Commission in a recent filing that it is notifying 30,000 individuals that their personal information was compromised when a hacker gained access to one of its employees’ email accounts through a phishing scheme.

The incident illustrates how the manufacturing sector is continuing to get hit with cyber-attacks, despite the fact that manufacturing companies view the risk of a data breach as low because they don’t typically collect, use or disclose customer personal information.

In this incident, the compromised employee’s email account contained the Medicare identification numbers, insurance policy information and the medical equipment provided to the individuals by the company.

The manufacturing sector, including device manufacturers, is often surprised at the amount of customer and/or employee personal information it has access to, collects and maintains outside of the usual places like the human resources department. When we assist manufacturers with data mapping, clients find that personal information is located in surprising places, including email accounts that can be compromised by phishing incidents.

This case is a reminder that manufacturers are at risk of a data breach and may wish to consider developing a privacy and security plan for management of the risk of compromise.

HHS Warns Health Care Organizations About SamSam Ransomware

The health care industry continues to get hammered by SamSam ransomware attacks, to the point that the Department of Health and Human Services Healthcare Cybersecurity and Communications Integration Center (HCCIC) has issued a report outlining the danger of ongoing SamSam ransomware campaigns, with tips to help organizations detect and block SamSam.

According to the report, since December 2017, there have been ten major SamSam attacks on health care organizations and the government in the U.S. Those affected include AllScripts, whose system was down for days, preventing health care providers from accessing electronic medical records for up to a week, the City of Atlanta, which shut down its IT systems to prevent its spread, Hancock Health, which paid the ransom to recover its data, the Colorado Department of Transportation, and Erie County Medical Center, which took six weeks to recover from the attack, costing the organization several million dollars.

The tips offered by HCCIC include:

  • Conduct a risk analysis
  • Train end users to help them detect malicious software
  • Implement procedures to protect against malicious software and apply detection software
  • Back up data regularly, following the 3-2-1 rule: 3 copies of the data, on 2 different media, with 1 stored offsite
  • Develop (and I would add test) contingency plans to minimize business disruption
  • Develop (and I would add test) incident response procedures, including specifically for a ransomware attack
  • Conduct annual penetration testing
  • Use rate limiting to block brute force attacks
  • Restrict the number of users who can log in remotely
  • Restrict access to RDP behind firewalls
  • Use a VPN or RDP gateway
  • Set up multi-factor authentication
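The "rate limiting to block brute force attacks" and RDP tips above are easiest to act on when failed remote logons are actually being counted. The following is an added example, not code from the HCCIC report or this post: a sliding-window detector that reads failed-logon events per source address and flags any source that crosses a threshold inside a short window, which is the signal a firewall or RDP gateway rate limit would act on. The log format, the IP addresses and the threshold are constructed for the example; the event number 4625 is the Windows Security failed-logon event, but real exports look different, so the line regex is an assumption to adapt.

```python
"""Sliding-window detection of remote-logon brute force (added example).

The log format below is constructed for this example and only loosely
mirrors Windows Security event 4625 (failed logon) exported as text.
Real exports differ, so LINE_RE is an assumption to adapt to your source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, event id, source IP, target account.
# 203.0.113.45 sprays several accounts within seconds; 198.51.100.7 is a
# legitimate user with two widely separated typos.
SAMPLE_LOG = """\
2018-04-10T02:00:01 4625 src=203.0.113.45 user=administrator
2018-04-10T02:00:03 4625 src=203.0.113.45 user=admin
2018-04-10T02:00:04 4625 src=203.0.113.45 user=backup
2018-04-10T02:00:06 4625 src=203.0.113.45 user=administrator
2018-04-10T02:00:07 4625 src=203.0.113.45 user=svc_sql
2018-04-10T02:00:09 4625 src=203.0.113.45 user=administrator
2018-04-10T02:00:11 4624 src=198.51.100.7 user=jsmith
2018-04-10T02:15:00 4625 src=198.51.100.7 user=jsmith
2018-04-10T03:40:00 4625 src=198.51.100.7 user=jsmith
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) src=(?P<src>[\d.]+) user=(?P<user>\S+)$"
)
FAILED_LOGON = "4625"  # Windows Security: "An account failed to log on"


def parse_line(line):
    """Return (timestamp, event_id, source_ip, user), or None if the line
    does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["event"], m["src"], m["user"])


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs that produce at least `threshold` failed logons inside
    any sliding interval of length `window`.

    Returns {source_ip: (window_start, count)} captured at the moment the
    threshold was first crossed, so an alert fires once per source.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures still in window
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash the pipeline
        ts, event, src, _user = parsed
        if event != FAILED_LOGON:
            continue
        q = recent[src]
        q.append(ts)
        # Evict failures that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (q[0], len(q))
    return alerts


if __name__ == "__main__":
    for src, (since, count) in detect_brute_force(SAMPLE_LOG).items():
        print(f"rate-limit {src}: {count} failed logons since {since.isoformat()}")
```

Run against the sample, only 203.0.113.45 is flagged: its fifth failure lands six seconds after the first, while 198.51.100.7's two failures are more than an hour apart and never accumulate. The threshold and window are the tuning knobs; a gateway that is reachable only through a VPN, as the tips recommend, will see far fewer sources and can afford a lower threshold.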

Frankly, none of these tips is new, and they are a reminder that health care organizations are still struggling with implementation of basic security measures to protect data. These ransomware attacks continue to exploit the fact that organizations are finding it extremely difficult to train employees and prevent an employee from clicking on a link or attachment that introduces malware or ransomware into the system. Until we can change the entire culture around workflow with email, ransomware will continue to cripple organizations.

This fact was emphasized by Beazley this week in a report on recent data breaches, which indicated that companies using Microsoft Corporation’s cloud-based products (also known as Office 365) are seeing a rise in cyber-attacks due to employees providing their credentials to a hacker who has gained access to the employee’s email account. We too have seen a dramatic rise in successful phishing attacks with clients using Office 365.

Beazley recommended that organizations implement two-factor authentication, enforce strong password policies and train employees to spot phishing emails to combat the ever-increasing risk of ransomware attacks.

Update on the FAA Reauthorization Bill

On April 13, 2018, the U.S. House Transportation and Infrastructure Committee (Committee) leadership introduced a five-year Federal Aviation Administration (FAA) reauthorization bill, FAA Reauthorization Act of 2018 (H.R. 4) (the Act). This bipartisan Act focuses on stabilization of the FAA with consistent funding instead of efforts to reform the air traffic control system. The Act also seeks to continue investment in U.S. airports and make reforms to improve U.S. competitiveness and safety in aviation. Specifically, the Act includes proposed funding for the FAA’s operations account ranging from $10.4 billion in fiscal year 2019 to $11.3 billion in fiscal year 2023.

Additionally, according to the Committee leadership, the Act:

  • Helps the U.S. lead in the aviation industry by putting American jobs, American innovation, and the traveling public first.
  • Cuts “red tape” so that U.S. manufacturers can get products to market on time, stay competitive globally, and continue to employ millions of Americans.
  • Encourages American innovation in aviation technologies to promote a stronger American workforce.
  • Gives the American traveling public a better flight experience.
  • Helps the national airspace system remain as safe as possible for the American traveler and addresses factors related to recent incidents.

Committee Chairman, Bill Shuster of Pennsylvania, said, “This FAA authorization is the culmination of years of hearings and listening sessions to solicit input from aviation stakeholders, commercial passengers, general aviation pilots and our colleagues. In the truest sense, this legislation represents bipartisan cooperation and compromise to advance the Nation’s aviation interests and safety in the skies.”

EPIC Files Suit to Enforce Transparency Obligations related to U.S. Drone Policy

Last week, the Electronic Privacy Information Center (EPIC) filed a lawsuit against the Federal Aviation Administration’s (FAA) Drone Advisory Committee (Committee) to enforce the open government obligations of the Committee. The Committee is an industry-led committee that advised the FAA regarding drone policy in the U.S. EPIC claims that for over one year, the Committee has conducted its work “in secret” and “ignored the privacy risks posed by the deployment of drones.” EPIC claims that the Committee violated the Administrative Procedure Act by failing to open its meetings to the public and failing to make its records open to the public. EPIC hopes to force the Committee to disclose its work to the public as a result of this lawsuit. EPIC’s complaint can be viewed here.

Privacy Tip #135 – Cybersecurity Spring Cleaning Tips

Here’s a great idea offered by the National Cyber Security Alliance and the Better Business Bureau: while you are doing your spring cleaning, don’t forget to do a digital spring cleaning too—that is, your computer, cellphone and Internet-connected devices.

The tips acknowledge that we all have information contained on our computers, cellphones and mobile devices that should be culled and discarded, just like our closets. While cleaning our closets and our sock drawer, take the time to clean your digital closets too.

Here are the seven tips they offer for digital spring cleaning:

  • Fortify your online accounts and enable the strongest authentication tools available, such as biometrics, security keys, or a unique one-time code through an app on your mobile device. Usernames and passphrases are not enough to protect key accounts like email, banking and social media
  • Delete unused apps and keep others current, including the operating system on your mobile devices
  • Clean up your email: save only those emails you really need and unsubscribe from email you no longer need/want to receive
  • Check that all software on Internet-connected devices is up to date to reduce the risk of infection from malware, or enable automatic updates
  • Permanently delete old files using a program that deletes the data, wipes it from your device and overwrites it by putting random data in place of your information ‒ so it cannot be retrieved
  • De-packrat your old digital devices you never use. Information still exists on them and could be stolen. Don’t wait: wipe and/or destroy unneeded hard drives as soon as possible. For devices like tape drives and thumb drives, remove any identifying information that may be written on labels before disposal
  • Review the privacy and security settings on the websites (and, I would add, social platforms) that you use, and set them to a level consistent with your comfort level.

These are all great tips to follow for cyber hygiene. And since it is still snowing in the Northeast and Midwest, now’s the time to do it while waiting for Spring to arrive!

EU-US Transatlantic Data Flows Subject to Further Legal Challenge

Last week, the High Court of Ireland submitted eleven questions to the Court of Justice of the European Union (CJEU) to consider about the personal data transfer regime between the European Union (EU) and the United States. This referral stems from a new claim by Max Schrems, an Austrian lawyer and privacy activist. Schrems previously challenged the adequacy of the U.S. Safe Harbor data transfer regime to protect EU personal data transferred by technology companies and affiliates in Ireland (including Facebook) to the United States. In 2015, the CJEU struck down the U.S. Safe Harbor as a valid mechanism to transfer data to the U.S. as a result of a referral from the Irish High Court arising from Schrems’ prior lawsuit.

Schrems’ new claim specifically challenged whether the EU’s standard contractual clauses (SCCs) adequately protect EU personal data transferred from Facebook’s Irish entity to the United States. Schrems’ concern is that EU personal data transferred by Facebook to the U.S. under the SCCs could be accessed by the National Security Agency as part of the NSA’s mass surveillance programs.

However, the Irish High Court’s eleven-question referral to the CJEU was much broader than the adequacy of the SCCs alone. The CJEU is being asked to consider the adequacy of the Privacy Shield mechanism (adopted in 2016 as a replacement for the EU-U.S. Safe Harbor) as well as the SCCs, how to resolve conflicts between different countries’ data protection rules and regulations, violations of individual rights caused by surveillance law, and the authority of data protection authorities to suspend cross-border data transfers, particularly on the basis of concerns about mass surveillance law.

Additionally, in the EU Article 29 Data Protection Working Party’s (WP29) first annual review of the Privacy Shield data transfer mechanism, it called for the appointment of a permanent Privacy Shield ombudsperson in the U.S., among other protective safeguards. The WP29 requested that the U.S. address these safeguards by May 25, 2018, when the GDPR, the EU’s new data protection law, comes into effect. To date, the U.S. has not addressed the WP29’s concerns. If anything, the U.S. extension of FISA earlier this year may have created more questions, as it did not include privacy protections for foreigners’ data. While the CJEU’s response to the eleven questions is not likely to be issued for months, significantly higher fines for violations of the GDPR are possible beginning on May 25.

Pipeline Companies Targeted by Cyber-Attacks

Reports show that U.S. energy companies reported more than 350 cybersecurity incidents to the U.S. Department of Homeland Security between 2011 and 2015. Pipeline companies are included in that statistic.

Last week, Energy Transfer Partners (ETP) notified its oil and gas shippers that its pipeline network system was hacked. According to ETP, the hacking targeted an ETP contractor that manages the ETP system; ETP was not hacked directly. Further, the hacking did not affect the actual pipeline system, but targeted the electronic data interchange system that facilitates transactions regarding oil and gas movement through pipelines.

The incident is presumed to have been focused on gaining pricing information for competitive advantage as opposed to disruption of the pipeline. Nonetheless, it shows the importance of vendor management.

Four other gas networks shut down their communication networks in the last week as a result of cyber-attacks. One natural gas pipeline company disabled its communication system as a precaution after a third-party provider was the target of a cyber-attack. Three others reported communications breakdowns with customers and websites that are hosted by third-party companies. The Department of Homeland Security is investigating.

New Jersey AG Fines Virtua Medical Group $418,000 for Data Breach Caused by Vendor

The New Jersey Attorney General’s office announced this week that it has fined Virtua Medical Group, which is comprised of more than 50 medical practices in New Jersey, for failing to protect the privacy of 1,650 patients when their medical information was accessible online.

The information was uploaded to a password-protected FTP website, but during a software upgrade to the server the password protection was removed, which allowed the data to be accessed without a password. The information was also searchable, and 462 patients’ information was indexed by search engines.

Although the misconfiguration of the website was caused by Virtua’s business associate, the New Jersey AG fined the medical group for HIPAA violations because it found that Virtua had failed to conduct a risk assessment, had not implemented a security awareness program for its entire workforce, had no procedures in place to facilitate retrieval of copies of the ePHI maintained on the FTP site, had maintained no logs, and had allowed the information to be exposed. According to the AG, these constituted violations of both HIPAA and the New Jersey Consumer Fraud Act.

Outcome Health Settles TCPA Class Action Suit

Ever notice the flatscreen TVs and tablets in your doctor’s office that run different health-related and wellness stories? Many of them are provided by Outcome Health, which installs free TVs and tablets in doctor’s offices to provide educational material to patients while they are sitting in the waiting room.

The company makes its money by selling ads to pharmaceutical companies, which pop up during the educational stories. It also offers patients the ability to receive automated daily nutrition tips via text message. One patient agreed to the tips, but then was inundated by them, and she tried to opt out of the texts over 25 times. She got fed up and sued the company for violation of the Telephone Consumer Protection Act (TCPA).

The company denies violating the TCPA, but settled the case for $2.9 million.

Busy Data Breach Week

Unfortunately, it was another busy data breach week. Here’s a summary of the major ones.

Delta Airlines admitted in a statement that the payment card data of several hundred thousand customers might have been compromised by malware between September 26 and October 12, 2017, through a third-party vendor ([24]7.ai) that provides online chat services to Delta. The information exposed included customers’ names, addresses, CVV numbers, expiration dates and payment card information.

This is the same malware that recently impacted Sears, Under Armour, Hudson Bay, and Boeing.

Hacker group JokerStash, which allegedly caused data breaches at Whole Foods, Omni Hotels and Chipotle, just hit Saks and Lord & Taylor, which have suffered a data breach of over five million credit and debit cards from May 2017 to the present day. The hackers are reported to be selling the credit card information on the Dark Web as we write.

And last, but not least, a class action lawsuit was filed against Panera Bread Co. in Illinois federal court within a week of the company reporting that it had been the victim of a data breach of its customer information through its customer rewards program.
