Twenty-three Texas Municipalities Crushed by Coordinated Ransomware Attack

We have definitely seen an uptick in the number of ransomware attacks against municipalities around the country. Thus far, the attacks have been against single cities, towns, and court systems, and recently against a Louisiana school system.

The pace and coordination of these attacks have magnified, as evidenced by the coordinated and simultaneous ransomware attacks this past week against 23 Texas cities. It is believed that the attack was instigated by one attacker. The attacks were deployed by this single individual like a well-trained army and crushed the cities’ ability to do business.

According to the Texas Department of Information Resources’ (DIR) press release, “Currently, DIR, the Texas Military Department, and the Texas A&M University System’s Cyberresponse and Security Operations Center teams are deploying resources to the most critically impacted jurisdictions. Further resources will be deployed as they are requested.” It is being reported that the Department of Homeland Security and the FBI are assisting in the investigation and restoration efforts.

According to reports, services such as paying taxes and water bills, conducting title searches for closings on residential real estate transactions, and other services are unable to be performed since the systems supporting these services were shut down. Several of the cities have resumed normal operations as of this writing, and it is being reported that not all systems in all of the affected towns were impacted. Nonetheless, it is a precursor of more to come, and demonstrates how the impact of a coordinated and simultaneous attack can be devastating to day-to-day life.

Court Finds That Insurer’s Quote Implied Coverage for Computer Hacking Losses

In an interesting case from Indiana, a court recently ruled that language in the insurer’s “quotes” for coverage in a crime policy led the insured to believe that losses for computer hacking would be covered under the policy if the insured purchased coverage. The case, Metal Pro Roofing, LLC v. Cincinnati Insurance Company, 2019 WL 3756738, found that the quotes provided to the insured stated:

Business owners typically think of your buildings, inventory, furniture, office equipment, automobiles and mobile equipment when designing an insurance program to protect your assets. Ironically, you would be overlooking what is arguably one of your most valuable assets – your money and securities.

Cincinnati can insure your money and securities while at your premises, inside your bank and even off site in the custody of a courier. While you’ve taken precautions to protect your money and securities, you run the risk of loss from employees, robbers, burglars, computer hackers and even physical perils such as fire.

Give yourself peace of mind with Cincinnati’s crime coverage to insure the money and securities you worked so hard to earn. (emphasis added).

The two roofing company plaintiffs sustained losses of more than $78,000 after their bank accounts were hacked and money taken out of their accounts. The plaintiffs submitted claims under their insurance policies, but the claims were denied when the insurer found that computer hacking was not covered by the policies.

It was clear that the language in the quote was not a policy. Nevertheless, the court still overturned the summary judgment for the insurer as the evidence indicated that the insured relied on the description in the quotes when deciding to purchase the coverage. The case was remanded to the lower court for trial.

While this case may be a bit of an outlier in terms of the facts, it illustrates an important point–always confirm that the cyber and/or crime coverage in your insurance policy(ies) matches your business needs and associated risks. In considering the facts of this case, it’s wise to review the policy to make sure you have the coverage you think you purchased.

Allscripts Announces $145 Million Preliminary Settlement with DOJ Related to an Investigation of Practice Fusion, a Recently Acquired EHR Company

In its second quarter Securities Exchange Commission (SEC) filing, Allscripts addressed its announced agreement in principle with the Department of Justice (DOJ) to resolve investigations into certain alleged practices of Practice Fusion, an electronic health records (EHR) vendor acquired by Allscripts in February 2018 for $100 million. Allscripts indicated the agreement is still subject to further negotiation and government approval, and would likely include additional non-monetary terms, including a deferred prosecution agreement, if a finalized settlement is reached.

The $145 million settlement would resolve potential criminal and civil liability facing Allscripts for practices of Practice Fusion that allegedly occurred, and were initially investigated by the DOJ  prior to the acquisition’s consummation. In its first quarter report to the SEC, Allscripts disclosed the receipt of six civil investigative demands and HIPAA (Health Insurance Portability and Accountability Act) subpoenas from March 2017 to January 2019, and a related criminal grand jury subpoena in March 2019. The investigation pertained to Practice Fusion’s certification under the U.S. Department of Health and Human Services’ (HHS) Electronic Health Record Incentive Program, which was designed to encourage providers to utilize EHRs by offering incentive payments for meaningful use of certified EHR technology. Marketers of EHR technology, such as Practice Fusion, can gain certification by demonstrating that their technologies meet characteristics defined by HHS. However, misrepresentations of product capabilities by marketers to gain certification could lead to claims by the government that these misrepresentations caused providers using the technology to submit false claims.

As noted in Allscripts’ first quarter filing, since 2017, two other EHR vendors were investigated by the DOJ for allegedly misrepresenting capabilities of their technology to gain certification that the DOJ claimed caused providers to submit false claims, resulting in settlements of  $57.25 million and $155 million. In addition, the investigation into Practice Fusion further scrutinized Allscripts’ compliance with the Anti-Kickback Statute and HIPAA. The agreement reached in principle, as announced by Allscripts, would resolve the HHS’s investigations and the associated potential civil and criminal sanctions.

As HHS and other legislative efforts continue to incentivize EHR utilization, vendor compliance is likely to face continued scrutiny, and the DOJ has demonstrated its continued commitment to enforcement actions involving healthcare technology companies.

This post was authored by Karen Rabinovici. Karen is not yet admitted to practice law in Connecticut.

Choice Hotels Contacts 700,000 Customers About Data Breach Caused by Vendor

In another example of a data breach allegedly caused by a vendor, Choice Hotels is contacting approximately 700,000 of its customers regarding a data breach caused by a third-party vendor that “copied the impacted data from our environment without authorization” to its server. While the data was being transferred to the third-party vendor’s server, it was accessible on the internet for a few days.

According to Choice Hotels, although much of the information was “fake” (we are interpreting that to mean that it was test data as opposed to production data), some of it was the real information of guests, including names, addresses, telephone numbers and email addresses.

When researchers notified Choice Hotels of the exposed data, it contacted the vendor, which then deleted the database from its server, and Choice Hotels “ended its relationship” with the vendor.

In light of the compromising situation regarding its data, Choice Hotels is recommending to its affected customers that they be aware of phishing emails, texts and mailings , which is something customers should be doing anyway.

Initial Coin Offerings (ICOs) on SEC’s Radar

This month, the Securities and Exchange Commission (SEC) announced that it has entered into a settlement with SimplyVital Health, Inc., a blockchain company that offered and sold approximately $6.3 million worth of securities to the public. The SEC alleged that the plan to conduct an initial coin offering (ICO) to raise money to develop a “healthcare-related blockchain ecosystem” was done without proper registration with the SEC.

According to the SEC’s Order, SimplyVital Health, Inc. publicly announced its plan for the token sale and offered a new token called Health Cash or HLTH, to be used as currency in its Health Nexus. “SimplyVital concurrently announced that it would conduct a ‘re-sale’ of its HLTH tokens, in which it offered investors Simple Agreements for Future Tokens, or SAFTs, under which it sold HLTH tokens that would not be delivered to investors unless and until created by SimplyVital. The order finds that SimplyVital did not file a registration statement with the Commission or qualify for an exemption from registration before offering and selling HLTH to the public through the SAFTS.” The failure to register violated the registration provisions of Section 5(a) and (c) of the Securities Act of 1933.

SimplyVital agreed to a cease-and-desist order and to voluntarily return substantially all of the funds raised during the pre-sale back to investors.

There is a lot of chatter about blockchain technology and ICOs. People and entrepreneurs want to get in on the action. The SEC is following ICOs closely and its settlements, like other regulatory agencies, offer guidance as to its interpretation of governing laws that may have been enacted long before new technology. Following the guidance and being aware of legal requirements with new technology is key to compliance as regulatory agencies adapt to new technology.

Beyond Visual Line of Sight Drone Operations in Kansas

Last week, the Federal Aviation Administration (FAA) gave the go-ahead for the Kansas Department of Transportation (KDOT) to conduct beyond visual line of sight (BVLOS) drone operations. The KDOT team, which includes Kansas State University Polytechnic, Westar Energy and Iris Automation,  will fly a nine-mile track to evaluate technologies for power line inspections in rural Kansas without monitoring the drone by visual observers or ground-based radar. Westar Energy’s senior unmanned aerial systems (UAS) coordinator said, “Being able to operate under this waiver allows the [KDOT] team the ability to research and develop truly scalable BVLOS UAS operations for the automated inspection of linear infrastructure.” KDOT hopes to conduct exponentially safer and more cost-effective inspections using drones in this manner. The goal of the KDOT team and these missions is to assist in creating a safer, scalable means for all drone operations in the national airspace.

North Dakota Sheriff’s Department to Operate Drones Over People

Last week, the Burleigh County Sheriff’s Department in North Dakota received a four-year waiver from the Federal Aviation Administration (FAA) to operate drones over people. The Department will routinely conduct drone operations over people for purposes of public safety and monitoring. Currently, the Department has five drones –all equipped with a parachute recovery system. Specifically, the Department says it will use the drones to photograph, measure and document complicated crash scenes, which will remove troopers from dangerous roadways and lessen delays for motorists. The Department’s data collection or information retention procedures were not included in the announcements.

Privacy Tip #204 – Has Your Doctor (or other Professional) Downloaded Apps With Microphone Access?

I have the great pleasure to present annually to doctors who are in their fellowship (which means they are post-med school and continuing their training in a particular specialty) about lawyerly things before they go out into the real world. I have been doing it for years for an old friend of mine who is their attending physician. I love being with these bright, young and very talented individuals who are eager to help people with their medical problems, and they like getting to ask questions of a lawyer for free.

Since I am focused on data privacy and security, during my presentation this year I spoke to them about the use of their personal phones during treatment sessions with patients. As I always do when talking to people about their phones, I asked them to go into their privacy settings and into the microphone section and see how many apps they have downloaded that asked permission to access the microphone. How many green dots are there? Almost all of them looked up at me with wide eyes and their lips formed a big “O.”

Yes, I said, these apps have access to everything you are saying, including with your patients. They immediately clicked them all off, and we continued to chat about what this means in their profession.

I am not picking on them—I do the same thing with lawyers, financial advisors and CPAs, and any other professional that has access to sensitive information.

When a professional downloads an app that allows access to the microphone, all of the conversations that you believe are private and confidential are now not private and confidential if that phone is in the room with you.

It is rare for individuals to understand that when these apps are downloaded the company has full access to everything happening while the phone is on. Professionals, including doctors, need to understand the implications of taking their phones into treatment rooms if they have downloaded apps that allow full access to the microphone on the phone. Those apps’ access should be turned off, or the phone itself should be turned off, during treatment sessions.

Not only because I am on a one-woman bandwagon trying to get people to better understand the capabilities of their phones, but also so that I can assure that my conversations with my doctor and other professional advisors are private and confidential, I specifically ask them to turn off their phones or app access to the microphone while I am meeting with them. This is for my privacy–but is also a teaching moment so professionals understand the issue.

Security Researchers Find Biometric Data on 28 Million Records Is Exposed

It was reported this week by The Guardian and Forbes that security researchers from Vpnmentor have discovered and published a report that Suprema, a company that collects and monitors biometric information such as fingerprints and facial recognition data, has left exposed the biometric information of 28 million records and 23 gigabytes of data insecure.

Suprema services police departments, banks and defense contractors, and provides identity and time and attendance solutions, fingerprint scanners, and mobile authentication tools for employers. According to The Guardian, the system involved is Suprema’s Biostar 2 biometric identity solution, which “is used by 5,700 organisations in 83 countries, including governments, banks and the police.”

According to the researchers, highly sensitive biometric data and administrative usernames and passwords were left unencrypted. The researchers found plain-text passwords of administrator accounts and they were “able to change data and add new users.” The ability to add new users or manipulate the integrity of the data is frightening. The theft of biometric information also is frightening because we only have one set of fingerprints and one face. The researchers stated “they are saving people’s actual fingerprints that can be copied for malicious purposes.”

Suprema says it has shut down the vulnerability and is investigating the report. The information that was reported exposed includes “fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.”

Can You Really Protect Against Ransomware?

We’ve written a few times recently about municipalities, companies, and government agencies hit with ransomware attacks this year. In early July, it was reported that a court system in Georgia was attacked with ransomware, causing lawyers, court employees and the public to have to rely on “old school” paper to file pleadings and keep the court system running. This got me thinking about ransomware, and then I came across a Security Tip (ST-19-01) sheet from the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) that I thought was worth sharing.

The tip sheet has three key suggestions to protect data and networks: back up data, store backups separately, and train your staff. Anyone who ever had a personal computer “crash” back in the day knows that having backup files is invaluable. Imagine if your entire company’s data, or your municipality’s or court system’s data were completely inaccessible. What would you do?

Being prepared by having data properly and completely backed up with files off-site and able to be restored in the event of a ransomware attack means the difference between being down for a brief period of time and being locked out of data permanently or potentially paying thousands of dollars for a decryption key that may or may not work. The federal government wants you to report ransomware attacks to the FBI and not to pay ransom at all.

Staff training is also critical, so staff is aware of all of the things that bad actors will do to try to trick people into clicking on malicious links. Simple things like calling someone to verify if they actually sent an email with new bank routing information or if they sent a request for confidential documents go a long way to protecting a company from a cyber-attack.

What else can a company do? Think about cyber liability coverage for ransomware attacks and other cyber threats. That premium payment for cyber coverage would be minuscule compared to the potential cost of a ransomware attack.