Reports: Florida Department of Health Deals with Data Theft

The Florida Department of Health is dealing with a cyberattack involving the theft of sensitive health data and non-public data. The RansomHub cybercriminal gang reportedly said it has begun publishing 100 gigabytes of data stolen in the hack, which is the latest in a series of at least a dozen major health data breaches so far this year involving public health departments.

RansomHub threatened to start publishing stolen data from the Florida Department of Health unless the state paid a ransom by last Friday, but it is illegal for any Florida government agency to pay extortionists, according to a report by local media outlet 4NewsJax.

The state indicated that the incident affected the Health Department’s vital statistics system used for birth and death certificates, but declined to provide additional details, 4NewsJax reported. The Miami Herald reported that the incident disrupted tax collectors’ offices and funeral homes across the state that need to access the system.

The Florida Department of Health did not immediately respond to requests for comment from Information Security Media Group.

According to a report by StateScoop, RansomHub, which has claimed responsibility for several other recent data extortion schemes, including attacks on Christie’s and Change Healthcare, began publishing stolen data from the Florida Department of Health on July 5, after the state refused to pay the gang.

The Florida Department of Health hacking incident is the latest in a series of recent attacks and major health data breaches involving public health departments.

“State and local health departments contain gigantic amounts of sensitive medical and private information, making them lucrative targets for hackers looking for insights they can monetize,” said Jon Moore, chief threat officer at Clearwater, a privacy and security firm.

“In addition, those departments operate with limited cybersecurity resources, which can make them more vulnerable to attacks.”

Public health departments face a variety of internal and external challenges that, combined, make them a target for cybercriminals, said Tom Walsh, president of privacy and consulting firm tw-Security.

“The leaders of state, county or municipal governments are elected officials. With limited budgets, leaders (elected officials) will need to fund projects that provide maximum tangible advantages to their constituents,” Walsh said.

“Public health is a mandatory service, but it does not have the same appeal to the public as the construction of a new park. The wishes of elected officials may outweigh the need for greater cybersecurity. It is possible for funds to be diverted from safety to safe projects. This may only be someone’s chances of being re-elected.”

Meanwhile, state, county and municipal governments struggle to compete for talented IT staff, let alone cybersecurity expertise, because they typically pay less than larger companies, Walsh said.

“In rural areas and small townships, elected officials are unlikely to have the same deep wisdom as a career bureaucrat working in a health ministry. As a result, they may not fully perceive the consequences that can also arise if data generation and cybersecurity are underfunded. or the Ministry of Health.

“If an attacker manages to compromise a health service, they can create new opportunities to expand their attack base, knowing that other entities will gain advantages from a secure point of acceptance in any exchange of the health service.”

Even if state or local governments have strict policies against paying ransoms, hackers are probably unaware of those policies or the government’s determination to abide by them, Moore said.

“Hackers target those entities despite no-ransom policies, as even unsuccessful ransom demands can disrupt operations, causing significant damage and potentially leading to monetary gain through secondary means, such as promoting stolen data on the dark web or even personally extorting money from Americans whose information was stolen,” Moore said.

As of Monday, the U.S. Department of Health and Human Services’ HIPAA breach reporting tool shows at least a dozen other major health data breaches affecting nearly 444,000 people reported so far in 2024 by state and local public health departments.

The largest such breach, a hacking incident that affected approximately 253,000 people, was reported in April by the Los Angeles County Departments of Health Services and Public Health.

In total, HHS OCR lists 190 major breaches (including 64 hacking incidents) reported by public health departments since September 2009.

To date, the largest such breach was reported in 2023 by the Colorado Department of Health Care Policy and Financing: a hacking incident that affected nearly 4.1 million people. This breach involved the MOVEit hacks by the cybercrime group Clop (see: MOVEit Data Theft: Forty-Five Million More People Affected).

“Local and public health departments prioritize the implementation of robust basic controls,” including comprehensive security education for staff, regular system updates and patches, implementation of multi-factor authentication, endpoint detection and response, conducting regular security testing to proactively identify and address vulnerabilities, and performing regular security risk analysis to understand and mitigate potential threats, Moore said.

“These controls must be aligned with and grounded in identified security practices, such as the NIST Cybersecurity Framework or healthcare industry cybersecurity practices.”
