Here’s your weekly #databreach news roundup:

McMenamins, FlexBooker, Fertility Centers of Illinois (FCI), Ciox Health, Ghanaian graduates, Florida Digestive Health Specialists, DatPiff, UScellular and Broward Health.

McMenamins

A cyber-attack on the American hospitality chain McMenamins may have exposed data belonging to its current and former employees. 

The business, which owns and operates brewpubs, breweries, music venues, historic hotels, and theater pubs in Oregon and Washington, issued a data breach notice after suffering a ransomware attack.

Suspicious activity was identified in the company’s computer network on December 12. 

“As soon as we realized what was happening, we blocked access to our systems to contain the attack that day,” states McMenamins in a data breach notice updated on December 30. 

“It appears that cybercriminals gained access to company systems beginning on December 7 and through the launch of the ransomware attack on December 12.”

The company went on to say that the installation of malicious software on its computer systems prevented staff from accessing company files and data. 

FlexBooker

Accounts of more than three million users of the U.S.-based FlexBooker appointment scheduling service have been stolen in an attack before the holidays and are now being traded on hacker forums.

The same intruders are offering databases claiming to be from two other entities: racing media organization Racing.com and Redbourne Group’s rediCASE case management software, both from Australia.

All three breaches allegedly occurred a few days before Christmas and the intruder published the data on a hacker forum.

The latest data dump appears to be from FlexBooker, a popular tool for scheduling appointments and synchronizing employee calendars.

FlexBooker’s customers include any business that needs to schedule appointments: accountants, barbers, doctors, mechanics, lawyers, dentists, gyms, salons, therapists, trainers and spas, among others.

Fertility Centers of Illinois (FCI)

A company that operates multiple fertility centers across Northern Illinois has suffered a data breach because of a cyber-attack.

Fertility Centers of Illinois (FCI) reported the data breach, which affects 79,943 current and former patients, to the Department of Health and Human Services’ Office for Civil Rights (OCR).

The unidentified attacker had access to some of the patients’ protected health information (PHI) and could access personal data belonging to FCI employees.

FCI hired third-party computer forensic specialists after the company detected suspicious network activity on February 1, 2021.

While cybersecurity measures implemented by FCI ensured that the company’s electronic medical record system could not be accessed, the attacker was able to get into administrative files and folders. 

Ciox Health

A healthcare technology vendor is notifying dozens of its healthcare provider clients of an email security breach affecting their patients’ protected health information. Experts say the incident serves as the latest reminder of the risks business associates pose to sensitive healthcare data.

In a notice posted on its website, Ciox Health, an Alpharetta, Georgia-based healthcare information management vendor, says that between Nov. 23 and Dec. 30, 2021 it began the process of notifying healthcare provider customers of an email compromise last summer affecting some of their patients’ PHI.

Ciox in the notice also included a list of about 32 healthcare providers affected by the incident.

The affected entities include a wide range of different types of healthcare providers, including medical specialty practices such as Alabama Orthopaedic Specialists; community hospitals, such as Cameron Memorial Community Hospital; regional medical centers including Niagara Falls Memorial Medical Center; and large university-affiliated health delivery networks, including Ohio State University Health System.

Ghanaian graduates

Authorities in Ghana are investigating an apparent data breach that may have exposed the personal information of hundreds of thousands of citizens of the west African country.

Researchers at vpnMentor say they discovered a trove of unencrypted data tied to Ghana’s National Service Secretariat (NSS) in a storage silo from Amazon Web Services (AWS).

NSS administers one-year public service programs that are compulsory for most Ghanaian graduates, in which thousands of young people work in sectors such as healthcare and education as a form of national service.

Some of the three million files related to NSS’s work and held on an AWS S3 bucket were password protected but many were not – an oversight that exposed data of an estimated 500,000-600,000 people from March 2018 to the end of 2021, vpnMentor said.

Florida Digestive Health Specialists

Florida Digestive Health Specialists LLP on Dec. 27 reported to the state of Maine’s attorney general office that an email breach involving wire fraud, discovered more than a year earlier, has affected 212,509 individuals, including 11 Maine residents.

Lakewood Ranch, Florida-based FDHS has more than a dozen healthcare locations throughout the state.

“On Dec. 16, 2020, an employee noted suspicious activity within their FDHS email account that resulted in suspicious emails having been sent from their employee account,” FDHS says in a Dec. 27 breach notification statement.

“Several days later, on Dec. 21, 2020, FDHS learned that funds had been misrouted to an unknown bank account.”

17 companies

The New York State Office of the Attorney General (NY OAG) has warned 17 well-known companies that roughly 1.1 million of their customers have had their user accounts compromised in credential stuffing attacks.

In such attacks, threat actors make automated and repeated attempts (millions at a time) to access user accounts using credentials (usually user/password pairs) stolen from other online services.

This tactic works particularly well against the accounts of those who reuse their credentials across multiple platforms.

The attackers’ end goal is to gain access to as many accounts as possible to steal the associated personal and financial information that can be sold on hacking forums or the dark web.
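The pattern described above (one source, many different usernames, mostly failed logins) can be picked out of authentication logs. The following is an added example, not part of the original roundup or the NY OAG's guidance; the log format, addresses, usernames and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log, one attempt per line: "<time> <source IP> <username> <OK|FAIL>"
def build_sample_log():
    lines = []
    # One source trying 40 different usernames once each; two stolen pairs happen to work.
    for i in range(40):
        result = "OK" if i in (7, 23) else "FAIL"
        lines.append(f"2022-01-05T10:00:{i:02d}Z 203.0.113.10 user{i:02d} {result}")
    # A real user mistyping a password twice, then succeeding.
    lines += [
        "2022-01-05T10:01:00Z 198.51.100.7 alice FAIL",
        "2022-01-05T10:01:09Z 198.51.100.7 alice FAIL",
        "2022-01-05T10:01:20Z 198.51.100.7 alice OK",
    ]
    # Password guessing against a single account: brute force, not stuffing.
    lines += [f"2022-01-05T10:02:{i:02d}Z 192.0.2.44 admin FAIL" for i in range(30)]
    return lines

def detect_stuffing(lines, min_users=20, min_fail_ratio=0.8, max_tries_per_user=3):
    """Return {source_ip: usernames that logged in OK} for sources that look like stuffing."""
    attempts = defaultdict(lambda: defaultdict(list))  # ip -> username -> [results]
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines instead of failing
        _, ip, user, result = parts
        attempts[ip][user].append(result)
    flagged = {}
    for ip, users in attempts.items():
        results = [r for per_user in users.values() for r in per_user]
        fail_ratio = results.count("FAIL") / len(results)
        tries_per_user = len(results) / len(users)
        # Stuffing: many distinct accounts, few tries each, mostly failures.
        if (len(users) >= min_users and fail_ratio >= min_fail_ratio
                and tries_per_user <= max_tries_per_user):
            # Accounts that accepted a login from this source need a forced reset.
            flagged[ip] = sorted(u for u, rs in users.items() if "OK" in rs)
    return flagged

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(build_sample_log()).items():
        print(ip, "looks like credential stuffing; reset:", accounts)
```

Grouping by source address alone is the simplest case; traffic spread across many addresses needs the same counts keyed on other request attributes as well.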

DatPiff

The account credentials and emails of almost 7.5m users of the mixtape hosting service DatPiff have been made available to download for free on a popular hacking forum.

First launched in 2005, DatPiff has over 15m users though the service also allows unregistered users to download or upload samples for free.

While it’s still unclear as to exactly when DatPiff suffered a data breach, the site’s database was first sold privately and then publicly on hacking forums beginning in July of 2020 according to a new report from BleepingComputer.

UScellular

UScellular, self-described as the fourth-largest wireless carrier in the US, has disclosed a data breach after the company’s billing system was hacked in December 2021.

The mobile carrier said in data breach notification letters sent to 405 impacted individuals that the attackers also ported some of the affected customers’ numbers using personal information stolen in the incident.

“On December 13, 2021, UScellular detected a data security incident in which unauthorized individuals illegally accessed our billing system and gained access to wireless customer accounts that contain personal information,” the carrier explained.

“Unauthorized individuals attempted to leverage access to that information to fraudulently port numbers. Based on our investigation, we believe that the incident occurred on December 13-19, 2021.”

Broward Health

The Broward Health public health system has disclosed a large-scale data breach incident impacting 1,357,879 individuals.

Broward Health is a Florida-based healthcare system with over thirty locations that offers a wide range of medical services and receives over 60,000 admissions per year.

The healthcare system disclosed that a cyberattack took place on October 15, 2021, when an intruder gained unauthorized access to the hospital’s network and patient data.

The organization discovered the intrusion four days later, on October 19, and immediately notified the FBI and the US Department of Justice.

At the same time, all employees were advised to change their user passwords, and Broward Health contracted a third-party cybersecurity expert to help with the investigations.