November 28, 2023
Major Data Breaches and Hacking News in November 2023
Data Breaches
Perry Johnson & Associates (PJ&A)
Organization description: Nevada-based PJ&A is one of the largest transcription services providers for the medical, legal, and government sectors.
Breach size: 9 million
Data exposed: Names, addresses, dates of birth, medical record numbers, hospital account numbers, admission diagnoses, dates/times of service, Social Security numbers, insurance information, and medical and clinical information.
On May 2, 2023, PJ&A discovered unauthorized activity in its IT systems, took action to confine the threat, and began an investigation with third-party cybersecurity experts. When the investigation concluded in September, it was determined that there had been unauthorized access to its network for nearly three months from March 27, 2023 to May 3, 2023.
The accessed healthcare data varied from patient to patient but may have included sensitive information like Social Security numbers. Fortunately, because PJ&A does not handle credit card or bank account information, no financial details were exposed.
Although the company hasn’t publicly disclosed affected clients, Cook County Health in Illinois and Northwell Health in New York have confirmed their patients’ information was compromised. In total, it’s estimated that 9 million people have been affected, making this the second-largest healthcare data breach this year and the sixth-largest healthcare data breach ever reported.
Welltok
Organization description: Welltok is a Denver-based digital healthcare platform used by healthcare plans to increase consumer engagement.
Breach size: 8.5 million
Data exposed: Social Security numbers, Medicare and Medicaid ID numbers, and health insurance information.
Continuing the unfortunate trend of large healthcare data breaches, Welltok alerted millions of patients across the United States of a breach in late October. Initially, the company estimated the sensitive data of 1.6 million individuals was exposed, but in an update filed with the U.S. Department of Health and Human Services, the number grew to more than 8 million.
The breach originated from its MOVEit Transfer server, which was accessed on July 26, 2023. This makes Welltok’s breach the second-largest incident resulting from the MOVEit mass hacks, after services contractor Maximus, whose breach impacted 11 million individuals. Currently, it’s estimated that 82 million people have been affected by the MOVEit cyberattack, but that number could grow as more organizations come forward.
Truepill
Organization description: Truepill is an online pharmacy retailer also known as Postmeds.
Breach size: 2.3 million
Data exposed: Names, medication type, demographic information, and prescribing physician’s name.
On October 30, 2023, Truepill, a digital health startup providing pharmacy fulfillment services for healthcare providers, mailed letters to patients impacted by a cybersecurity incident. After working with cybersecurity professionals to secure its private network, an investigation showed that bad actors accessed files between August 30, 2023 and September 1, 2023.
On its website, the company boasts serving over 3 million patients and delivering 20 million prescriptions since 2016. 2.36 million patients have been affected by the breach.
While it’s unclear how the breach occurred, some impacted patients have filed a class-action lawsuit in response. The suit alleges the company didn’t take sufficient measures to safeguard private information, leading to a “foreseeable and preventable” data breach.
The State of Maine
Organization description: The government of Maine, including various departments like the Department of Health and Human Services, Department of Education, the Department of Corrections, and the Bureau of Motor Vehicles.
Breach size: 1.3 million
Data exposed: Names, date of birth, Social Security numbers, driver’s license numbers, health insurance information, and other state or taxpayer identification numbers.
In a data breach notice filed with its own Attorney General’s office, the government of Maine disclosed it was one of the more than 2,500 organizations that experienced a data breach related to the MOVEit vulnerability. It confirmed that over a million individuals were affected by the data exposure and that the stolen data varies from person to person. More than 50% of the data exposed came from Maine’s Department of Health and Human Services, while 10 to 30% came from the Department of Education. Other departments impacted included the Bureau of Motor Vehicles and the Department of Corrections.
New York City Bar Association
Organization description: Founded in 1870, the New York City Bar Association (City Bar) is a voluntary bar association of over 23,000 lawyers and law students.
Breach size: 27,000 members
Data exposed: PINs, security codes, bank account details, and credit or debit card data.
After almost a year, the New York City Bar Association has confirmed a data breach unfolded between December 2, 2022 and December 24, 2022. Although the organization has refused to publicly disclose the hacking group at the center of the breach, the CL0P ransomware group has claimed responsibility.
A post published on X/Twitter in January of 2023 was the first sign of trouble for the organization with the CL0P ransomware group threatening to release 1.8TB of stolen data. At the time, the association didn’t respond publicly. Instead, according to a notice filed with the Maine Attorney General, internal IT specialists at the NYC Bar isolated its networks and started an investigation.
On October 18, 2023, the investigation concluded, and the organization learned that sensitive financial information of its members was exposed. Members were offered free identity theft protection and credit monitoring services for a year.
Idaho National Laboratory
Organization description: Under the United States Department of Energy, the Idaho National Laboratory operates a major test reactor, tests advanced nuclear energy concepts, develops electric vehicle batteries, and performs research involving hydrogen production and bioenergy.
Breach size: Over 6,100 employees
Data exposed: Addresses, Social Security numbers, birth dates, employment information, and phone numbers.
Thousands of employees’ personal identifying information was leaked after the Idaho National Laboratory (INL) suffered a major data breach on November 19. A software application used by the Human Resources Department served as the entry point for the breach, giving the bad actors access to a wealth of personal details like Social Security numbers, dates of birth, and full names.
The INL is working with the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to begin an investigation and determine the scope of the data breach. Although the INL claims no nuclear secrets or research and development information was accessed or stolen, the exposure of data on the staff carrying out this sensitive work is concerning. Politically motivated bad actors now have easy access to the personal information of top nuclear energy researchers in the United States.
On November 20, the ransomware group SiegedSec claimed responsibility for the attack and posted screenshots of the INL’s internal systems on the messaging app Telegram as proof of their role.
Hacking News
Hackers Taunt Victim by Filing a Premature SEC Complaint
A ransomware group by the name of ALPHV/BlackCat reached new heights of internet trolling when they filed a complaint with the United States Securities and Exchange Commission against one of the organizations they hacked. In mid-November, the group added the software company, MeridianLink, to their list of cyberattack victims.
MeridianLink is publicly traded and provides digital tools for banks, credit unions, mortgage lenders, and consumer reporting agencies in the United States.
When MeridianLink was slow to respond to the group’s demand for money in exchange for the allegedly stolen data, ALPHV/BlackCat added pressure by filing an SEC complaint, accusing the company of failing to abide by new SEC rules that give publicly traded companies a deadline of four business days to report cyberattacks that have a “material impact.”
However, the ransomware group jumped the gun as the new cybersecurity rules don’t take effect until December 15, 2023. Additionally, the vaguely defined “material” impact has been hotly debated among company executives and cybersecurity experts. Several government officials at a cybersecurity conference in Aspen clarified that the rules don’t require attacks to be reported four days after discovery, but instead, only after the cyberattack is determined to have had a significant effect on the company and its private data.
Still, a spokesperson for MeridianLink confirmed to news outlets that a threat was identified and contained, causing minimal business interruption. The spokesperson went on to assure the public that there was no evidence of unauthorized access to production platforms and that investigations will continue to determine if any consumer personal data was exposed.
Cyberattack on Home Improvement Retailer Halts Online Sales
The “helpful hardware folks” at Ace Hardware experienced operational disruptions after thousands of internal servers and network devices were hit with a cyberattack on the morning of October 29. Several key operating systems were nonfunctional, including Warehouse Management Services, the Ace Retailer Mobile Assistant, Invoices and Customer Care. Although online orders couldn't be fulfilled, in-person shoppers were unaffected.
Ace Hardware President and CEO John Venhuizen confirmed that 1,202 devices, including 196 servers, were impacted and needed to be restored. Several days after the attack, placing online orders was still disabled as the holiday shopping season began in November. To make matters worse, several store owners reported follow-up phishing attempts while the company worked to restore all affected systems.
Additionally, the company revealed that some customers were targeted with phishing attempts by email and by phone.
Eventually, the systems were restored just in time for Black Friday and Cyber Monday, but the incident serves as a reminder to organizations and their customers to remain vigilant and know the signs of social engineering attacks, like spoofed emails.