Paubox Weekly Fully Automated - A HIPAA compliant email security Podcast

IBJI agrees to $4 million settlement after breach 

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 4:50
This episode examines recent healthcare data breaches and settlements, including the $4 million IBJI case involving extended attacker dwell time, Mission Community Hospital's $1.5 million RansomHouse extortion settlement, and third-party vendor risks exposed by the La Perouse billing breach. We also discuss Rutgers University research showing hospitals using third-party tracking pixels are 46 percent more likely to experience breaches, emphasizing the critical need for system patching, vendor oversight, and web property audits.
SPEAKER_00

You're listening to Pow Box Weekly fully automated.

SPEAKER_01

And I'm Jen, cybersecurity analyst, breach report enthusiast, occasional pessimist.

SPEAKER_00

I'm Alex, healthcare IT guy who keeps hoping next week's news will be boring. It never is.

SPEAKER_01

Spoiler alert, it's not boring this week either.

SPEAKER_00

No, it is not. Let's start with Illinois Bone and Joint Institute. IBJI. They've agreed to a $4 million settlement after a breach last year.

SPEAKER_01

This one's a slow burn. Attackers had access from late May through July 4th, over a month inside the network.

SPEAKER_00

And they didn't detect it until Independence Day, which ironic?

SPEAKER_01

Very on the nose. But here's what matters. The class action lawsuits came fast, consolidated into one big settlement. $4 million.

SPEAKER_00

The takeaway for administrators? Dwell time kills. If you're not actively hunting for threats, you might not know they're there until it's way too late. And too late now comes with a price tag. Speaking of price tags, Mission Community Hospital in San Fernando Valley. They're settling for one and a half million after a ransom house attack in 2023.

SPEAKER_01

Ransom House is interesting. They don't encrypt anything. No ransomware in the traditional sense.

SPEAKER_00

Wait, so what's their play?

SPEAKER_01

Pure extortion. They steal your data, in this case, two and a half terabytes, and threaten to publish it if you don't pay. When negotiations failed, they posted it publicly.

SPEAKER_00

Two and a half terabytes?

SPEAKER_01

That's a lot of patient data. It's everything. And they got in through vulnerabilities in Paragon and Cisco systems. Known vulnerabilities. Patchable vulnerabilities.

SPEAKER_00

So the lesson here isn't beware of sophisticated hackers, it's patch your stuff. It's almost always patch your stuff. Alright, next up, a breach at a medical billing company called La Peruse. Based in Vegas, at least seven healthcare providers affected.

SPEAKER_01

And here's where it gets messy. The breach didn't even happen at La Peruse directly. It happened at one of their third-party billing platforms.

SPEAKER_00

So patients are connected to a provider who uses La Peruse, who uses another vendor who got breached.

SPEAKER_01

Exactly. Two degrees of separation. And La Peruse didn't name the platform that was actually compromised.

SPEAKER_00

Which makes it almost impossible for the affected organizations to assess their own risk.

SPEAKER_01

That's the problem with vendor sprawl. You can't secure what you can't see. And if your vendors have vendors, good luck.

SPEAKER_00

The practical takeaway? Ask your billing partners who they're working with. Get it in writing.

SPEAKER_01

And make sure your contracts include breach notification requirements all the way down.

SPEAKER_00

Alright, last story. And this one's a bit different. Rutgers University did some research on tracking pixels. You know, those little bits of code that follow users around the web.

SPEAKER_01

Third-party tracking pixels specifically. The study found hospitals using them were 46% more likely to experience a breach. 46%?

SPEAKER_00

That's not a rounding error.

SPEAKER_01

No. And the reason is, these pixels let third-party vendors aggregate data across multiple sites. They can piece together browsing behavior, infer health conditions, build profiles.

SPEAKER_00

Even without accessing medical records directly.

SPEAKER_01

Right. Someone visits a cancer center's website, then a pharmacy page, then a clinical trial sign-up. You can connect those dots pretty quickly.

SPEAKER_00

What about first-party pixels? The ones you control.

SPEAKER_01

No significant relationship with breaches. It's the third-party stuff that's the risk.

SPEAKER_00

So the move here is audit your website. Know what's running. If you've got third-party trackers embedded, ask yourself if you really need them.

SPEAKER_01

And if the answer is marketing wants them, have a longer conversation with marketing.

SPEAKER_00

Fair. Okay, so stepping back, what ties all of this together? Configuration, visibility, blind spots. IBJI. Attackers inside for over a month. Mission Community, unpatched systems. LaPerouse, vendors you didn't even know existed. Tracking pixels, code you forgot was there.

SPEAKER_01

None of this is bad luck. It's bad hygiene. And most of it, fixable.

SPEAKER_00

Patch your systems, know your vendors, audit your web properties, hunt for threats before they find you.

SPEAKER_01

It's not glamorous work, but it's the work that keeps you off next week's episode.

SPEAKER_00

That's all for this week. Thanks for listening.

SPEAKER_01

Stay secure out there, or at least try.

SPEAKER_00

We'll see you next time.