Recommended Permanent(e) Changes for Healthcare Organizations: The Kaiser & Change Healthcare Breaches

It has been a busy time for cybersecurity professionals in the healthcare space. Kaiser Permanente, one of the largest nonprofit health plans in the United States and a leading integrated managed care consortium, recently disclosed a significant data security incident. This breach potentially impacts approximately 13.4 million current and former members and patients, raising concerns about the privacy and security of personal health information. Additional details have also come to light on the Change Healthcare ransomware story as expertly reported by BleepingComputer.com's Bill Toulas. 

Details of the KP Breach

Extent of the Exposure

According to a statement from Kaiser Permanente to BleepingComputer, the breach occurred due to third-party trackers on its websites and mobile applications. These trackers inadvertently leaked sensitive information to external entities such as Google, Microsoft Bing, and Social Media site X. The leaked data included IP addresses, names, and various interaction details with Kaiser’s digital platforms.

Data Involved

The specifics of the leaked information are concerning as they not only included IP addresses and names but also behavioral data such as account interactions, navigation details, and search terms used in Kaiser's health encyclopedia. Fortunately, no usernames, passwords, Social Security Numbers, financial account information, or credit card numbers were exposed.

Response to the Incident

Immediate Actions Taken

Kaiser Permanente promptly responded to the discovery of the trackers by removing them and conducting a thorough internal investigation. The organization has implemented additional security measures to prevent similar incidents in the future.

Notification and Caution

While there is no evidence of misuse of the exposed data as of now, Kaiser Permanente plans to notify individuals who might have been affected. This proactive step is part of their commitment to transparency and customer care.

Minimizing Data Sent to Third-Party Trackers

Understanding Online Trackers

Online trackers collect a wealth of information which often ends up in the hands of marketers, advertisers, and data brokers. This can lead to increased privacy risks for users.

Steps to Protect Your Data

Use Privacy-Focused Browsers: Opt for browsers that offer enhanced privacy settings and can block third-party trackers.

Adjust Privacy Settings: Regularly check and adjust the privacy settings on your web browsers and mobile applications to limit the amount of data shared.

Use Secure Connections: Employ VPNs or other secure methods to mask your IP address and reduce the risk of tracking.

Educate Yourself and Others: Stay informed about how online trackers work and spread awareness to help others protect their privacy.

Updates on Change Healthcare

Extent of the Exposure

Change Healthcare, a vital entity in the healthcare sector, faced a catastrophic blow in late February 2024 with a ransomware attack orchestrated by the BlackCat gang. The assault disrupted critical services, including payment processing and insurance claims, resulting in estimated financial damages of $872 million.

Data Involved

The breach was initiated by exploiting stolen Citrix remote access service, which did not have multi-factor authentication enabled. This led to the compromise of sensitive corporate and patient data. Although specifics were not disclosed, the breach encompassed a breadth of information, posing significant privacy risks.

Insights from CEO Testimony

Andrew Witty, CEO of Change Healthcare, provided invaluable insights into the attack's timeline and ramifications. He revealed the stealthy infiltration by threat actors ten days prior to encryption, underscoring the need for robust security measures.

Response to the Incident

Change Healthcare embarked on a swift remediation journey post-attack, characterized by decisive actions to fortify defenses and restore operational integrity. Despite the tumult, reassurances regarding the integrity of medical records provided a semblance of relief amidst the chaos.

Immediate Actions Taken

Following the attack, Change Healthcare implemented stringent security measures, including rebuilding infrastructure and fortifying defenses. These proactive steps aim to mitigate future vulnerabilities and restore trust in the organization's cybersecurity posture.

Time for Check-Ups: Incident Response Plans

The recent cybersecurity incidents at both Kaiser Permanente and Change Healthcare serve as reminders of the risks associated with third-party trackers and applications. These incidents also signal to every healthcare organization of the importance of robust data security practices.

The time is now for the healthcare industry to give their incident response plans a quality check-up to ensure incidents involving third-parties are addressed with clear plans of action. Nothing is worse for a security team than not having a playbook or set of processes to follow when stress is high and literal lives are on the gurney.

Information systems architectures heavily reliant on third-party applications require special expertise to ensure data privacy and protection. It is possible for organizations to reduce the risk of such breaches. This all starts with observability. 

Every organization should have an incident response plan. We recommend leveraging our free guide to third-party incident response preparedness, which is un-gated in our resources library.  

Specifically For Citrix

In the case of the stolen user credentials, Vorlon is able to collect Citrix users and their tokens. From there, Vorlon baselines normal access patterns, and raises an alert to abnormal activity such as unknown/new location or abnormal secret behavior. These serve as critical IOCs for the SOC to investigate and respond within a much faster timeline than allowing an attacker to go days, weeks, or months with this access.

So, How Else Can Vorlon Help?

Vorlon provides organizations with a continuous near real-time view of your data in motion between third-party applications, including Vorlon itself (since it is technically a third-party application as well). 

Vorlon provides organizations with the ability to keep a detailed inventory of third-party apps, secrets, and sensitive data, so security teams can better understand their third-party attack surface and respond to incidents quickly. 

In this case, organizations can use Vorlon for the following: 

Scope and Investigate:

• Detect if something abnormal is connecting to any of your third-party applications/entities, including unknown or suspicious IP addresses. 
• Provide visibility into sensitive data or PII consumed by any unknown entities. 
• Check API traffic for IOCs. 

Remediate: 

• Alert on anomalous API activity and provide response recommendations in near real-time (not days, weeks, or months after the abnormal activity occurs). 
• Revoke and rotate affected secrets (including credentials, tokens, OAuth, etc). 
• Create ITSM tickets for additional actions. 

Continued Monitoring:

• Behavioral alerting for further anomalous activity such as new secret creation and unknown source IP/geolocations.

If you and your organization are worried about a possible third-party breach, contact us here or call +1 (650) 456-2701.