In a rare sharing of information about vulnerabilities in a blog post, Microsoft this week urged customers to download software patches to Microsoft Exchange Server after it detected “multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks.”

According to Microsoft’s Threat Intelligence Center, “[W]e are sharing this information with our customers and the security community to emphasize the critical nature of these vulnerabilities and the importance of patching all affected systems immediately.” In the attacks Microsoft has observed, “the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.”

According to the blog post, the vulnerabilities being exploited were from state sponsored actors operating out of China.

The vulnerabilities being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Microsoft issued a patch, which can be accessed here.

MICROSOFT STRONGLY URGES CUSTOMERS TO UPDATE ON-PREMISES SYSTEMS IMMEDIATELY.

The post includes information on the threat actor, HAFNIUM, which has been behind numerous malicious exploits against “infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”

The vulnerabilities detected by Microsoft affect Microsoft Exchange Server 2013, 2016, and 2019. If your company is running any of these versions, please consult Microsoft’s instructions on patching.

The Financial Crimes Enforcement Network (FinCEN) recently issued an advisory to banks that outlined fourteen red flag indicators to be on the lookout for (and report) related to pandemic related economic relief payments. Entitled “Advisory on Financial Crimes Targeting COVID-19 Economic Impact Payments,” FinCEN issued the advisory based on its “analysis of COVID-19-related information obtained from Bank Secrecy Act (BSA) data, public reporting, and law enforcement partners.”

The types of fraud that have been detected include criminals sending fraudulent checks to potential victims, and then requesting personal information in order to cash them; altering checks and depositing them via ATMs or mobile devices; counterfeit checks; theft of economic relief payments from the U.S. mail; phishing schemes using economic relief as the subject matter; and seizure of economic relief payments inappropriately (wage garnishment or debt collection).

FinCEN outlines fourteen financial red flag indicators that include “fraudulent, altered, counterfeit, or stolen EIP checks, Automated Clearing House deposits and prepaid debit cards.”  The indicators can be accessed here.

A new commercial has hit the airwaves in Israel. It begins with a door swinging open to reveal a beautiful seaside patio with a couple awaiting their dinners as a voiceover says, “How much have we missed going out with friends?” Well, with the Green Pass “a door simply opens in front of you” and we can “return[ ] to life.” This commercial is advertising Israel’s version of a digital vaccine passport.

Although there are still lots of unknowns, there are many countries and industries considering vaccine passport programs like Israel’s, including  Japan, the United Kingdom and the European Union, as well as airlines and some concert venues, to name a few.

Israel’s vaccine passport was released on February 21.  There, vaccinated people can download an app that displays their Green Pass when they are asked to show it. The app also can display proof that someone has recently recovered from COVID-19, which also allows passage. Other proposed ”passport systems” offer several ways to show you are not a threat, such as proof of a negative COVID-19 test. Israel hopes this technology will encourage more citizens to get vaccinated.

However, the Green Pass and other passport programs may also bring up some big privacy concerns. Orr Dunkelman, a computer science professor at Haifa University, says that the Green Pass displays more information than simply whether the individual has been vaccinated or has recently recovered from COVID-19. The pass also displays the date of the recovery and the date of the vaccine and uses outdated encryption technology that is potentially vulnerable to security breaches and hackers. Orr also says that because the app is not open source, no third parties can test whether these concerns are founded.

In the United States, PathCheck Foundation at MIT is working with Ideo on a low-tech solution that may address these privacy concerns before any kind of ”passport” is available here. The prototype uses a paper card similar to the one that individuals are currently receiving once they are vaccinated. However, to avoid fraudulent cards, the paper card being developed by PathCheck Foundation and Ideo would use multiple forms of verification such as QR codes for scanning (maybe at the gate of a concert or movie theater entrance) that only displays an individual’s vaccination status, while other entities (such as health care providers) would be able to scan the card and receive more detailed information (e.g., the type of vaccination received, the date, the location it was administered, etc.). Additionally, PathCheck Foundation points out that privacy is important to those who are undocumented or simply don’t have trust in the government, and we don’t want to create yet another repository that is hackable (and may potentially contain entire state populations).

At this point, it isn’t clear whether the United States will be able to implement a vaccine passport quickly because we don’t have a universal identity record or federal medical records system (which Israel does). However, whichever option eventually becomes widespread across the country, it will need to use a system that will be able to maintain certain individual privacy rights while also allowing businesses and venues to reopen safely.

Virginia Governor Ralph Northam signed the Consumer Data Protection Act (CDPA) on Tuesday, March 2, 2021. Virginia now joins California as the second state to have a data privacy law. The law takes effect on January 1, 2023, so businesses have some time to get ready. In our previous article on the proposed legislation, we described the new consumer rights available, the lack of a private right of action, and detailed which businesses will have to comply with the new law.  In addition to providing consumers with their rights regarding their data, the CDPA requires transparent processing of personal data through a privacy notice, which must include the following:

  • The categories of personal data collected by the controller;
  • The purposes for which the categories of personal data are used and disclosed to third parties, if any;
  • The rights that consumers may exercise via the new law;
  • The categories of personal data that the controller shares with third parties, if any; and
  • The categories of third parties, if any, with whom the controller shares personal data.

In addition, if a controller sells personal data to data brokers or processes personal data for targeted advertising, controllers must disclose such processing to consumers and inform them about how a consumer may exercise the right to object to such processing, in a clear and conspicuous manner.

Finally, the new law requires controllers to conduct a risk assessment of each of their processing activities involving personal data and an additional risk assessment any time there is a change in processing that materially increases the risk to consumers.

What do you do if your HR benefits and payroll vendor suffers a cyber-attack and payroll can’t be run? Do you have a backup plan for running payroll? How will you communicate with your employees? And if your benefits and payroll vendor has a cyber-incident and your employees’ highly sensitive data is exfiltrated, what will be your response and your liability?

Here is a perfect tabletop exercise that is real.

This week, it is being reported that PrismHR (which provides online payroll, benefits and human resources services to professional employer organizations offering those services to small businesses) suffered a cyber-attack over the weekend that caused outages to its systems. Although there is speculation that PrismHR was the victim of a ransomware attack, it has not confirmed that is the case, only that it suffered a cyber incident.

PrismHR stated that it is looking into the incident and that payroll will not be affected this week, and that it is waiving administrative fees for the current payroll period. Obviously, depending on the results of the investigation and whether any employee data were accessed or exfiltrated, PrismHR might have reporting obligations, including to its customers and their employees.

Whatever the outcome, the scenario is a perfect tabletop exercise to plan for and determine the risk and consequences for your organization. HR, payroll, and benefits vendors collect, maintain, use, and disclose highly sensitive data of employees, so managing the risk through security due diligence and strong contractual provisions is crucial for your risk management plan.

The news is full of stories about crashing vaccination scheduling websites, seniors who are unable to get their vaccine appointment, and how different states are rolling out their limited supplies of COVID vaccines.

People are becoming desperate in the scramble to get vaccinated during or even before their allotted time, and scammers know that and are banking on it.

Vaccine scams are so rampant that the Federal Trade Commission (FTC) issued an alert this week called “Help fight COVID vaccine scams: Share these tips with those you know.”   It urges us to help protect the most vulnerable, including our loved ones and friends, and those that are particularly isolated.

The tips to share to help protect those around you from COVID vaccine scams include:

  • Don’t pay to sign up for the COVID vaccine. Anyone who asks for a payment to put you on a list, make an appointment for you, or reserve a spot in line is a scammer.
  • You can’t pay to get early access to the vaccine. That’s a scam.
  • Are you on Medicare? You don’t have to pay to get the COVID-19 vaccine. Only scammers will ask you to pay.
  • Ignore sales ads for the vaccine. You can’t buy it – anywhere. It’s only available at federal- and state-approved locations.
  • No legitimate person will call, text, or email you about the vaccine or ask for your Social Security, bank account, or credit card number. That’s a scam, too.

Heed these tips and share them widely with those you know.

The Center for Internet Security (CIS) announced last week that it has launched the Malicious Domain Blocking and Reporting (MDBR) service to assist U.S.-based private hospitals with ransomware and cyber-attacks for free. CIS, a not-for-profit entity, “is fully funding this for private hospitals at no cost, and with no strings attached, because it’s the right thing to do, and no one else is doing it at scale.” According to the announcement, the product is designed as a ransomware protection service and a “no-cost cyber defense for U.S. hospitals.”

CIS teamed up with Akamai to offer its Enterprise Threat Protector software to proactively identify, block and mitigate targeted ransomware threats. The service was previously available (and is still) to public hospitals and health departments through the Multi-State Information Sharing and Analysis Center (MS-ISAC), and according to CIS, over 1,000 government entities have used the product through MS-ISAC. To date, MDBR has blocked almost 750 million requests for access to malicious domains. If an organization uses MDBR, the software will cross-check the request with its database of known and suspected domains and “attempts to access known malicious domains associated with malware, phishing, ransomware, and other cyber threats will be blocked and logged.” The logged data are then analyzed, aggregated reporting is made available for the benefit of the hospital community, and remediation assistance is provided as appropriate.

CIS is now offering the service for free not only to public entities and governmental agencies, but to private hospitals, multi-hospital systems, integrated health systems, post-acute facilities and specialty hospitals. Sounds like a great opportunity for hospitals and facilities to add another tool in their toolboxes to combat ransomware and other cyber-attacks. For more information and to sign up, the CIS website is available here.

Renown Health, P.C. (Renown), a non-profit health system in Nevada, settled with the U.S. Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services in a matter resulting from an enforcement action for a potential violation of patients’ access rights under the OCR’s Health Insurance Portability and Accountability Act of 1996 (HIPAA) Right-of-Access Initiative. The Renown settlement is the 15th settlement under this initiative.

Renown paid $75,000 and agreed to:

  • Develop and maintain written access policies and procedures to comply with HIPAA
  • Distribute updated policies and procedures related to the right-of-access to all workforce members
  • Train workforce members on the right-of-access
  • Revise its Notice of Privacy Practices to reflect the steps that patients need to take to access their PHI (including billing records)

OCR alleged that Renown did not respond to a patient’s request that an electronic copy of her protected health information (PHI), including billing records, be sent to a third party in a timely manner under HIPAA. The OCR’s investigation determined that this failure to provide timely access was a potential violation of Renown’s obligations to the patient. As a result of the investigation, Renown also provided access to all the requested records.

Acting Director of OCR, Robinsue Frohboese, said “Access to one’s health records is an essential HIPAA right and health care providers have a legal obligation to their patients to provide access to their health information on a timely basis,” and OCR will certainly continue to enforce these types of violations throughout 2021. OCR announced this initiative in September 2019 seeking to support patients’ right to timely access to their PHI at a reasonable cost under HIPAA.

To view the corrective action plan that Renown has agreed to, click here.

This week, Consumer Reports published a Model State Privacy Act. The Consumer advocacy organization proposed model legislation “to ensure that companies are required to honor consumers’ privacy.” The model legislation is similar to the California Consumer Privacy Act, but seeks to protect consumer privacy rights “by default.”  Some additional provisions of the model law include a broad prohibition on secondary data sharing, an opt-out of first-party advertising, and a private right of action in addition to enforcement by state Attorneys General.

While the introduction of a model privacy law is an interesting development, we also continue to track state privacy laws in multiple states right now, as several states have recently introduced consumer privacy legislation. Connecticut, Massachusetts, Illinois, Minnesota, New York and Utah recently saw the introduction of new privacy legislation. As legislative sessions move forward into 2021, we expect even more states to follow suit.

Our list of pending state privacy legislation includes:

We will continue to provide updates as these bills move forward.