Paubox Weekly Fully Automated - A HIPAA compliant email security Podcast

OrthopedicsNY faces $1.95M penalty after INC Ransom attack

In this episode, we break down recent healthcare cybersecurity incidents including a $1.45 million class action settlement stemming from missing MFA and unencrypted data, a repeat ransomware attack on a small cardiology practice, and how attackers are bypassing traditional email authentication. We also discuss the emerging threat of AI-assisted cyberattacks and actionable steps organizations can take to address common security blind spots.
SPEAKER_00

You're listening to Paubox Weekly Fully Automated. I'm Jen. I read breach reports, so you don't have to. Well, so we can both lose sleep over them.

SPEAKER_01

And I'm Alex. I work in healthcare IT, which means I spend a lot of time explaining why password 123 isn't a security strategy.

SPEAKER_00

This week we've got ransomware repeat offenders, a massive ed tech breach, and AI that's making the White House nervous. Fun times.

SPEAKER_01

Let's start in New York. OrthopedicsNY just agreed to a $1.45 million class action settlement. That's on top of a $500,000 state penalty they already got hit with.

SPEAKER_00

So nearly $2 million. And here's the thing: the INC Ransom attack that caused all this, it worked because they didn't have multi-factor authentication. And they were storing patient data unencrypted. In 2023. In 2023. These aren't exotic vulnerabilities. This is basic hygiene. MFA and encryption.

SPEAKER_01

That's the floor, not the ceiling.

SPEAKER_00

Exactly. And when you skip the floor, you fall through it.

SPEAKER_01

Hard. Speaking of falling through floors, McGraw-Hill, the education giant. 13.5 million records exposed.

SPEAKER_00

Shiny Hunters, or someone who looks a lot like them, got into their Salesforce environment. Misconfiguration. Over 100 gigs of data just out there now.

SPEAKER_01

And this is interesting because it wasn't a flaw in Salesforce itself.

SPEAKER_00

Right. It's how it was set up. The article called it a broader issue with Salesforce's environment, meaning whoever configured it left doors open.

SPEAKER_01

So the takeaway for our listeners managing any kind of cloud platform.

SPEAKER_00

Audit your configurations regularly. These platforms give you a lot of rope. Make sure you're not hanging yourself with it.

SPEAKER_01

That's a visual. You're welcome. Okay, this next one is sneaky. Attackers are now abusing GitHub and Jira notification systems to send phishing emails.

SPEAKER_00

And these emails pass authentication. SPF, DKIM, DMARC, all green lights. Because they're actually coming from GitHub and Jira infrastructure.

SPEAKER_01

So traditional email security just waves them through.

SPEAKER_00

Yep. The signals we've trained systems to trust, attackers figured out how to hijack them.

SPEAKER_01

Which is why AI-based email security is becoming essential.

SPEAKER_00

It's not about the sender anymore. It's about the intent. You need systems that can look at context. What's the email asking you to do? Does it make sense?

SPEAKER_01

Legacy filters can't answer that question. No, they really can't. Alright, this next one is rough. Heart South Cardiovascular Group in Alabama, small practice, just disclosed their second ransomware breach in 18 months.

SPEAKER_00

Rhysida ransomware group. They posted sample data on a leak site, demanded 6 Bitcoin. About $630,000.

SPEAKER_01

We don't know if they paid.

SPEAKER_00

We rarely do. But two breaches in under two years? That tells me whatever they fixed after the first one wasn't enough.

SPEAKER_01

Or they didn't fix it at all.

SPEAKER_00

Also possible. And that's the danger for smaller practices. Limited budgets, limited staff. But attackers don't care about your org chart.

SPEAKER_01

If you've got patient data, you're a target. Period. Last story, and this one's a little different. Anthropic CEO Dario Amodei met with White House staff last week. First time since that dust-up with the Pentagon.

SPEAKER_00

They were talking about their new AI system, Mythos. And the concern is that it could make complex cyber attacks easier to pull off.

SPEAKER_01

So we're not just defending against humans anymore.

SPEAKER_00

We're defending against humans with AI assistance that can help them write better malware, find vulnerabilities faster, craft more convincing phishing campaigns.

SPEAKER_01

That's comforting.

SPEAKER_00

It's reality. And it means our defenses have to evolve too. AI on offense, AI on defense. It's an arms race now.

SPEAKER_01

So let's tie this together. We've got an orthopedic practice hit because of no MFA. An ed tech giant breached through a misconfiguration. Phishing that slips past authentication. A small practice hit twice. An AI that could make all of this worse.

SPEAKER_00

The thread isn't bad luck. It's blind spots, gaps in the basics, configurations no one checked, controls no one enforced.

SPEAKER_01

And most of it, fixable.

SPEAKER_00

That's the frustrating part. And the hopeful part. You can do something about this.

SPEAKER_01

Audit your MFA. Check your cloud configs. Look at your email security stack with fresh eyes.

SPEAKER_00

And if you got breached once, assume they'll try again.

SPEAKER_01

That's our show. Thanks for listening to Paubox Weekly.

SPEAKER_00

Stay safe out there. And turn on MFA. Seriously. See you next week.