Earlier today, DataBreaches posted an HHS OCR announcement of a settlement with a HIPAA covered entity. A former contractor had accessed its electronic medical record system on three occasions without authorization to retrieve PHI for use in potential fraudulent Medicare claims. OCR imposed a monetary penalty of $1.19 million for the entity’s failure to:
- conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems;
- implement procedures to regularly review records of activity in information systems;
- implement procedures to terminate former workforce members’ access to ePHI; and
- implement procedures for establishing and modifying workforce members’ access to information systems.
That’s a costly failure to terminate access.
A Second Example
The following is a second recently disclosed example of how failure to ensure termination of access contributed to a massive data breach. DataBreaches spotted this one in a court filing from Canada concerning Connor Riley Moucka, aka “Judische,” “Waifu,” and other monikers. The victims mentioned in the court filings refer to entities who suffered intrusions of their Snowflake instance.
On May 29, 2024, representatives from Victim-3 met with the FBI and confirmed that three categories of its information had been stolen from its cloud instance, including customer information for approximately 20 million customers, gift card information, and internal company business documents.
… Victim-3 hired an incident response company to investigate the breach and confirmed its instance had been compromised using stolen login credentials belonging to a former contractor located outside the United States. According to the incident response firm’s investigation, this former contractor’s credential was likely compromised via a credential stealer in approximately 2021 and available in cybercriminal marketplaces as early as May 2021. Stolen credentials are generally available for free and for purchase on the dark web.
Was the contractor still working for the firm in 2021 after their credentials were stolen? When did the contractor terminate employment? How often does this major retailer require all employees and contractors to reset their passwords? Does this retailer require 2FA? What procedures did this retailer have in place to terminate access for employees?
And why, oh why, did those credentials still work three years later in 2024?
How much will their failure to ensure termination of the former contractor’s access ultimately cost this retailer?