Vendor: Data Breach Involved Security Product VulnerabilityClinical Review Firm: Nearly 135,000 Individuals, Dozens of Health Plans Affected
This article has been updated with a statement from SonicWall.
A vendor that provides clinical reviews and virtual second opinions is notifying nearly 135,000 individuals and dozens of its health plan and related clients of a recent cyberattack involving data exfiltration and an alleged SonicWall product vulnerability.
Experts say the incident is the latest reminder of the importance of strong and comprehensive vulnerability management and software patching programs for healthcare sector entities.
"Often, organizations focus patching efforts on workstations and servers," says Benjamin Denkers, chief innovation officer at privacy and security consultancy CynergisTek.
"This is a great example of why a vulnerability management program should be developed to encompass all devices and applications."
In a breach report filed with the Maine attorney general on Friday, Salt Lake City, Utah-based Medical Review Institute of America says it was "the victim of a sophisticated cyber incident" discovered on Nov. 9, 2021, that resulted in unauthorized access to its network.
Upon discovery of the incident, MRIoA says it "took immediate steps to stop the threat and understand the full scope of the situation." This included hiring third-party forensic experts to conduct an investigation, technological remediation efforts, and contacting the FBI to seek assistance with the incident, MRIoA says.
"The forensic investigation recently concluded and found that the unauthorized individual gained access to its systems via a SonicWall vulnerability on Nov. 2, 2021, that has been removed, and MRIoA’s environment has been secured," says a sample breach notification letter MRIoA provided to the Maine attorney general's office.
"On Nov. 16, to the best of its ability and knowledge, MRIoA retrieved and subsequently confirmed the deletion of the obtained information," the letter says.
The MRIoA breach report and notification letter do not specify whether the incident involved ransomware or whether MRIoA negotiated with attackers to retrieve the compromised data and obtain confirmation of the data's deletion.
MRIoA's review of the affected data determined that the incident affected the personal information related to 134,571 individuals, including 194 Maine residents.
The breach report to the Maine attorney general includes a list of nearly three dozen affected clients - mostly health plans and large insurers - including Blue Cross and Blue Shield organizations in several states, including Rhode Island, Minnesota, Illinois, New Jersey and Texas. Other clients affected include health plans of organizations such as Twin Rivers Paper Co., Albertsons Companies and General Dynamics.
Information potentially affected includes demographic information, including first and last name, gender, home address, phone number, email address, date of birth and Social Security number; clinical information, such as medical history/diagnosis/treatment, dates of service, lab test results, prescription information, provider name and medical account number; and financial information, including health insurance policy and group plan number, group plan provider and claim information.
The breach report and sample notification letter do not specify the SonicWall product or type of vulnerability involved in the organization's security incident
MRIoA did not immediately respond to Information Security Media Group's request for information about the incident and the vulnerability involved in the data breach.
SonicWall, a vendor of security devices, including firewalls and remote access products, in a statement provided on Wednesday to ISMG says it was unaware of the MRIoA incident involving a SonicWall vulnerability until contacted by ISMG for comment on the MRIoA breach.
"This is the first SonicWall has heard of this specific report; it had not been reported previously," a SonicWall spokesman says. "It is SonicWall’s understanding that the product issue referred to is related to a known vulnerability that was reported and patched by SonicWall.
"The privacy and protection of our customers is extremely important to us at SonicWall. We have not, and will not, comment on specific products or versions our customers are using or vulnerabilities that could have impacted their systems. We can confirm that an intruder accessed MRIoA’s environment through a SonicWall vulnerability on Nov. 2, 2021. That has since been resolved and MRIoA’s environment has been secured."
The SonicWall spokeman says the company's Product Security Incident Response Team works around the clock to identify vulnerabilities and provide patches and customer communications. He also says customers should not run end-of-life or unsupported products and should apply all available security patches as promptly as possible to avoid exposures and threats.
As of Tuesday, the U.S. Department of Homeland Security's CISA catalog for known exploited vulnerabilities lists 18 vulnerabilities related to SonicWall products, and several of them involve unauthenticated access issues.
In December, SonicWall issued an advisory urging users of its Secure Mobile Access 100 series and remote access products to immediately apply patches to certain devices that are affected by eight vulnerabilities ranked as having critical to medium severity, even after enabling their web application firewall (see: SonicWall SMA 100 Series Users Urged to Apply Latest Fix).
Tom Walsh, founder of privacy and security consultancy tw-Security, says that vulnerabilities can also arise in how a user organization configures a product, such as one provided by SonicWall or any other vendor.
"The organization using the product/tool - in this case SonicWall - has a responsibility in how the firewall or tool is configured and managed," he says. "The exact same firewall - hardware and software - could be configured differently at different organizations. An error in setting up or configuring the firewall could create a vulnerability."
In the wake of the incident, MRIoA says it is continuing to implement additional cybersecurity safeguards to better minimize the likelihood of this type of event reoccurring in the future.
That includes monitoring its systems with advanced threat hunting and detection software; adding authentication protection and installing new servers "built from the ground up" to ensure all threat remnants have been removed, MRIoA says.
The company also says it is working with external third-party cybersecurity experts, deploying "a hardened and new backup environment," enhancing employee cybersecurity training and amending its existing cybersecurity policies as necessary.
MRIoA says is has no evidence that affected information was misused, but it is offering affected individuals one year of complimentary credit and identity monitoring.
Patch Management Challenges
Some experts note that the MRIoA incident appears to spotlight a variety of common difficulties with, as well as the critical importance of, effective patch management.
"Patch management can be a challenging, even for organizations that are HITRUST-certified, such as MRIoA," Walsh says. "It seems like every day there is a newly discovered vulnerability in an application, database, operating system, tool, etc. In many cases, there is a delay between the discovery of the vulnerability and when the vendor releases an update/patch/fix," he says.
How can covered entities and business associates improve their patch management processes and programs?
"The first step in this process is have a clear picture of what assets the organization has in place," Denkers says.
"Coupling that with a mature vulnerability management program allows for the best chance of identifying applicable risks to those devices or applications. Lastly, a robust patching process will help ensure those issues identified are then remediated based upon the organization's risk tolerance policy."
Walsh suggests the entities subscribe to organizations that provide routine security updates. "The problem is that you have to shift through all of the alerts to find the one or two that may apply to your environment. This is a time-consuming task and not a fun task either."
Nonetheless, any device or application that is left unpatched to a critical vulnerability can potentially cause a compromise, Denkers says. "It's imperative organizations understand what devices and application they have and are continuously monitoring for patches to help minimize the chances of compromise."