US Radiology Slapped With $450K Fine For Creating The Conditions To Get Pwned By Ransomware

Posted in Commentary on November 12, 2023 by itnerd

This is something that needs to happen way more often. I’ll explain why in a second. But here’s what happened. The AG of NY State has hit US Radiology with a $450K fine for the following:

In an agreement announced on Wednesday, New York Attorney General Letitia James said US Radiology failed to remediate a vulnerability announced by security company SonicWall in January 2021.

US Radiology used the company’s firewall to protect its network and provide managed services for many of its partner companies, including the Windsong Radiology Group, which has six facilities across Western New York.

The vulnerability highlighted by the attorney general — CVE-2021-20016 — was used by ransomware gangs in several attacks. US Radiology was unable to install the firmware patch for the zero-day because its SonicWall hardware was at an end-of-life stage and was no longer supported. The company planned to replace the hardware in July 2021, but the project was delayed “due to competing priorities and resource restraints.”

The vulnerability was never addressed, and the company was attacked by an unnamed ransomware gang on December 8, 2021.

“Once the threat actor gained access to the VPN, they leveraged 101 additional credentials to access various network data folders over the following week,” New York prosecutors said.

That’s bad. But it gets worse:

“While a subsequent forensic investigation was unable to definitively determine how the threat actor initially obtained credentials to access the SonicWall VPN, the vulnerability identified by the NCC Group in January 2021 could have allowed the threat actor to capture username, password and other session information stored on the SonicWall server through a process known as a SQL injection.”

An investigation determined that the hacker was able to gain access to files that included the names, dates of birth, patient IDs, dates of service, provider names, types of radiology exams, diagnoses and/or health insurance ID numbers of 198,260 patients.

The data exposed during the incident also included driver’s license numbers, passport numbers, and Social Security numbers for 82,478 New Yorkers.

Now for why this needs to happen way more often. If companies know with certainty that failing to patch everything will get them slapped with a fine from a government body, they will patch everything without fail. I guarantee it. Thus I applaud New York Attorney General Letitia James for doing this, and AGs in other states, not to mention in other places around the world, should follow her lead.