Okta Affected by Third-Party Vendor Incident and Customer Support System Breach
Okta, a San Francisco-based provider of cloud identity and access management solutions, has confirmed the exposure of the personal data of 4,961 current and former workers in a data breach at its vendor, Rightway Healthcare.
Rightway Healthcare helps Okta workers and their dependents find healthcare providers and compare their rates. According to Okta's breach notice to the Maine Attorney General, Rightway notified Okta on October 12, 2023 of unauthorized access to an eligibility census file connected to the services it renders to Okta. The file included worker names, medical insurance plan numbers, and Social Security numbers. Rightway's investigation showed the unauthorized activity happened on September 23, 2023. The attacker stole files between April 2019 and 2020. Okta has offered free credit monitoring, fraud detection, and identity restoration services to the affected individuals.
Customer Support System Compromised
Okta also investigated a compromise of its customer support system and reported that breach a couple of days after reporting the Rightway Healthcare breach. In this incident, an unauthorized person gained access to 134 customer files.
According to Okta's investigation, the breach most likely resulted from a worker signing in to their personal Google profile in the Chrome browser on their Okta-managed laptop. The worker had saved their Okta service account credentials in that personal Google account.
Using the worker's Okta credentials, the attacker accessed customer session cookies and used them to bypass login pages and multi-factor authentication. Five Okta sessions were accessed, affecting 134 Okta customers. Three of the affected customers (1Password, Cloudflare, and BeyondTrust) have publicly announced the breach. Okta stated its investigation showed the unauthorized activity took place from September 28 to October 17, 2023.
The investigation proved difficult because file downloads could not initially be identified in the vendor logs of the customer support system. When a user opens a file from a support case, a specific log event is created together with a record ID linked to that file; when the user instead clicks the Files tab in the customer support system, different log events and record IDs are generated.
The threat actor went directly to the Files tab, while Okta's preliminary investigation examined only access to support cases using the first type of log event and record ID. Only on October 13, when BeyondTrust identified a suspicious IP address, did Okta recognize the additional file access events and connect them to the compromised worker account.
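The following is an added illustration of the investigative gap described above; it is not code from the article or from Okta, and the event names, actors, case and record IDs, IP addresses and timestamps are all constructed for the example rather than taken from any real audit schema. It shows how a query limited to one event type (file opened from a case) under-counts the files an account touched when a second UI path (a Files tab) emits a different event type, and how a pivot on a reported IP address recovers the missed activity.

```python
"""Audit-log triage: one access path, two event types.

All event names, IDs, IPs and timestamps below are constructed for this
example (hypothetical schema); they do not represent Okta's logging.
"""
import json
from collections import defaultdict

# Constructed sample log, one JSON object per line.
#  - support.case.file.open : emitted when a file is opened from a case,
#                             carrying exactly one record_id
#  - support.files_tab.view : emitted when the Files tab is viewed, listing
#                             every record_id exposed in that view
SAMPLE_LOG = """
{"ts":"2023-09-28T10:01:00Z","actor":"svc-support","event":"support.case.file.open","case_id":"C-1001","record_ids":["R-1"],"ip":"203.0.113.7"}
{"ts":"2023-10-02T14:22:00Z","actor":"svc-support","event":"support.files_tab.view","case_id":"C-2002","record_ids":["R-2","R-3"],"ip":"198.51.100.23"}
{"ts":"2023-10-05T09:10:00Z","actor":"svc-support","event":"support.files_tab.view","case_id":"C-2003","record_ids":["R-4"],"ip":"198.51.100.23"}
{"ts":"2023-10-05T09:11:00Z","actor":"alice","event":"support.case.file.open","case_id":"C-2004","record_ids":["R-5"],"ip":"203.0.113.9"}
"""

# The narrow query only knows about the case-file event; the wide query
# includes every event type that can expose a file.
CASE_FILE_EVENTS = {"support.case.file.open"}
ALL_FILE_EVENTS = CASE_FILE_EVENTS | {"support.files_tab.view"}


def parse_log(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def files_accessed(events, event_types):
    """Map each actor to the set of record IDs it touched via the given event types."""
    touched = defaultdict(set)
    for e in events:
        if e["event"] in event_types:
            touched[e["actor"]].update(e["record_ids"])
    return dict(touched)


def missed_by_narrow_query(events):
    """Record IDs per actor that a case-file-only query fails to attribute."""
    narrow = files_accessed(events, CASE_FILE_EVENTS)
    wide = files_accessed(events, ALL_FILE_EVENTS)
    gaps = {}
    for actor, records in wide.items():
        missing = records - narrow.get(actor, set())
        if missing:
            gaps[actor] = missing
    return gaps


def pivot_on_ip(events, ip):
    """Everything seen from one IP: the pivot a customer-reported IOC enables."""
    hits = [e for e in events if e["ip"] == ip]
    return {
        "actors": {e["actor"] for e in hits},
        "cases": sorted(e["case_id"] for e in hits),
        "record_ids": sorted(r for e in hits for r in e["record_ids"]),
    }


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("narrow:", files_accessed(events, CASE_FILE_EVENTS))
    print("wide:  ", files_accessed(events, ALL_FILE_EVENTS))
    print("missed:", missed_by_narrow_query(events))
    print("pivot: ", pivot_on_ip(events, "198.51.100.23"))
```

The lesson for investigators is to enumerate every event type that can expose a given asset before scoping a query, and to treat an externally reported indicator (here, an IP address) as a pivot across all event types rather than only the one already under review.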
BlackCat Ransomware Group Attack on Henry Schein
The BlackCat (ALPHV) ransomware group has claimed responsibility for an attack on Henry Schein, a Fortune 500 company that distributes dental and medical supplies and offers practice management software and solutions to healthcare organizations.
Henry Schein reported on October 15, 2023 that it had experienced a cybersecurity incident, which was discovered on October 14, 2023. The incident affected part of its manufacturing and distribution business and caused a temporary disruption to its operations. More than three weeks later, the company continues to experience technical problems with its website and online shop. Third-party cybersecurity experts investigated the breach and the affected data, and law enforcement was informed. The investigation continues, but it has been confirmed that users of its practice management software were not affected.
According to a posting on the BlackCat group's dark web data leak site, the group stole 35 terabytes of data in the attack, including payroll and shareholder information. The group stated it had encrypted files and was in talks with the company. When the company was close to finishing the restoration of its systems, the ransomware group encrypted its files again because negotiations had failed. BlackCat also threatened to publish the company's payroll and shareholder information. The posting is no longer available, which suggests that negotiations have resumed.
Ventura Orthopedics Informs Patients Regarding 2020 Ransomware Attack
Ventura Orthopedics in California has begun notifying patients that some of their protected health information (PHI) was compromised in a ransomware attack on July 20, 2020. According to the company's substitute breach notice, Ventura Orthopedics detected the breach in September 2020 when files on its system were encrypted. The company received a ransom demand but did not pay, as the encrypted files were recovered from backups. At the time, the investigation indicated that the attackers had accessed the data of one patient, who was notified then.
Further investigation has revealed that the incident affected more patients. The hackers accessed the files of one doctor and his assistant, which contained names, birth dates, and drug and lab testing data from 2016 to 2018. Ventura Orthopedics is now sending notification letters to those individuals.
According to DataBreaches, the Maze ransomware group listed Ventura Orthopedics on its leak site, and the Conti group later exposed the information of 1,850 individuals on its data leak site. DataBreaches attempted to contact Ventura on several occasions and also filed a complaint with OCR about the incident. On September 13, 2023, following a conference call with the site's operator, the company said it had identified additional affected information.
The breach has not yet been posted on the HHS Office for Civil Rights breach portal, and Ventura Orthopedics has not yet stated how many individuals are affected.
PHI Compromised in Edward C. Taylor, PhD Cyberattack
Edward C. Taylor, Ph.D., a provider of counseling and psychoeducational assessment services based in Jacksonville, FL, has recently completed its investigation of a cyberattack. It discovered a security breach on August 19, 2023 and engaged third-party digital forensics experts to determine the nature and scope of the breach. On or about October 5, 2023, it was confirmed that an unauthorized person had accessed its system for one day and exfiltrated files containing company data.
It could not be determined whether the stolen files included any patient data; however, files containing the PHI of 6,684 individuals were found on the compromised part of the system. The exposed data included names, contact details, birth dates, insurance information, and mental health details including clinical information and diagnoses. Internal configurations and controls were updated, including password changes, to prevent similar breaches in the future.