News Insights: US Military Veterans’ Medical Data Exposed Online – Secure Thoughts

Cybersecurity researcher Jeremiah Fowler with Security Discovery reports the discovery of an internet-accessible database containing nearly 200,000 records of US vets containing sensitive data. The report notes “Upon further investigation of the data there were many references to a Jacksonville, North Carolina based company called United Valor Solutions. The records contained patient, physician, employee data, some contact information and diagnostic data, and other potentially sensitive information that should have not been publicly exposed. According to their website: United Valor Solutions provides disability evaluation services for the Veterans Administration and other federal and state agencies.”

News Insights:

Saryu Nayyar, CEO, Gurucul (she/her):

“If the researcher found this database of 200,000 medical records, then who knows who else may have also found it and made off with the highly sensitive PII data of veterans. United Valor does not appear to be in control of the situation. They claim only two IP addresses accessed the data: United Valor’s and the researcher’s. That sounds doubtful. All in all this is a troublesome discovery, especially given the sensitivity of the data.”

Dr. Chenxi Wang, General Partner, Rain Capital (she/her – a former Forrester VP of research, and Carnegie Mellon Professor):

“It is entirely possible that the United Valor systems had already been penetrated and infected by malware/ransomware.  We are seeing a change in the tactics of ransomware attacks. Instead of encrypting data and ask for a ransom, more ransomware attacks have been threatening to expose data instead. This happened with the recent Japanese toolmaker ransomware attack.  The data could show up on the darknet if the perpetrator’s goal is fetching a handsome price for it, as health records are a much more attractive of a target than credit card data these days. Healt h records can sell for $150/record while credit card data is only a few dollars per record. Usually such security incidents are not isolated. Once you discover some symptoms, you probably already had multiple incidents or breaches.”

Tom Garrubba, CISO, Shared Assessments:

“The only explanation for having a database publicly exposed is due to poor application design and development. It might also indicate that United Valor practices poor internal cyber hygiene as it appears that “the data has only been accessed via our internal IP and yours.” This could be an indicator as to the presence of an internal threat. There are numerous tools and logging functionality available to monitor such internal threats and it appears these are non-existent in the United Valor IT toolbox or, they exist but are poorly utilized. Such tools could have helped identify when the “ransomware” occurred and provided useful in their follow up investigations. It depends on the type of malware installed by the threat actor and the techniques employed to bypass any existing controls. It is possible that a ransomware incident and the exposed databases are related. In many cases poorly designed and tested application controls provide easily accessible gateways for threat actors to get to their targets: networks, systems, and data. This data could wind up on the dark net – for sale to the highest bidder. Such sensitive personal and health information are ripe targets for “Robin Hood theft” – a form of medical ID theft – which is rampant in the healthcare industry due to its difficulty in catching the user fraud in a timely manner. Such information carries a high price tag in the dark web.

Baber Amin, COO, Veridium (passwordless authentication security experts):

“An incident is discovered either by looking for it, or being notified of it.  I am sure that United Valor is going through the authentication and access logs to confirm who had access and whether all access is accounted for and mapping to authorized persons.  If access was obtained via a stolen credential, that will make it a bit more challenging to track.  This is one reason why organizations are moving away from static credentials like passwords.  You can’t steal something if it doesn’t exist. It is always possible that the veterans’ data contained in this exposed database could eventually show up on the darknet, since the data was available publicly. The mystery is how the data got there, and who was involved in that chain.

Our advice is to organizations is to follow zero trust principals and:

• Implement passwordless for employees
• Use a layered security approach using biometrics, FIDO2 keys, device biometrics
• Utilize risk signals to match an authenticated session with the risk associated with information/resource/service being accessed
• Encrypt all sensitive information at rest and in transmit
• Eliminate all extra standing privileges