Skip to main content

Health-ISAC Hacking Healthcare 12-8-2023

|

This week, Hacking Healthcare™ explores a potentially novel event in the world of cybersecurity: ransomware group AlphV’s breach of and subsequent SEC complaint against lending company MeridianLink. We examine the substance of the incident and discuss a few takeaways for Health-ISAC members to consider. Next, we provide a brief update on last week’s topic of proposed hospital cybersecurity regulations in New York State.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

PDF Version:
Download

 

Text Version:

Welcome back to Hacking Healthcare™.

AlphV Ransomware Group Reports Its Victim to SEC Regulators After Hack

On November 7, members of the ransomware crime syndicate AlphV breached the network of MeridianLink, a publicly traded digital lending company that provides solutions for banks, credit unions, and fintechs. In an a potentially unprecedented step, members of AlphV allegedly filed a “failure to report” claim with the U.S. Securities and Exchange Commission (SEC). Let’s take a deeper look at what occurred and how it may impact healthcare sector entities.
AlphV’s Complaint and Stakeholder Reactions
On November 15, AlphV posted screenshots of what appears to be a digital complaint form it filed with the SEC. In the form, AlphV claims that MeridianLink violated the SEC’s new incident- reporting rules because it “failed to file the requisite disclosure under item 1.05 of form 8-K within the stipulated four business days” after the breach.[i]
In response, MeridianLink released a statement saying that “upon discovery [of the breach], we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident.”[ii] The statement continued, “[B]ased on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption. If we determine that any consumer personal information was involved in this incident, we will provide notifications, as required by law.”[iii]
Despite AlphV’s statement, the new reporting requirements it referred to in its alleged complaint were not yet entered into force. Additionally, as these are new rules, it is unclear whether MeridianLink would have been obligated to report the alleged breach anyway.
So what does this mean for Health-ISAC members?
Action & Analysis
**Available with Health-ISAC Membership**

New York State Proposed Hospital Cybersecurity Regulations Hit Open Comment Period

In a brief follow-up to last week’s Hacking Healthcare™ topic of proposed hospital cybersecurity regulations for New York State, the full 32-page proposed regulation has been posted.[vi] The New York State Register for December 6th has announced that the proposed regulations are now in a 60-day open comment period ending in early February.
Action & Analysis
**Available with Health-ISAC Membership**

Congress

Tuesday, December 5
No relevant hearings

Wednesday, December 6
No relevant meetings
Thursday, December 7
No relevant meetings
Report Source(s)
Health-ISAC
This site is registered on Toolset.com as a development site.