Vulnerability Report

Sunshine Snag: Florida Department of Health Ransomware Attack

By

Matt Berns, Access Point Consulting

The Florida Department of Health (DOH) is currently addressing a significant ransomware attack that has severely impacted its vital statistics system, which processes birth and death certificates. The cybercriminal group RansomHub has claimed responsibility for the attack, asserting that it stole over 100 gigabytes of data, including personally identifiable information (PII) and protected health information (PHI). RansomHub began leaking the stolen data after the DOH missed the July 1 ransom payment deadline.

Florida's State Cybersecurity Act, which prohibits state entities from paying ransom demands, remains a critical factor in this incident. RansomHub has a history of attacking healthcare organizations and government departments, including recent attacks on Frontier Communications and Christie's.

The ransomware attack on the Florida Department of Health involved the exfiltration of a substantial amount of data, which RansomHub began leaking after the state agency missed the ransom payment deadline. The attack was detected in late June 2024, disrupting numerous services within the department.

The department's network was likely compromised through phishing or a vulnerable server. Initial signs of the incident included disruptions in its vital statistics system.

Impact

The attack has profoundly affected the Department's ability to process vital records, leading to delays and manual processing for funeral homes across the state.

The leaked data, including service-related files, employee records, health program applications, and sensitive personal and health information, suggests a significant breach. Potentially compromised information includes names, addresses, phone numbers, dates of birth, Social Security numbers, appointment details, health insurance information, medical record numbers, screening results, health policy numbers, and more.

In response to the ransomware attack, the Department of Health took immediate actions to isolate the affected systems and limit the spread of the malware. The department has an incident response plan, though its adequacy is under review.

Communication with stakeholders is ongoing, with no public comment on ransom negotiations due to the legal prohibition on ransom payments.

Efforts to restore affected systems and data are underway, although the expected downtime and impact on business operations remain uncertain. The disruption of multiple services within the department, including the online system for issuing birth and death certificates, highlights the critical need for a robust recovery plan.

Phishing attacks and system vulnerabilities remain two of the most prevalent and dangerous vectors for ransomware attacks and other cybersecurity threats. The Florida Department of Health's recent incident underscores the critical importance of protecting against these risks.

Recommendations

Phishing is a favored technique for attackers because it targets human vulnerabilities rather than technical flaws. In the context of the Florida Department of Health attack, a successful phishing attempt could have granted attackers the initial access needed to infiltrate the system.

To safeguard against phishing:

Employee Training: Regular and comprehensive training programs should be implemented to educate employees about the common signs of phishing attempts, such as suspicious links, unexpected attachments, and urgent requests for sensitive information. Employees should be encouraged to report any suspicious communications.

Email Security Solutions: Deploy advanced email filtering and security solutions that can detect and block phishing attempts before they reach employees' inboxes. These solutions can use machine learning and threat intelligence to identify malicious emails.

Multi-Factor Authentication (MFA): Enforcing MFA adds another layer of security, making it harder for attackers to gain access to systems even if they obtain valid login credentials through phishing.
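The email-filtering recommendation above is easier to reason about with a concrete triage check. The following Python script is an added example, not code from Access Point Consulting or from the Florida DOH incident; it parses two constructed messages (a benign internal reminder and a credential-phishing lure) and reports the indicators a gateway or SOC analyst would look at: SPF/DKIM/DMARC results written into the Authentication-Results header, a Reply-To domain that differs from the From domain, urgency wording in the subject, and an HTML link whose visible text names a different domain than its href. All domains, addresses and the Authentication-Results format are assumptions made for the sample.

```python
"""Phishing indicator triage over constructed e-mail samples (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Subject phrases commonly used to pressure a recipient into acting without checking.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account", "action required")

# Constructed sample: a credential-phishing lure. Domains are reserved ".example" names.
SUSPICIOUS = """\
From: "IT Helpdesk" <helpdesk@mail-support.example>
Reply-To: recovery@mailbox-reset.example
To: staff@agency.example
Subject: URGENT: your account will be suspended
Authentication-Results: mx.agency.example; spf=fail smtp.mailfrom=mail-support.example; dkim=none; dmarc=fail
Content-Type: text/html; charset="utf-8"

<html><body>Verify now: <a href="http://login.credential-harvest.example/reset">https://portal.agency.example/reset</a></body></html>
"""

# Constructed sample: an ordinary internal notice that passes authentication.
BENIGN = """\
From: payroll@agency.example
To: staff@agency.example
Subject: Timesheet reminder for this period
Authentication-Results: mx.agency.example; spf=pass smtp.mailfrom=agency.example; dkim=pass header.d=agency.example; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Timesheets are due Friday. Submit them in the HR portal as usual.
"""


def parse_message(raw: str):
    """Parse an RFC 5322 message from text into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of a header address, or '' if absent."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def phishing_indicators(raw: str) -> list[str]:
    """Return the names of phishing indicators present in one message."""
    msg = parse_message(raw)
    findings = []

    # 1. Authentication verdicts recorded by the receiving gateway (assumed header layout).
    auth = str(msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|none)\b", auth):
            findings.append(f"{mech}-failed")

    # 2. Replies silently redirected to a different domain than the visible sender.
    from_domain = _domain(str(msg.get("From", "")))
    reply_domain = _domain(str(msg.get("Reply-To"))) if msg.get("Reply-To") else from_domain
    if reply_domain != from_domain:
        findings.append("reply-to-domain-mismatch")

    # 3. Pressure language in the subject line.
    subject = str(msg.get("Subject") or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgent-subject")

    # 4. HTML anchor whose displayed URL names a different host than the real href.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    link_pattern = r'href="https?://([^/"]+)[^"]*"[^>]*>\s*https?://([^/<\s]+)'
    for href_host, shown_host in re.findall(link_pattern, text, re.I):
        if href_host.lower() != shown_host.lower():
            findings.append("link-text-domain-mismatch")
            break

    return findings


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Simple policy: two or more independent indicators warrant quarantine and review."""
    return len(phishing_indicators(raw)) >= threshold


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, phishing_indicators(sample), "-> quarantine" if is_suspicious(sample) else "-> deliver")
```

The script reads authentication verdicts rather than computing them, which mirrors how a mail gateway hands results to downstream filters; the domain-mismatch and link checks are the kind of heuristic that catches lookalike lures even when the sending domain authenticates correctly.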

Exploiting unpatched vulnerabilities in software and systems is another common method used by cybercriminals to gain unauthorized access. Vulnerabilities can exist in operating systems, applications, or even hardware.

To mitigate the risk from vulnerabilities:

Regular Patching: Establish a robust patch management process to ensure that all systems and software are regularly updated with the latest security patches. This reduces the window of opportunity for attackers to exploit known vulnerabilities.

Vulnerability Scanning: Conduct regular vulnerability scans and penetration testing to identify and remediate security weaknesses before they can be exploited by attackers. These scans should cover both internal and external systems.

Security Configuration Management: Ensure that systems are configured securely according to best practices and that any unnecessary services or features are disabled to reduce the attack surface.
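The patching and configuration-management recommendations both come down to comparing what is deployed against a baseline. The Python script below is an added example, not code from Access Point Consulting or from the Florida DOH; it walks a constructed host inventory, flags packages whose installed version is older than a placeholder minimum-patched version, and flags services that should be disabled on those hosts. Host names, package versions and the baseline are all assumptions for the sample, not values from any real advisory.

```python
"""Patch-level and configuration baseline check over a constructed host inventory (added example)."""
import re

# Constructed inventory, shaped like an asset-management export. Names are placeholders.
INVENTORY = [
    {"host": "vitals-web-01",
     "packages": {"openssl": "3.0.7", "nginx": "1.24.0"},
     "services": ["nginx", "sshd", "telnet"]},
    {"host": "vitals-db-01",
     "packages": {"openssl": "3.0.13", "postgresql": "15.6"},
     "services": ["postgresql", "sshd"]},
    {"host": "cert-print-02",
     "packages": {"openssl": "3.0.13", "nginx": "1.22.1"},
     "services": ["nginx", "sshd", "ftp"]},
]

# Placeholder baseline: the minimum versions an organisation's own advisory feed would supply.
MIN_PATCHED = {"openssl": "3.0.13", "nginx": "1.24.0", "postgresql": "15.6"}

# Legacy services that should be disabled to shrink the attack surface.
DISALLOWED_SERVICES = {"telnet", "ftp", "rsh", "rlogin"}


def version_key(version: str) -> tuple:
    """Extract the numeric components of a version string, e.g. '9.6p1' -> (9, 6, 1).

    This handles plain dotted schemes; distribution-specific versions (epochs,
    backport suffixes) need the distribution's own comparison rules instead.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_older(installed: str, minimum: str) -> bool:
    """True if installed is strictly older than minimum; '1.0' and '1.0.0' compare equal."""
    a, b = version_key(installed), version_key(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_unpatched(inventory, baseline):
    """Return (host, package, installed, minimum) for every package below baseline."""
    findings = []
    for host in inventory:
        for pkg, installed in host["packages"].items():
            minimum = baseline.get(pkg)
            if minimum is not None and is_older(installed, minimum):
                findings.append((host["host"], pkg, installed, minimum))
    return findings


def find_disallowed_services(inventory, disallowed):
    """Return (host, service) for every enabled service on the disallowed list."""
    return [(h["host"], s) for h in inventory for s in h["services"] if s in disallowed]


def compliance_report(inventory=INVENTORY, baseline=MIN_PATCHED, disallowed=DISALLOWED_SERVICES):
    """Combine both checks and list the hosts that fail either one."""
    unpatched = find_unpatched(inventory, baseline)
    services = find_disallowed_services(inventory, disallowed)
    noncompliant = sorted({h for h, *_ in unpatched} | {h for h, _ in services})
    return {"unpatched": unpatched, "disallowed_services": services, "noncompliant_hosts": noncompliant}


if __name__ == "__main__":
    report = compliance_report()
    for host, pkg, installed, minimum in report["unpatched"]:
        print(f"{host}: {pkg} {installed} is below minimum {minimum}")
    for host, service in report["disallowed_services"]:
        print(f"{host}: service '{service}' should be disabled")
    print("non-compliant hosts:", report["noncompliant_hosts"])
```

In practice the inventory comes from the endpoint agent or CMDB and the baseline from the vendor or internal advisory feed; the value of running the comparison on a schedule is that a host that drifts out of compliance between patch cycles is noticed before a scan or an attacker finds it.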

By focusing on employee education, implementing advanced security technologies, and maintaining diligent patch and configuration management practices, organizations can significantly reduce their risk of falling victim to attacks similar to the one experienced by the Florida Department of Health.
