
Learning From The MGM Hack – Ep 453 

 April 12, 2024

By  Donna Grindle

One Friday night in September last year, a massive hack at the MGM Grand caused quite a stir in Las Vegas. Cybercriminals used tricky tactics to slip through the cracks, infiltrating the network, and disrupting services at the hotel and casino. It’s a wake-up call for everyone to step up their security game and stay one step ahead in this fast-changing world of cyber threats.


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

HIPAA Say What!?!

[04:37] The 47th enforcement action in the OCR Right of Access Initiative was announced.

Phoenix Healthcare-Settlement Agreement | HHS.gov

The settlement agreement announcement says Phoenix Healthcare, an Oklahoma multi-facility nursing care organization, came to OCR's attention through a complaint. That is pretty much how all of these cases reach them.

According to the announcement, the complaint was filed with OCR in April 2019, alleging that Phoenix Healthcare would not provide a daughter, who serves as her mother's personal representative, with a copy of her mother's medical records. After OCR's attempts at technical assistance and attempts to obtain the records, Phoenix Healthcare sent the requested records on January 30, 2020, 323 days after the request.

The OCR Director's quote is much like the others in this initiative:

"Patients need to make the best decisions possible for their health and well-being, so timely access to their medical records is imperative. Without this access, patients are at risk for incorrect treatments, inaccurate health records, and lack of understanding of their health conditions. It is unacceptable for a health care provider to delay or deny requests to release medical records for months, and we are calling on providers everywhere to be compliant to help empower patients." (OCR Director Melanie Fontes Rainer)

But this was not your average settlement agreement text. The numbered paragraphs got my attention right away, starting with #2:

2. By letter dated March 30, 2021, OCR notified Phoenix of its intention to impose a civil money penalty ("CMP") against Phoenix in the amount of $250,000 for its failure to comply [with the right of access requirements under HIPAA].

3. On June 25, 2021, Phoenix requested a hearing before an Administrative Law Judge ("ALJ") to contest OCR's proposed imposition of the CMP, and the matter was docketed [on the appeals board for a hearing].

4. In Decision No. CR6232, dated February 16, 2023, the ALJ upheld the violations cited by OCR under 45 C.F.R §§ 164.524(b)(2), 164.524(c)(4), and 164.502(e) and directed that Phoenix pay a CMP in the amount of $75,000. The ALJ also upheld OCR’s determinations that Phoenix acted with willful neglect in violating sections 164.524(b)(2) and 164.524(c)(4).

5. On April 17, 2023, Phoenix filed its notice of appeal and written brief in support thereof, in which Phoenix contested the ALJ's determinations that Respondent acted with willful neglect [they also challenged the $75k].

6. On August 4, 2023, the Departmental Appeals Board affirmed [the ALJ decision and penalty amount].

Now, we have the official settlement agreement where Phoenix agrees:

  • No further appeals of the decisions in any court, other forum, or manner.
  • Pay $35,000 as a settlement amount on October 13, 2023.
  • Revise its HIPAA Policies and Procedures to address:
    • (1) the Privacy Rule’s requirements concerning an individual’s right of access to Protected Health Information, and
    • (2) its obligations to enter into Business Associate Agreements.
  • Phoenix shall submit its revised Policies and Procedures to OCR for review and make any revisions requested by OCR until it receives OCR’s approval. Phoenix must produce a set of HIPAA Policies and Procedures that OCR deems acceptable by October 16, 2023.
  • On or before October 30, 2023, Phoenix will provide to OCR a signed attestation stating that it has implemented and distributed to its workforce members its revised set of HIPAA Policies and Procedures that OCR has deemed acceptable along with evidence of the training materials to be used to train the staff on these policies and procedures.
  • On or before November 30, 2023, Phoenix will provide to OCR a signed attestation stating that it has trained all of its workforce members.
  • Phoenix shall not contest the validity of its obligation to pay the Settlement Amount nor any other obligation it has agreed to under this Agreement.
  • If they fail to meet these obligations, OCR reserves the right to seek payment of the $75,000 CMP imposed in the ALJ Decision.

This agreement was signed September 22, 2023 by OCR and by the Owner and Court Appointed Receiver for Phoenix Healthcare, LLC in Tulsa, OK.

Learning From The MGM Hack

[24:21]

Casino giant MGM expects $100 million hit from hack that led to data breach | Reuters

The 2023 Cyberattack on the MGM Resort Explained

Note: one of the articles referred to in this episode requires a subscription to WSJ or Apple News+: The Audacious MGM Hack That Brought Chaos to Las Vegas – WSJ

The MGM hack got the attention of a lot of people who have no idea about the attacks we talk about here all the time. This one involved Vegas, baby! Hard to believe that huge entities like the MGM casinos could get hit so hard by a cyber attack that it shut down resort reservations and more.

Let’s look at what we know about the attack and see if we can learn from it.

Guess who initially claimed to be involved in the breach: AlphV/BlackCat, the same group claiming the Change Healthcare attack. Supposedly this one also involved Scattered Spider, which is believed to be a subgroup of AlphV. Eventually, AlphV called up and said, our bad, not us. By now there are others supposedly involved using the name Star Fraud.

[32:09] It all started on a Friday night last September. Tech support gets a call from an employee asking for a password reset. Tech follows protocol, confirms personal information for the employee, and then resets the password.

Minutes later, tech support gets a call from the real employee saying they got a changed-password alert but they never tried to change their password. It was too late. That is when they experienced BOOM!
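The call above is a help-desk identity check that only tests what the caller knows, which data mining defeats. The added example below (my own illustration, not MGM's or the show's code; all check names and the 10-minute threshold are assumed) contrasts that knowledge-only policy with one that requires a possession factor, and lists the containment steps when the real employee reports a reset they never requested.

```python
"""Help-desk password-reset verification, modelled on the MGM call (constructed example)."""
from dataclasses import dataclass

# Facts an attacker can research about an employee (assumed check names).
KNOWLEDGE = {"date_of_birth", "employee_id", "home_address", "manager_name"}
# Factors tied to something the real employee holds (assumed check names).
POSSESSION = {"mfa_push_approved", "callback_to_enrolled_phone", "hardware_token_otp"}


@dataclass
class ResetRequest:
    username: str
    evidence: set            # names of the checks the caller passed
    privileged: bool = False  # admin, IT or finance account


def weak_policy(req: ResetRequest) -> bool:
    """Knowledge-only check: any two personal facts unlock a reset."""
    return len(req.evidence & KNOWLEDGE) >= 2


def hardened_policy(req: ResetRequest) -> tuple[bool, str]:
    """Reset only with a possession factor; privileged accounts also need a second approver."""
    if not req.evidence & POSSESSION:
        return False, "deny: knowledge-based answers only; those can be data-mined"
    if req.privileged and "second_approver" not in req.evidence:
        return False, "deny: privileged account needs out-of-band manager approval"
    return True, "allow: possession factor verified on the call"


def on_unrequested_reset_report(username: str, minutes_since_reset: int) -> list[str]:
    """Containment steps when the real employee reports a reset they did not make.

    The longer the attacker-held credential was live, the more likely it was
    already used, so an older reset escalates to a full incident.
    """
    steps = [
        f"disable {username} and revoke all active sessions and tokens",
        "invalidate the password issued on the help-desk call",
        "preserve the help-desk call recording and reset ticket for the incident record",
    ]
    if minutes_since_reset > 10:  # assumed threshold
        steps.append("escalate: credential was live long enough for lateral movement; open an incident")
    return steps
```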

For at least 5 days the criminals fought MGM's teams while demanding over $30m. As MGM watched the attackers move throughout the networks, it kept getting worse. They had a full-scale crisis on their hands by midnight. To regain control, MGM shut down so much that the casinos and resorts made big news because of the chaos!

By Monday, it wasn’t just reservations that were impacted but casino visitors were aware there were big problems. When you can’t cash out your slot machine winnings you sit and wait. One couple interviewed explained how they were waiting for help for 45 minutes. No one seemed to know what was going on. Then they started to see all the machines flashing “shut down”. Nothing was working for check in, communications, and much more. They even had people standing at the elevators waiting with walkie-talkies to run them.

Since they had shut down email, the CEO didn't see the ransom demand that came in at 2am. It asked for $30m in crypto to let them get back up and running. That was unfortunate because the attacks continued for 12 more hours until someone found the email.

By Thursday, execs for MGM were walking around the casinos with fanny packs full of cash to help people cash out on the slot machines. Cocktails were being served to people waiting in long lines to check in.

MGM says public-facing operations were back up and running in about 6 days. Behind the scenes it really took weeks. Then news came out that Caesars Entertainment had actually paid around $15m over the summer to regain control of their systems.

MGM took a one-time expense write-off in Q4 of just under $10m for expenses due to the attack.

According to the WSJ article that just came out on this, the Star Fraud group used data mining to find employees and gather the personal information that allowed them to get past tech support's verification protocols. But the article also reports that other companies have been hit by threatening employees via text message to give up their credentials. The example shared said:

“If we don’t get ur…login in the next 20 minutes, were sending a shooter to your house”

“Ur wife is gonna get shot if you dont.”

[47:57] These were not the normal hackers we have all gotten used to dealing with, criminals after some cash and ready to move on to the next target. This new version includes kids who are doing this because it is "fun" and they want to prove they can one-up each other. Well, and get the money too. They still want the money. Many of them are apparently from the US, Canada, and the UK, according to some court filings.

This proves that the criminals themselves continue to evolve as well as their tactics. No assumptions about their intent and behavior can be made anymore. All bets are off. What remains to be seen will be how they will handle themselves in a future, or yet to be learned about, attack on healthcare.

So there you have it, a deep dive into the MGM hack that shook up Vegas. It’s more than just a story about a big-name casino getting hacked; it’s a real-world lesson on the importance of cyber vigilance. These conversations remind us that in the digital age, everyone’s a target, and the hackers are always looking for the next big score. Whether you’re running a casino empire or just keeping your personal info safe online, it’s clear that staying ahead of the game isn’t just smart—it’s essential.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it's about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.
