
Buckle up, folks—this episode is a rollercoaster of cyber chaos! We kick things off with a quick chat about the upcoming PriSec Boot Camp (because let’s be real, who doesn’t love a good security boot camp?). But then, we dive headfirst into the madness: a fresh HIPAA smackdown over right-of-access failures, a rogue IT guy who locked down an entire company out of revenge, and some seriously sketchy Bluetooth vulnerabilities that could have hackers eavesdropping on your life. And if that wasn’t enough, the 2025 SonicWall Cyber Threat Report drops some terrifying stats on ransomware, business email compromise, and how AI is making cyberattacks even more dangerous. Grab your tinfoil hat and let’s get into it.
In this episode:
HIPAA, Hackers, and Havoc – A Cybersecurity Reality Check – Ep 501
Today’s Episode is brought to you by: Kardon and HIPAA for MSPs with Security First IT
Quick Review of the PriSec Boot Camp
[00:32] Our 4 day Boot Camp has a theme for each day:
- Tuesday – Ya Gotta Prove It Day
- Wednesday – Risky Business Day
- Thursday – PriSec is a Team Sport
- Friday – Murphy’s Law Day
HIPAA Briefs
[07:59] Another enforcement initiative case was announced. Again, it is one that is an actual penalty without a cap. This is also another one in the Right of Access enforcement initiative; this one makes 53 of them.
Oregon Health & Science University was penalized $200k. Here are the details in the announcement from OCR:
OCR initiated an investigation of OHSU based on a complaint filed in January 2021 from the individual’s personal representative – the second complaint OCR received on this matter. In September 2020, OCR resolved the first complaint (received in May 2020) when OCR notified OHSU of its potential noncompliance with the Privacy Rule Right of Access provisions. Although OHSU provided part of the requested records in April 2019, OHSU did not provide all of the requested records until August 2021, which was nearly a year after OHSU received OCR’s September 2020 letter, and sixteen months after the first request for records in April 2019. OCR’s investigation found that OHSU failed to take timely action in response to the right of access requests.
In September 2024, OCR issued a Notice of Proposed Determination seeking to impose a $200,000 civil monetary penalty. OHSU waived its right to a hearing and did not contest OCR’s imposition of a civil monetary penalty. Accordingly, in December 2024, OCR finalized its determination and imposed the $200,000 civil monetary penalty against OHSU.
“The HIPAA Privacy Rule requires that individuals and their personal representatives receive timely access to their medical records,” said OCR Acting Director Anthony Archeval. “A covered entity’s responsibility to provide timely access continues, even when a covered entity contracts with a business associate to respond to HIPAA right of access requests.”
In the details of the case, the problem came from the BA who handled their records requests. All looked pretty good until the Personal Representative with a Power of Attorney requested the records and didn’t get all of them. They asked for the rest of them, and that is when things went bad.
They got a letter stating that “the Affected Party’s request for access to her PHI was denied because the request must contain a date in order to be considered a valid request”. OHSU later admitted that the personal representative had submitted a valid request and that the denial was erroneous.
The very next day the personal rep sent another fax for the same records, saying it was an invalid denial, and THEN got another response. This one said the request was denied for not paying the invoice for medical records.
From there it just kept going back and forth: they would ask for the records and either get the run around or get partial records. The first OCR complaint resulted in a “technical assistance” letter, which basically said “this is what you should do.” The second complaint landed them here.
This looks like an attorney who has found a way around medical records request fees. They get it sent directly to them by becoming a personal representative. Nice play. It works under the rules.
HIPAA, Hackers, and Havoc – A Cybersecurity Reality Check
[16:59] We have a lot to cover today so let’s get to it!
An interesting quick one about technical staff as insiders:
Developer sabotaged ex-employer IT systems with kill switch • The Register
Then, it’s said, Lu created what the Feds described as a kill switch – more like a dead man’s switch, perhaps – that would lock every employee out of their accounts if his credentials were ever revoked, and named the code IsDLEnabledinAD, as in “Is Davis Lu enabled in Active Directory.”
When his position was eventually terminated on September 9, 2019, the kill switch was activated and thousands of employees around the world were locked out of the network, causing hundreds of thousands of dollars of damage, it is said.
He was found guilty by the jury and is awaiting sentencing. He could get up to 10 years for it.
A quick couple of terrifying technical ones:
[20:09] Undocumented commands found in Bluetooth chip used by a billion devices
The researchers warned that ESP32 is one of the world’s most widely used chips for Wi-Fi + Bluetooth connectivity in IoT (Internet of Things) devices, so the risk is significant.
In total, they found 29 undocumented commands, collectively characterized as a “backdoor,” that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.
Espressif has not publicly documented these commands, so either they weren’t meant to be accessible, or they were left in by mistake. The issue is now tracked under CVE-2025-27840.
Espressif published a statement Monday in response to Tarlogic’s findings, stating that the undocumented commands are debug commands used for internal testing.
“The functionality found are debug commands included for testing purposes,” reads Espressif’s statement.
Espressif’s Response to Claimed Backdoor and Undocumented Commands in ESP32 Bluetooth Stack
Researchers Expose New Polymorphic Attack That Clones Browser Extensions to Steal Credentials
The only reason this isn’t freaking me out is that it was cybersecurity researchers who demonstrated it: a technique that allows a malicious web browser extension to impersonate any installed add-on. Then, when you click on that extension’s icon to use it in the browser, the malicious one gets access to the webpage instead.
“The polymorphic extension attack is extremely powerful as it exploits the human tendency to rely on visual cues as a confirmation,” SquareX said. “In this case, the extension icons on a pinned bar are used to inform users of the tools they are interacting with.”
The main event:
[31:23] 2025 SonicWall Cyber Threat Report Executive Summary
- 61% of the time, hackers leverage new exploit code within 48 hours
- IoT attacks went up globally by 124%
- SonicWall identified 210,258 ‘never-before-seen’ malware variants, which means 637 new ones every single day
Ransomware
Average Ransomware Cost: In 2024, the average ransomware payment reached $850,700, with total related losses often exceeding $4.91 million when factoring in downtime and recovery costs.
And while ransomware certainly affected industries across the board, healthcare was hit particularly hard with major impacts and catastrophic consequences.
Double and triple extortion really is becoming the standard in healthcare, they report. One fee to decrypt, another fee to not release the data, AND a third one to not notify your patients.
Business Email Compromise (BEC)
[42:38] At this point, if you are an MSP, you should expect one of your clients will have a BEC reported on Friday or Monday of every week.
In 2024, global losses from BEC attacks exceeded $2.95 billion. To put this into perspective, that’s $150 million more than the entire budget for the Cybersecurity and Infrastructure Security Agency (CISA), which had a budget of $2.8 billion in 2024.
NOTE: We still say get the PHI OUT OF EMAIL ACCOUNTS!
They even use these accounts to mess with internal communications and impersonate authorized users asking questions or making requests that get answered and approved with no problem.
AI and IoT are making it worse
[48:48] Server-Side Request Forgery (SSRF) attacks were tricky and required high-end skills, but in the past they were very effective tools for hackers. The attacker uses this method to trick a server into making requests to other servers on the network that hold more sensitive information. That whole “don’t worry about that server, it doesn’t have anything on it” argument is shot down by this technique: the server you didn’t worry about becomes the path to the ones you did. They could get deeper into a network and gather more sensitive info than ever before. But it wasn’t easy to do. Until now…
Well, SSRF became a critical cybersecurity concern in 2024. AI allows those with much less skill to launch these complex attacks, which likely accounts for the dramatic 452% increase compared to 2023.
The other thing that took off in 2024 was building IoT botnets using the broad number of vulnerabilities in those devices; SonicWall prevented more than 17 million attacks on IP cameras in 2024.
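To make the SSRF point concrete from the defender’s side, here is an added example (not code from the SonicWall report or from the show) of the kind of server-side “fetch this URL for me” feature that SSRF abuses, in its vulnerable form and beside a hardened form. The hardened version checks the URL scheme and port, optionally an allowlist of hosts, and every address the host resolves to, refusing anything that lands on a private, loopback, link-local (cloud metadata) or otherwise non-public address, and it pins the vetted address so the fetch cannot be redirected by a second DNS answer. The host names and addresses in `DEMO_DNS` are constructed for the example.

```python
"""Added example (not the report's or the podcast's code): a URL fetcher that
is open to SSRF, beside a hardened version.  Host names and addresses in
DEMO_DNS are constructed for illustration."""
import ipaddress
import socket
from urllib.parse import urlparse


class SSRFBlocked(ValueError):
    """Raised when a requested URL would make the server reach a forbidden target."""


ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed DNS table so the example runs offline.  "rebind.test" models a
# host that maps to one public and one internal address.
DEMO_DNS = {
    "api.example-partner.test": {"93.184.216.34"},
    "rebind.test": {"93.184.216.34", "10.0.0.5"},
}


def demo_resolver(host):
    """Resolver backed by the constructed table above (stands in for real DNS)."""
    return set(DEMO_DNS.get(host.lower(), set()))


def resolve_with_dns(host):
    """Default resolver: every address the name currently maps to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def fetch_unchecked(url, fetch):
    """Vulnerable form: the server fetches whatever URL the client supplies.
    If `url` is attacker-controlled, the server becomes a proxy into its own
    network (internal services, cloud metadata, hosts with no external exposure)."""
    return fetch(url)


def is_public_address(addr):
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 address (::ffff:10.0.0.1) is really the embedded IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for RFC 1918 ranges, loopback, link-local (which
    # includes the 169.254.169.254 cloud metadata endpoint), CGNAT, ULA and
    # the documentation/test blocks.
    return ip.is_global and not ip.is_multicast


def vet_outbound_url(url, allowed_hosts=None, resolver=resolve_with_dns):
    """Hardened form.  Returns (host, pinned_ip, port) for a URL the server may
    fetch, or raises SSRFBlocked.  `allowed_hosts` is an optional allowlist;
    the resolved-address check applies whether or not an allowlist is given."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise SSRFBlocked("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("no host in URL")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:  # e.g. "http://host:abc/"
        raise SSRFBlocked("malformed port") from exc
    if port not in ALLOWED_PORTS:
        raise SSRFBlocked(f"port not allowed: {port}")
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        raise SSRFBlocked(f"host not on allowlist: {host!r}")
    # A literal IP in the URL bypasses DNS, so check it directly.
    try:
        addresses = {str(ipaddress.ip_address(host))}
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise SSRFBlocked(f"host does not resolve: {host!r}")
    bad = sorted(a for a in addresses if not is_public_address(a))
    if bad:
        raise SSRFBlocked(f"{host!r} resolves to non-public address(es): {bad}")
    # Pin one vetted address: the caller must connect to it rather than resolve
    # the name again, or a DNS-rebinding attacker could answer the second
    # lookup with an internal address.
    return host, sorted(addresses)[0], port


def fetch_guarded(url, fetch, allowed_hosts=None, resolver=resolve_with_dns):
    """Hardened fetch: calls `fetch` only after the URL is vetted, handing it
    the pinned address and port to connect to (Host header stays `url`'s host)."""
    host, pinned_ip, port = vet_outbound_url(url, allowed_hosts, resolver)
    return fetch(url, pinned_ip=pinned_ip, port=port)


if __name__ == "__main__":
    def demo_fetch(url, pinned_ip, port):
        return f"would GET {url} via {pinned_ip}:{port}"

    print(fetch_guarded("https://api.example-partner.test/v1", demo_fetch,
                        resolver=demo_resolver))
    for bad_url in ("http://169.254.169.254/latest/meta-data/",
                    "http://rebind.test/", "file:///etc/passwd"):
        try:
            fetch_guarded(bad_url, demo_fetch, resolver=demo_resolver)
        except SSRFBlocked as exc:
            print("blocked:", exc)
```

The design choice worth noting is that the allowlist and the address check are independent layers: an allowlisted partner host that later resolves to an internal address (compromised DNS, or a deliberate rebinding) is still refused, and the pinned address closes the gap between the check and the connection.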
“Attackers are beginning to take note of the often-weak defenses of connected devices – specifically those used in government and critical infrastructure.”
One final point was that the use of open source software, in conjunction with AI, is letting attackers exploit many devices at once, since so many IoT devices run the same version of the same software. That shared code base is great for some of the reasons those devices exist, but really bad when nothing is patching them.
They also featured this quote in the report. It came from OpenAI:
IoT attacks will continue to rise as more connected devices with weak security are deployed in critical sectors. Threat actors are shifting from opportunistic exploits to targeted attacks using botnets like Reaper and vulnerabilities in IP cameras and OSS components. Without stronger security frameworks, patch management, and threat monitoring, IoT devices will remain prime targets for cybercriminals. – OpenAI, 2/5/24, v4
There is much more info in the report but this seems like a great time to just say – have you been listening to our recent episodes?
If this episode didn’t give you at least three new things to stress about, were you even paying attention? Between HIPAA penalties, sneaky insider threats, and cybercriminals getting richer by the second, it’s clear that the bad guys aren’t slowing down anytime soon. The 2025 SonicWall Cyber Threat Report gave us a sobering look at just how fast ransomware, business email compromise, and AI-driven attacks are evolving—so if you’re still thinking security is “good enough,” it’s time to rethink that. Stay vigilant, stay patched, and for the love of data privacy, get PHI out of your email!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.