Earlier this month, I wrote about an organized cybercrime gang that has been hacking into HR departments at organizations across the country and filing fraudulent tax refund requests with the IRS on employees of those victim firms. Today, we’ll look a bit closer at the activities of this crime gang, which appears to have targeted a large number of healthcare and senior living organizations that were all using the same third-party payroll and HR services provider.
As I wrote in the previous story, KrebsOnSecurity encountered a Web-based control panel that an organized criminal gang has been using to track bogus tax returns filed on behalf of employees at hacked companies whose HR departments had been relieved of W-2 forms for all employees.
Among the organizations listed in that panel were Plaintree Inc. and Griffin Faculty Practice Plan. Both entities are subsidiaries of Derby, Conn.-based Griffin Health Services Corp.
Steve Mordecai, director of human resources at Griffin Hospital, confirmed that a security breach at his organization had exposed the personal and tax data on “a limited number of employees for Griffin Health Services Corp. and Griffin Hospital.” Mordecai said the attackers obtained the information after stealing the organization’s credentials at a third-party payroll and HR management provider called UltiPro.
Mordecai said that the bad guys only managed to steal data on roughly four percent of the organization’s employees, but he declined to say how many employees the healthcare system currently has. An annual report (PDF) from 2009 states that Griffin Hospital alone had more than 1,384 employees.
“Fortunately for us it was a limited number of employees who may have had their information breached or stolen,” Mordecai said. “There is a criminal investigation with the FBI that is ongoing, so I can’t say much more.”
The FBI did not return calls seeking comment. But according to Reuters, the FBI recently circulated a private notice to healthcare providers, warning that the “cybersecurity systems at many healthcare providers are lax compared to other sectors, making them vulnerable to attacks by hackers searching for Americans’ personal medical records and health insurance data.”
According to information in their Web-based control panel, the attackers responsible for hacking into Griffin also may have infiltrated an organization called Medical Career Center Inc., but that could not be independently confirmed.
This crime gang also appears to have targeted senior living facilities, including SL Bella Terra LLC, a subsidiary of Chicago-based Senior Lifestyle Corp, an assisted living firm that operates in seven states. Senior Living did not return calls seeking comment.
In addition, the attackers hit Swan Home Health LLC in Menomonee Falls, Wisc., a company that recently changed its name to Enlivant. Monica Lang, vice president of communications for Enlivant, said Swan Home Health is a subsidiary of Chicago-based Assisted Living Concepts Inc., an organization that owns and operates roughly 200 assisted living facilities in 20 states.
ALC disclosed in March 2014 that a data breach in December 2013 had exposed the personal information on approximately 43,600 current and former employees. In its March disclosure, ALC said that its internal employee records were compromised after attackers stole login credentials to the company’s third-party payroll provider.
That disclosure didn’t name the third-party provider, but every victim organization I’ve spoken with that’s been targeted by this crime gang had outsourced their payroll and/or human resources operations to UltiPro.
Enlivant’s Lang confirmed that the company also relied on UltiPro, and that some employees have come forward to report attempts to file fraudulent tax refunds on their behalf with the IRS.
“We believe that [the attackers] accessed employee names, addresses, birthdays, Social Security numbers and pay information, which is plenty to get someone going from a tax fraud perspective,” Lang said in a telephone interview.
ULTIPRO & THE TWO-FACTOR SHUFFLE
I reached out to UltiPro to learn if they offered their customers any sort of two-factor authentication to beef up the security of their login process. Jody Kaminsky, senior vice president of marketing at UltiPro, confirmed that the company does in fact offer multi-factor authentication for its customers.
“We strongly encourage them to use it,” Kaminsky said. “We’d prefer not to provide any specific details about how it works that might assist or enable those who may attempt to break the law. Unfortunately, it does seem like this tax fraud scheme is pretty widespread and certainly not limited to our customers. We are aware of a few of our customers who have been impacted, however we can’t provide any further information due to confidentiality obligations.”
Kaminsky did not respond to questions about how long UltiPro has been offering the multi-factor solution. But information shared by an employee at a victim firm that has not been named in this series indicates that UltiPro only recently added multi-factor logins — after a large number of its customers had already been compromised by fraudsters who were plundering W-2 data to file fraudulent tax refunds.
A copy of a message sent by UltiPro to its customer base indicates that on Feb. 6, 2014 the company temporarily suspended access to individual employee W-2 records for all customers. That message reads, in part:
“On February 6, 2014, we applied an update to UltiPro to remove administrator/manager access to W-2s as a proactive measure in response to a specific new security threat we have been alerted to this tax season. Across all industries and providers, there is increasing activity that targets payroll administrators and any user with access to multiple employee records, where malicious groups or individuals are attempting to obtain employee W-2 information for the purpose of committing tax fraud. Any organization, regardless of payroll provider, is a potential target of this threat where the malicious group uses malware to spy on customer or end-user’s workstation to obtain user names and passwords. If obtained, any user name and password can then be used to log in, obtain employee W-2 information, and file that information for tax fraud purposes.”
“For this reason, we took immediate action to protect your employees by removing access for managers and administrators to individual employee W-2s. We will be releasing an UltiPro update restoring administrator and manager access with an additional level of authentication to validate the identity of the user. This UltiPro update is targeted for Sunday, February 9.”
On Feb. 9, UltiPro told customers that it was restoring access to employee W-2 information, and that managers and payroll administrators trying to access those records would be presented with an eight-digit “security access code request” — a text message delivered to a mobile phone designated by each user. That communication stated that each access code would be valid for only a short time before it expired, and that administrators could view employee W-2s for an hour before being logged out and forced to request another code.
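The step-up control described in that Feb. 9 notice can be modeled as follows. This is an added illustration written for this post, not UltiPro's code (the company declined to describe how its implementation works); the five-minute code lifetime, the `send_sms` transport, the injected clock and the "one wrong guess voids the code" rule are assumptions, and the one-hour window is modeled as an elevated flag that simply lapses rather than a forced logout.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

CODE_DIGITS = 8                    # eight-digit "security access code" from the notice
CODE_TTL_SECONDS = 5 * 60          # assumed: the notice only says codes expire after a "short time"
ELEVATED_TTL_SECONDS = 60 * 60     # one hour of W-2 access before another code is required


@dataclass
class User:
    name: str
    mobile: str                    # the phone designated by this user to receive codes
    pending_code: Optional[str] = None
    code_expires_at: float = 0.0
    elevated_until: float = 0.0


class StepUpGate:
    """Gates manager/administrator access to individual employee W-2 records.

    A valid password session is never enough on its own: the caller must first
    prove possession of the designated phone by returning an unexpired code.
    """

    def __init__(self, send_sms: Callable[[str, str], None], now: Callable[[], float]):
        self.send_sms = send_sms   # hypothetical out-of-band delivery hook
        self.now = now             # clock injected so expiry can be tested deterministically

    def request_code(self, user: User) -> None:
        # CSPRNG, zero-padded to exactly CODE_DIGITS digits, delivered out of band only.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        user.pending_code = code
        user.code_expires_at = self.now() + CODE_TTL_SECONDS
        self.send_sms(user.mobile, f"W-2 access code: {code}")

    def submit_code(self, user: User, code: str) -> bool:
        # Accept only a pending, unexpired code; compare in constant time.
        valid = (user.pending_code is not None
                 and self.now() <= user.code_expires_at
                 and secrets.compare_digest(code, user.pending_code))
        user.pending_code = None   # single use: a wrong guess also voids it (assumed policy)
        if valid:
            user.elevated_until = self.now() + ELEVATED_TTL_SECONDS
        return valid

    def can_view_w2(self, user: User) -> bool:
        # Stolen username/password alone cannot satisfy this check.
        return self.now() < user.elevated_until
```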
UltiPro also told customers that it was instituting new changes to alert administrators via email about any users that modify their contact information:
“If a user changes a primary email address in UltiPro, he/she will receive an email to the previous email address communicating that a change occurred and to contact the administrator if the change was not initiated by him/her,” the company said in a Feb. 10 email to users. “If a user changes a secondary email address, he/she will receive an email to the primary email address with that same message.”
It remains unclear why so many individuals in the healthcare industry have been targeted by tax fraud this year. Last week, I published a story showing that hundreds of physicians in numerous states were just discovering that they’d been victimized by tax fraud, although the pattern of fraud in those cases did not match the attacks against healthcare organizations detailed in this story. As I noted in that piece, the tax fraud committed against individual physicians this year was far more selective, and did not impact other employees at those healthcare organizations.
Earlier this month, the University of Pittsburgh Medical Center confirmed that a data breach thought to affect only a few dozen employees actually revealed the personal information of approximately 27,000 employees — including at least 788 who reported experiencing some form of tax fraud or bank accounts that were wiped clean as a result of the breach. It is unclear how the breach occurred, and UPMC has declined a request for an interview.