Illinois Department of Healthcare and Family Services Breach Incident Score: Analysis & Impact (ILDILD1767327524)

In this Rankiteo incident briefing, we review the Illinois Department of Healthcare and Family Services breach identified under incident ID ILDILD1767327524.

The analysis begins with a detailed overview of Illinois Department of Healthcare and Family Services's information like the linkedin page: https://www.linkedin.com/company/ildhfs, the number of followers: 3890, the industry type: Hospitals and Health Care and the number of employees: 340 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 763 and after the incident was 688 with a difference of -75 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Illinois Department of Healthcare and Family Services and their customers.

Illinois Department of Healthcare and Family Services (HFS) recently reported "Illinois Health Data Breach via Phishing Attack", a noteworthy cybersecurity incident.

Infiltration of an HFS employee email account via malicious emails sent via another hacked government account allowed threat actors to exfiltrate individuals' data, which may have included names, birthdates, driver's license and state ID numbers, and Social Security numbers, a...

The disruption is felt across the environment, affecting Employee email account, and exposing Names, birthdates, driver's license and state ID numbers, Social Security numbers, child support- or Medicaid-related financial details, with nearly 933 records at risk.

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like Malicious link blocking, employee password resets, and stakeholders are being briefed through Data breach notification to affected individuals.

The case underscores how Ongoing, and recommending next steps like Impacted individuals urged to track credit reports and enable fraud alerts to avert potential malicious activity, with advisories going out to stakeholders covering Affected individuals notified and advised to monitor credit reports and enable fraud alerts.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing (T1566) with high confidence (95%), with evidence including phishing attack compromised an employee email account, and sending malicious emails from a previously hacked government account and Valid Accounts: Local Accounts (T1078.003) with moderate to high confidence (80%), with evidence including compromised an employee email account, and hacked government account. Under the Credential Access tactic, the analysis identified Brute Force: Password Guessing (T1110.001) with moderate to high confidence (70%), supported by evidence indicating employee password resets (implied compromise) and Unsecured Credentials: Email Account Credentials (T1552.007) with moderate to high confidence (85%), supported by evidence indicating phishing attack compromised an employee email account. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), with evidence including exfiltration of personal data, and data exfiltration such as Yes. Under the Defense Evasion tactic, the analysis identified Hide Artifacts: Email Hiding Rules (T1564.008) with moderate confidence (60%), supported by evidence indicating malicious emails from a previously hacked government account (implied persistence). These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.