Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cybersecurity Dive reports,
    • “U.S. government officials said critical infrastructure operators should be on alert for Iranian cyberattacks.
    • “In a threat advisory published Monday [June 30], multiple agencies said Iran might target U.S. firms “for near-term cyber operations” due to “the current geopolitical environment” — a reference to the Trump administration joining Israel’s aerial campaign against Iran’s nuclear program and related assets.
    • “Defense contractors, especially firms that have relationships with Israeli companies, are likely at heightened risk of targeting, according to the advisory.”
  • and
    • “The Department of Justice on Monday [June 30] announced a series of actions as part of an investigation into the North Korean government’s deployment of its citizens abroad to pose as IT workers and illicitly earn money for the regime.
    • “Newly unsealed charging documents describe two separate schemes to trick U.S. companies into hiring people who funneled their paychecks to the North Korean government and exploited their access to the companies’ networks to steal sensitive information and cryptocurrency.
    • “Law enforcement officials, who have repeatedly issued alerts about Pyongyang’s IT worker schemes, warned U.S. businesses on Monday to carefully screen their remote employees to avoid falling victim to similar ruses.”
  • Cyberscoop tells us,
    • “The Chinese hackers behind the massive telecommunications sector breach are “largely contained” and “dormant” in the networks, “locked into the location they’re in” and “not actively infiltrating information,” the top FBI cyber official told CyberScoop.
    • “But Brett Leatherman, new leader of the FBI Cyber division, said in a recent interview that doesn’t mean the hackers, known as Salt Typhoon, no longer pose a threat.
    • “While there’s been some debate about whether Salt Typhoon should be getting more attention than fellow Chinese hackers Volt Typhoon — whom federal officials have said are prepositioned in U.S. critical infrastructure, poised for destructive action in the event of a conflict with the United States — Leatherman said the groups aren’t as different as some think.
    • “Salt Typhoon, even though it was [an] espionage campaign, had access to telecommunications infrastructure,” he said. “You can pivot from access in support of espionage to access in support of destructive action.”
  • and
    • “Federal authorities levied sanctions Tuesday on Aeza Group, a bulletproof hosting service provider based in Russia, for allegedly supporting a broad swath of ransomware, malware and infostealer operators.
    • “Aeza Group has provided servers and specialized infrastructure to the Meduza, RedLine and Lumma infostealer operators, BianLian ransomware and BlackSprut, a Russian marketplace for illicit drugs, according to the Treasury Department’s Office of Foreign Assets Control. Lumma infected about 10 million systems before it was dismantled through a coordinated global takedown in May.
    • “The Treasury Department’s action against Aeza Group follows a wave of cybercrime crackdowns across the globe. Prolific cybercriminals have been arrested, and infostealers, malware loaders, counter antivirus and crypting services, cybercrime marketplaces, ransomware infrastructure and DDoS-for-hire operations have all been seized, taken offline or severely disrupted by global coordinated campaigns since May.
    • “Officials accused Aeza Group of helping cybercriminals target U.S. defense companies and technology vendors.”

From the cybersecurity breaches and vulnerabilities front,

  • Cybersecurity Dive informs us,
    • “Australian carrier Qantas said hackers who breached one of its call centers stole a significant quantity of customer data.
    • “The airline said on its website that it detected unusual activity on Monday [June 30] on a third-party platform that one of its call centers used. The airline took immediate action and was able to contain the attack, which it blamed on a criminal hacker.
    • “Qantas said it is investigating the extent of the intrusion but warned that the hackers accessed a “significant” amount of customer data, including names, addresses, phone numbers, dates of birth and frequent-flyer numbers. 
    • “The breach did not compromise any credit card details, personal financial information or passport information, Qantas said, because those are stored in a separate system. The intrusion also did not affect login information for customers’ frequent-flyer accounts.
    • “Qantas said it was working with government authorities, including the Australian Cyber Security Centre and the National Cyber Security Coordinator, as well as independent forensic experts to investigate the breach.
    • “All of Qantas’ systems are now secure and the airline is operating normally, according to the company. It said it was in the process of contacting customers to alert them to the incident.” 
  • Per Security Week,
    • “Missouri healthcare provider Esse Health is notifying over 263,000 people that their personal information was stolen in a disruptive April 2025 cyberattack.
    • “The incident was discovered on April 21 and impacted the organization’s access to the electronic medical record system, while also taking down its phone system.
    • “By May 13, the healthcare provider had restored certain systems and was able to fulfill scheduled appointments or procedures. The phone systems were restored in early June, along with other primary patient-facing network systems, the organization said in an incident notice.
    • “On June 20, Esse Health said its investigation into the attack determined that a threat actor breached its network on April 21 and stole files containing personal information.
    • “The exfiltrated data included names, addresses, dates of birth, Social Security numbers, medical record numbers, patient account numbers, health information, and health insurance details.”
  • and
    • “Benefits and payroll solutions firm Kelly & Associates Insurance Group (dba Kelly Benefits) has informed authorities that a recent data breach impacts more than 550,000 people.
    • “The company revealed in April that hackers had gained access to its systems in December 2024, and an investigation had shown that the threat actor managed to steal files storing personal information.
    • “The incident resulted in the theft of information such as name, date of birth, Social Security number, tax ID number, medical information, health insurance information, and financial account information. 
    • “Kelly Benefits is notifying impacted individuals on behalf of more than 40 affected customers, including Aetna Life Insurance Company, Amergis, Beam Benefits, Beltway Companies, CareFirst, The Guardian Life Insurance Company of America, Fidelity Building Services Group, Intercon Truck of Baltimore, Humana Insurance ACE, Merritt Group, Publishers Circulation Fulfilment, Quantum Real Estate Management, United Healthcare, and Transforming Lives.
    • “Data breach reports submitted by Kelly Benefits to the Maine Attorney General’s Office since early April show that the number of impacted individuals has steadily increased as the company’s investigation progressed.”
  • The Centers for Medicare & Medicaid Services announced on June 30,
    • The Centers for Medicare & Medicaid Services (CMS) is notifying Medicare beneficiaries whose personal information may have been involved in a data incident affecting Medicare.gov accounts. CMS identified suspicious activity related to unauthorized creation of certain beneficiary online accounts using personal information obtained from unknown external sources. CMS takes this situation very seriously. The safeguarding and security of personally identifiable information is of the utmost importance to CMS. 
    • Following detection of the incident, CMS worked quickly to deactivate affected accounts, assess the scope and impact of the compromise, and mitigate the effects on impacted individuals. CMS is working closely with appropriate parties to investigate this situation.
    • Approximately 103,000 beneficiaries may have been impacted. Notifications to affected individuals are being mailed, informing them of the incident, outlining steps being taken to protect their information, and providing guidance on actions they may wish to take. 
  • The Cybersecurity and Infrastructure Security Agency added five known exploited vulnerabilities to its catalog this week.
  • Dark Reading warns
    • “While browser extensions add useful functionality to Web browsers, such as blocking ads, managing passwords, and taking notes, they also increase the organization’s security and privacy risks.
    • “Browser extensions require certain levels of permissions that are attractive to attackers. Some extensions need access to the user’s location, browsing history, or the user’s clipboard to see what data the user has copied. Some extensions go further, requesting access to nearly all of the data stored on the user’s computer as well as the data accessed while visiting different websites. Attackers can exploit extensions with these heightened permissions to access potentially sensitive information, such as Web traffic, saved credentials, and session cookies.
    • “Even extensions with relatively modest permissions can manipulate those permissions to obtain access to the inner workings of every Web page displayed on a user’s screen, warns LayerX CEO and co-founder Or Eshed. LayerX research shows that 53% of enterprise users have installed extensions labeled with “high” or “critical” permissions scope. This is why browser extensions are a prime avenue for exploitation by threat actors, he adds.  
    • “[Attackers] can use it to copy or rewrite data or exploit Web page permissions for even more access,” Eshed says.”
  • Security Week adds,
    • A vulnerability in the Forminator WordPress plugin could allow attackers to take over more than 400,000 impacted websites.
    • A popular form builder plugin with more than 600,000 active installations, Forminator supports the creation of various types of forms, including contact and payment forms, polls, and more.
    • The WordPress plugin was found vulnerable to CVE-2025-6463 (CVSS score of 8.8), an arbitrary file deletion flaw that exists because file paths are not sufficiently validated in a function used to delete a form submission’s uploaded files.
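The Forminator item above describes a file-deletion flaw caused by insufficient validation of file paths. The block below is an added illustration of the general defensive pattern (canonicalize the requested path and confirm it stays inside the uploads directory before deleting); it is constructed for this page in Python, is not the plugin’s code, and does not describe the actual CVE-2025-6463 code path. The directory layout, file names (`form-42.pdf`, `wp-config.php`) and the `delete_submission_file_unsafe` “before” pattern are all assumptions built for the demo.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested deletion would leave the uploads directory."""


def resolve_upload_path(uploads_root: str, requested: str) -> str:
    """Canonicalize `requested` and confirm it lies inside `uploads_root`.

    Returns the absolute, symlink-resolved path or raises UnsafePathError.
    Both the root and the candidate go through realpath so that '..'
    segments and symlinks cannot be used to step outside the root.
    """
    root = os.path.realpath(uploads_root)
    # A submission record should only ever hold a filename or a path
    # relative to the uploads directory, so absolute input is rejected.
    if os.path.isabs(requested):
        raise UnsafePathError(f"absolute path rejected: {requested!r}")
    candidate = os.path.realpath(os.path.join(root, requested))
    # commonpath (not startswith) avoids prefix confusion such as
    # /site/uploads matching /site/uploads2; the root itself is never a target.
    if os.path.commonpath([root, candidate]) != root or candidate == root:
        raise UnsafePathError(f"path escapes uploads root: {requested!r}")
    return candidate


def delete_submission_file_unsafe(uploads_root: str, requested: str) -> bool:
    """'Before' pattern (constructed): join and delete with no confinement check."""
    target = os.path.join(uploads_root, requested)
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def delete_submission_file(uploads_root: str, requested: str) -> bool:
    """Hardened deletion: only regular files inside uploads_root can be removed."""
    target = resolve_upload_path(uploads_root, requested)
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def demo() -> dict:
    """Build a throwaway layout (constructed) and record how each version behaves."""
    base = tempfile.mkdtemp()
    uploads = os.path.join(base, "uploads")
    os.makedirs(uploads)
    Path(uploads, "form-42.pdf").write_text("submission attachment")
    Path(base, "wp-config.php").write_text("<?php // constructed placeholder")
    results = {}
    # A legitimate submission attachment is removed by the hardened version.
    results["legit"] = delete_submission_file(uploads, "form-42.pdf")
    # A traversal-style request is refused and the file outside the root survives.
    try:
        delete_submission_file(uploads, "../wp-config.php")
        results["traversal_blocked"] = False
    except UnsafePathError:
        results["traversal_blocked"] = True
    results["config_survives"] = os.path.exists(os.path.join(base, "wp-config.php"))
    # The unchecked version removes the same file, which is the flaw class at issue.
    results["unsafe_deleted_config"] = delete_submission_file_unsafe(uploads, "../wp-config.php")
    return results


if __name__ == "__main__":
    print(demo())
```

The key design choice is resolving both ends with `realpath` and comparing with `commonpath` rather than checking a string prefix; the latter is defeated by sibling directories sharing a prefix and by symlinks inside the uploads tree.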

From the ransomware front,

  • Bleeping Computer reports,
    • “The Hunters International Ransomware-as-a-Service (RaaS) operation announced today that it has officially closed down its operations and will offer free decryptors to help victims recover their data without paying a ransom.
    • “After careful consideration and in light of recent developments, we have decided to close the Hunters International project. This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with,” the cybercrime gang says in a statement published on its dark web leak earlier today.
    • “As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software to all companies that have been impacted by our ransomware. Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms.” * * *
    • “Threat intelligence firm Group-IB also revealed in April that Hunters International was rebranding with plans to focus on data theft and extortion-only attacks and had launched a new extortion-only operation known as “World Leaks.”
  • Security Week advises,
    • The key tool for surviving ransomware, or any attack scenario, is an IR plan. But an IR plan is only worthwhile if it’s comprehensive, current, and tested. IR plans are not “best practices”, nor singular documents stored in a safe place. They are living resources that require attention and maintenance. In this way, the proof of an IR plan’s efficacy is in that organizational muscle memory – most effectively trained through Tabletop exercises. So, what are the primary “muscles,” and the repetitive “exercises” in which you can train an organization to respond decisively, immediately, confidently, and automatically?”
      • Plan your workout
      • Warm up
      • Train, recover, repeat
      • Measure your gains 

From the cybersecurity defenses and business front,

  • Withum offers guidance on how to align your firm’s cybersecurity practices with Labor Department best practices for ERISA plan fiduciaries.
  • Per Security Week,
    • Cloudflare has reversed its block on AI-crawling from optional to default, allowing finer grained crawling but only with agreement from all parties concerned.
    • LLMs are what they learn. From their inception the biggest source of learning has been the internet, so there has been a natural tendency for AI developers to scrape the internet as widely as possible.
    • Cloudflare has now introduced an option for their customers to accept or reject website scraping by AI vendors. Hitherto, internet scraping has been a major part of gathering training data for large LLM (gen-AI) developers; but the process has raised questions and objections over legality, copyright infringement, and accuracy.
  • Dark Reading lets us know,
    • “How businesses can align cyber defenses with real threats. Companies that understand the motivations of their attackers and position themselves ahead of the competition will be in the best place to protect their business operations, brand reputation, and their bottom line.”
  • and
    • “One year after a buggy CrowdStrike update knocked IT systems offline, organizations seeking to strike the right balance between security and productivity have viewed the incident as a learning opportunity.
    • “The cost of the CrowdStrike outage was estimated at $5.4 billion, affecting payment systems, airline reservations, and a variety of other industries. The impact of the outage highlights why many operational technology (OT) teams are as sensitive to patches and other updates in their critical infrastructure, as they are highly averse to outages that can happen if such updates are defective.
    • “But when balancing security and productivity, it is imperative not to view the CrowdStrike outage as a reason to forgo patching completely. The ever-growing volume of vulnerabilities and threats requires organizations to remain resilient and anti-fragile — that is, to have the ability to proactively respond to issues and continuously improve.”
  • Per Security Week,
    • “LevelBlue announced on Tuesday [July 1] that it’s acquiring managed detection and response (MDR) services company Trustwave from The Chertoff Group’s MC² Security Fund.
    • LevelBlue, formerly known as AT&T Cybersecurity, was launched in May 2024 as a joint venture between WillJam Ventures and AT&T. 
    • “The company’s acquisition of Trustwave comes shortly after it announced plans to buy Aon’s cybersecurity consulting business. The deals are part of a plan to become the largest pure-play managed security services provider (MSSP). 
    • “Once the acquisition has been completed, LevelBlue’s expertise in strategic risk management and cybersecurity infrastructure will be integrated with Trustwave’s platform and MDR service.”
  • Here’s a link to Dark Reading’s CISO Corner.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Federal News Network reports,
    • “House appropriators have advanced a homeland security spending bill that endorses many of the Trump administration’s budget proposals, while rejecting steep cuts to cybersecurity and artificial intelligence personnel.
    • “The fiscal 2026 homeland security appropriations measure includes $66.36 billion in discretionary spending. The GOP-led committee passed the bill Tuesday [June 24, 2025] on a 36-27 vote.
    • “The bill follows the broad contours of Trump administration policies by prioritizing funding for Customs and Border Protection and Immigration and Customs Enforcement. Appropriators are also expecting significant funding for the Department of Homeland Security to be included in the budget reconciliation bill.”
  • Cyberscoop tells us,
    • “With time running short before expiration of a cyber information-sharing law highly valued by the private sector, Congress is taking a look at the possibility of a short-term extension.
    • “The 2015 Cybersecurity Information Sharing Act, which provided legal safeguards for companies to share threat data, is due to sunset at the end of September, and Congress doesn’t tend to work much in August.
    • “A bipartisan pair of senators have introduced a bill to simply extend it for another 10 years. But a House bill is still in the works and might take a different approach that involves making changes to the law going forward, industry officials told CyberScoop on Wednesday. Getting competing proposals through both chambers, then settling differences and finalizing a bill to get to the president’s desk, could take significant time.
    • “There are other things that are being considered in the mix,” said John Miller, senior vice president of policy for trust, data and technology and general counsel at the Information Technology Industry Council. One would be attaching language to a continuing resolution funding measure that would extend the 2015 law for a short period of time.”
  • Cybersecurity Dive informs us,
    • “Federal officials and private-sector security leaders said Tuesday [June 24, 2025] that they are closely monitoring for cyberattacks related to the Iran conflict but thus far have not observed any significant activity. 
    • The Department of Homeland Security warned Sunday that Iran-linked actors or hacktivist groups may launch attacks against U.S. critical infrastructure operators, citing a recent history of attacks against poorly configured water utilities and other systems. 
    • “An apparent truce announced late Monday by President Donald Trump appeared to lower international tensions, but officials remain on guard for any potential threat activity.
    • “The Cybersecurity and Infrastructure Security Agency (CISA) “is actively coordinating with government, industry, and international partners to share actionable intelligence and strengthen collective defense,” CISA spokesperson Marci McCarthy said in a statement. “There are currently no specific credible threats against the homeland.”
  • NextGov/FCW notes,
    • “Morgan Adamski is leaving her role as executive director of U.S. Cyber Command, handing the reins to Patrick Ware.
    • “After 17 years of service at the National Security Agency, I’ve decided to turn the page to an exciting new chapter in my career. It has been an extraordinary journey contributing to the defense of our Nation and advancing the cybersecurity mission across the U.S. Government,” Adamski wrote in a LinkedIn post Friday [June 27, 2025].
    • “The number three spot in the combatant command is typically held by a civilian on detail from the National Security Agency.
    • “Though Adamski did not clarify where she would be headed next, she noted her commitment to ensuring there were cyber solutions on “both sides of the fence.”
  • CISA and the National Security Agency have released a report titled “Memory Safe Languages: Reducing Vulnerabilities in Modern Software Development.”
  • Per Cyberscoop,
    • Kai West, a prolific cybercriminal better known for operating under the moniker “IntelBroker,” was arrested in France earlier this year and faces federal charges for allegedly stealing data from more than 40 organizations during a two-year period, the Justice Department said Wednesday [June 25, 2025]. 
    • Federal prosecutors unsealed a four-count indictment charging West, a British national, with conspiracy to commit computer intrusions, accessing a protected computer to obtain information and wire fraud. The United States is seeking his extradition for the charges, which each carry maximum sentences of five to 20 years in prison. 

From the cybersecurity breaches and vulnerabilities front,

  • Beckers Health IT identifies the top ten states for healthcare data breaches between February 2023 and April 2025.
  • CISA added three known exploited vulnerabilities to its catalog this week.
    • June 25, 2025
      • CVE-2024-54085 AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability
        • Network World discusses this KEV here.
      • CVE-2024-0769 D-Link DIR-859 Router Path Traversal Vulnerability
        • Cybersecurity News discusses this KEV here.
      • CVE-2019-6693 Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability
        • Cybersecurity News discusses this KEV here.
  • Cyberscoop reports,
    • Citrix on Wednesday [June 25, 2025] disclosed an actively exploited zero-day vulnerability affecting multiple versions of NetScaler products, an alarming development from a vendor that’s been widely targeted in previous attack sprees.
    • The zero-day (CVE-2025-6543) was disclosed by Citrix nine days after it issued a security bulletin for a pair of defects (CVE-2025-5777 and CVE-2025-5349) in the same products. All three vulnerabilities affect the company’s networking security appliance NetScaler ADC and its virtual private network NetScaler Gateway. 
    • “Exploits of CVE-2025-6543 on unmitigated appliances have been observed,” Citrix said in a security bulletin for the zero-day. Citrix did not respond to a request for comment. 
    • Citrix described the critical zero-day CVE-2025-6543, which has a base score of 9.2 on the CVSS scale, as a memory overflow defect that attackers can exploit for unintended control flow and denial of service. Exploitation can only occur if targeted NetScaler instances are configured as a gateway or an authentication, authorization and accounting (AAA) virtual server, according to Citrix.”
  • and
    • “The aviation industry has seemingly become the latest target of Scattered Spider, a sophisticated cybercriminal group that has shifted its focus from retail and insurance companies to airlines in what cybersecurity experts describe as a coordinated campaign against the sector.
    • “Hawaiian Airlines disclosed a cybersecurity incident Friday [June 27, 2025] affecting some of its IT systems while maintaining that flights continued operating safely and on schedule. The attack, first detected June 23, according to SEC filings, prompted the airline to engage federal authorities and cybersecurity experts for investigation and remediation efforts.
    • “Multiple incident responders have attributed the Hawaiian Airlines attack to Scattered Spider, also known as Muddled Libra or UNC3944. The assessment comes as cybersecurity firms Unit 42 and Mandiant issued warnings about the group’s apparent pivot to targeting aviation companies.
    • “Charles Carmakal, chief technology officer at Mandiant Consulting – Google Cloud, confirmed his company is “aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider.” The group has demonstrated a pattern of focusing intensively on single industries before moving to new sectors.”
  • Per Hacker News,
    • “Unknown threat actors have been distributing a trojanized version of SonicWall’s SSL VPN NetExtender application to steal credentials from unsuspecting users who may have installed it.
    • “NetExtender enables remote users to securely connect and run applications on the company network,” SonicWall researcher Sravan Ganachari said. “Users can upload and download files, access network drives, and use other resources as if they were on the local network.”
    • “The malicious payload delivered via the rogue VPN software has been code named SilentRoute by Microsoft, which detected the campaign along with the network security company.” * * *
    • “The development comes as G DATA detailed a threat activity cluster dubbed EvilConwi that involves bad actors abusing ConnectWise to embed malicious code using a technique called authenticode stuffing without invalidating the digital signature.
    • “The German cybersecurity company said it has observed a spike in attacks using this technique since March 2025. The infection chains primarily leverage phishing emails as an initial access vector or through bogus sites advertised as artificial intelligence (AI) tools on Facebook.”

From the ransomware front,

  • Bleeping Computer notes,
    • “Ahold Delhaize, one of the world’s largest food retail chains, is notifying over 2.2 million individuals that their personal, financial, and health information was stolen in a November ransomware attack that impacted its U.S. systems.
    • “The multinational retailer and wholesale company operates over 9,400 local stores across Europe, the United States, and Indonesia, employing more than 393,000 people and serving approximately 60 million customers each week in-store and online.” * * *
    • “In a Thursday filing with Maine’s Attorney General, the retail giant revealed that the attackers behind the November breach stole the data of 2,242,521 individuals after gaining access to the company’s internal U.S. business systems on November 6, 2024.”
  • Michigan Health Watch adds,
  • Dark Reading reports,
    • “A newly discovered ransomware group dubbed “Dire Wolf” has already taken a bite out of 16 organizations globally since its emergence only last month, mainly across the technology and manufacturing sectors, researchers have found.
    • “The group uses a double extortion tactic with a monthlong turnaround time for paying ransom, and deploys custom encryptors tailored to specific victims, security firm Trustwave revealed in a blog post published June 24. Researchers from Trustwave SpiderLabs recently uncovered and observed a ransomware sample from the emerging threat group and gained insights on how it operates, they said.
    • “So far, the group’s victims have spanned 11 countries, with the US and Thailand reporting the highest numbers of attacks, followed by Taiwan. So far, five of the 16 victims listed on the group’s data leak site have data scheduled to be uploaded by the end of June, presumably because they didn’t pay the ransom, according to the post.”
  • Per Cybersecurity Dive,
    • “Only half of ransomware attacks on organizations this year have involved data encryption, once the attack’s defining feature, according to a Sophos report published on Tuesday [June 24, 2025].
    • “Both the average ransom demand and average ransom payment have dropped significantly over the past year (by 34% and 50%, respectively).
    • “Less than a third of respondents in the survey who paid a ransom said the amount matched the attackers’ initial demand, with 53% of victims paying less and 18% paying more.”

From the cybersecurity defenses front,

  • Cyberscoop reports,
    • “When a faulty software update from cybersecurity firm CrowdStrike last year caused possibly the largest IT outage in history, Microsoft ended up taking much of the blame.
    • “CrowdStrike’s Falcon endpoint detection and response was on millions of Windows devices worldwide, and like most antivirus products that need broad access to different systems to do their job, the software had direct access to the Windows kernel.
    • “When CrowdStrike’s update crashed, so did millions of Windows-powered systems and devices around the world. A series of security announcements by Microsoft on Thursday [June 26, 2025] are designed to reduce the possibility of future third-party outages and other security threats that can take an organization’s IT out of commission for extended durations.
    • “Among those changes: antivirus software like the kind installed by CrowdStrike and other third-party cybersecurity will no longer have direct access to the Windows kernel. The company will be previewing a new endpoint security platform to vendors next month that requires security updates to go through layers of testing and review before they ship to Windows devices and systems worldwide.”
  • Per Cybersecurity Dive,
    • “Cybersecurity insurance premiums declined 2.3% year over year to roughly $7.1 billion in 2024, according to a new report released on Monday [June 23, 2025] by credit rating agency AM Best.
    • “Meanwhile, cyber insurance providers’ loss ratio — the proportion of premiums they use to pay out claims — remained below 50%, indicating that the market remains profitable.
    • “AM Best offered several possible explanations for the slight premium decline.”
  • and
    • “Two reports — one that KPMG released on Thursday and one that Thales released last month — illustrate how generative AI is raising security concerns for business leaders.
    • “Business leaders surveyed by KPMG reported prioritizing security oversight in their generative AI budgeting decisions, with 67% saying they plan to spend money on cyber and data security protections for their AI models. Fifty-two percent cited risk and compliance as a budgetary priority.
    • “Those spending decisions reflect corporate executives’ growing worries about AI security.” * * *
  • WEDI is offering a free healthcare cybersecurity webinar on June 15, 2025, at 1:00 pm ET.
  • The ISACA Blog considers Proactive Approaches to Identify Cyberthreats.
  • Here is a link to Dark Reading’s CISO Corner.

Midweek report

From Washington, DC,

  • The Wall Street Journal reports,
    • “Senate Republican leaders kept pressing the gas pedal Wednesday to get their “one big, beautiful bill” passed by this weekend, even while hundreds of billions of dollars in crucial decisions are being negotiated, key senators are holding out, and some House lawmakers are crying foul.
    • “President Trump wants the legislation on his desk by July 4, and Republicans hope the megabill’s perceived inevitability overcomes any momentary implausibility. Senators aim to start votes as soon as Friday on the legislation, which would cut taxes, reduce spending on Medicaid and nutrition assistance, and boost spending on border security and national defense. The House could send the bill to Trump early next week. 
    • “For now, there aren’t enough votes for a bill that isn’t finished yet. 
    • “It is this mysterious process of trying to be able to move specific ideas through 53 other people and trying to be able to get ideas and opinions,” said Sen. James Lankford (R., Okla.). “And where do people land? It’s a moving target.”
    • “Senators aren’t quite ready to vote, and they expect to change the legislation in the days ahead. Several senators, including Josh Hawley (R., Mo.) and Dan Sullivan (R., Alaska), said they want to be able to review the whole bill before taking the first procedural step—a vote to open debate. 
    • “Our guys are all going to keep advocating for what they want, till the final minute, till we pass it,” said Sen. John Hoeven (R., N.D.) “That’s how it works.” 
  • and
    • “Health Secretary Robert F. Kennedy Jr.’s new panel of vaccine advisers will re-evaluate the recommended schedule for vaccines for children and teenagers, including for measles and hepatitis B, its new chairman said Wednesday.
    • “The new slate of advisers met for the first time Wednesday in Atlanta, kicking off a two-day meeting with an agenda partially set by political appointees. Meanwhile, on Capitol Hill, the nominee to lead the Centers for Disease Control and Prevention, Susan Monarez, told senators she believes vaccines save lives and there is no causal link between vaccines and autism.” * * *
    • “Monarez, if confirmed, would have the power to decide whether or not to adopt ACIP recommendations. Asked if she agreed with Kennedy’s decision to remove all members of the previous committee, Monarez responded “that the secretary had to make a decision related to ensuring that the ACIP could be supportive of restoring public trust in decision-making.”
    • “The vaccine advisory panel is set Thursday to hear a presentation on thimerosal, a preservative that antivaccine activists have often blamed for autism, from Lyn Redwood, a nurse practitioner who is president emerita of Children’s Health Defense, an antivaccine nonprofit previously helmed by Kennedy. Antivaccine activists have long claimed that thimerosal causes autism. Rates of the disorder have continued to climb even after thimerosal was removed from most vaccines in the early 2000s.”
  • Beckers Health IT tells us,
    • “Health and Human Services Secretary Robert F. Kennedy Jr. says he wants every American using a wearable health device within four years, Politico reported June 24.
    • “Speaking during a June 24 hearing of the House Energy and Commerce Health Subcommittee, Mr. Kennedy said the department is preparing “one of the biggest advertising campaigns in HHS history” to promote wearable technology.
    • “The devices are central to Mr. Kennedy’s “Make America Healthy Again” initiative. He told lawmakers that wearables give people a way to “take control of their own health.”
  • Govexec fills us in on what happened at yesterday’s House Oversight and Government Reform Subcommittee on Government Operations hearing titled “The Route Forward for the U.S. Postal Service: A View from Stakeholders.”
  • The American Hospital Association News informs us,
    • “The Administration for Strategic Preparedness and Response June 25 announced it conducted an exercise transporting simulated patients with high-consequence infectious diseases in a new portable biocontainment unit from Toronto to U.S. hospitals in the northeast and southeast. The hospitals are all Regional Emerging Special Pathogen Treatment Centers for highly infectious diseases. ASPR said the biocontainment unit is the first domestic resource for isolating and transporting patients with high-consequence infectious diseases, such as Ebola, across long distances to RESPTCs. The unit can be transported by air or by ground.”
  • CMS called attention to its Medicare website explaining how to get medical assistance in a disaster or emergency.

From the state and local government front,

  • Politico lets us know,
    • New York City Mayor Eric Adams announced [June 22] he will not move forward with a contentious effort to cut costs by shifting retired city workers to a Medicare Advantage plan, bringing a sudden end to a four-year saga.
    • “We have heard concerns from retirees about these potential changes at numerous older adult town halls and public events, and our administration remains focused on ensuring that New York City remains an affordable place to live,” Adams said in a statement Friday.
    • Just two days earlier, the state Court of Appeals ruled in City Hall’s favor in a lawsuit over the Medicare Advantage transition, handing Adams a rare win in the long legal battle to implement a plan he inherited from former Mayor Bill de Blasio.

From the Food and Drug Administration front,

  • STAT News reports,
    • Outgoing Food and Drug Administration regulator Jacqueline Corrigan-Curay acknowledged to staff [June 24] that much is still in flux at the agency, weeks before she retires.
    • “We are leaner and therefore we have to find ways to be efficient and do things in new ways,” she told staff, according to a recording of a town hall meeting obtained by STAT. 
    • She did not say who will be the next leader of the Center for Drug Evaluation and Research once she retires next month. Her retirement is the latest in a series of departures of senior officials at the FDA, who have either chosen to take early retirements, left for other jobs, or been forced out by political appointees.
    • “CDER has filled one leadership position, though. At the meeting, Corrigan-Curay introduced staff to the new deputy director of CDER, Mike Davis. Davis, a psychiatrist and pharmacologist, was most recently chief medical officer at the Usona Institute, a nonprofit organization developing psychedelic drugs for the treatment of depression and PTSD. He previously spent six years at the FDA as a clinical team leader in the psychiatry division.” 
  • Per BioPharma Dive,
    • “The Food and Drug Administration is investigating two deaths among [over 900] patients treated with Sarepta Therapeutics’ gene therapy Elevidys for Duchenne muscular dystrophy. Both patients died this year of acute liver failure after receiving Elevidys, with the second case reported earlier this month. The FDA said their deaths appear to be related to treatment and that it will evaluate “the need for further regulatory action.”
  • Per MedPage Today,
    • “The FDA said Wednesday it has expanded existing warnings on the two leading COVID-19 vaccines about a rare heart side effect mainly seen in young men.
    • “Myocarditis, a type of heart inflammation that is usually mild, emerged as a complication after the first shots became widely available in 2021. Prescribing information from both Pfizer and Moderna already advises doctors about the issue.
    • “In April, the FDA sent letters to both drugmakers asking them to update and expand the warnings to add more detail about the problem and to cover a larger group of patients. While the FDA can mandate label changes, the process is often more of a negotiation with companies.”

From the public health and medical research front,

  • The American Hospital Association News tells us,
    • “A study published June 25 by the Journal of the American Heart Association found that heart disease death rates fell 66% from 1970 to 2022. Deaths from heart attacks decreased 89% in that time span. The study attributed the declines to advancements in intervention and prevention efforts. Meanwhile, deaths from other types of heart disease, including arrhythmia, heart failure and hypertensive heart disease, increased by 81% during the same period. The study said the rising prevalence of obesity, diabetes, hypertension and physical inactivity have contributed to those causes.”
  • Cardiovascular Business adds,
    • “A team of surgeons with Baylor St. Luke’s Medical Center in Houston has made history, performing what is believed to be the first fully robotic heart transplant in the United States. 
    • “The procedure occurred in March 2025. Kenneth K. Liao, MD, PhD, chief of cardiothoracic transplantation and circulatory support at Baylor College of Medicine and chief of cardiothoracic transplantation and mechanical circulatory support at Baylor St. Luke’s Medical Center, and colleagues completed the transplant using an advanced Da Vinci surgical system. 
    • “The patient’s chest did not need to be opened at all for the procedure—everything was done through small incisions.
    • “Opening the chest and spreading the breastbone can affect wound healing and delay rehabilitation and prolong the patient’s recovery, especially in heart transplant patients who take immunosuppressants,” Liao explained in a statement. “With the robotic approach, we preserve the integrity of the chest wall, which reduces the risk of infection and helps with early mobility, respiratory function and overall recovery.”
    • “The patient in question was a 45-year-old male who had been hospitalized with advanced heart failure for four months. He was discharged after being observed in the hospital for a month. There have been no complications.”
  • Per Medscape,
    • “The investigational non-peptide small-molecule oral GLP-1 agonist orforglipron significantly reduced A1c over 40 weeks in adults with early type 2 diabetes, according to the results of ACHIEVE-1 sponsored by Eli Lilly. 
    • “In the trial, orforglipron reduced A1c to the 6.5% range and produced clinically meaningful weight loss with a safety profile similar to that of other GLP-1 drugs. ACHIEVE-1 is the first of seven phase 3 studies of the safety and efficacy of the drug in over 6000 patients with type 2 diabetes and obesity.
    • “Orforglipron and other similar non-peptide small molecules “have the potential to be widely accepted as a much earlier therapy for type 2 diabetes,” Julio Rosenstock, MD, senior scientific advisor for Velocity Clinical Research and clinical professor of medicine at the University of Texas Southwestern Medical Center, Dallas, said at a press briefing here at the American Diabetes Association (ADA) 85th Scientific Sessions. The findings were simultaneously published in the New England Journal of Medicine.”
  • STAT News relates,
    • “A study tracking nearly 250,000 Swedish people using ADHD medication for 14 years found that these treatments can reduce risks of traffic crashes, injuries, and criminal behavior — and that conclusion remained true even as more girls, women, and adult men received a diagnosis.
    • “I wish we had access to this kind of data for the U.S.,” said Ryan Sultan, who was not part of the study and is a psychiatrist and professor at Columbia University Irving Medical Center where he specializes in ADHD. “Being able to follow them from birth means that their data is really, really powerful.”
    • “The study arrives as providers in the United States contend with twin realities: ADHD medication prescriptions are skyrocketing — largely thanks to telehealth and diminishing stigma — while medication shortages are imperiling people’s access to these critical treatments. Scientists are also learning more about how the condition interacts with other variables, such as how menstrual periods can affect symptoms and treatment. 
    • “We’re in a moment in U.S. society where … everyone and their grandmother are asking whether they have ADHD or not,” said Sultan. “It’s really interesting to be thinking about, when we’re expanding [access], who are we actually expanding it to, and who are we actually treating?”
  • Medical Economics points out,
    • “According to Dexcom’s 2025 State of Type 2 Report, most U.S. physicians now consider continuous glucose monitoring (CGM) one of the most impactful interventions for managing type 2 diabetes, surpassing even medications and lifestyle counseling in future importance.
    • “The findings are based on a national survey of 310 adults with type 2 diabetes and 111 U.S. health care professionals (HCPs), including primary care physicians, nurse educators and diabetes specialists.
    • “CGM adoption remains relatively low among patients — just 16% of U.S. adults with type 2 diabetes currently use the technology — but satisfaction among users is high. The vast majority report improved quality of life, reduced stress and better engagement with their glucose data. Physicians, meanwhile, see CGM as a key solution to longstanding pain points, including poor adherence, low health literacy and difficulty tracking glucose fluctuations outside clinic visits.
    • “The report highlights a disconnect between CGM’s perceived value and its real-world accessibility. Most patients cite cost or insurance coverage as the top reason for not trying it. Most physicians say they lack the tools to educate patients on its benefits. And nearly three-quarters of people with type 2 diabetes say they need better understanding of how diabetes technology can help them manage their condition.”
  • Per the American Journal of Managed Care,
    • The use of pre-exposure prophylaxis (PrEP) for prevention of HIV has helped to curb the spread of the virus nationally. Knowing how much PrEP is needed in certain areas can help to more specifically target vulnerable populations who need it more.
    • A model was developed that could estimate the need for PrEP, according to a study published in Annals of Epidemiology. Public health authorities can use this information to monitor progress and establish resource allocation.

From the U.S. healthcare business front,

  • Modern Healthcare reports,
    • “U.S. households, businesses and governments will spend $8.6 trillion on healthcare in 2033, when the sector will comprise just over one-fifth of gross domestic product, according to a federal report issued Wednesday.
    • “The Centers for Medicare and Medicaid Services Office of the Actuary attributes its forecast to factors such as a rapidly aging population and high demand for healthcare. The independent CMS division published its analysis in the journal Health Affairs.
    • “National health expenditures will increase 5.8% a year on average from 2024 to 2033, the actuaries predict. The healthcare spending trend is expected to continue outpacing economic growth, which the office projects will average 4.3% annually over the coming decade.”
  • Fierce Healthcare adds,
    • “In an uncertain policy and macroeconomic environment, healthcare finance leaders are concerned about what the future holds, a new report showed.
    • “Analysts at Deloitte surveyed 64 finance leaders, split evenly between executives from health systems and insurers, to capture what they view as the biggest challenges and opportunities coming down the pike. Most (84%) of those surveyed said they are worried about business conditions given the cloudy policy outlook, economic concerns and potential disruptions from tariffs and the supply chain.
    • “Over the past several years, workforce challenges, cost reductions and cybersecurity have all been top concerns for finance leaders in healthcare. However, this year’s survey found external factors taking on a much greater role.”
    • “Internal concerns like workforce challenges, cost reduction, and cybersecurity—once top priorities for healthcare chief financial officers in our previous surveys—seem to have become less urgent amid rising external factors, according to survey respondents,” the researchers said.”
  • Per a press release,
    • “Optum is accelerating the adoption of artificial intelligence (AI) for health care technology companies, providers and payers with the launch of the Optum AI Marketplace. The new marketplace is the only health care-specific AI digital platform of its kind, built by health care developers to simplify AI integration across clinical and administrative systems.
    • “Many emerging health care organizations want to modernize their systems but don’t have the time, resources, or infrastructure to build AI solutions on their own. The new marketplace addresses these gaps by offering a centralized, health care-specific ecosystem of curated solutions and APIs that are ready to implement, helping organizations streamline operations, reduce integration costs, and scale AI adoption.
    • “Optum brings decades of health care expertise and advanced data infrastructure to the AI Marketplace. This foundation ensures the platform is built for real-world health care needs and supports faster, more effective AI and API implementation. With more than 1.4 billion API transactions each year, the marketplace powers real-time insights and seamless integrations across the health care landscape.” * * *
    • Discover more at Optum AI Marketplace.
  • Per Beckers Hospital Review,
    • Overall demand for healthcare services is poised to continue its significant growth across various service lines over the next decade, with outpatient care expected to experience the highest growth rate and inpatient services seeing more moderate increases, according to Sg2’s 2025 Impact of Change Forecast published in June.
    • Sg2’s forecasting model integrates a broad range of factors, including national data, institutional data, and market trends. National population changes, epidemiological shifts, economic influences, policy developments and advances in technology were considered in the projections.
    • Sg2 used data from the HCUP National Inpatient Sample and CMS Limited Data Sets, alongside its own analysis of healthcare usage trends.
  • Per Beckers Payer Issues,
    • “Medicare Advantage enrollees experience longer hospital stays before being discharged to post-acute care settings compared to individuals enrolled in traditional Medicare, according to a June 2025 analysis by NORC at the University of Chicago.
    • “The analysis was commissioned by the Coalition to Strengthen America’s Healthcare, a group of more than 5,000 hospitals, businesses and hospital associations that includes the AHA and FAH. 
    • “The researchers found that while hospital discharges overall declined over the five-year study period, discharges to post-acute settings increased for MA enrollees and decreased slightly for traditional Medicare enrollees. At the same time, MA enrollees had longer hospital stays prior to post-acute discharge, with the gap widening over time.
    • “While the data is age-adjusted, the study did not control for clinical or demographic differences that could affect length of stay or discharge destination. Future research is recommended using tools like HCC risk scores and claims-based frailty index to better isolate coverage-related effects.”

Weekend update

From Washington, DC,

  • Per a Senate news release,
    • “Senate Finance Committee Chairman Mike Crapo (R-Idaho) today [June 22] released the Joint Committee on Taxation’s (JCT) revenue estimate of the Finance Committee’s tax title [of the budget reconciliation bill], which shows that under a current policy baseline, the legislation has a net revenue impact of $442 billion.
    • “Washington has a spending problem, not a tax problem. Extending the Trump tax cuts prevents a $4 trillion tax increase—this is not a change in current tax policy or tax revenue. This score more accurately reflects reality by measuring the effects of tax policy changes relative to the status quo.”
  • Roll Call discusses expected Congressional activities on Capitol Hill this week.
    • “The budget reconciliation package continues to dominate the agenda in Congress this week, as lawmakers are also expected to debate President Donald Trump’s weekend military strikes against Iranian nuclear targets.
    • “An all-senators briefing on the situation with Iran is slated for Tuesday afternoon, and a war powers resolution from Sen. Tim Kaine, D-Va., could see quick floor action. Kaine wants senators on the record on whether the United States should engage in hostilities against Iran.
    • “While a Senate aide said the measure does not formally ripen for expedited consideration until the end of the week, Republicans may seek to clear it from the decks earlier in the week in order to get their sweeping budget reconciliation package on the floor.” * * *
    • “The House, meanwhile, returns from a Juneteenth recess poised to begin floor debate on fiscal 2026 appropriations, while waiting for the Senate to amend and send back the budget reconciliation package.”
  • The Supreme Court will be releasing more opinions on Thursday June 26 and likely also Friday June 27.
  • Per MedPage Today,
    • “Updated Dietary Guidelines for Americans, which could be released as early as this month, will drop a long-standing recommendation to limit alcohol consumption to one or two drinks per day, Reuters reported this week, citing three sources familiar with the matter.
    • It’s “surprising, especially given what we now understand about how alcohol impacts health,” Lindsay Malone, MS, a registered dietitian nutritionist at Case Western Reserve University in Cleveland, told MedPage Today by email.
    • “In the absence of clear guidance, people are left wondering: how much, if any, is actually safe and healthy?” she said. “I don’t see any upside to this.”
    • “The guidelines will likely still include a brief statement that encourages drinking in moderation or limiting intake due to associated health risks, Reuters’ sources said.”

From the public health and medical research front,

  • Fortune Well reports,
    • “Millions more Americans should be taking weight-loss drugs to prevent heart disease, according to the American College of Cardiology. 
    • “Exercise and a clean diet aren’t always enough for heart health, the nation’s top cardiology organization said in new recommendations released on Friday. Weight-loss drugs should be used earlier, making them part of the first line of defense for obese patients, the group said.
    • Novo Nordisk A/S’s Wegovy and Eli Lilly & Co.’s Zepbound should be considered when choosing primary treatments to avert heart disease, the leading cause of death in the US, according to the new guidelines. The popular drugs are more effective than lifestyle changes and have fewer risks than surgery, the nonprofit medical association said.”
  • and
    • “I woke up from surgery groggy, with three minuscule incisions in my abdomen and huge peace of mind. I’d just had my fallopian tubes laparoscopically removed, as it’s the best—and possibly only—defense against ovarian cancer, which, though rare, is the most lethal gynecological cancer there is.
    • “There is no detection method for ovarian cancer (a common misunderstanding is that it’s the Pap smear, but that’s for cervical cancer). That’s largely because of something discovered relatively recently: About 80% of the time, cancer of the ovaries forms in the fallopian tubes, which are not easily reached or biopsied. So, the cancer is not found until it spreads beyond the tubes, by which point it has typically reached a later stage and is harder to treat, with cure rates as low as 15%. 
    • “The cancer and its pre-cancer lesions are also not detectable through blood tests. 
    • “I myself had no idea about any of this until 2023, when I wrote about the Ovarian Cancer Research Alliance (OCRA) making sweeping recommendations: that all women get genetically tested to know their risk of the disease, and that all women, regardless of their risk factor, consider having what’s called an opportunistic salpingectomy—the prophylactic removal of fallopian tubes if and when they are already having another abdominal surgery.
    • “The strategy—endorsed by the American College of Obstetrics & Gynecology since 2015—was believed to cut down the risk of ovarian cancer by up to 60%. It was adopted as a wide recommendation after a sobering U.K.-based clinical trial followed 200,000 women for more than 20 years and found that screening and symptom awareness do not save lives.”
  • The New York Times adds,
    • “Doctors call the new weight-loss drugs revolutionary. Game-changing. Unprecedented.
    • “Soon, they may also call them obsolete.
    • “Drugmakers are racing to develop the next wave of obesity and diabetes medications that they hope will be even more powerful than those currently on the market.
    • “I think what we are going to see very quickly is that Wegovy has received a lot of the press attention, because it got there first,” said Simon Cork, a senior lecturer at Anglia Ruskin University in England who has studied obesity. “But it will be rapidly overtaken by much more potent medications.”
    • “On Saturday, researchers presented data at an annual meeting of the American Diabetes Association on perhaps the most anticipated of these medications: a daily pill. A late-stage study showed that the drug, called orforglipron, appeared to be about as effective as a weekly Ozempic injection at inducing weight loss and lowering blood sugar. It is just one of over a dozen experimental medications that researchers will share data about at the conference this weekend.
    • “Some of these drugs are still in early trials, but others could hit the market as soon as next year. They include medications that may lead to more weight loss than the roughly 15 to 20 percent body weight people lose on existing drugs. They may also be easier to take than weekly injections and help people shed pounds without dropping as much muscle. More competition — and, in the case of the pill, lower manufacturing costs — might also mean that, eventually, patients pay less.”
  • and
    • “A single infusion of a stem cell-based treatment may have cured 10 out of 12 people with the most severe form of type 1 diabetes. One year later, these 10 patients no longer need insulin. The other two patients need much lower doses.
    • “The experimental treatment, called zimislecel and made by Vertex Pharmaceuticals of Boston, involves stem cells that scientists prodded to turn into pancreatic islet cells, which regulate blood glucose levels. The new islet cells were infused and reached the liver, where they took up residence.
    • “The study was presented Friday evening at the annual meeting of the American Diabetes Association and published online by The New England Journal of Medicine.
    • “It’s trailblazing work,” said Dr. Mark Anderson, professor and director of the diabetes center at the University of California in San Francisco. “Being free of insulin is life changing,” added Dr. Anderson, who was not involved in the study.
  • Per STAT News,
    • “GLP-1 drugs could treat more than just diabetes and obesity. They may also reduce migraine frequency.
    • “That is according to the findings of a study presented on Friday at the European Academy of Neurology congress. The pilot study found that GLP-1 agonists reduced monthly migraine days by almost half. The authors hypothesized that the drug lowers migraine frequency by reducing intracranial pressure.”
  • The Washington Post reports,
    • “The lung tissue of people with chronic obstructive pulmonary disease contains triple the sootlike particle buildup found in similar tissue in smokers’ lungs, a recent analysis finds.
    • “The study found that COPD patients’ alveolar macrophages — a type of lung cell that removes dust, particles and microorganisms from the lungs — contain more carbon than those of smokers. The carbon-containing alveolar macrophages in COPD patients’ lungs were also larger than macrophages without visible carbon, the study found.
    • “Published in ERJ Open Research, the study looked at carbon deposits in the cells. Alveolar macrophages are an important part of the immune system, activating other immune defense cells to protect the body from inhaled invaders. People with COPD have inflamed airways and more alveolar macrophages than healthy people.” * * *
    • “The study does not prove what caused the changes in the COPD patients’ lung tissue. Those with COPD may be less able to clear carbon from their lungs, the researchers write, or perhaps those with a reduced ability to clear carbon are likelier to develop COPD. Pollution or indoor particulate matter may also be to blame, they conclude.”
  • and
    • “The thought of getting back to an exercise routine after surgery might make you wince. It can be a struggle to know where to begin, especially if your body isn’t working the way it used to.
    • “The good news is that heading to your local pool or aquatic therapy can be a great alternative to land-based physical therapy and exercise. Research, including a 2024 study, says aquatic exercise can significantly help patients recover both mentally and physically after most surgeries.
    • “Water therapy is sometimes even more effective than land-based therapy because surgery patients don’t have the same range of motion and mobility,” says Mara Karamitopoulos, a pediatric orthopedic surgeon at NYU Langone Health in New York.”

From the U.S. healthcare business front,

  • Beckers Payer Issues tells us,
    • “At Becker’s 15th Annual Meeting, leaders from Microsoft and Blue Shield of California shared how AI is one tool to help transform payer operations — not by replacing humans, but by personalizing care, cutting friction and restoring trust.
    • “Christine McKinney, vice president of customer experience and digital transformation at Blue Shield of California (Oakland) emphasized the strategic use of AI as both a data enabler and an engagement enhancer.”
    • The article offers takeaways from the presentation.
  • Kaufman Hall adds,
    • “As AI transformation remains top of mind for healthcare leaders, I’ve noticed two common pitfalls plaguing new entrants and early adopters.
    • “Those in the early stages are often susceptible to the “ready, fire, aim” approach – quickly identifying a tool and searching for a problem to match.
    • “Early adopters are having trouble defining clear return on investment (ROI), which may go beyond financials.
    • “These pitfalls are reflected in our data as well. 36% of health systems lack a formal AI prioritization framework, and a recent Vizient benchmarking survey found the top barrier to implementing AI is a lack of clear ROI.
    • “A successful AI strategy must include a clear prioritization framework and a deeper understanding of value. With this in mind, here is an example of one organization’s success and three steps to move beyond the hype and maximize ROI.”

Cybersecurity Saturday

From the cybersecurity defenses and law enforcement front,

  • Cyberscoop reports,
    • Congress should use renewal of an expiring [in 2027] terrorism insurance program to create a federal backstop for cybersecurity insurance, according to a report out Tuesday that tries to thread many difficult needles to bolster an industry that its author says isn’t developing fast enough.
    • In an ideal world, cybersecurity insurance can be a valuable tool to protect policyholders and push everyone into adopting better cyber practices, but it will need government intervention to reach its full potential amid an array of challenges, Nick Leiserson writes in a study for the Foundation for Defense of Democracies, a D.C.-based think tank. 
  • and
    • “As spring gives way to summer, a wave of cybercrime crackdowns has taken root, with law enforcement and private security companies directing a surge of takedowns, seizures, indictments and arrests.
    • “Prolific infostealers, malware loaders, counter antivirus and encrypting services, cybercrime marketplaces, ransomware infrastructure and DDoS-for-hire operations have all been seized, taken offline or severely disrupted by global coordinated campaigns over the past six weeks.
    • “It’s been really energizing to see the volume and velocity of these takedowns in such a short period of time,” Flashpoint CEO Josh Lefkowitz told CyberScoop. 
    • “I can’t think of such a flurry and rapid succession — and then magnified by complementary takedowns by Europol and international partners,” he added. “It’s been a great couple of weeks for the good guys, and I wouldn’t be surprised if there’s more around the horizon.”

From the cybersecurity vulnerabilities and breaches front,

  • Bleeping Computer informs us,
    • “News broke [on June 18] about “one of the largest data breaches in history,” sparking wide media coverage filled with warnings and fear-mongering. However, it appears to just be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks.
    • “To be clear, this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials.
    • “Instead, these stolen credentials were likely circulating for some time, if not for years. They were then collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet.
    • “Cybernews, which discovered the briefly exposed datasets of compiled credentials, stated it was stored in a format commonly associated with infostealer malware, though they did not share samples.
    • “An infostealer is malware that attempts to steal credentials, cryptocurrency wallets, and other data from an infected device. Over the years, infostealers have become a massive problem, leading to breaches worldwide.”
  • Cybersecurity Dive reports,
    • “Major insurance provider Aflac Inc. said Friday [June 20] that it was the target of a cyberattack on June 12 that is linked to a major cybercrime spree focusing on the industry. 
    • “The company said it was able to contain the attack within hours and confirmed its systems remain operational. 
    • “We continue to serve our customers as we respond to this incident and can underwrite policies, review claims and otherwise service our customers as usual,” the company said in a Securities and Exchange Commission filing.
    • “The incident is part of a larger crime wave targeting the insurance industry that researchers have linked to a collective known as Scattered Spider. The group recently conducted a weeks-long attack campaign against retailers in the U.S. and the U.K.
    • “Erie Insurance Group last week disclosed that it was the target of a cyberattack that began on June 7. The company said Tuesday that it has regained control over its systems and sees no further evidence of malicious activity.”
  • Cyberscoop adds,
    • Scattered Spider is an amorphous band of young English-speaking cybercriminals affiliated with the larger sprawling network known as The Com. Scattered Spider associates recently ran roughshod over U.K.- and U.S.-based retailers before pivoting, once again, to insurance companies.
    • The ring of cybercriminals historically focuses on one sector at a time, resulting in a wave of extortion attacks on companies in the same industry, which often use similar systems and processes.
    • Google previously warned that Scattered Spider shifted its attention to U.S. retailers after the group hit multiple retailers and grocery stores in the U.K. in April. The pattern of recent activities attributed to Scattered Spider has been consistent.
    • “We are now seeing incidents in the insurance industry,” John Hultquist, chief analyst at Google Threat Intelligence Group, told CyberScoop on Monday. “Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers.”
  • The Wall Street Journal points out,
    • “Hackers in recent months have disrupted retail sales in the U.K. and U.S. and stolen hundreds of millions of dollars from crypto holders by targeting the outsourced call centers that many American corporations use to save costs.
    • “The hacks are often meticulously researched and use a variety of techniques, but they have one thing in common: low-level workers who staff call centers and have access to the kind of sensitive information that criminals need to commit crimes.
    • “The focus on outside call centers has allowed attackers to trick workers to get around so-called two-factor account authentication techniques that send codes by text to mobile phones. Those methods are commonly used to protect millions of bank and credit-card accounts, as well as a host of other online portals.”
  • Security Week lets us know,
    • “Healthcare services firm Episource has been targeted in a cyberattack that resulted in a data breach impacting more than 5.4 million individuals.
    • “Episource provides medical coding and risk adjustment services to doctors, health plans, and other types of healthcare organizations. 
    • “The firm revealed in a data breach notice that it detected unauthorized access to its systems in early February. An investigation showed that “a cybercriminal” was able to view and copy data belonging to some Episource customers between January 27 and February 6, 2025. 
    • “We quickly took steps to stop the activity. We began investigating right away and hired a special team to help us. We also called law enforcement. We turned off our computer systems to help protect the customers we work with and their patients and members,” the company said, noting that it’s not aware of any misuse of the compromised data.”
  • Per Dark Reading,
    • Cybercriminals are using fake search engine listings to hijack the results for people looking for tech support from brands like Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal.
    • This type of deceptive scam is common, taking advantage of users’ trust in big name brands, beginning with a sponsored search result on Google — but this time, there’s a twist.
    • According to Pieter Arntz and Jérôme Segura, researchers at Malwarebytes Labs, cybercriminals start by paying for a sponsored ad on Google pretending to be a major brand. This advertisement will then lead people to the fake website.
    • “However, in the cases we recently found, the visitor is taken to the legitimate site with a small difference,” the researchers wrote in a post this week. “Visitors are taken to the help/support section of the brand’s website, but instead of the genuine phone number, the hijackers display their scammy number instead.”
    • “So, while the browser address is legitimate and shows no cause for concern, the fraudsters overlay the actual website with misinformation, directing the user to seek help from a fraudulent source.”
  • Cybersecurity Dive tells us,
    • “Researchers are urging Veeam Backup & Replication users to make sure their systems are fully upgraded to the latest version after the company released a patch Tuesday to address a critical remote code execution flaw. 
    • “The vulnerability, tracked as CVE-2025-23121, allows an authenticated domain user to run code on a backup server. 
    • Researchers at watchTowr and Code White GmbH previously disclosed that a patch to address a prior vulnerability, tracked as CVE-2025-23120, could be bypassed. That disclosure led to the development of the new patch.”
  • and
    • “Hackers are exploiting a critical vulnerability in Zyxel’s Internet Key Exchange packet decoder, GreyNoise researchers warned on Monday.
    • “The vulnerability, tracked as CVE-2023-28771, powered a sudden wave of exploitation attempts Monday, with researchers observing 244 unique IP addresses involved in the activity. 
    • “All of the addresses were located in the U.S. and registered to Verizon Business, but researchers caution that because the vulnerability was located over UDP (Port 500), the attackers may have been spoofing those addresses.
    • “Additional analysis suggests that the activity may be related to a variant of the Mirai botnet, researchers said. 
    • “Mirai-linked payloads suggest the activity may be aimed at enrolling devices into botnets for automated attacks like DDoS or scanning,” GreyNoise researchers told Cybersecurity Dive via email.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added three known exploited vulnerabilities to its catalog this week.
    • June 16, 2025
      • CVE-2025-43200 Apple Multiple Products Unspecified Vulnerability
      • CVE-2023-33538 TP-Link Multiple Routers Command Injection Vulnerability
        • NIST discusses the Apple vulnerability here.
        • Security Week discusses the TP-Link KEV here.
    • June 17, 2025
      • CVE-2023-0386 Linux Kernel Improper Ownership Management Vulnerability
        • Security Week discusses this KEV here.
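The Bleeping Computer item above makes the practical point that a "record" credential compilation is mostly recycled infostealer output, so the useful response is triage rather than panic: deduplicate, find the accounts on domains you own, and reset those. The following is an added example (not code from Bleeping Computer, Cybernews or the blog) that does that over a constructed sample. It assumes the common one-credential-per-line `url:username:password` layout, which the article mentions only as "a format commonly associated with infostealer malware"; the sample lines, hostnames and domains are invented.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample dump in the assumed url:username:password layout.
# It deliberately includes a duplicate line, an android:// app entry,
# a password containing colons, an empty password and a junk line,
# all of which a triage script has to survive without mis-parsing.
SAMPLE_DUMP = """\
https://portal.example.com/login:alice@example.com:Winter2024!
https://portal.example.com/login:alice@example.com:Winter2024!
android://abcd==@com.example.app/:bob@example.com:pa:ss:word
https://mail.other.org/:carol@other.org:hunter2
not a credential line
https://vpn.example.com/auth:dave@example.com:
"""

# The URL may carry a scheme and a port (both contain colons); the username
# never contains a colon; the password is everything after the second
# separator so embedded colons are preserved.
LINE_RE = re.compile(
    r"^(?P<url>(?:[a-z][a-z0-9+.\-]*://)?[^:\s]+(?::\d+)?[^:\s]*)"
    r":(?P<user>[^:\s]+):(?P<password>.*)$"
)


def host_of(url):
    """Hostname of the entry (for android:// entries this is the app package)."""
    if "://" not in url:
        url = "https://" + url
    parsed = urlsplit(url)
    return (parsed.hostname or url).lower()


def parse_dump(text):
    """Yield (host, user, password) for every line that fits the layout; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield host_of(m["url"]), m["user"], m["password"]


def domain_matches(host, owned_domains):
    """True when host is one of the owned domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in owned_domains)


def triage(text, owned_domains):
    """Return (unique credential count, {host: [accounts]} for owned domains)."""
    seen = set()
    affected = defaultdict(set)
    for host, user, password in parse_dump(text):
        key = (host, user.lower(), password)
        if key in seen:          # the same triple repeated across dumps is not a new exposure
            continue
        seen.add(key)
        if domain_matches(host, owned_domains):
            affected[host].add(user.lower())
    return len(seen), {h: sorted(u) for h, u in sorted(affected.items())}


if __name__ == "__main__":
    total, hits = triage(SAMPLE_DUMP, {"example.com"})
    print(f"{total} unique credentials in dump; accounts to force-reset: {hits}")
```

Note that the android:// entry is keyed by app package name rather than by hostname, so it does not match `example.com` here; a real triage pass needs a separate list of your own mobile app identifiers.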
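The GreyNoise item on CVE-2023-28771 carries a caveat worth turning into detection logic: the exploitation traffic arrives over UDP/500, so the 244 source addresses cannot be trusted and blocking by IP may block nobody. The following added example (not GreyNoise's or Cybersecurity Dive's code) aggregates constructed firewall log lines into one-minute windows, flags windows with many distinct sources hitting UDP/500, and reports how many of those sources sent exactly one packet, a pattern consistent with spoofing. The log format and the addresses (documentation ranges) are invented.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed firewall log excerpt. Assumed format:
# "<ISO-8601 timestamp> <action> udp <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2025-06-16T14:02:03Z deny udp 203.0.113.10:500 -> 198.51.100.7:500
2025-06-16T14:02:05Z deny udp 203.0.113.11:500 -> 198.51.100.7:500
2025-06-16T14:02:06Z deny udp 203.0.113.12:500 -> 198.51.100.7:500
2025-06-16T14:02:09Z deny udp 203.0.113.13:500 -> 198.51.100.7:500
2025-06-16T14:02:10Z deny udp 203.0.113.14:500 -> 198.51.100.7:500
2025-06-16T14:02:15Z allow udp 203.0.113.15:500 -> 198.51.100.7:500
2025-06-16T14:02:40Z allow udp 203.0.113.15:500 -> 198.51.100.7:500
2025-06-16T14:02:41Z allow udp 203.0.113.15:4500 -> 198.51.100.7:4500
2025-06-16T14:05:02Z allow udp 192.0.2.44:500 -> 198.51.100.7:500
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) udp "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(lines):
    """Yield (timestamp, source IP, destination port) for well-formed lines."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["src"], int(m["dport"])


def ike_bursts(lines, min_unique_sources=5, window_seconds=60):
    """Flag windows in which many distinct sources send to UDP/500 (IKE)."""
    windows = defaultdict(Counter)            # window start -> Counter(src -> packets)
    for ts, src, dport in parse_log(lines):
        if dport != 500:
            continue
        start = int(ts.timestamp()) // window_seconds * window_seconds
        windows[start][src] += 1

    alerts = []
    for start, sources in sorted(windows.items()):
        if len(sources) < min_unique_sources:
            continue
        alerts.append({
            "window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
            "packets": sum(sources.values()),
            "unique_sources": len(sources),
            # One packet per source is what a spoofed UDP flood looks like;
            # a window dominated by such sources should not drive IP blocklists.
            "single_packet_sources": sum(1 for n in sources.values() if n == 1),
        })
    return alerts


if __name__ == "__main__":
    for alert in ike_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The durable response is the one the article implies: patch the IKE decoder rather than chase the addresses, and use this kind of window count only to confirm that a scan wave reached your edge.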
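The CISA additions listed above are only useful once they are matched against what you actually run, and the feed's product field is often as broad as "Multiple Products" or "Multiple Routers". The following added example (not CISA's or the blog's code) parses a constructed excerpt that uses the field names of CISA's KEV JSON feed, selects entries added in a date window, and matches them to a constructed asset inventory. The three CVE IDs, vendors, products and dateAdded values are the ones cited above; the dueDate values, the fourth older entry's dates and the inventory rows are illustrative.

```python
import json
from datetime import date

# Constructed excerpt mirroring the KEV feed's field names.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2025.06.17",
    "dateReleased": "2025-06-17T00:00:00.0000Z",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2025-43200", "vendorProject": "Apple", "product": "Multiple Products",
         "vulnerabilityName": "Apple Multiple Products Unspecified Vulnerability",
         "dateAdded": "2025-06-16", "dueDate": "2025-07-07", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-33538", "vendorProject": "TP-Link", "product": "Multiple Routers",
         "vulnerabilityName": "TP-Link Multiple Routers Command Injection Vulnerability",
         "dateAdded": "2025-06-16", "dueDate": "2025-07-07", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-0386", "vendorProject": "Linux", "product": "Kernel",
         "vulnerabilityName": "Linux Kernel Improper Ownership Management Vulnerability",
         "dateAdded": "2025-06-17", "dueDate": "2025-07-08", "knownRansomwareCampaignUse": "Unknown"},
        # Illustrative older entry so the date filter has something to exclude.
        {"cveID": "CVE-2023-28771", "vendorProject": "Zyxel", "product": "Multiple Firewalls",
         "vulnerabilityName": "Zyxel Multiple Firewalls OS Command Injection Vulnerability",
         "dateAdded": "2023-05-31", "dueDate": "2023-06-21", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: vendor and product strings as your CMDB might hold them.
INVENTORY = [
    {"host": "build-01", "vendor": "Linux", "product": "Kernel 5.15"},
    {"host": "branch-rtr", "vendor": "TP-Link", "product": "TL-WR841N"},
    {"host": "edge-fw", "vendor": "Zyxel", "product": "USG FLEX 200"},
    {"host": "db-02", "vendor": "Microsoft", "product": "SQL Server 2019"},
]


def load_kev(text):
    """Return the list of catalog entries from a KEV JSON document."""
    return json.loads(text)["vulnerabilities"]


def added_between(entries, start, end):
    """Entries whose dateAdded falls within [start, end]."""
    return [e for e in entries if start <= date.fromisoformat(e["dateAdded"]) <= end]


def match_inventory(entries, inventory):
    """Return (host, cveID, dueDate) tuples for entries that touch inventory rows.

    A product named "Multiple ..." matches every asset from that vendor, which is
    the conservative reading; otherwise the catalog product must appear in the
    asset's product string.
    """
    hits = []
    for e in entries:
        vendor = e["vendorProject"].lower()
        product = e["product"].lower()
        broad = product.startswith("multiple")
        for asset in inventory:
            if asset["vendor"].lower() != vendor:
                continue
            if broad or product in asset["product"].lower():
                hits.append((asset["host"], e["cveID"], e["dueDate"]))
    return hits


if __name__ == "__main__":
    entries = load_kev(SAMPLE_KEV_JSON)
    recent = added_between(entries, date(2025, 6, 16), date(2025, 6, 17))
    for host, cve, due in match_inventory(recent, INVENTORY):
        print(f"{host}: {cve} (remediate by {due})")
```

Against the real feed the same functions apply to the JSON CISA publishes; the broad "Multiple ..." matches will over-report, which is the intended failure direction, since the vendor advisory, not the catalog, is where you confirm the exact affected models.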

From the ransomware front,

  • The Hacker News reports,
    • “An emerging ransomware strain has been discovered incorporating capabilities to encrypt files as well as permanently erase them, a development that has been described as a “rare dual-threat.”
    • “The ransomware features a ‘wipe mode,’ which permanently erases files, rendering recovery impossible even if the ransom is paid,” Trend Micro researchers Maristel Policarpio, Sarah Pearl Camiling, and Sophia Nilette Robles said in a report published last week.
    • “The ransomware-as-a-service (RaaS) operation in question is named Anubis, which became active in December 2024, claiming victims across healthcare, hospitality, and construction sectors in Australia, Canada, Peru, and the U.S. Analysis of early, trial samples of the ransomware suggests that the developers initially named it Sphinx, before tweaking the brand name in the final version.”
  • and
    • “The threat actors behind the Qilin ransomware-as-a-service (RaaS) scheme are now offering legal counsel for affiliates to put more pressure on victims to pay up, as the cybercrime group intensifies its activity and tries to fill the void left by its rivals.
    • “The new feature takes the form of a “Call Lawyer” feature on the affiliate panel, per Israeli cybersecurity company Cybereason.
    • “The development represents a newfound resurgence of the e-crime group as once-popular ransomware groups like LockBit, Black Cat, RansomHub, Everest, and BlackLock have suffered abrupt cessations, operational failures, and defacements. The group, also tracked as Gold Feather and Water Galura, has been active since October 2022.
    • “Data compiled from the dark web leak sites run by ransomware groups shows that Qilin led with 72 victims in April 2025. In May, it is estimated to be behind 55 attacks, putting it behind Safepay (72) and Luna Moth (67). It’s also the third most active group after Cl0p and Akira since the start of the year, claiming a total of 304 victims.”

From the cybersecurity defenses front,

  • Cybersecurity Dive reports,
    • “For organizations aiming to deploy generative AI at scale, focusing on the cybersecurity guardrails surrounding the technology can help ease adoption rather than hinder it, according to AWS CISO Amy Herzog. 
    • “Herzog, who took on the CISO role earlier this month, made the case for a closer enterprise focus on security during the company’s annual re:Inforce conference Tuesday. The strategy can pay off by speeding up adoption. 
    • “Security, when done right, can be a true enabler in adopting new technologies,” said Herzog. “What we’re noticing is customers with mature security practices and the ability to innovate while maintaining a high security bar, they’re adopting Gen AI faster.
    • “Companies in highly regulated environments, from finance to healthcare, have been able to rely on their existing security, privacy and data management guardrails to speed up AI adoption, Herzog said. 
    • “This enables them to reduce risks and pragmatically focus on scaling their use cases,” Herzog said.”
  • and
    • “Nearly one in 10 publicly accessible cloud-storage buckets contained sensitive data, with virtually all of that data considered confidential or restricted, according to a new report from Tenable based on scans conducted between October 2024 and March 2025.
    • “On the other hand, more than eight in 10 organizations using Amazon Web Services have enabled an important identity-checking service, according to the report, published on Wednesday.
    • “The number of organizations with triple-threat cloud instances — “publicly exposed, critically vulnerable and highly privileged” — declined from 38% between January and June 2024 to 29% between October 2024 and March 2025.”
  • Per Bleeping Computer,
    • “Microsoft has announced plans to periodically remove legacy drivers from the Windows Update catalog to mitigate security and compatibility risks.
    • “The rationale behind this initiative is to ensure that we have the optimal set of drivers on Windows Update that cater to a variety of hardware devices across the windows ecosystem, while making sure that Microsoft Windows security posture is not compromised,” Microsoft said.
    • “This initiative involves periodic cleanup of drivers from Windows Update, thereby resulting in some drivers not being offered to any systems in the ecosystem.
    • “As the company explained on Thursday, the first phase of this “cleaning up” procedure will involve drivers with newer replacements already published on Windows Update.”
  • CSO lets us know,
    • “Ransomware tabletop exercises confront participants with an attack scenario, offering them a way to test and improve their organization’s readiness and response capabilities.
    • “During this month’s Infosecurity Europe conference, CSO took part as a media advisor to a blue team, pitched against a red team of attackers in a ransomware tabletop simulation focused on the water industry. The “Operation 999” exercise was devised and run by cybersecurity vendor Semperis, a specialist in protecting Active Directory (AD) and hybrid identity environments.” * * *
    • “The “Operation 999” exercise offered a cybersecurity tabletop simulation designed to allow participants to exercise incident response strategies. The tabletop exercise offered an immersive experience without featuring any hands-on keyboard or analysis of technical data (such as exercise specific log files, or similar).”
  • Security Week discusses “Choosing a clear direction in the face of growing cybersecurity demands. In a rapidly changing AI environment, CISOs are worried about investing in the wrong solution or simply not investing because they can’t decide what the best option is.”
  • Here is a link to Dark Reading’s CISO Corner.
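The Tenable finding quoted above (roughly one in ten publicly accessible buckets holding sensitive data) usually traces back to a bucket policy that grants a wildcard principal, sometimes narrowed only by a Condition, plus a Public Access Block that was never fully switched on. The following is an added example (not Tenable's or Cybersecurity Dive's code, and not an AWS API call) that reviews an S3 bucket policy document offline: it shows a weak policy beside a hardened one and checks the four Public Access Block flags. The bucket name, account ID, role name and VPC endpoint ID are placeholders.

```python
import json

# Constructed weak policy: anonymous read on every object, plus a second
# wildcard grant that is narrowed only by a Condition and needs a human look.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}

# Constructed hardened policy: the same read access scoped to one role.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def review_policy(policy):
    """Classify Allow statements with a wildcard principal.

    "public": unconditional grants to everyone.
    "conditional": wildcard grants narrowed by a Condition; some conditions
    (aws:PrincipalOrgID, aws:SourceVpce) are fine, others are not, so review them.
    """
    public, conditional = [], []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not principal_is_anonymous(st.get("Principal")):
            continue
        entry = (st.get("Sid", "<no Sid>"), _as_list(st.get("Action", [])))
        (conditional if st.get("Condition") else public).append(entry)
    return {"public": public, "conditional": conditional}


def public_access_block_effective(cfg):
    """All four S3 Public Access Block flags must be True for the block to hold."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(cfg.get(k) is True for k in keys)


if __name__ == "__main__":
    print(json.dumps(review_policy(WEAK_POLICY), indent=2))
    print(json.dumps(review_policy(HARDENED_POLICY), indent=2))
    print(public_access_block_effective({"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                         "BlockPublicPolicy": True, "RestrictPublicBuckets": True}))
```

The policy check is a first pass, not an authoritative evaluation: ACLs, access points and cross-account grants also matter, which is why the Public Access Block check belongs beside it, since with all four flags on a re-added public statement is rejected rather than silently honored.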

Friday Report

FEHBlog note: Since the FEHBlog launched in 2006, the FEHBlog has featured a photograph at the top of the post. The FEHBlog learned today that email subscribers to the FEHBlog see a blank spot at the top of the page as the email system blocks photographs. For that reason, the FEHBlog has stopped using photographs in the blog except when necessary.

From Washington, DC,

  • Roll Call informs us,
    • “Senate Republicans say they are looking for ways to safeguard rural hospitals from proposed cuts to a key Medicaid funding method, amid concerns from the powerful hospital lobby and others that the budget reconciliation bill could force many facilities to close.
    • “The draft text that the Senate Finance Committee released this week reduces the ability of states who expanded Medicaid under the 2010 health care law to levy taxes on providers to fund their programs. 
    • “Senate Majority Leader John Thune, R-S.D., told reporters Wednesday he is working on the issue, though he did not offer details. Leadership is attempting to balance directives to cut government spending with demands from senators like Josh Hawley, R-Mo., who said that the bill should protect rural hospitals from the effects of shrinking provider taxes.
    • “The right thing to do is not defund rural hospitals to pay for your pet projects,” Hawley said. “So, if you want your pet project in the bill, go find your own money. Don’t defund rural hospitals.” 
    • “Medicaid is often one of the top payers for rural facilities.”
  • STAT News adds,
    • “Hospitals are now lobbying senators to return to the House’s version of the bill, which also is expected to substantially cut hospitals’ revenues and the number of patients covered — but less so than the Senate’s version of the bill. 
    • “But that lobbying effort is butting up against senators who want to further reduce government spending. The Congressional Budget Office has not yet projected the budget impact of the Senate bill.”
  • The American Hospital Association News tells us,
    • The Centers for Medicare & Medicaid Services June 20 announced it is finalizing its 2025 Marketplace Integrity and Affordability final rule. The rule shortens the open enrollment period for the federal marketplace to Nov. 1-Dec. 15 starting in 2027, and limits open enrollment periods for state-based marketplaces to Nov. 1-Dec. 31. The rule also includes a change to the premium adjustment percentage that would increase the maximum annual cost sharing limitation. Additionally, the rule makes updates to the income verification process and pre-enrollment verification process for SEPs, changes to the essential health benefits, modifications to the redetermination and re-enrollment processes, and ends a special enrollment period for low-income individuals, among other policies. Many of the provisions reinstate policies finalized during the prior Trump administration.
  • Here is a link to CMS’s fact sheet on this final rule.
  • Govexec lets us know,
    • “The White House and its Department of Government Efficiency are spearheading efforts to shake up the Postal Service, according to details of the meetings obtained by Government Executive, with topics including pricing for mail and general reform proposals. 
    • “The meetings were not clearly within the scope of a memorandum of understanding former Postmaster General Louis DeJoy signed with DOGE, which focused on specific cost-cutting measures and real estate planning. Some of the meetings also involved top officials from the Treasury Department, White House attorneys and policy advisors and additional USPS executives. A source familiar with the meetings confirmed DOGE has been active at the Postal Service’s Washington headquarters in recent months.” 
  • Per an OPM news release,
    • This week, the U.S. Office of Personnel Management (OPM) Inspector General (IG) released a report that uncovered widespread compliance failures and weak internal oversight in the agency’s telework and remote work programs during the Biden Administration.
    • The report revealed more than half of OPM employees reviewed failed to meet basic in-office requirements and nearly a third of sampled teleworkers had expired or missing agreements. Additionally, 15 percent of remote workers had no approved agreement on file, and many discrepancies flagged by HR remained unresolved for months.
    • Since President Trump took office, OPM has reinstated in-office requirements to restore a culture of accountability and public service.
    • “Under the previous administration, OPM’s telework and remote work policies were mismanaged and oversight was virtually nonexistent,” Acting Director Chuck Ezell said. “That era of telework abuse is over. At President Trump’s direction, OPM has restored in-person operations to ensure federal employees are working for the taxpayers.”
    • OPM has already implemented new internal controls and compliance reviews, and effective March 3, 2025, all employees are required to report to their official duty station full-time.
    • Read the OIG report here.

From the Food and Drug Administration front,

  • The Wall Street Journal reports,
    • “Sanofi and Regeneron Pharmaceuticals said they got Food and Drug Administration approval for anti-inflammatory drug Dupixent as a treatment for a rare skin disease, adding an eighth indication in the U.S. for their blockbuster medicine.
    • “France’s Sanofi and Tarrytown, N.Y.-based Regeneron said Friday that the FDA gave the green light for Dupixent as a treatment of adult patients with bullous pemphigoid, a skin disease that mainly affects elderly people and is characterized by itch, blisters and lesions, as well as a reddening of the skin.”

From the judicial front,

  • SCOTUSblog reports,
    • In a splintered decision, the Supreme Court did not allow a retired firefighter to sue her prior employer under the ADA. The majority opinion, written by Justice Gorsuch, determined the retiree was not a “qualified individual” under the law. In dissent, Justice Jackson called the majority opinion “counterintuitive.”
  • and
    • “On Friday, the Supreme Court opined on a challenge by retailers of e-cigarettes to an FDA decision. The majority opinion, written by Justice Amy Coney Barrett, held that the challengers were “adversely affected” by the FDA’s decision and could thus seek judicial review in the 5th Circuit.”
  • The AHA News relates,
    • “The U.S. District Court for the Northern District of Iowa June 18 vacated components of the Centers for Medicare & Medicaid Services’ minimum nurse staffing rule requiring nursing homes to have a registered nurse onsite 24/7 and prescribing a minimum total nurse staffing hours per resident day. The court kept in place the rule’s enhanced facility assessment and Medicaid reporting requirements.
    • “CMS’s general rulemaking power to promulgate ‘such other requirements as the Secretary deems necessary’ does not constitute clear authorization to mandate rigid staffing requirements for [long-term care] facilities,” wrote District Court Judge Leonard T. Strand in the ruling. “Therefore, I find that CMS did not have authority to promulgate the 24/7 RN requirement and the HPRD requirements pursuant to its health and safety rulemaking authority.”
    • “A district court in Texas also vacated the minimum staffing mandate in April.”
  • Beckers Payer Issues points out,
    • “New York City can implement an Aetna Medicare Advantage plan for its retirees, the state’s highest court ruled June 18. 
    • “The city has pushed to switch its health benefits for retired city employees to a Medicare Advantage plan since 2021. A group of retired employees sued to block the plan, arguing that the city had promised to provide supplemental Medicare benefits, and that their healthcare benefits would be diminished under an MA plan. 
    • “The New York Court of Appeals ruled against the retirees, reversing lower courts’ decisions. The judges ruled the city was not obligated to offer Medigap plans to its retirees. The court also ruled the retirees did not prove their care would be harmed under an MA plan.” 

From the public health and medical research front,

  • The Centers for Disease Control and Prevention announced today,
    • “Seasonal influenza activity is low. COVID-19 and RSV activity is very low.
    • “COVID-19
      • “COVID-19 wastewater activity is low and emergency department visits and laboratory percent positivity are at very low levels.
    • “Influenza
    • “RSV
      • “RSV activity is very low.
  • The University of Minnesota’s CIDRAP adds,
    • “New findings presented at the annual meeting of the American Society for Microbiology suggest increased levels of fungal spores in the air are strongly linked to surges in cases of influenza and COVID-19.
    • The study was based on daily spore samples taken in 2022 and 2024 in San Juan and Caguas, Puerto Rico, where fungal spores and pollen are endemic and present year-round. The data on spores was matched to data on the daily incidence of people diagnosed with COVID-19 and flu.
    • “The researchers found increases in fungal spore counts matched surges in flu and COVID activity. There was no relationship between pollen levels and respiratory illness activity.
    • “The findings from our study suggest that monitoring airborne fungal spore levels could help predict short-term outbreaks (spikes) of flu and COVID-19, giving public health systems an early warning signal,” study author Felix Rivera-Mariani, PhD said in a press release from the American Society of Microbiology. “Our findings also highlight the potential role of environmental factors—not just person-to-person spread—in contributing to the incidence of respiratory viral infections. That could open new doors for targeted public health alerts, especially in areas with high outdoor airborne fungi.” 
  • and
    • “The US Centers for Disease Control and Prevention (CDC) reported 17 more measles cases today in its weekly update, bringing its total for the year to 1,214 confirmed cases from 36 jurisdictions.
    • “Although measles cases have slowed since peaking in late March, the uptick in cases brings the country closer to surpassing the 1,274 cases reported in 2019, which to date is the highest number reported in a single year since the disease was eliminated from the United States in 2020. There were 285 confirmed measles cases in 2024. 
    • “The CDC reported two additional outbreaks (three or more related cases), bringing the 2025 total to 23 outbreaks. Of the 1,214 confirmed US cases, 89% are outbreak associated. Only 16 outbreaks were reported in 2024, with 69% of confirmed cases associated with those outbreaks. The biggest outbreak in 2025 has been in West Texas, which has seen 750 confirmed cases since late January.”
  • and
    • “Since late April, an infectious diseases specialist at Stanford University and his colleagues have been volunteering their time on a project they hope will help educate the public, and combat misinformation, about the safety and efficacy of vaccines.
    • “The project, led by Jake Scott, MD, is a spreadsheet of all the randomized controlled trials (RCTs) that have ever been conducted for licensed vaccines. The idea, hatched on the social media site X, was prompted by responses to an old video of current Department of Health and Human Services Secretary Robert F. Kennedy Jr., in which he claims that none of vaccines mandated for US children has ever been tested in preclinical studies against a placebo. In one of the responses, infectious disease physician Brad Spellberg, MD, suggested a crowd-sourced effort to identify and post all of the RCTs in which vaccines have been tested against a placebo.
    • “That night Scott, a self-proclaimed “spreadsheet geek” who has previously collaborated with Spellberg, began building a spreadsheet using Google Sheets, creating criteria for inclusion, and seeding it with seven vaccine RCTs. Each entry has columns for the name of the vaccine, the date the RCT was published, which populations were studied, how many people were involved in the study and, importantly, the types of placebo or active comparator that were used for the control group.
    • “By the next morning, there were 20 vaccine RCTs on the spreadsheet. By May 5, the list had grown to 100. The spreadsheet now stands at more than 270 RCTs and continues to grow. Scott and his colleagues, who aim to eventually publish a peer-reviewed paper on the project in a medical journal, thoroughly review each entry before inclusion and provide links to the RCTs on PubMed.
    • “I think we’re kind of looking at the tip of the iceberg,” Scott told CIDRAP News. “There’s going to be, I would say, easily 400-plus, maybe 500-plus trials with millions and millions of participants.”
  • The AP reports,
    • “Older U.S. adults are increasingly dying from unintentional falls, according to a new federal report published Wednesday, with white people accounting for the vast majority of the deaths. 
    • “From 2003 to 2023, death rates from falls rose more than 70% for adults ages 65 to 74, the report from the U.S. Centers for Disease Control and Prevention said. The rate increased more than 75% for people 75 to 84, and more than doubled for seniors 85 and older.
    • “Falls continue to be a public health problem worth paying attention to,” said Geoffrey Hoffman, a University of Michigan researcher who was not involved in the new report. “It’s curious that these rates keep rising.”
  • MedTech Dive notes five things to watch at the American Diabetes Association’s upcoming scientific session.
    • “At the American Diabetes Association’s Scientific Sessions, companies like Abbott, Dexcom and Beta Bionics will share the latest data on diabetes technology and new partnerships.
    • “The annual conference takes place June 20-23 in Chicago, with industry leaders gathering to discuss new developments in diabetes treatments. This year’s event follows new ADA standards of care that would expand access to continuous glucose monitors, recommending that the devices be used in adults with Type 2 diabetes who are taking glucose-lowering medications other than insulin.”

From the U.S. healthcare business front,

  • The Wall Street Journal reports,
    • “Health insurers will pledge to smooth the preapproval process following backlash after the killing of an executive last year.
    • “Insurers will create a standard for electronic requests by 2027, with 80% answered in real time if documentation is included.
    • “The industry plan includes reducing procedures subject to authorization, improving explanations, and helping patients changing insurers.”
  • and
    • “Planes have been jetting from Ireland to the U.S. this year carrying something more valuable than gold: $36 billion worth of hormones for popular obesity and diabetes drugs.
    • “The frantic airlift of those ingredients—more than double what was imported from Ireland for all of last year—reflects the collision of two powerful forces: tariff-driven stockpiling and weight-loss drug demand.
    • “The peptide- and protein-based hormones feed into a category of drugs that include wildly popular GLP-1 treatments and newer types of insulin known as analogues. Taken together the shipments weighed just 23,400 pounds, according to U.S. trade data, equivalent to the weight of less than four Tesla Cybertrucks.
    • “Fit into temperature-controlled air-cargo containers, the pharmaceutical ingredients have had a huge impact on the U.S. trade imbalance. The shipments have propelled Ireland, a country of only 5.4 million people, to the second-largest goods-trade imbalance with the U.S., trailing only China. They accounted for roughly half of the $71 billion in goods the U.S. imported from the country in the first four months of the year.
    • “Nearly 100% of the imports had a final destination of Indiana, according to U.S. customs records. Eli Lilly, the drug giant behind weight loss and diabetes drugs Zepbound and Mounjaro, is headquartered in Indianapolis.”
  • Mercer Consulting notes,
    • “It’s been over three years since group health plan sponsors and issuers, in order to comply with the Transparency in Coverage final rule, began posting Machine-Readable Files that contain in-network negotiated charges for every medical item and service with providers in their networks, as well as out-of-network allowed amounts and billed charges. This data had previously been considered by insurers as proprietary and confidential, but the government recognized the need to make healthcare costs more transparent. The rule also requires group health plan sponsors and issuers to post files for negotiated rates and historical net prices for covered prescription drugs, but regulators have delayed that particular requirement .
    • “But even though the data has been available to the public since July 2022, almost 70% of very large employers (5,000+ employees) responding to our 2025 Health Policy Survey report that they have yet to meaningfully use the data.
    • “Impeding use is the sheer amount of data that was dropped on the internet all at once, but not all in one place. According to a recent report from the Congressional Review Service, users have faced significant challenge * * *.
  • Per Fierce Healthcare,
    • “Hinge Health, which just went public last month, launched a referral network of in-person providers to complement its virtual physical therapy platform.
    • “The curated provider network for musculoskeletal (MSK) care, called HingeSelect, includes imaging centers and brick-and-mortar physical therapy providers to help bridge the gap between in-person and digital care. The aim is to offer a more comprehensive end-to-end MSK care model, executives said.
    • “Hinge Health’s technology and in-house orthopedic physicians triage and direct downstream care. When in-person care, such as imaging or injections, is required, members are connected to pre-vetted providers at up to 50% below PPO rates.” 
  • Per Beckers Payer Issues,
    • “Philadelphia-based Independence Blue Cross has launched a new GenAI customer service tool to support customer service representatives in improving accuracy and speed of customer interactions, according to a news release shared with Becker’s.
    • “The pilot, initiated in February 2025, tasked more than 40 customer service representatives with using the tool to assist with member-specific questions, summarize complex medical policies and search benefits. 
    • “The AI tool was found to have reduced the number of steps customer representatives must take to access critical information and improved efficiency by increasing the percentage of customers who receive solutions on their first inquiry. It also documents responses and validates the information with Independence Blue Cross’ existing customer relationship system.”

Cybersecurity Saturday

From the cybersecurity and law enforcement front,

  • Cyberscoop reports,
    • “A House panel approved a fiscal 2026 funding bill Monday [June 9, 2025] that would cut the Cybersecurity and Infrastructure Security Agency by $135 million from fiscal 2025, significantly less than the Trump administration’s proposed $495 million.
    • “The chairman of the House Appropriations Subcommittee on Homeland Security, Rep. Mark Amodei, said the annual Department of Homeland Security funding measure “responsibly trimmed” the CISA budget. But Illinois Rep. Lauren Underwood, the top Democrat on his panel, said the legislation “fails to address the catastrophic cybersecurity threats facing our critical infrastructure.”
    • “The subcommittee approved the bill by a vote of 8-4.
    • “CISA would get $2.7 billion under the measure, according to a committee fact sheet, or $134.8 million less than the prior year.
    • “While the full committee chairman Tom Cole, R-Okla., said “the bill provides critical support for cybersecurity technology,” Republicans also criticized the agency’s past work.”
  • and
    • “A familiar face is being promoted from within to lead the FBI’s Cyber division.
    • “In a LinkedIn post Sunday [June 8, 2025], Brett Leatherman said that FBI Director Kash Patel had selected him as assistant director and lead official for the FBI’s primary division for investigating cybercrimes. The role is prominent in national security, espionage and counterintelligence investigations.” * * *
    • “Leatherman takes over the reins from Bryan Vorndran, who led the bureau’s Cyber Division from 2021 until this past spring when he left the federal government to take a job as Microsoft’s deputy chief information security officer.”  
  • The National Institute of Standards and Technology (NIST) illustrates “19 Ways to Build Zero Trust Architectures.”
    • “The traditional approach to cybersecurity, built around the idea of solely securing a perimeter, has given way to the zero-trust approach of continuously evaluating and verifying requests for access.
    • “Zero trust architectures can help organizations protect far-flung digital resources from cyberattacks, but building and implementing the right architectures can be a complex undertaking.
    • “New NIST guidance offers 19 example zero trust architectures using off-the-shelf commercial technologies, giving organizations valuable starting points for building their own architectures.”
  • Cyberscoop points out,
    • “Federal authorities on Wednesday [June 11, 2025] announced the seizure of about 145 domains and cryptocurrency funds linked to BidenCash, a cybercrime marketplace for stolen credit cards, compromised credentials and other personal information. 
    • “BidenCash was used by more than 117,000 customers, resulting in the trafficking of more than 15 million credit card numbers and personally identifiable information, the Justice Department said. Administrators of the cybercrime platform, which charged a per-transaction fee, generated more than $17 million in illicit revenue since its formation in March 2022, authorities said.
    • “Domains associated with BidenCash now redirect to a server controlled by U.S. law enforcement and display seizure notices. The U.S. Attorney’s Office for the Eastern District of Virginia, which is leading the case, said it seized cryptocurrency funds the BidenCash marketplace used to receive illicit proceeds from its operations.
    • “Authorities did not disclose the value of those seized cryptocurrency funds or identify the physical location of the administrators and infrastructure used by BidenCash. The U.S. Attorney’s Office for the Eastern District of Virginia did not immediately respond to questions.” 
  • Cybersecurity Dive adds,
    • “An international law enforcement operation has dismantled the computer infrastructure powering multiple strains of information-stealer malware.
    • “As part of “Operation Secure,” authorities in 26 Asian countries “worked to locate servers, map physical networks and execute targeted takedowns,” Interpol said in a statement. Law enforcement agencies worked with cybersecurity firms Group-IB, Kaspersky and Trend Micro to prepare assessments of their targets and shared that information with “cyber teams across Asia,” according to Interpol, resulting “in the takedown of 79 percent of identified suspicious IP addresses.”

From the cybersecurity vulnerabilities and breaches front,

  • The Wall Street Journal reports,
    • “Supermarket shelves are emptying out at some stores around the country, after a cyberattack hit a major distributor to Whole Foods Market and other chains.
    • “United Natural Foods said it detected unauthorized activity on its systems last week and took certain ones offline proactively.
    • “Disruptions to its operations have followed, United Natural said. Stores around the country have reported being unable to place orders. The company has told suppliers that it hopes to restore normal operations by Sunday, according to a notice viewed by The Wall Street Journal.” 
  • CISA added four known exploited vulnerabilities to its catalog this week.
    • June 9, 2025
      • CVE-2025-32433 Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability
      • CVE-2024-42009 RoundCube Webmail Cross-Site Scripting Vulnerability
        • The Hacker News discusses these KEVs here.
    • June 10, 2025
      • CVE-2025-24016 Wazuh Server Deserialization of Untrusted Data Vulnerability
      • CVE-2025-33053 Web Distributed Authoring and Versioning (WebDAV) External Control of File Name or Path Vulnerability
        • Akamai discusses the Wazuh Server KEV here.
        • Security Week discusses the WebDAV KEV here.
  • Cybersecurity Dive adds,
    • “Government agencies are operating with massive amounts of “security debt” — meaning unresolved vulnerabilities — putting them and the public at increased risk of falling victim to hackers, according to a Veracode report released Wednesday [June 11, 2025]. 
    • “Roughly 80% of government agencies have software vulnerabilities that have gone unaddressed for at least a year, and roughly 55% of them have long-standing software flaws that place them at even greater risk, the report found.
    • “Veracode’s research shows that it takes government agencies an average of 315 days to resolve half of their software vulnerabilities, compared to the combined public- and private-sector average of 252 days.
    • “But companies and agencies alike are falling short of the necessary investments and procedures to address insecure software, according to Veracode.”
  • Dark Reading warns,
    • “Secure Shell (SSH) keys are the backbone of secure remote access. They are everywhere, powering DevOps pipelines, enabling server management, and automating everything from deployments to patching. But despite their ubiquity, SSH keys often remain a blind spot in enterprise security. Why? Because unlike passwords, they don’t expire. They are easy to create, hard to track, and alarmingly simple to forget.
    • “In large enterprises, it is not uncommon to find hundreds of thousands or even millions of unmanaged SSH keys. Many of these grant access to sensitive systems but lack clear ownership or life-cycle oversight, turning what should be a secure authentication method into a major risk factor.
    • “If your organization cannot answer “Who can log in to what, using which key?” you are flying blind.”
  • Security Week notes,
    • “More than 40,000 security cameras worldwide are exposed to the internet, cybersecurity firm Bitsight warns.
    • “Operating over HTTP or RTSP (Real-Time Streaming Protocol), the cameras expose their live feed to anyone knowing their IP addresses, directly from the web browser, which makes them unintended tools for cyberattacks, espionage, extortion, and stalking, the company says.
    • “The HTTP-based cameras rely on standard web technologies for video transmission and control and are typically found in homes and small offices.
    • “Of the more than 40,000 cameras exposing their live feed, more than 14,000 are in the US, with Japan ranking second, at roughly 7,000 devices. Austria, Czechia, and South Korea have roughly 2,000 exposed cameras each, while Germany, Italy, and Russia have roughly 1,000 each.
    • “In the US, most of the exposed cameras are in California and Texas, followed by Georgia, New York, and Missouri. Massachusetts and Florida have high concentrations of exposed cameras as well.” * * *
    • “To keep these security cameras protected, users should secure their internet connections, replace default credentials, disable remote access if not needed, keep the devices always updated, and monitor them for unusual login attempts.”
  • and
    • “Trend Micro has released patches for ten vulnerabilities in Apex Central and Endpoint Encryption (TMEE) PolicyServer, including critical-severity flaws leading to remote code execution (RCE).
    • “The update for Apex Central resolves two critical bugs leading to RCE, tracked as CVE-2025-49219 and CVE-2025-49220 (CVSS score of 9.8). The security defects are similar, but were discovered in different methods, the company says.
    • “Both vulnerabilities are described as an insecure deserialization operation that could allow remote attackers to execute arbitrary code on affected installations, without authentication.
    • “Endpoint Encryption PolicyServer received fixes for eight flaws, including four critical and four high-severity defects.”
  • Per Bleeping Computer,
    • “Cloudflare has confirmed that the massive service outage yesterday was not caused by a security incident, and no data has been lost.
    • “The issue has been largely mitigated. It started 17:52 UTC yesterday [June 12, 2025] when the Workers KV (Key-Value) system went completely offline, causing widespread service losses across multiple edge computing and AI services.
    • “Workers KV is a globally distributed, consistent key-value store used by Cloudflare Workers, the company’s serverless computing platform. It is a fundamental piece in many Cloudflare services, and a failure can cause cascading issues across many components.”
    • “The disruption also impacted other services used by millions, most notably the Google Cloud Platform.”
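The Dark Reading item above ends on the question “Who can log in to what, using which key?” The following is an added example of how a defender can start answering it for one host: it parses an `authorized_keys` file, derives the same SHA256 fingerprint that `ssh-keygen -lf` prints, records any `from=`/`command=` restrictions, and flags keys with no owner comment, no restrictions, or a duplicate fingerprint. It is not Dark Reading’s tool or any vendor’s code; the sample file and the key bytes in it are constructed in the block and are not real keys.

```python
"""Inventory of one host's authorized_keys: who can log in, with which key, under what
restrictions. Added example; the sample data below is constructed, not a real file."""
import base64
import hashlib
import struct
from dataclasses import dataclass, field

_KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
              "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


@dataclass
class KeyEntry:
    key_type: str
    fingerprint: str            # "SHA256:<base64 without padding>", as ssh-keygen -lf prints
    comment: str                # usually the only hint at who owns the key
    options: dict = field(default_factory=dict)

    @property
    def restricted(self) -> bool:
        # A key pinned to a source network or a forced command is far less useful
        # to anyone who copies it than an unrestricted one.
        return "from" in self.options or "command" in self.options


def _tokenize(line: str) -> list:
    """Split on whitespace, but keep quoted strings (e.g. command="a b") together."""
    toks, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch.isspace() and not quoted:
            if cur:
                toks.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        toks.append("".join(cur))
    return toks


def _split_options(text: str) -> dict:
    """Turn 'from="10.0.0.0/8",no-pty' into {'from': '10.0.0.0/8', 'no-pty': True}."""
    opts, cur, quoted = {}, [], False
    for ch in text + ",":
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            tok = "".join(cur)
            if tok:
                name, sep, val = tok.partition("=")
                opts[name] = val if sep else True
            cur = []
        else:
            cur.append(ch)
    return opts


def _wire_type(raw: bytes) -> str:
    """First field of an SSH public key blob is a length-prefixed key type string."""
    if len(raw) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode(errors="replace")


def fingerprint(raw: bytes) -> str:
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def parse_line(line: str):
    """Return a KeyEntry, None for blank/comment lines, or raise ValueError."""
    toks = _tokenize(line.strip())
    if not toks or toks[0].startswith("#"):
        return None
    options = {}
    if toks[0] not in _KEY_TYPES:                 # leading options field present
        options, toks = _split_options(toks[0]), toks[1:]
    if len(toks) < 2 or toks[0] not in _KEY_TYPES:
        raise ValueError("no recognised key type")
    key_type, blob, comment = toks[0], toks[1], " ".join(toks[2:])
    raw = base64.b64decode(blob, validate=True)   # binascii.Error is a ValueError
    if _wire_type(raw) != key_type:               # sshd rejects mismatched entries too
        raise ValueError(f"declared {key_type} but blob says {_wire_type(raw)}")
    return KeyEntry(key_type, fingerprint(raw), comment, options)


def audit(text: str) -> dict:
    """Parse a whole authorized_keys file and list the findings a reviewer would want."""
    entries, seen, findings = [], {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            e = parse_line(line)
        except ValueError as exc:
            findings.append(f"line {lineno}: unparseable ({exc})")
            continue
        if e is None:
            continue
        entries.append(e)
        if not e.comment:
            findings.append(f"line {lineno}: no comment, so no identifiable owner")
        if not e.restricted:
            findings.append(f"line {lineno}: no from= or command= restriction")
        if e.fingerprint in seen:
            findings.append(f"line {lineno}: same key as line {seen[e.fingerprint]}")
        else:
            seen[e.fingerprint] = lineno
    return {"entries": entries, "findings": findings}


def make_blob(key_type: str, key_bytes: bytes) -> str:
    """Build a base64 SSH public key blob for the constructed sample (not a real key)."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(s(key_type.encode()) + s(key_bytes)).decode()


# Constructed sample file: the key material is just byte ranges, not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real authorized_keys file",
    f"ssh-ed25519 {make_blob('ssh-ed25519', bytes(range(32)))} alice@laptop",
    'from="10.0.0.0/8",command="/usr/local/bin/backup --server",no-pty ssh-ed25519 '
    f"{make_blob('ssh-ed25519', bytes(range(32, 64)))} backup-job",
    f"ssh-ed25519 {make_blob('ssh-ed25519', bytes(range(64, 96)))}",
    f"ssh-ed25519 {make_blob('ssh-ed25519', bytes(range(32)))} alice-old-copy",
    f"ssh-ed25519 {make_blob('ssh-rsa', bytes(8))} mislabelled",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS)["findings"]:
        print(finding)
```

Run against real files, the same `audit` call is the start of the inventory the article asks for: collect `~/.ssh/authorized_keys` (and any `AuthorizedKeysFile` paths from `sshd_config`) per host, key the results by fingerprint, and the keys with no owner, no restrictions, or many hosts are the ones to chase first.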

From the ransomware front,

  • The HIPAA Journal informs us,
    • “It has taken three weeks, but Kettering Health has confirmed that it has resumed normal operations for key services following its May 20, 2025, Interlock ransomware attack. Kettering Health has been releasing regular updates on the progress being made restoring its systems, confirming that the core components of its Epic EHR system were restored on the morning on June 2, 2025, which allowed patient data to be entered, and the backlog of data recorded on paper to start to be entered into patient records.
    • “Interlock’s access to its network and system was immediately terminated when the attack was discovered, and Kettering Health confirmed on June 5, 2025, that all of the ransomware group’s tools and persistence mechanisms had been eradicated from its systems. Kettering Health also confirmed that all systems were fully up to date with the latest versions of software installed and patches applied, and security enhancements had been implemented, including network segmentation, enhanced monitoring, and updated access controls. Kettering Health said it is confident that its cybersecurity framework and employee security training are sufficient to mitigate future risks.”
  • Cybersecurity Dive reports,
    • “Ransomware gangs have exploited a vulnerability in the SimpleHelp remote support program to breach customers of a utility billing software vendor, the Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday [June 12, 2025].
    • “The government advisory follows an earlier warning from CISA and the FBI that hackers associated with the Play ransomware gang had been targeting critical infrastructure organizations using the flaw in SimpleHelp’s remote management software.
    • “The new CISA alert highlights the risks of vendors not verifying the security of their software before providing it to customers.” * * *
    • “In its Thursday alert, CISA said the breach of the utility payment vendor reflected a “broader pattern” of such attacks.
    • “The agency urged “software vendors, downstream customers, and end users to immediately implement the Mitigations listed in this advisory based on confirmed compromise or risk of compromise.” 
    • “Vendors should isolate vulnerable SimpleHelp instances, update the software and warn customers, according to CISA, while customers should determine whether they are running the SimpleHelp endpoint service, isolate and update those systems and follow SimpleHelp’s additional guidance.”
  • Per Bleeping Computer,
    • “Fog ransomware hackers are using an uncommon toolset, which includes open-source pentesting utilities and a legitimate employee monitoring software called Syteca.
    • “The Fog ransomware operation was first observed last year in May leveraging compromised VPN credentials to access victims’ networks.
    • “Post-compromise, they used “pass-the-hash” attacks to gain admin privileges, disabled Windows Defender, and encrypted all files, including virtual machine storage.
    • “Later, the threat group was observed exploiting n-day flaws impacting Veeam Backup & Replication (VBR) servers, as well as SonicWall SSL VPN endpoints.”

From the cybersecurity defenses front,

  • Cybersecurity Dive lets us know,
    • “The threat of cyberattacks represents the most serious challenge for businesses in the coming year, the advisory firm Kroll said in a report published Thursday [June 12, 2025].
    • “Roughly three-quarters of respondents said their cybersecurity and privacy concerns had increased over the past year, with nearly half citing malware and more than a third citing data extortion as specific fears.
    • “Kroll’s survey of 1,200 respondents from more than 20 countries, conducted in February, provides some measure of how businesses are thinking about and dealing with cyber worries as global tensions escalate.”
  • and
    • “Artificial intelligence is poised to transform the work of security operations centers, but experts say humans will always need to be involved in managing companies’ responses to cybersecurity incidents — as well as policing the autonomous systems that increasingly assist them.
    • “AI agents can automate many repetitive and complex SOC tasks, but for the foreseeable future, they will have significant limitations, including an inability to replicate unique human knowledge or understand bespoke network configurations, according to experts who presented here at the Gartner Security and Risk Management Summit.
    • “The promise of AI dominated this year’s Gartner conference, where experts shared how the technology could make cyber defenders’ jobs much easier, even if it has a long way to go before it can replace experienced humans in a SOC.
    • “As the speed, the sophistication, [and] the scale of the attacks [go] up, we can use agentic AI to help us tackle those challenges,” Hammad Rajjoub, director of technical product marketing at Microsoft, said during his presentation. “What’s better to defend at machine speed than AI itself?”
  • Dark Reading explains “Why CISOs Must Align Business Objectives & Cybersecurity. This alignment makes a successful CISO, but creating the same sentiment across business leadership creates a culture of commitment and greatly contributes to achieving goals.”
  • Here is a link to Dark Reading’s CISO Corner.

Thursday report

From Washington, DC

  • The Wall Street Journal reports
    • “House Republicans narrowly passed a $9.4 billion rescissions package that includes cuts to foreign aid as well as the entity that funds National Public Radio and the Public Broadcasting Service.
    • “The vote was 214-212, after some last-minute arm-twisting by GOP leaders convinced two Republicans to switch their votes to yes from no. All Democrats were opposed. The package now heads to the Senate, where it could face more scrutiny from Republicans.”
  • Beckers Payer Issues tells us,
    • “Proposed changes to Medicare Advantage are unlikely to be included in a final budget deal, The Hill reported June 11. 
    • “Senators had floated adding provisions of the No UPCODE Act, which targets overpayments in the program, to the massive federal budget bill. 
    • “Sen. Kevin Cramer, R-N.D., who first raised the idea of targeting MA savings in the bill, told The Hill the final legislation is unlikely to touch Medicare.”
  • STAT News informs us,
    • “The Trump administration is pushing pharmaceutical companies to begin negotiations to bring their drug prices in line with what other countries pay — usually far less than Americans.
    • “Under President Trump’s direction, HHS is demanding that pharmaceutical companies end their obstruction and come to the table—just as they already do with nearly every other economically comparable nation—to negotiate fair, transparent pricing for Americans,” an agency spokesperson said in a statement to STAT, adding that the companies were “prevent[ing] progress of lowering prices for the American people.”
    • “The spokesperson did not immediately clarify how companies were preventing that progress. The administration’s statement comes after pharmaceutical executives said they were expecting more details about the kinds of drugs that would be up for negotiations and the price targets for them. 
    • “It also comes after a number of drug companies have met with the administration. At least three firms said this week that talks have not yet gotten into the details of pricing, instead mostly consisting of exchanging high-level ideas about the pharmaceutical market.”
  • The International Foundation of Employee Benefit Plans points out
    • The Internal Revenue Service (IRS) issued 2025 draft 1094-B, 1095-B, 1094-C, and 1095-C forms for use by employers, plan sponsors and group health insurers to report health coverage to plan members and the IRS.
  • Per MedTech Dive,
    • “Medtronic has recalled ventilators and asked customers to stop using the devices because of a fault linked to two serious injuries and one death, the company said Wednesday.
    • “Affected Newport HT70 and HT70 Plus ventilators can shut down during use or fail to effectively sound the shutdown alert alarm. The company also recalled certain related Newport service parts. There have been 63 medical device reports about the problem.
    • “The Food and Drug Administration said in a Class 1 recall database entry about the fault this week that 4,842 affected ventilators are in commerce worldwide.”

From the judicial front,

  • Bloomberg Law reports,
    • A trio of air ambulance providers lost [Dropbox link] an appeals court bid to overturn a decision in two surprise medical bill disputes, narrowing the legal path for physicians to challenge alleged malfeasance from health insurers in court.
    • The consolidated case revolves around two conflicting provisions of the No Surprises Act, which requires doctors and insurers to settle unexpected out-of-network bills via arbitration rather than balance billing the patient. 
    • The US Court of Appeals for the Fifth Circuit’s decision accompanies a separate ruling also issued [Dropbox link] Thursday in which the same panel of judges upheld a lower court’s decision, similarly, asserting that surprise billing arbitration disputes may not be addressed through litigation.
    • The Fifth Circuit sided against air ambulance companies Guardian Flight LLC, Reach Air Medical Services LLC, and Calstar Air Medical Services LLC in the consolidated case challenging Aetna Health Inc., Kaiser Foundation Health Plan Inc., and arbitrator Medical Evaluators of Texas ASO LLC over what the providers said were misrepresentations during the arbitration process. 
    • Judges Stuart Kyle Duncan, a Donald Trump appointee, Jerry E. Smith, a Ronald Reagan appointee, and Edith Brown Clement, a George H. W. Bush appointee, also reversed the lower court’s ruling in determining that MET was protected from litigation under the No Surprises Act.

From the public health and medical research front,

  • CBS News reports,
    • “Check your medicine cabinet — Zicam nasal swabs and Orajel baby teething swabs are being recalled due to potential microbial contamination, according to federal health officials.
    • “In an alert from the U.S. Food and Drug Administration, Church & Dwight Co., Inc., the brands’ manufacturer, voluntarily issued the recall after the potential contamination was discovered, which was identified as fungi in the cotton swab components of the products. 
    • “The recalled products include all lots of Zicam Cold Remedy Nasal Swabs (with UPC 732216301205), all lots of Zicam Nasal AllClear Swabs (UPC 732216301656) and all lots of Orajel Baby Teething Swabs (UPC 310310400002). All other Zicam and Orajel products are not affected by this recall, the FDA said.
    • “Consumers with any recalled products should stop using them immediately, the FDA advised.”
  • Health Imaging notes,
    • “New MRI data suggest that patients who weathered severe cases of COVID-19 may sustain long-lasting heart damage. 
    • “Specifically, researchers have uncovered evidence indicating patients who have been hospitalized with the virus may develop long-term left ventricular systolic dysfunction and coronary microvascular dysfunction. These findings were detailed this week in JAMA Network Open, where experts revealed the damage was evident on imaging nearly one year after patients had recovered from their initial infection. 
    • “In long COVID, or postacute sequelae of SARS-CoV-2 infection (PASC), patients commonly experience cardiopulmonary symptoms, including dyspnea, palpitations, chest pain, and fatigue, which impair quality of life and functional capacity,” Jannike Nickander, MD, PhD, with the department of clinical physiology at Karolinska University Hospital, in Sweden, and colleagues noted. “The underlying pathophysiological mechanisms are not fully understood but may stem from myocardial injury sustained during acute COVID-19 due to hypoxia, systemic hyperinflammation, hypercoagulability, and direct viral invasion of endothelial cells and cardiomyocytes.” 
  • Fierce Healthcare relates,
    • “Urine drug test (UDT) data can generate timely estimates of overdose deaths, a new study suggests. 
    • “The study, published in JAMA Network Open by specialty lab Millennium Health and The Ohio State University, aimed to determine whether UDT data could provide near real-time indications of overdose trends. Effective responses to the overdose crisis must be prompt, the study noted, which requires a timely evaluation of current trends. However, current publicly available data on fatal overdoses in the U.S. can lag by at least six months. 
    • “We were determined to close that gap,” Eric Dawson, vice president of clinical affairs at Millennium Health, told Fierce Healthcare. “We wanted to be able to tell people, here’s what’s happening today with overdoses—compared to here’s what you’re being told today happened six months ago.” 
  • The International Foundation of Employee Benefit Plans offers a new look at virtual care.
    • “What’s next for virtual care? One area of focus is the further development of hybrid solutions that offer virtual-first care coupled with in-person clinics. Many vendors are also introducing their own health plan and/or TPA for a virtual-first solution. These can be offered alongside traditional health plans (e.g., not necessarily as a full replacement offering). Supplemental and/or coordinating carrier care management is also an avenue explored by new digital health startups offering virtual care. Another trend influencing virtual care is the development of artificial intelligence (AI) as a tool and the related ability to become more predictive and proactive around population health management and outreach. It will be important, however, for employers to track how these virtual offerings impact quality outcomes, engagement and positive user experience.
    • “Overall, the opportunity is clear—Virtual care as a component of a broader health care system can provide convenient and efficient care while increasing access and lowering costs for employer populations. Integration with in-person care will always be important, but technological developments will pave the way to create a more seamless patient experience.”

From the U.S. healthcare business front,

  • BioPharma Dive reports,
    • “COVID vaccine maker BioNTech is buying rival CureVac, announcing Thursday an all-stock deal weeks before the two companies were due to face off in a German court over potentially billions of dollars worth of royalties related to intellectual property on messenger RNA drugs.
    • “Per deal terms, each CureVac share will be exchanged for about $5.46 worth of BioNTech’s U.S.-listed shares, valuing the company at $1.25 billion. Upon the deal’s close, CureVac shareholders will own between 4% and 6% of BioNTech.
    • “In the early days of the COVID-19 pandemic, BioNTech and CureVac were among the companies racing to develop the first coronavirus vaccines. BioNTech, however, partnered with Pfizer and won approval of the first COVID-19 shot, while CureVac’s program never made it to market. The two companies have since been embroiled in patent litigation.”
  • Per Healthcare Dive,
    • “Cigna unveiled a number of new digital tools on Thursday meant to improve customer experience with its health benefits portal, including a virtual assistant based on generative artificial intelligence.
    • “The rollout — part of the insurer’s larger push to make it easier for members to access and afford the benefits they’re due — also includes a new tool to match patients to in-network providers.
    • “Experts have raised concerns about rising adoption of AI in the healthcare sector due to the technology’s tendency to make mistakes. Cigna said its new features were developed with “rigorous” research and testing within an AI governance framework.”
  • and
    • “Mergers and acquisitions should play an “important role” in Teladoc’s future business strategy, the virtual care firm’s CEO said Wednesday. 
    • “We’re going to make investments not just for the short term, but things that we think are going to start to increase that [total addressable market], start to increase the scope and range of what we can do. And we think that’s the right place to deploy our capital,” CEO Chuck Divita said at the Goldman Sachs Global Healthcare Conference.
    • “The telehealth company has already completed two acquisitions this year, scooping up preventive care firm Catapult Health in February and virtual mental health provider UpLift last month.”
  • Beckers Hospital Review calls attention to “six hospital partnerships and proposed deals that were called off or unwound so far this year.”

Weekend update

From Washington, DC,

  • The Senate maintains a daily Executive Calendar. There are now eight nominees whose names were reported to the Senate floor before Scott Kupor. According to the unanimous consent resolution page in the front of the calendar, the Senate will consider tomorrow the nominations of the earliest reported nominee David Fotouhi (March 13) and two nominees reported in May after Mr. Kupor (April 9). The FEHBlog thinks that this is the pattern that the Senate leadership is following, which means that the Senate is likely to take up Mr. Kupor’s nomination later this month.
  • Roll Call summarizes expected Congressional activities for this week here.
    • As Senate committees continue to release their proposals for the House-passed reconciliation package this week, the House plans to vote on President Donald Trump’s proposals to rescind foreign aid and other spending, including for public broadcasting.
    • “The rescissions request sent to Congress by the Trump Administration takes the federal government in a new direction where we actually cut waste, fraud, and abuse and hold agencies accountable to the American people,” House Majority Leader Steve Scalise, R-La., said in a statement.
  • The Supreme Court will be issuing another batch of opinions this coming Thursday.
  • Last Thursday, HR Dive tells us,
    • “A federal appeals court’s “background circumstances” requirement for majority-group plaintiffs who seek to prove job discrimination cuts against both Title VII of the 1964 Civil Rights Act and U.S. Supreme Court precedent, Justice Ketanji Brown Jackson wrote for a unanimous SCOTUS on Thursday.
    • “The court reversed the 6th U.S. Circuit Court of Appeals’ decision in Ames v. Ohio Department of Youth Services, which had dismissed a heterosexual woman’s claim that she was unlawfully passed over for a promotion in favor of a lesbian woman and subsequently demoted, after which a gay man was hired to fill her original role. The plaintiff alleged that those decisions constituted illegal discrimination on the basis of her sexual orientation, which the Supreme Court has said is a form of sex-based discrimination under Title VII.
    • “The 6th Circuit held that the plaintiff could not show background circumstances to support her suspicion that her employer discriminated against her on the basis of her status as a member of a majority group.
    • “Justice Jackson, however, wrote that such requirements flout the Supreme Court’s case law, which “makes clear that the standard for proving disparate treatment under Title VII does not vary based on whether or not the plaintiff is a member of a majority group.”
    • “The court vacated and remanded the case to the 6th Circuit for further proceedings.”
  • Federal News Network interviews Tammy Flanagan about “what retiring feds need to know about their benefits in transition.”
    • “Timing is everything when thinking about when to drop your retirement paperwork. Understanding what happens to your leave balances, health insurance, and survivor benefits can inform that decision. Here with more on those key considerations is the Founder and Principal Retirement specialist at Retire Federal, Tammy Flanagan.”

From the public health and medical research front,

  • The University of Minnesota’s CIDRAP informs us,
    • “A new gene-tracking study in Nature shows that mpox spread among people in Nigeria for 8 years before it sparked a global outbreak in 2022.
    • “Using genomic tracing, researchers from Nigeria, the United States, Cameroon, Ethiopia, and Belgium estimate that the ancestor of the clade 2 mpox virus (mpxv) that ignited an international outbreak beginning in May 2022 first emerged in southern Nigeria in August 2014 and spread to 11 Nigerian states before human infections were detected in 2017. 
    • “In light of the findings, the authors write, “We need improved surveillance in the wildlife population in the forest systems to better understand the transmission and maintenance of MPXV in animal hosts,” as well as better human surveillance.
    • “We could have very easily prevented the 2022 multi-country outbreak if countries in Africa were given better access to therapeutics, vaccines, and surveillance technologies,” says first author Edyth Parker, PhD, MPhil, a researcher with the Institute of Genomics and Global Health and with the International Biosecurity and Biosafety Initiative for Science, in a Scripps Research news release. “In a vulnerably connected world, we cannot neglect epidemics until they get exported to the Global North.”
  • Medscape offers these reports from the recent American College of Obstetricians and Gynecologists (ACOG) 2025 Annual Meeting.
    • Changing the prescribing protocol for low-dose aspirin (LDA) for preeclampsia prevention from risk-based to universal significantly increased aspirin use in pregnant patients, based on new data presented at the American College of Obstetricians and Gynecologists (ACOG) 2025 Annual Meeting.
    • The use of LDA to reduce the risk for preeclampsia has been well established as an inexpensive and simple intervention, but it has remained underutilized nationwide, said lead author Meryl Y. Grimaldi, MD, of SBH Health System, New York City, in an interview.
    • “Many of the patients we care for at SBH Health are at high risk for preeclampsia, but we wanted to ensure that our eligible patients received the benefits of this intervention,” said Grimaldi, who presented the study at the meeting.
  • and
    • “Clinicians need to discuss and offer all patients a variety of pain management options for in-office gynecologic procedures ranging from intrauterine device (IUD) insertion to biopsies, according to new guidance published by the American College of Obstetricians and Gynecologists (ACOG). The guidelines, published on May 15, are the first formal ones from ACOG to not only acknowledge the range of pain experiences that can be associated with different procedures but also to explicitly lay out recommendations for the conversations providers should have with their patients about what pain management options are available.
    • “This guidance speaks to more than just Ob/Gyns,” Co-Author Genevieve Hofmann, DNP, women’s health nurse practitioner and assistant professor of Ob/Gyn at the University of Colorado School of Medicine in Aurora, Colorado, said during a discussion with the press on May 17 at American College of Obstetricians and Gynecologists (ACOG) Annual Meeting in Minneapolis. “It speaks to any physician who’s providing these types of services and certainly to advanced practice registered nurses who work in women’s health and provide these services.”
  • Medscape adds,
    • Regeneron said on Monday [June 2, 2025,] its experimental drug helped patients preserve up to 51% of lean mass and lose more fat when used in combination with Novo Nordisk’s popular obesity drug Wegovy in a mid-stage trial. 
    • In the 599-patient study, those on Wegovy alone lost about 7.9 pounds of muscle, while those on a combination of Regeneron’s trevogrumab and Wegovy lost up to 4.2 pounds. 
    • The combination helped patients shed up to 11.3% of their body weight compared with 10.4% for those on only Wegovy. 
    • The results mark an early win for Regeneron in the race against nearly a dozen companies to develop obesity treatments that preserve muscle, as they vie for a share of the potential $150 billion weight-loss drug market. 

From the U.S. healthcare business front,

  • Medical Economics “spoke with Mark McClellan, M.D., Ph.D., director, Duke-Margolis Institute for Health Policy, and a former administrator at CMS, about why value-based care hasn’t been adopted more quickly,” and lets us know that “New Marit Health data from May, 2025, reveal that physicians feel most satisfied where compensation aligns with cost of living, practice expectations and quality of life. These 10 states show that perceived fairness matters just as much as raw earnings.”
  • The Wall Street Journal reports,
    • Unexpected healthcare costs can arise in retirement, such as uncovered drugs, isolation and concierge care.
    • Medicare Part D may not cover all drugs, potentially leading to high out-of-pocket expenses for uncovered medications.
    • Retirees may face unexpected travel costs for medical care based on retirement location or feel compelled to pay for concierge medical care.
  • All PSHB plans and most FEHB plans offer Medicare Part D plans that are integrated with the regular plan formulary, thereby reducing one of the Journal’s identified risks.
  • Per BioPharma Dive,
    • “Hiroyuki Okuzawa holds an enviable position. The veteran Daiichi Sankyo executive took over as the Japanese drugmaker’s new CEO two months ago and inherited a company whose cancer medicines have, over the past half-decade, won it three of the pharmaceutical industry’s largest licensing deals.
    • “One of those medicines, the antibody-drug conjugate Enhertu, again took the spotlight at the American Society of Clinical Oncology’s annual meeting here, showing potential to become part of standard therapy for the frontline treatment of advanced breast cancer. It did the same in 2022 and 2024.
    • “Okuzawa can point to Enhertu and four other antibody-drug conjugates Daiichi Sankyo’s developing with AstraZeneca and Merck & Co. as proof of the strength of its research laboratories. By 2030, the company plans to have these five “ADCs” approved across more than 30 tumor types, which would allow it to treat nearly 400,000 cancer patients each year.
    • “We’d like to become one of the most important players in oncology,” said Okuzawa, noting aspirations to crack the top 10 companies by cancer drug sales. “Our senior leaders are now talking about not only top 10, but maybe top 5. We’re very much confident in our ADCs.”
  • Per Fierce Healthcare,
    • Neuroscience technology company Brooklyn Health is using artificial intelligence to target a fundamental problem in neurology and psychiatry: the flawed approach to mental health outcomes measurement.
    • The startup aims to modernize mental health measurement and scoring in central nervous system (CNS) drug development, an area of CNS research that faces limitations in objectivity and standardization. 
    • “Clinical interviews, the standard for symptom assessment, are fundamentally unreliable and imprecise,” said Anzar Abbas, Ph.D., a neuroscientist and founder of Brooklyn Health, in an interview.
    • “Brooklyn’s platform uses AI and digital phenotyping methods it developed to evaluate the quality and scoring of clinical interviews in real time.” * * *
    • “Brooklyn’s current focus in on drug development and central nervous system clinical trials to improve outcome measurement, essentially, how well a drug is working. But the company has ambitions beyond clinical trials to support outcome measurement across all forms of behavioral health delivery, including in-clinic psychiatric care and virtual mental health platforms.” 
  • The Washington Post reports on a smartphone app, Death Clock AI, that predicts how many years a user has left before beginning to push up daisies, as they say.

Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Yesterday, the President issued a cybersecurity executive order. Here is a link to the related fact sheet.
  • Federal News Network adds,
    • “President Donald Trump has signed a new cybersecurity executive order that continues many of the policies of his predecessors, while also marking out some key changes in the approach to software security, digital identity and more.
    • “The new executive order, “Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity,” modifies many aspects of a cyber EO signed by President Joe Biden in January. It also makes changes to executive orders signed by President Barack Obama to focus federal cybersecurity law enforcement efforts on foreign nationals.
    • “But Trump’s new EO continues key aspects of Biden directives, including an effort to strengthen the Cybersecurity and Infrastructure Security Agency’s role in defending civilian federal networks.” * * *
    • “The latest cybersecurity executive order also maintains federal efforts around post-quantum cryptography, Border Gateway Protocol, and advanced encryption.
    • “But it eliminates the January order’s directive for agencies to require federal software vendors to provide evidence of following secure development practices.
    • “Instead, Trump directs the National Institute of Standards and Technology to establish a new consortium with industry “that demonstrates the implementation of secure software development, security, and operations practices” based on NIST’s Secure Software Development Framework.”
  • Per Cybersecurity Dive,
    • “Trump’s elimination of Biden’s software security requirements for federal contractors represents a significant government reversal on cyber regulation. Following years of major cyberattacks linked to insecure software, the Biden administration sought to use federal procurement power to improve the software industry’s practices. That effort began with Biden’s 2021 cyber order and gained strength in 2024, and then Biden officials tried to add teeth to the initiative before leaving office in January. But as it eliminated that project on Friday, the Trump administration castigated Biden’s efforts as “imposing unproven and burdensome software accounting processes that prioritized compliance checklists over genuine security investments.”
    • “Trump’s order eliminates provisions from Biden’s directive that would have required federal contractors to submit “secure software development attestations,” along with technical data to back up those attestations. Also now eradicated are provisions that would have required the Cybersecurity and Infrastructure Security Agency to verify vendors’ attestations, required the Office of the National Cyber Director to publish the results of those reviews and encouraged ONCD to refer companies whose attestations fail a review to the Justice Department “for action as appropriate.”
  • Cyberscoop reports,
    • “Sean Cairncross laid out his vision to senators Thursday for the Office of the National Cyber Director if he is confirmed to lead it.
    • “A goal of mine is to make sure this office sits at the place that this committee and I believe Congress intended in the statute, and that is to lead cyber policy coordination across the federal government,” he told the Homeland Security and Governmental Affairs Committee at his confirmation hearing.
    • “In doing that, working with our interagency partners is vital,” he said. “We’ve been empowered to work with [the Office of Management and Budget] to ensure that budget alignment among the interagency aligns with administration policy, and I think those tools have to be leveraged, and relationships between us and the interagency — it’s making sure that it is monitored and enforced.”
  • Cybersecurity Dive adds,
    • “Two coalitions of cybersecurity companies, professional associations and experts have endorsed Sean Plankey and Sean Cairncross, President Donald Trump’s nominees to serve as director of the Cybersecurity and Infrastructure Security Agency and national cyber director, respectively.
    • “Plankey and Cairncross’s backers include executives at cybersecurity firms, former senior government officials from administrations of both parties and leaders of trade groups and think tanks.”
  • Per Bleeping Computer,
    • “The U.S. Department of State has announced a reward of up to $10 million for any information on government-sponsored hackers with ties to the RedLine infostealer malware operation and its suspected creator, Russian national Maxim Alexandrovich Rudometov.
    • “The same bounty covers leads on state hackers’ use of this malware in cyber operations targeting critical infrastructure organizations in the United States.
    • “This bounty is posted as part of the Department of State’s Rewards for Justice program established by the 1984 Act to Combat International Terrorism, which rewards informants for tips that help identify or locate foreign government threat actors behind cyberattacks against U.S. entities.”
  • Per Cyberscoop,
    • “Federal authorities on Thursday [June 5, 2025] said they seized $7.74 million from North Korean nationals as they attempted to launder cryptocurrency obtained by IT workers who gained illegal employment and funneled the wages to the North Korean regime.
    • “The allegedly illegally obtained funds were linked to Sim Hyon Sop, a representative of North Korean Foreign Trade Bank, and Kim Sang Man, CEO of Chinyong, an outfit associated with North Korea’s Ministry of Defense, the Justice Department said. Both North Korean nationals were added to the Treasury Department’s Office of Foreign Assets Control’s list of sanctioned individuals in 2023.
    • “The cryptocurrency seizure marks another action in a series of long-running law enforcement efforts to identify and prevent North Korean operatives from gaining employment at companies, evading U.S. sanctions, and sending payroll back to the North Korean government.”
  • Per Security Week,
    • “German authorities have named Russian national Vitaly Nikolaevich Kovalev as the founder and leader of the TrickBot cybercrime gang.”
    • “Established in 2016, the TrickBot group is believed to have infected millions of computers worldwide, exfiltrating sensitive information such as credentials, banking and credit card details, and personal information, while also enabling the deployment of other malware, such as ransomware.
    • “Authorities targeted TrickBot’s infrastructure in takedown attempts in 2020 and 2024 and announced charges and sanctions against over a dozen group members in 2023, including Kovalev, believed at the time to be a senior figure within the cybercrime ring.”

From the cybersecurity vulnerabilities and breaches front,

  • CISA added nine known exploited vulnerabilities to its catalog this week.
  • Bleeping Computer tells us,
    • “A threat actor has re-released data from a 2021 AT&T breach affecting 70 million customers, this time combining previously separate files to directly link Social Security numbers and birth dates to individual users.
    • “AT&T told BleepingComputer that they are investigating the data but also believe it originates from the known breach and was repackaged into a new leak.
    • “It is not uncommon for cybercriminals to repackage previously disclosed data for financial gain. We just learned about claims that AT&T data is being made available for sale on dark web forums, and we are conducting a full investigation,” AT&T told BleepingComputer.”
  • and
    • “Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions.
    • “The most severe of the three is a critical static credential vulnerability tracked as CVE-2025-20286, found by GMO Cybersecurity’s Kentaro Kawane in Cisco ISE. This identity-based policy enforcement software provides endpoint access control and network device administration in enterprise environments.
    • “The vulnerability is due to improperly generated credentials when deploying Cisco ISE on cloud platforms, resulting in shared credentials across different deployments.”
  • Dark Reading informs us,
    • “ClickFix campaigns are gaining steam according to various security researchers, with recent campaigns spotted across the globe from a wide swath of cyberattackers. The increasingly popular tactic represents a significant new evolution for social engineering, researchers say — and enterprises need to take note.
    • “ClickFix activity has been snowballing: Darktrace said yesterday that it recently identified multiple ClickFix attacks across customer environments in Europe, the Middle East, and Africa (EMEA), and in the United States; while SlashNext, in a separate report, detailed an unusual version of the attack vector that impersonates Cloudflare Turnstile, which is the Web protection company’s CAPTCHA-like Turing test. Also, this week, Cofense outlined a campaign that spoofed Booking.com CAPTCHAs, targeting hotel chains with remote access Trojans (RATs) and infostealers.”
  • and
    • The Federal Bureau of Investigation (FBI) warned that cybercriminals are compromising Internet of Things (IoT) devices connected to home networks through the BADBOX 2.0 botnet.
    • The BADBOX 2.0 botnet was discovered several months ago after the original BADBOX campaign was disrupted in 2024. Human Security’s Satori Threat Intelligence and Research team, alongside Google, Trend Micro, the Shadowserver Foundation, and others, were able to partially disrupt the “complex and expansive” BADBOX 2.0 operation, noting that it remains the largest botnet of infected connected TV (CTV) devices ever uncovered.
  • Per Cybersecurity Dive,
    • “A financially motivated hacker group has been targeting Salesforce instances for months in a campaign that uses voice phishing to engage in data theft and follow-on extortion attempts, according to Google Threat Intelligence Group.
    • “The hackers, whom Google tracks as UNC6040, impersonated IT workers and tricked employees at often English-speaking branches of multinational companies into sharing sensitive credentials that were then used to access the organizations’ Salesforce data, Google said in a blog post published Wednesday.
    • “As part of the social engineering campaign, the hackers tricked workers at these companies into visiting the Salesforce-connected app setup page, at which point the attackers used an unauthorized, malicious version of the Salesforce Data Loader app to access and steal sensitive information from the customers’ Salesforce environments. 
    • “Beyond the immediate data thefts, the hackers were able to move laterally within target networks, accessing victims’ other cloud services and moving into internal corporate networks.”

From the ransomware front,

  • The American Hospital Association warns,
    • “The FBI, Cybersecurity and Infrastructure Security Agency and Australian Cyber Security Centre June 4 released an advisory on updated actions and tactics used by the Play ransomware group. The group, active since 2022, has impacted a wide range of businesses and critical infrastructure in North America, South America and Europe. As of May, the FBI was aware of about 900 victims allegedly exploited by the group’s efforts.
    • “The threat actors are presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. They employ a double-extortion model that encrypts systems after exfiltrating data. Their ransom notes do not include an initial ransom demand or payment instructions. Instead, victims are instructed to contact the threat actors via email.
    • “Play ransomware was among the most active cyberthreat groups in 2024,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “This report highlights their evolving tactics, and health care cybersecurity teams should be aware of the changes. As threat actors shift tactics, it is critical that network defenders keep pace. The double-layered extortion model and encryption of systems, as well as theft of data, pose a serious potential risk to hospitals and the delivery of health care.”
  • Cybersecurity Dive adds,
    • “Since mid-January, multiple ransomware groups, including initial access brokers affiliated with Play, have targeted vulnerabilities in a remote support tool called SimpleHelp. Researchers disclosed those flaws in January.
    • “The new advisory updates the government’s original December 2023 warning about the Play ransomware group, which is also known as PlayCrypt. The hackers have previously been blamed for attacks targeting ConnectWise ScreenConnect and Rackspace.
    • “The recent attacks exploiting SimpleHelp involve three flaws discovered by security firm Horizon3.ai.”
  • Bleeping Computer lets us know,
    • “Healthcare giant Kettering Health, which manages 14 medical centers in Ohio, confirmed that the Interlock ransomware group breached its network and stole data in a May cyberattack.
    • “Kettering Health operates over 120 outpatient facilities and employs over 15,000 people, including over 1,800 physicians.
    • “The healthcare network noted in a Thursday statement that its network devices have been secured, and its team is now working on re-establishing communication channels with patients disrupted by the outage triggered by last month’s ransomware attack.”
  • Security Week adds,
    • “American media company Lee Enterprises revealed this week that the disruptive cyberattack it dealt with earlier this year resulted in a data breach impacting nearly 40,000 individuals.
    • “Lee Enterprises owns 350 weekly and specialty publications across 25 states, and dozens of them suffered disruptions in February as a result of a ransomware attack that involved the encryption of critical applications and the theft of files.
    • “The company informed the Maine Attorney General’s Office this week that it recently completed its investigation into the incident and determined that personal information was compromised.
    • “According to Lee Enterprises, the attackers may have obtained the information of 39,779 people, including their names and Social Security numbers.
    • “Affected individuals are being offered 12 months of free credit monitoring and identity protection services.”
  • Honeywell lets us know,
    • “In a growing wave of sophisticated cyber threats against the industrial sector, ransomware attacks jumped by 46% from Q4 2024 to Q1 2025, according to Honeywell’s new 2025 Cybersecurity Threat Report. The research also found that both malware and ransomware increased significantly in this period and included a 3,000% spike in the use of one trojan designed to steal credentials from industrial operators.”
    • “To learn more and download the full report, visit our website.”

From the cybersecurity business and defenses front,

  • Cybersecurity Dive reports,
    • “Microsoft and CrowdStrike will lead a cooperative effort to map out the overlapping web of hacker groups that their researchers have disclosed and named, the companies said on Monday. 
    • “Palo Alto Networks and Google and its Mandiant unit have also agreed to join the collaborative effort on streamlining threat group taxonomy.
    • “For years, the companies’ different naming conventions for various criminal and state-linked threat groups have created unnecessary confusion and delays in the sharing of threat intelligence.
    • “Microsoft and CrowdStrike released an initial version of their threat actor matrix on Monday, listing the groups they track and each one’s corresponding aliases from other researchers.
    • “Palo Alto Networks and Google and its Mandiant unit are joining the collaborative effort on streamlining threat group taxonomy.”
  • The Wall Street Journal reports,
    • “CrowdStrike swung to a loss in the fiscal first quarter and posted a lower-than-expected outlook, as the costs of its outage last summer continue to weigh on results.
    • “The cybersecurity company said Tuesday its revenue is still being hurt by an incentive program it launched last year to try to retain customers after a widespread software outage in July.
    • “CrowdStrike had implemented a customer-commitment program, which let customers try some products for free, and was weighing on its subscription revenue. The program wrapped up at the end of fiscal-year 2025, but its effects are lingering.”
  • Dark Reading tells us,
    • “F5 this week announced the acquisition of Fletch, a San Francisco-based startup with agent-based artificial intelligence (AI) technology that analyzes massive amounts of threat intelligence data and remediates the most severe vulnerabilities in real time.
    • “Terms of the deal were not disclosed, but most of Fletch’s 15 employees have joined F5, which was seeking the technology and expertise to bring agentic AI capabilities to the recently introduced F5 Application Delivery and Security Platform (ADSP).”
  • Help Net Security points out,
    • “Cybersecurity leaders and consultants identified AI-driven automation and cost optimization as top organizational priorities, according to Wipro. 
    • “30% of respondents are investing in AI automation to enhance their cybersecurity operations. AI-driven automation can help in detecting and responding to threats more quickly and accurately, thereby reducing the need for extensive manual intervention.
    • “26% of respondents are focusing on tools rationalization. This approach involves evaluating and consolidating duplicate security tools across platforms to eliminate redundancies and improve efficiency while reducing costs.
    • “Another significant area is security and risk management process optimization, with 23% of organizations targeting this for cost savings. Streamlining these processes can lead to more effective risk management and better allocation of resources. Apart from these priorities, 20% are focusing on simplifying operating models to achieve better visibility and faster response across reduced attack surfaces.”
  • Here is a link to Dark Reading’s CISO Corner.