Last week, healthcare data targeted by cybercriminals, lax security compromises PII, and Google has access to personal health information of millions.
United States - InterMed
Exploit: Compromised email account
InterMed: Maine-based physician group
Risk to Small Business: 1.777 = Severe: Hackers gained access to four employee email accounts that contained patients’ protected health information. The first employee account was accessed on September 6th, and the subsequent accounts were available between September 7th and September 10th. Although InterMed did not report the specific vulnerability that led to the breach, credential stuffing and phishing attacks were likely the culprits. The company’s slow response time and the sensitive nature of the compromised data will result in regulatory scrutiny that will amplify the post-breach impact.
Individual Risk: 2.428 = Severe: Patients’ protected health data was compromised in the breach. This includes names, dates of birth, health insurance information, and clinical data. In addition, some Social Security numbers were exposed to hackers. This information has a ready market on the Dark Web, and those impacted by the breach should take every precaution to protect their identity.
Customers Impacted: 30,000
How it Could Affect Your Customers’ Business: Data breaches are becoming increasingly costly, so sufficiently addressing defensible threats should be a top priority for every organization. Employee email accounts are often a top target for hackers who use phishing campaigns and credential stuffing attacks to gain access to their account data. Comprehensive awareness training and Dark Web services that provide advanced notification when credentials are compromised can position companies to protect this easy access point from bad actors.
United States - Brooklyn Hospital Center
Brooklyn Hospital Center: Full-service community teaching hospital
Risk to Small Business: 2.111 = Severe: A ransomware attack struck Brooklyn Hospital Center, making some patient data inaccessible while deleting other information entirely. The ransomware originated with unusual network activity in July, but it wasn’t until September that the hospital determined that certain data would never be recoverable. However, it’s unclear why it took another month to notify the public of the disabled or missing data. As healthcare providers both big and small face the threat of ransomware attacks, this lengthy reporting delay can compound the problem as it ushers in the opportunity for more hostile consumer blowback.
Individual Risk: 2.285 = Severe: Brooklyn Hospital Center declined to identify the specific data compromised in the breach, but healthcare providers are often a target for cybercriminals because of the sensitive nature of this information. Therefore, anyone impacted by the breach should take the necessary steps to ensure their data security, including enrolling in identity monitoring services and closely evaluating their accounts for unusual or suspicious activity.
Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: This incident is a reminder that ransomware attacks can have ominous outcomes for any organization. While some are cut-and-dried transactions, others can be more damaging, resulting in permanent data loss or information exposure. Once your company’s data is in the hands of bad actors, there is no script for determining what happens next. With that in mind, preventing ransomware attacks proactively with proper cybersecurity measures must be a top priority for businesses of every shape, size, and sector.
United States - Utah Valley Eye Clinic
Exploit: Unauthorized database access
Utah Valley Eye Clinic: Utah-based eye clinic
Risk to Small Business: 2.333 = Severe: A cybersecurity vulnerability at a third-party affiliate compromised personal data for thousands of the clinic’s customers. The incident resulted in patients receiving fraudulent emails indicating that they received a payment from PayPal. The breach was only recently discovered, originally occurring on June 18, 2018, so patient data has been exposed for a significant duration. As a result, the company will likely face legal penalties and lost revenue due to exposed protected health information (PHI).
Individual Risk: 2.142 = Severe: The clinic confirmed that patient email addresses were compromised in the breach, but it also conceded that other personally identifiable information, including names, addresses, dates of birth, and phone numbers, may have been exposed. The prolonged time to detection means that this information has been available for misuse, and affected patients should be especially vigilant in evaluating online communications and credentials for suspicious or unusual activity.
Customers Impacted: 20,000
How it Could Affect Your Customers’ Business: Third-party partnerships are becoming increasingly important in today’s business environment, yet they can also introduce cybersecurity vulnerabilities. It’s estimated that more than 60% of data breaches involve third-party exposure. Consequently, cybersecurity should be a top priority when considering partnerships, information sharing, or other collaborative opportunities.
1 - 1.5 = Extreme Risk
1.51 - 2.49 = Severe Risk
2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
In Other News:
Google Has Access to Personal Health Information of Millions of US Patients
Recently Google partnered with Ascension - one of the largest health systems in America - but did so quietly. This partnership allows Google access to all of Ascension's patients' data. Ascension operates 150 hospitals in 21 states.
The effort was code-named "Project Nightingale," and has allowed some Google employees access to data including names, birth dates, addresses, family members, allergies, immunizations, radiology scans, hospitalization records, lab tests, medications, medical conditions, and even some billing records.
The current agreement does not appear to be a violation of HIPAA (Health Insurance Portability and Accountability Act). Google has been looking to expand its health information efforts, including plans to acquire Fitbit. However, Google has responded to the news of the partnership by saying the data will be used only to assist Ascension medical providers.
A Note From Kobargo:
Australian Cybersecurity Personnel Are On the Verge of Burnout
For companies around the world, the threat of a data breach is becoming ever-present. This reality is especially pronounced in Australia, where cybersecurity professionals are reporting fatigue and burnout as they battle the litany of threats facing their companies. According to the 2019 Asia Pacific CISO Benchmark Study, the burnout rate among Australian organizations is more than double the global average of 30%.
In total, 69% of Australian organizations are receiving more than 100,000 cybersecurity alerts every day, significantly higher than the global average. At the same time, the survey, which polled 2,000 information-security professionals, found that Australian organizations were slower to respond to data breaches than companies in other countries. Such behavior compounds costs, as 84% of Australian businesses that experienced a data breach admitted that the expenses exceeded $1 million, a significantly higher sum than in other countries in the region.
SMBs are already struggling to hire sufficient cybersecurity personnel, so supporting IT professionals is a critical component of any company’s cybersecurity initiatives. Fortunately, they don't have to do it alone. The supportive services of an MSP can augment capabilities, lightening the load on in-house cybersecurity professionals.