HealthEquity, a provider of health savings accounts, has announced that the personal and medical information of 4.3 million individuals was compromised in a data breach involving an unnamed third party.
WHY IT MATTERS
According to the company, the attack is believed to have taken place in March and was not discovered until June 26, leaving the hackers in the network for more than three months.
“We have discovered a number of unauthorized accesses to and possible disclosures of protected health information and/or personally identifiable information stored in an unstructured data repository outside of our core systems,” HealthEquity said in its data breach notification.
The exposed personal information included full names, home addresses, telephone numbers, employer and employee IDs, and Social Security numbers, as well as payment card information.
Healthcare institutions that use SSNs to identify customers must store this information in operational data repositories and databases.
This results in a more attractive attack surface for cybercriminals – SSNs are easier for criminals to monetize – and a potentially more devastating impact for the consumers affected by this incident.
Erich Kron, security awareness advocate at KnowBe4, warned that the theft of personal health information can be extremely damaging to those affected, due to the wealth of sensitive data — which in many cases includes information about procedures or conditions that can be embarrassing.
“It’s also information that can be used for later social engineering attacks,” Kron said, noting that attackers can more easily build trust with potential victims by referring to a procedure or test that someone thinks is private and known only to medical professionals.
“This is also a lesson in protecting data outside of the most common systems,” Kron said. “It is not uncommon to see employees using tools like spreadsheets to collect and process information without the knowledge of IT and security staff.”
He explained that this is often not malicious, but is intended to make work easier and more efficient.
THE BIGGER TREND
Last week it was revealed that the medical records of approximately 12.9 million Australians, including health IDs, Medicare card numbers and prescription details, were stolen in the recent MediSecure hack.
The fallout from the Change Healthcare breach earlier this year continues, with 39 healthcare providers suing Change, a unit of UnitedHealth Group, alleging that the provider failed to implement basic IT security measures, including multi-factor authentication.
The attack sparked action on Capitol Hill, where a trio of U.S. senators recently introduced legislation in the form of the Healthcare Cybersecurity Act, designed to limit the flood of cyberattacks on US healthcare institutions.
ON THE RECORD
“Organizations that handle PHI or significant amounts of PII should ensure that employees are educated and trained in the proper handling of sensitive information,” Kron advised. “A good security culture, where employees are aware of the security implications of data duplication, is an important step in reducing or eliminating situations like this.”
The HIMSS Healthcare Cybersecurity Forum is scheduled for October 31-November 1 in Washington, DC.
Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Send an email to the writer: nathaneddy@gmail.com
Twitter: @dropdeaded209