HealthEquity, a provider of health savings accounts, announced that the personal and health information of 4.3 million individuals was compromised in a data breach involving an unnamed third-party vendor.
WHY IT MATTERS
The breach apparently occurred in March and was not discovered until June 26, leaving hackers more than three months inside the network, the company says.
“We discovered some unauthorized access to and potential disclosure of protected health information and/or personally identifiable information stored in an unstructured data repository outside our core systems,” HealthEquity’s notice of data breach explained.
The personal information exposed included full names, home addresses, telephone numbers, employer and employee IDs, and Social Security numbers, along with payment card information.
Healthcare organizations that use SSNs for customer attribution must store them in operational data stores and databases.
This creates a more attractive attack surface for cybercriminals, since SSNs are easier to monetize than most other data, and it raises the potential impact on the consumers affected by this incident.
Erich Kron, security-awareness advocate at KnowBe4, cautioned that the theft of personal health information can be very detrimental to those impacted, due to the wealth of sensitive data – including, in many cases, information about procedures or ailments that may be embarrassing.
“It is also information that can be used for subsequent social engineering attacks,” said Kron, who notes that, by referencing a procedure or test that an individual might think is private and known only to medical professionals, bad actors can more easily build trust with potential victims.
“This is also a lesson in the protection of data outside of the most common systems,” Kron said. “It is not unusual to find that employees have used tools such as spreadsheets to collect information and process it without the knowledge of the IT and security staff.”
He explained that this is often not malicious, but done to make work easier and more efficient.
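The two points above, that SSNs end up in operational data stores and that employees keep unsanctioned copies in spreadsheets outside core systems, are exactly what a data-discovery check is for. The following is an added example, not code from the article, HealthEquity, or KnowBe4: a small Python scanner that looks for SSN-shaped values in exported spreadsheet or text rows, applies the Social Security Administration's structural rules (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) to cut false positives, and masks findings so the report itself does not become another copy of the data. The sample rows are constructed and every number in them is synthetic.

```python
"""Find SSN-like values in exported spreadsheet or text data.

Added example (not from the article or any company it mentions): a minimal
discovery check a security team could run over file-share or repository
exports to locate copies of PII that live outside core systems.
"""
import re
from typing import Dict, List

# Candidate SSN formats: 123-45-6789, 123 45 6789, 123456789 (digit-bounded
# so a longer run of digits such as a card or order number is not matched).
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the SSA's published structural rules to cut obvious false positives.

    Area numbers 000, 666 and 900-999 are never issued; group 00 and serial
    0000 are invalid. Passing this check means "could be an SSN", not that the
    number was actually issued.
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> List[str]:
    """Return the plausible SSN-like strings found in a blob of text."""
    hits = []
    for m in SSN_CANDIDATE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            hits.append(m.group(0))
    return hits


def scan_rows(rows: List[str]) -> Dict[int, List[str]]:
    """Map 1-based row numbers to the SSN-like values found in each row."""
    findings: Dict[int, List[str]] = {}
    for i, row in enumerate(rows, start=1):
        hits = find_ssns(row)
        if hits:
            findings[i] = hits
    return findings


def mask(value: str) -> str:
    """Show only the last four digits so the report does not leak PII itself."""
    digits = re.sub(r"\D", "", value)
    return "***-**-" + digits[-4:]


# Constructed sample: a CSV export like one an employee might keep in a
# spreadsheet. All values are synthetic.
SAMPLE_ROWS = [
    "employee_id,name,phone,ssn,card_last4",
    "E1001,Jane Roe,555-0100,123-45-6789,4242",   # valid-looking SSN
    "E1002,John Doe,555-0101,000-12-3456,1111",   # area 000 -> skipped
    "E1003,Ann Lee,555-0102,987-65-4321,0000",    # area 9xx -> skipped
    "E1004,Sam Poe,555-0103,219 09 9999,5555",    # space-separated form
    "E1005,Kim Day,555-0104,219099998,7777",      # unseparated form
    "Order 2024-07-12 total 123456789012",        # 12 digits, not a candidate
]

if __name__ == "__main__":
    for row_no, hits in scan_rows(SAMPLE_ROWS).items():
        print(f"row {row_no}: {[mask(h) for h in hits]}")
```

Running it on the sample reports rows 2, 5 and 6 only; the phone numbers, the card fragments and the 12-digit order number are never candidates, and the two structurally invalid SSNs are dropped by the plausibility rule. In practice the same `find_ssns` function would be applied to each file found on a share or in an "unstructured data repository", and a hit is a prompt to find out why the copy exists and whether it is governed, not proof that the number is real.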
THE LARGER TREND
This past week it was revealed approximately 12.9 million Australians had their health information, including healthcare identifiers, Medicare card numbers and prescription details, stolen in the recent MediSecure hack.
Fallout continues from the Change Healthcare breach earlier this year, with 39 healthcare providers suing Change, a unit of UnitedHealth Group, claiming the provider failed to implement basic IT security safeguards, including multifactor authentication.
The attack prompted action on Capitol Hill, where a trio of U.S. Senators recently introduced legislation in the form of the Healthcare Cybersecurity Act, designed to help mitigate the avalanche of cyberattacks on American healthcare organizations.
ON THE RECORD
“Organizations that deal with PHI or significant amounts of PII should ensure that employees are educated and trained about the proper handling of sensitive information,” Kron advised. “A good security culture, with employees considering the security implications of data duplication, is an important step toward reducing or eliminating situations such as this.”
The HIMSS Healthcare Cybersecurity Forum is scheduled to take place October 31-November 1 in Washington, D.C.
Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Email the writer: nathaneddy@gmail.com
Twitter: @dropdeaded209