Rush Joins List of Healthcare Providers with Significant Breach

Image Source: https://www.rushu.rush.edu/rush-experience/our-location

A few weeks back we wrote about Easton Hospital and the lawsuit surrounding their 2014 loss of 4.5 million patients’ personal data.

On Monday it was reported that a breach of similar data had occurred at Rush University Medical Center. At an estimated 45,000 records, the breach is 100 times smaller than the one at Easton Hospital, and that is not the only dramatic difference between the two.

Chinese Hacking vs. Improper Disclosure

In the case of the Easton Hospital breach, forensics traced the intrusion to the malicious efforts of a Chinese hacking group. In the case of Rush, no “hacking” took place. Instead, according to an article on the Chicago Tribune website, “At Rush, an employee of one of the hospital system’s billing processing vendors improperly disclosed a file to ‘an unauthorized party,’ likely in May 2018, according to a letter sent to affected patients.”

Wall of Shame

The U.S. Department of Health and Human Services Office for Civil Rights breach portal, euphemistically referred to as the “wall of shame,” points out several interesting things about the state of data security in the healthcare industry.

  • Breaches on the Rise – Compared with the same period in 2018, 2019 is so far on a pace that is more than DOUBLE (24 vs. 59).
  • Averaging About One Medical-Related Breach a Day – In the 65 days of 2019 that have passed so far, 59 data breaches have already been reported on the wall of shame.
  • Big Breach, Small Breach – The number of records disclosed ranges from as few as 576 (Managed Health Services) to as many as 400,000 (Columbia Surgical Specialist of Spokane).
  • Mainly Attributed to Hacking – 36 of the 59 breaches are attributed to Hacking/IT Incidents, with Unauthorized Disclosure (14) and Theft (9) accounting for the majority of the remaining breaches.

Even the Best Security Can be Compromised

At Konsultek we develop world-class security solutions that prevent, detect and respond to attempts to breach networks. However, as the Rush breach and the 13 other cases of Unauthorized Disclosure highlight, even world-class security solutions can be compromised by the inadvertent or malicious activities of employees and sub-contractors. Ultimately, Network Access Control has to be more than a digital solution. Training, procedures and other management controls must work in concert with IT’s security efforts in order to prevent human-powered security incidents.

Easton PA Hospital Getting Close to Settling Breach Lawsuit

Easton, PA is a small town in Pennsylvania’s beautiful Lehigh Valley with a population of just under 30,000. It is probably best known as the home of America’s beloved Crayola crayons.

Image Source: Google Maps

Targeted by Chinese Hackers

It wasn’t Crayola, however, that Chinese hackers were interested in back in August 2014 when they executed a cyberattack on another Easton landmark: it was the local hospital. At the time, Easton Hospital was owned by CHS (Community Health Systems) of Franklin, TN. According to Easton Hospital and CHS, thieves stole the personal data of some 4.5 million patients, including names, birthdates, phone numbers and Social Security numbers.

Lawsuit Pending Approval

Today, nearly 5 years later, a host of lawsuits have been consolidated into one larger suit that is about to be settled by a judge in Atlanta. If approved by the judge this August, qualifying victims would be eligible for two types of payments:

  1. Up to $250 for out-of-pocket expenses and documented time lost from the breach.
  2. Up to $5,000 for losses due to identity fraud or identity theft from the cyberattack.

Joining an Ever Growing List

ClassAction.com maintains a list of notable data breaches to which the Easton breach could potentially be added based upon its scope. Here is the list:

  • Anthem: $115 million
  • Target: $28.5 million ($18.5M for states, $10M for consumers)
  • Home Depot (affected 50 million cardholders): $19.5 million settlement
  • Sony (PlayStation network breach): $15 million
  • Ashley Madison: $12.8 million ($11.6M for consumers, $1.2M for states and the FTC)
  • Sony (employee information breach): $8 million
  • Stanford University Hospital and Clinics: $4.1 million
  • AvMed Inc.: $3.1 million
  • Vendini: $3 million
  • Schnuck Markets: $2.1 million

A Wakeup Call for All Healthcare Providers

This settlement should serve as a wakeup call for all healthcare providers. If only a quarter of the 4.5 million patients receive just the $250 payout, the cost to the affected parties would be over $281 million!

Healthcare providers by nature have access to the most sensitive personal data on the planet. You know that, I know that and the cybercriminal element knows that. Because of this we foresee a continued targeting of healthcare providers going forward. From simple information stealing to more elaborate ransomware attacks, healthcare providers need to make certain that their network security is as robust as possible.

How Konsultek Can Help

At Konsultek we eat, sleep and breathe security.

Our team of engineers and account executives has the skills and resources to quickly and efficiently determine the vulnerability of your network and offer solutions for any weaknesses found.

If you are interested in getting an outside, independent and unbiased analysis of your network’s security, simply give us a call or click here: https://konsultek.com/executive-risk-assessment/.

The first 20 respondents will receive a complimentary Executive Risk Assessment. This assessment will not only show you the risk and impact to your most critical digital assets but demonstrate the likelihood of a breach happening.


Mortgage and Loan Data Leaked Twice

Seven days ago TechCrunch revealed that independent security researcher Bob Diachenko had found 24 million financial and banking documents exposed to the world as a result of a server security flaw. Considering the type of data exposed – loan documents, sensitive financial and tax documents – this was a significant and very serious breach.

“These documents contained highly sensitive data, such as Social Security numbers, names, phones, addresses, credit history and other details which are usually part of a mortgage or credit report,” Diachenko told TechCrunch. “This information would be a gold mine for cyber criminals who would have everything they need to steal identities, file false tax returns, get loans or credit cards.”

The leaked documents were OCR (Optical Character Recognition) files and while the compromised server was immediately shut down once the security flaw was identified there is no telling how many cybercriminals might have already accessed the files.

Who’s at Fault?

After working through the various parties involved, it appears that the source of the breach was the machine learning firm OpticsML, which according to its website (now offline) “will automate the page indexing and data extraction process entirely. Different from traditional OCR companies, Optics Machine Learning trains computers to read and understand documents like a human, enabling an 80% reduction in labor needs alongside higher levels of accuracy so your analysts can focus on higher level tasks.”

Same Documents Released AGAIN!

In a surprising “you can’t make this stuff up” twist on this already monumental breach, the following day Diachenko found the original loan documents at an “easy to guess” web address on an Amazon AWS storage server, without so much as simple password protection. Considering that Amazon AWS storage servers have a default privacy setting of “private,” it seems that someone either accidentally or consciously set the permissions to public.
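The page says the files sat on Amazon AWS storage whose permissions had been changed from the private default to public. Assuming that means an S3 bucket (the article does not name the service), a bucket becomes public through one of three settings: an ACL grant to the AllUsers or AuthenticatedUsers group, a bucket policy whose Principal is the wildcard, or Public Access Block switches left off. The following audit is an added example, not code from the original post or from any party named in it; the input dicts are shaped like the responses of boto3’s get_bucket_acl, get_bucket_policy and get_public_access_block, and the sample bucket data is constructed for the example.

```python
import json

# Canonical S3 group grantee URIs that mean "everyone" / "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four Public Access Block switches; all should be True on a private bucket.
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Grants in a get_bucket_acl-style dict that go to AllUsers/AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Allow statements in a bucket policy (JSON string or dict) granted to everyone."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given unwrapped
        statements = [statements]
    hits = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            hits.append({
                "sid": stmt.get("Sid", f"statement[{idx}]"),
                "actions": [actions] if isinstance(actions, str) else list(actions),
                # A Condition may narrow access (e.g. to a VPC endpoint); still worth review.
                "conditioned": bool(stmt.get("Condition")),
            })
    return hits


def public_access_block_gaps(pab):
    """Names of the Public Access Block switches that are not enabled."""
    cfg = pab.get("PublicAccessBlockConfiguration", pab) if pab else {}
    return [k for k in PAB_SETTINGS if not cfg.get(k, False)]


def audit_bucket(acl, policy, pab):
    """Combine the three checks into one verdict.

    IgnorePublicAcls neutralises public ACL grants and RestrictPublicBuckets
    neutralises a public bucket policy, so 'effectively_public' fires only
    when a public grant exists AND the matching switch is off.
    """
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy) if policy else []
    gaps = public_access_block_gaps(pab)
    return {
        "public_acl_grants": acl_hits,
        "public_policy_statements": policy_hits,
        "public_access_block_gaps": gaps,
        "effectively_public": (bool(acl_hits) and "IgnorePublicAcls" in gaps)
                              or (bool(policy_hits) and "RestrictPublicBuckets" in gaps),
    }


# --- constructed sample inputs (not taken from the incident) ---
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [OPEN_ACL["Grants"][0]]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-loan-docs/*"}]})
PAB_OFF = {"PublicAccessBlockConfiguration": {k: False for k in PAB_SETTINGS}}
PAB_ON = {"PublicAccessBlockConfiguration": {k: True for k in PAB_SETTINGS}}

if __name__ == "__main__":
    cases = {"wide-open": (OPEN_ACL, OPEN_POLICY, PAB_OFF),
             "open-but-blocked": (OPEN_ACL, OPEN_POLICY, PAB_ON),
             "private": (PRIVATE_ACL, None, PAB_ON)}
    for label, args in cases.items():
        print(label, json.dumps(audit_bucket(*args), indent=2))
```

The “open-but-blocked” case is the one worth noticing: the ACL and policy both grant public read, yet the bucket is not reachable because Public Access Block overrides them, which is why an audit that looks only at ACLs or only at policies produces false positives and one that ignores them produces false negatives.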

While this may not end up being the largest data breach of 2019, with more than 11 months left in the year, it has surely secured its place in the top 10 most significant breaches by virtue of the fact that the same information was exposed twice, in two different formats, on completely different storage networks.

Security On Your Mind?

At Konsultek we eat, sleep and breathe security. If you are interested in getting an outside, independent and unbiased analysis of your network’s security, simply give us a call or click here: https://konsultek.com/executive-risk-assessment/. The first 20 who click through get a complimentary Executive Risk Assessment. This assessment will not only show you the risk and impact to your most critical digital assets but demonstrate the likelihood of a breach happening. Our team of engineers and account executives has the skills and resources to quickly and efficiently determine the vulnerability of your network and offer solutions for any weaknesses found.

© Copyright 2018 Konsultek