HealthEquity Breach Puts Data of 4.3 Million Individuals at Risk



HealthEquity, a provider of health savings accounts, announced that the personal and health information of 4.3 million individuals was compromised in a data breach involving an unnamed third party.

WHY IT MATTERS
The company said the breach appears to have occurred in March and wasn’t detected until June 26, leaving the hackers in the network for more than three months.

HealthEquity’s data breach notice explains: “We discovered some unauthorized access to and potential disclosure of protected health information and/or personally identifiable information stored in unstructured data repositories outside of our core systems.”

Among the personal information exposed were full names, home addresses, phone numbers, employer and employee identification numbers, and Social Security numbers, along with payment card information.

Health care organizations that use SSNs to classify customers must include this information in their operational data warehouses and databases.

This creates a more attractive attack surface for cybercriminals – SSNs are more monetizable for criminals – with potentially more devastating effects for consumers affected by the incident.

Erich Kron, security awareness advocate at KnowBe4, warns that the theft of personal health information can be extremely damaging to those affected due to the huge amount of sensitive data involved – including, in many cases, information about potentially embarrassing procedures or illnesses.

“This is also information that can be used for social engineering attacks later on,” Kron said, noting that by referencing a procedure or test that an individual might think is private and known only to medical professionals, bad actors can more easily build trust with potential victims.

“It’s also a lesson in protecting data outside of the most common systems,” Kron said. “It’s not uncommon to see employees using tools like spreadsheets to collect and process information without the permission of IT and security staff.”

He explained that this is usually not done maliciously but is intended to make work easier and more efficient.

THE BIGGER TREND
Last week, it was discovered that the health information of about 12.9 million Australians, including healthcare identification numbers, Medicare card numbers and prescription information, was stolen in the recent MediSecure attack.

The fallout continues from the Change Healthcare breach earlier this year, when 39 health care providers sued Change, a unit of UnitedHealth Group, alleging the provider failed to implement basic IT security safeguards, including multi-factor authentication.

The attack has spurred action on Capitol Hill, where three U.S. senators recently introduced legislation in the form of the Health Care Cybersecurity Act, designed to help mitigate the wave of cyberattacks on U.S. health care organizations.

ON PROFILE
“Organizations that handle PHI or significant amounts of PII should ensure that employees are educated and trained on how to properly handle sensitive information,” Kron advises. “A good security culture, with employees considering the security implications of data replication, is an important step toward minimizing or eliminating situations like this.”

The HIMSS Healthcare Cybersecurity Forum is scheduled to take place October 31 through November 1 in Washington, DC.

Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Twitter: @dropdeaded209
