A TechCrunch report this week found that the record-management vendor nTreatment left a cloud-storage server containing thousands of sensitive health records unprotected by password.
The server, said to include doctors’ notes, insurance claims, lab test results and other sensitive health information, was hosted on Microsoft Azure. Some of the records belonged to children, and none of the data was encrypted, according to TechCrunch.
In response to an email from TechCrunch, nTreatment cofounder Gregory Katz said the server was used as “general purpose storage” and that the company would notify the affected providers and regulators about the exposure. The information was later secured.
WHY IT MATTERS
Some experts speculated that the exposed data could already be spreading among bad actors who would use it for fraud or other crimes.
“Although the cloud server was secured, it’s very likely the exposed information is already circulating on the dark web – where it’s likely to command a high value, since there’s more personal information in health records than any other electronic database,” said Robert Prigge, CEO of the ID verification company Jumio, in a statement sent to Healthcare IT News.
“nTreatment’s exposure of thousands of private medical records confirms healthcare organizations need strong authentication to protect sensitive data (or any data for that matter),” added Prigge.
Such protected health information, they added, can be extremely valuable for cybercriminals – making the healthcare industry a juicy target.
“Healthcare data usually contains fixed information, such as dates of birth and Social Security Numbers, which hackers can use to commit identity theft for years to come,” noted Mark Bagley, VP of product at cybersecurity consultancy AttackIQ.
“Healthcare organizations that manage large amounts of PHI must take proactive approaches to protect their data. In addition to the usual control-centric approach, holders of PHI need to add continuous evaluation of their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses, with a special eye to validation of the third parties they work with, given the sensitivity of the information,” Bagley added.
THE LARGER TREND
More than 2 million patients were affected by data breaches reported to the U.S. Department of Health and Human Services in October alone.
Some of these breaches were the result of targeted attacks, among the “increased and imminent” cyber threat against hospitals that federal agencies warned about this fall.
Others, however, appeared to be from internal snooping or human error resulting in breaches, such as an incident at the Mayo Clinic involving a now-fired employee inappropriately accessing reportedly sensitive photographs.
ON THE RECORD
“This breach illustrates the challenges of securing the increasingly complex digital ecosystems, particularly in sensitive industries like healthcare,” said Vinay Sridhara, chief technology officer at Balbix. “We are continuing to see companies compromise sensitive data and suffer costly breaches due to exposed, unsecure databases left open and accessible to anyone online without basic protection such as a password.
“To mitigate vulnerabilities across an organization’s entire IT infrastructure and safeguard databases, it is vital that healthcare organizations achieve clear and comprehensive visibility over all assets, threats and risks across their network,” Sridhara added.