Nearly half a million patients at New York-based non-profit healthcare system Catholic Health may have had their personal and medical information exposed due to a data leak. According to enterprise management solutions provider Serviceaide, an Elasticsearch database maintained for Catholic Health was inadvertently made publicly accessible, potentially compromising sensitive patient data.
The company informed the Department of Health and Human Services (HHS).
While Serviceaide did not find any evidence that the information was exfiltrated, it cannot definitively rule it out.
“While we have no indication of identity theft or fraud in relation to this incident, the review determined the universe of potential information present in the impacted data may include name, Social Security number, date of birth, medical record number, patient account number, medical/health information, health insurance information, prescription/treatment information, clinical information, provider name, provider location, and email/username and password. The specific type of information at issue varies per individual,” the company’s statement read.
The company added that it is mailing a notice letter to individuals whose information was determined to be contained within the potentially impacted data and for whom it has a valid mailing address. “If an individual does not receive a letter but would like to know if they are affected, they may call our dedicated assistance line.”
In addition, Serviceaid advised customers, saying: “If you believe this incident may have impacted your personal information, Serviceaide encourages you to remain vigilant against incidents of identity theft by reviewing your account statements and monitoring your free credit reports for unusual activity and to detect errors.”
Individuals can also contact the three major credit reporting agencies for advice on how to get free credit reports as well as how to place fraud alerts and security freezes on credit files.
Prolonging Risks
“The sheer volume of sensitive personal and healthcare data exposed in the Serviceaide breach highlights the critical ongoing need for robust cybersecurity measures across the healthcare sector,” comments Darren Guccione, CEO and Co-Founder at Keeper Security. “Determining the true impact of a breach of this scale often takes months or even years as organizations must uncover the full extent of data exposure, verify the accuracy of the breach reports and navigate evolving regulatory requirements.”
The exposed Catholic Health data remains a significant threat, says Guccione. “With personal, medical and financial information compromised, the risk for identity theft, medical fraud and targeted phishing attacks is high. While there may not be immediate signs of misuse, the stolen data could surface down the road, prolonging risks for both individuals and organizations. There are proactive steps victims can take to mitigate damage to the exposure of Personally Identifiable Information (PII), such as changing login credentials of online accounts and apps, utilizing a dark web monitoring service to check for leaked credentials, monitoring or freezing their credit bureaus and practicing consistent cyber hygiene.”
Healthcare leaders need to take a proactive stance in combatting cyber threats by allocating dedicated resources and a healthy budget to cybersecurity as well as it likw a core component of patient safety, Guccione adds. “Aligning with government and industry frameworks, such as those from CISA, NIST and HIPAA, is critical to ensuring strong security practices.”
Embrace Zero Trust
Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens, says the breach resulted from an insecure direct object reference (IDOR) misconfiguration, allowing potential unauthorized access to sensitive data without evidence of data being copied. “This could affect individuals receiving medical care from Catholic Health’s 75 locations in Western New York, increasing risks of identity theft, financial fraud, and medical fraud, since the possible data loss of highly sensitive personal and health information.”
There are a lot of lessons for cybersecurity teams, but implementation is complex, adds Sarkar. “These include preventing misconfiguration risks, delayed detection, third-party vendor risks, sensitive data exposure, and regulatory implications. At a minimum, healthcare security teams must resolve IDOR vulnerabilities, audit configurations, enhance change governance, and implement passwordless least privilege access.”
These controls need discipline and correlation between teams and investment and monitoring of cybersecurity tools, Sarkar says. “The easier route to take is to embrace Zero Trust mechanisms like enhanced identity governance, microsegmentation and software defined perimeter augmenting a strong data leak prevention.”
Assume a Breach is Inevitable
Recent attacks highlight a critical need for CISOs to operate under an “assume breach is inevitable” mindset, comments Haviv Rosh, Chief Technology Officer at Pathlock. “The question isn’t if they get in, but what happens next. Specifically, security leaders should incorporate a strategy grounded on several key elements.”
First, Rosh says they should identify crown-jewel assets – the systems and data that drive revenue, trust, or operations. “Second, segmenting and isolating critical workloads is important to prevent lateral movement. Third, they must invest in recovery-first infrastructure. This task includes having in place immutable backups with fast restore capability. It also assumes incorporating infrastructure-as-code to redeploy environments quickly. Lastly, serverless or container-based services for modular failover, as well as privileged access governance with real-time audit and drift detection, are essential.”
The final yet critical element of this strategy is continuously testing resilience under real-world conditions, Rosh ends. “If you don’t test it, it won’t work when it matters. Tabletop exercises, red team drills, and recovery dry runs must be standard practice.”
Today’s modern security program isn’t defined by how many attacks it blocks, but by how confidently it recovers when hit. Resilience is now the most important control.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.