It was reported that the nonprofit U.S. healthcare provider AspenPointe has notified patients of a data breach. In a media statement, AspenPointe said it discovered unauthorised access to its network in September 2020. More than 295K patients are affected.
It is important to remember that AspenPointe is a facility that specialises in mental and behavioral health. Was this a targeted breach or a run-of-the-mill one? Personal health data is incredibly sensitive. This is the kind of information that can be used for significantly more obscure purposes than the information exposed in a normal breach, so it is a really good sign to see that the company is trying to get ahead of it.
Ultimately, managing access rights with a least privilege model and using a privileged account management (PAM) system would likely have stopped this breach from happening. Remember, you can only leak information that you have access to. If you do not have access to information, you cannot leak it. Therefore, the cause of this breach was that certain users were granted too much access. Hopefully, AspenPointe will have already revised its access privileges and implemented a new PAM system. And, hopefully, others will take note.
We are just at the start of what can be expected to be a large number of data breaches that will be identified. Security has simply not been a focus during the pandemic; simple enablement took its place. It’s time for security to move back to the forefront of organisations’ priorities so that breaches like this do not happen.