The personal and medical information of 49,351 patients was exposed following a security incident involving two employees’ email accounts as disclosed by Minnesota-based Alomere Health. The Alexandria, Minnesota-based locally-governed hospital started notifying its patients of the security breach incident on January 3, 2020.
The security breach was discovered on November 6, 2019, when the hospital staff found that an employee’s email account was accessed by at least one unauthorized third party between October 31 and November 1, 2019.
After securing the breached account and starting an investigation with the help of a forensic security outfit, Alomere Health found on November 10 that a second employee’s email was breached on November 6.
After reviewing the emails contained within the two breached accounts, the staff discovered that the attackers might have gained access to patients’ names, addresses, dates of birth, as well as medical info such as record numbers, health insurance information, treatment information, and/or diagnosis information.
#Medical information of 50k clients exposed in #Minnesota #hospital https://t.co/jmTxno8vol
— Adlice (@AdliceSoftware) January 8, 2020
While many of us were busy toasting each other “to our health!”, some attackers may have been toasting each other “we’ve got your health records!”. In the most recent medical breach at Alomere Health, small and mid-sized regional providers continue to be a target without abatement. The fundamental issue is how these providers manage data, such as in this case where “portions of some patients’ information were contained in the email accounts.” Regardless of whether the e-mail account was compromised via brute force, social engineering, or the more sophisticated persistent authentication token theft, the focus should be on ensuring that PHI and PII data are never in an e-mail in the first place. Enhanced security such as “additional security measures for all…employee email accounts” will not stop these attacks as these measures are simply virtual Band-Aids for our medical records. The best way to cure this is by prescribing the strong medicine of a data-centric security approach to protect and de-identify data while maintaining its analytic value – thereby ensuring that regardless of where the data is stored, sent, or shared and no matter who has access, it is protected.
Apparently this breach was a result of two employees’ emails being compromised. This was likely either through a phishing email or because the staff reused passwords that were breached elsewhere. This is why security awareness and training should form a vital part of all organisations’ security plans, as many attacks originate through phishing or other social engineering techniques.
Multi-factor authentication is also recommended for these reasons on high value systems such as emails, so that even if the password of a user is compromised, attackers can’t gain access without the second factor.
However, it is commendable that Alomere Health was able to detect unauthorised access to its emails and kicked off the investigation, highlighting the value of actively monitoring systems. Although, having discovered the breach on November 6th, it should have taken nearly 2 months to begin notifying affected patients.
Medical records and other healthcare patient data are a treasure trove for criminals, and this is just another example of the severity of the problem that healthcare providers face from cyber attacks. Details are still scant, but regardless of the tactics that the attackers used to gain access to employees’ email accounts, one thing remains the same in most cyberattacks – the actions taken by the attackers once they penetrate their target’s network. The intruders look for ways to expand their access so that they can find the systems that contain valuable data. The best way to combat modern cyberattacks is with behaviour-based security analytics solutions that can detect anomalous actions that indicate a cyberattack in progress and can then respond in real-time to mitigate the threat.