Utah Imaging Associates (UIA), a Utah-based radiology center, has announced a data breach affecting 582,170 people after their personal information was exposed. According to the data breach notification sent to affected individuals, the security incident was discovered on September 4, 2021, and was remediated on the same day. However, the initial network infiltration happened on August 29, 2021, allowing the threat actors to explore UIA’s internal systems and potentially steal data for about a week. The subsequent forensic investigation carried out revealed that the unauthorized network intruder had access to patient medical records and social security numbers.
<p>Arguably the most private and sensitive data about ourselves relates to our medical and health data. Threat actors want data for just a handful of reason, all of which lead back to the sole motivator of profit: they want to leverage data, use it for potential ransoms, or even weaponized it against people or organizations. No threat actor ever should be able to gain access to a data subject’s PPI, PHI, or other health-related information. Not only do regulations say so, but also ethics and common sense.</p>
<p>Of course, that’s a utopia that doesn’t exist. Breaches like the one affecting Utah Imaging Associates, which could have exposed the PII and PHI of nearly 600K patients, unfortunately happen all too often, but the alarming thing is that they are happening with ever-greater frequency. Why? This data is so valuable to threat actors for the reasons stated above. The sobering reality is that these breaches don’t necessarily have to happen. Providers need to understand that they are high-profile targets, and they need to assume that a cyber-attack is imminent. They shouldn’t panic, though. IT leaders need to rethink their data security posture, strengthen outdated traditional controls such as border security with next-generation capabilities, and most importantly protect the very data itself that threat actors are after. Data-centric security such as tokenization can convert sensitive data to innocuous and incomprehensible information that hackers simply can’t use or compromise, even if they get direct access to it. If a healthcare organization isn’t actively assuming the worst and exploring data-centric security to protect patient data, the long-term prognosis doesn’t look good.</p>