At a glance.
- Third-party breach compromises Ohio Medicaid data.
- Veterans enrolled in a now shuttered PTSD treatment program may have had personal data compromised.
- Updates on the Georgia fertility clinic ransomware incident.
- Catholic Health, CaptureRx, and third-party risks to sensitive data.
- Do fears of fines motivate privacy compliance?
Third-party breach compromises Medicaid data.
The Dayton Daily News reports that data belonging to providers of Ohio Medicaid were compromised in a third-party data breach last month. Maximus, Ohio Medicaid’s data manager, informed the agency that an intruder gained unauthorized access to a credentialing and licensing application containing Medicaid provider names, Social Security numbers, and street addresses. Medicaid recipients were not affected, and there is no evidence so far that the data have been misused.
US veterans' information exposed in data breach.
Elsewhere in the US state of Ohio, NBC4 reports that the personal data of patients enrolled in Veterans NOW, a recently shuttered Ohio State University (OSU) program serving veterans with mental health issues, were exposed to an unauthorized party. According to a letter sent to the victims by the Office of Compliance and Integrity at OSU’s Wexner Medical Center, the breach occurred at some point between January 25 and March 4. Coincidentally, Veterans NOW was closed on March 4 over a non-compliance issue, though no connection between the closure and the breach has been confirmed.
Update on IVF clinic ransomware attack.
As the CyberWire noted yesterday, Reproductive Biology Associates (RBA), a fertility clinic in the US state of Georgia, experienced a ransomware attack that encrypted some of its file servers. Threatpost now reports that the attack compromised the private health data of 38,000 of RBA’s patients. The exposed information includes names, street addresses, Social Security numbers, lab results, and “information relating to the handling of human tissue.” RBA says the threat actor confirmed that the stolen data had been deleted, and the clinic is monitoring the dark web for any sign of the exposed data. The clinic, considered a pioneer in the field of in-vitro fertilization, has not disclosed what strain of ransomware was used or whether it met the attacker’s demands.
Casey Ellis, CTO and founder of Bugcrowd, commented on the sheer complexity of securing sensitive data of this kind:
"This breach is an intensely personal reminder of the complex cybersecurity risks which exist in all IT security systems. Vulnerabilities exist in every platform, and in spite of the best efforts of companies holding data as sensitive as My Egg Bank, exposures can and do happen.
"The notion of securing data as personal as what has been compromised here against the variety of possible threat actors can seem like an insurmountable task, but that's where the crowd of hackers acting in good faith comes in to level the playing field. A crowdsourced cybersecurity approach enables healthcare professionals to assess and mitigate the risks associated with disparate data sources and infrastructure so that patients do not have to worry about the privacy of their data. It’s imperative health organizations up-level their current cybersecurity measures with external security researchers via a bug bounty or vulnerability disclosure program (VDP) to help identify and disclose vulnerabilities before adversaries can exploit them.
"By doing so, organizations can learn of security issues before the adversary does, protect their users, and avoid a devastating breach. Failing to ensure security at the scale needed will grant attackers access to large quantities of patient data, as well as the ability to inject ransomware into insecure healthcare networks."
Comment on the Catholic Health breach.
We discussed yesterday a breach sustained by Catholic Health, based in Buffalo, New York. It was a third-party incident traced to the pharmacy services vendor CaptureRx. Demi Ben-Ari, co-founder and CTO of Panorays, commented on the way the incident puts third-party exposure on display:
"A lot of companies are waking up to the fact that their digital perimeter now extends to their vendors and that the security of their vendors is just as critical as their own security posture. While companies can do everything in their power to ensure their own systems are secure, they must also assess the cyber gaps in their vendors' external digital footprint; understand vendor compliance with their internal controls, regulations, and risk appetite; take into consideration the significance of the business relationship; and monitor third-party security risk continuously. The easiest way to do all of that is through automation."
Study shows privacy compliance not driven by fear of regulation.
A study conducted by market research firm Corinium shows that nearly all companies surveyed (94%) view data privacy compliance as a top priority, but the motivator is not avoiding regulatory penalties, BusinessWire reports. In fact, almost half of the 125 respondents say they’re unconcerned about regulation and instead see privacy compliance as a means of gaining the trust of customers and partners. According to Nick Halsey, CEO of Okera, the Universal Data Authorization company that sponsored the study, “It’s clear that as the market continues to grow, more sophisticated organizations will transition to a centralized platform for data authorization and control to ensure access to sensitive data at the fine-grained level, particularly if they want to retain the trust of their customers and partners.” That said, BusinessWire also reports that Scripps Health is facing a class-action lawsuit connected to its recent data breach, so while fines might not be a concern, privacy lawsuits could well be a motivator.