At a glance.
- Healthcare data breaches: updates.
- Florida's Department of Economic Opportunity discloses data breach.
- US Homeland Security IG finds problems with Customs and Border Protection data handling.
Medical data breach updates.
As reported in May, Yale New Haven Health hospital system, based in the US state of Connecticut, was impacted by the data breach of Elekta, provider of a cloud-based cancer data reporting platform used by healthcare systems across the US. WTNH reports that the compromised data includes names, addresses, treatment locations, Social Security numbers, and for a subset of victims, financial info. The hospital system maintains that the hackers never accessed their electronic medical record system.
On the other side of the globe, Stuff reports that the Auckland District Health Board (DHB) was potentially impacted in the data breach of HealthAlliance, the health IT provider that serves more than one-third of New Zealand. A HealthAlliance spokesperson confirmed they “identified indications of unusual activity on its technology systems,” and an investigation supported by the Ministry of Health is underway. Though some are concerned the incident resembles May’s damaging attack on Waikato DHB, there is no indication that the two incidents are connected.
Florida DEO experiences unemployment data breach.
The US state of Florida’s Department of Economic Opportunity (DEO) experienced a data breach that impacted nearly 58,000 individuals seeking unemployment benefits, Spectrum News 13 reports. Personal data including Social Security numbers and bank account information stored in the CONNECT unemployment claim filing database were potentially exposed. The breach couldn’t come at a worse time, as unemployment fraud has been plaguing benefits agencies across the country. A DEO spokesperson explained that they’re working to combat the issue, stating, “The Reemployment Assistance program currently has 22 staff members dedicated to investigating Reemployment Assistance Fraud.”
Erich Kron, security awareness advocate at KnowBe4, wrote that the incident shows the risk obsolescent legacy systems pose to sensitive data:
“Florida’s unemployment insurance portal has frustrated some since COVID hit the state in 2020, and this is just the latest issue with the antiquated system. Once again, the decision to renew the contract in 2020 for $135 million dollars, despite the unfortunate handling of unemployment claims when people were most in need, is an issue for the users. Now, as the COVID-19 numbers are rising again, almost 58,000 people will be dealing with potential identity theft issues and other financial issues.
“When organizations handle sensitive information of this nature, it is critical that security is robust and effective in order to eliminate issues such as this. Users of the CONNECT system should closely watch bank accounts for fraudulent transactions and closely monitor or lock credit accounts and be on the lookout for scammers trying to use their information to perpetuate scams over the phone, via email or text messages.”
US border protection agency fails to protect data.
A report from the US Department of Homeland Security’s Office of Inspector General (OIG) reveals that the US Customs and Border Protection (CBP) put personal data from Mobile Passport Control (MPC) applications at risk, MeriTalk reports. An OIG audit conducted from March 2020 to April 2021 shows that the CBP neglected to scan 91% of MPC app version updates for vulnerabilities. Among other issues, the report also found that the CBP did not complete seven security and privacy compliance reviews as required by the MPC Privacy Impact Assessment, likely due to the fact that the CBP did not have a review schedule in place. The report states, “Unless CBP addresses these cybersecurity vulnerabilities, MPC apps and servers will remain vulnerable, placing travelers’ personally identifiable information at risk of exploitation.” The CBP has agreed to several OIG-recommended remediations, including scanning all app update versions before release, creating an organization system for scanning processes, and clearly defining roles and responsibilities for scanning procedures.