At a glance.
- Less than meets the eye with Gale Healthcare data.
- National Health Service Trust apologizes for leak of COVID-trial participants' information.
- Update on the Planned Parenthood ransomware incident.
No sensitive data appear to have been compromised at Gale Healthcare Solutions.
Gale Healthcare Solutions says that an apparent data exposure incident reported by Website Planet didn't, in fact, amount to a breach. "The database was a temporary environment created for an internal system test," Gale wrote us. "When the researcher notified us of a potential vulnerability in September, the environment had already been deactivated and secured. There is no evidence there was any further unauthorized access beyond the researcher or that any personal data has been, or will be, misused. Contrary to the report findings, Social Security Numbers were not used in the file names, nor disclosed. Rather, file names featured auto-generated sequential ten-digit Unix timestamps that were used in the testing environment. Dates of birth were also not disclosed, and to our knowledge, the accounts did not contain active links to images of tax documents or other credentials."
Thus there appears to have been no threat to employee privacy. While of course one wouldn't want even a test environment exposed, even if it contained fictive data, there's an enormous difference between that and the exposure of a production environment with real personal information.
NHS Trust apologizes for leak of trial participants' data.
According to the BBC, participants in a trial of a COVID vaccine had their email addresses inadvertently exposed by the Midlands Partnership NHS Trust, which sent a group email in which every recipient could see the other recipients' addresses. The Midlands Partnership NHS Trust regrets the incident, which sounds like the sort of rookie error any one of us might have committed.
Comment on the Planned Parenthood breach.
Infosecurity Magazine reports that Planned Parenthood Los Angeles continues to work on recovering from the criminal, financially motivated ransomware incident it sustained. Ric Longenecker, CISO at Open Systems, has advice for organizations that handle patient or client information:
"Healthcare organizations are appealing to cybercriminals due to the wealth of personal data these institutions and patient records contain. The information can include billing details, addresses, dates of birth and Social Security numbers, just to name a few. The attack on Planned Parenthood, with the bad actors obtaining records for over 400,000 people, not only increases the risk of fraudulent activity such as identity theft, it may also be used to disclose personal health information. This underscores the need for companies to have rapid detection and response plans in place, especially those in industries which may be considered data gold mines. Managed detection and response (MDR) services – which combine human expertise, advanced threat detection and AI-driven technology – are a good solution to combating cyberattacks, and the large number of providers means companies have many to choose from. Our advice to healthcare organizations is: find a security partner that not only helps you detect and respond to threats, but one that can enhance your security maturity, prevent security breaches impacting your business and ensure you have a comprehensive recovery plan ready."