At a glance.
- Attackers could track mobile devices by exploiting a Wi-Fi probe request weakness.
- Medical appointment check-in process could cost patients more than their patience.
- Two US healthcare data breaches confirmed.
Attackers could track mobile devices by exploiting a Wi-Fi probe request weakness.
Researchers at Germany’s University of Hamburg have documented a weakness that allows mobile devices to leak identifying information about their owners via Wi-Fi probe requests. As SecurityWeek explains, devices broadcast these requests to discover nearby Wi-Fi access points, but the researchers found that roughly a quarter of probe requests contain the Service Set Identifiers (SSIDs) of networks the device was previously connected to. Because a device repeats its list of remembered SSIDs, an observer can fingerprint it across time and place, track it, and even pin down its location to within 1.5 meters. “This is in fact employed in 23% of the stores already. Companies and cities that conduct Wi-Fi tracking take the legal position that only the MAC address contained in probe requests is considered personal data according to GDPR Article 4(1), which protects personal data from unlawful collection and processing,” the researchers said in their paper.
As part of their experiment, conducted last November, the researchers recorded probe requests in a German city’s pedestrian area using six off-the-shelf antennas. Of the 252,242 requests recorded, 23.2% contained SSIDs. For a small subset of devices, the broadcast SSIDs also revealed passwords, users’ names, email addresses, and vacation destinations. The researchers concluded, “We argue that at least for as long as there are still devices broadcasting SSIDs, probe requests should be considered personal data and not be used for monitoring without legal basis.”
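To make the leak concrete, the following added example (not code from the Hamburg paper or from SecurityWeek) parses raw 802.11 probe request frames, pulls the SSID element out of each, and reports what share of requests carry an SSID and which SSIDs each source MAC has broadcast, which is exactly the fingerprint a tracker would build. The frames are constructed in the script itself from the standard management-frame layout (24-byte header followed by tagged parameters; SSID is element ID 0), so no capture is needed; the MAC addresses and network names are made up for the demonstration.

```python
"""Parse 802.11 probe request frames and report which ones leak SSIDs.

Added example: constructs sample frames inline rather than reading a capture.
"""
import struct
from collections import defaultdict

# Management frame header: frame control, duration, addr1, addr2, addr3, seq ctrl
MGMT_HDR = struct.Struct("<HH6s6s6sH")
# Frame control byte 0: version=0, type=0 (management), subtype=4 (probe request)
PROBE_REQ_SUBTYPE = 0x40
TAG_SSID = 0
TAG_SUPPORTED_RATES = 1


def build_probe_request(src_mac: bytes, ssid: str = "") -> bytes:
    """Construct a probe request (sample data only). Empty ssid = wildcard probe."""
    body = bytes([TAG_SSID, len(ssid)]) + ssid.encode()
    rates = bytes([0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbps (basic)
    body += bytes([TAG_SUPPORTED_RATES, len(rates)]) + rates
    broadcast = b"\xff" * 6
    hdr = MGMT_HDR.pack(PROBE_REQ_SUBTYPE, 0, broadcast, src_mac, broadcast, 0)
    return hdr + body


def parse_tags(body: bytes):
    """Walk the tagged-parameter area (ID, length, value) and stop on truncation."""
    tags, i = [], 0
    while i + 2 <= len(body):
        tid, tlen = body[i], body[i + 1]
        val = body[i + 2:i + 2 + tlen]
        if len(val) != tlen:
            break  # truncated element; do not trust anything after it
        tags.append((tid, val))
        i += 2 + tlen
    return tags


def parse_probe_request(frame: bytes):
    """Return {src, randomized_mac, ssid} for a probe request, else None."""
    if len(frame) < MGMT_HDR.size:
        return None
    fc, _dur, _addr1, addr2, _addr3, _seq = MGMT_HDR.unpack_from(frame)
    if (fc & 0x00FC) != PROBE_REQ_SUBTYPE:  # ignore flags (high byte) and version
        return None
    ssid = None
    for tid, val in parse_tags(frame[MGMT_HDR.size:]):
        if tid == TAG_SSID:
            ssid = val.decode("utf-8", "replace")  # "" means wildcard probe
            break
    mac = ":".join(f"{b:02x}" for b in addr2)
    # Locally administered bit set => randomized MAC (common on modern phones);
    # a directed SSID still links such probes back to the same device.
    randomized = bool(addr2[0] & 0x02)
    return {"src": mac, "randomized_mac": randomized, "ssid": ssid}


def summarize(frames):
    """Share of probe requests carrying an SSID, plus the SSID set per source MAC."""
    total = directed = 0
    by_device = defaultdict(set)
    for frame in frames:
        p = parse_probe_request(frame)
        if p is None:
            continue
        total += 1
        if p["ssid"]:
            directed += 1
            by_device[p["src"]].add(p["ssid"])
    return {
        "total": total,
        "directed": directed,
        "share_with_ssid": directed / total if total else 0.0,
        "ssids_by_device": {k: sorted(v) for k, v in by_device.items()},
    }


# Constructed sample traffic: one device leaking two remembered networks, one
# device with a randomized MAC that still names a cafe network, a beacon frame
# (not a probe request) and a truncated frame that must be skipped.
SAMPLE_FRAMES = [
    build_probe_request(bytes.fromhex("3c2ef9aabbcc"), "Hotel Guest WiFi"),
    build_probe_request(bytes.fromhex("3c2ef9aabbcc"), "Mueller Home"),
    build_probe_request(bytes.fromhex("3c2ef9aabbcc")),
    build_probe_request(bytes.fromhex("da1122334455")),
    build_probe_request(bytes.fromhex("da1122334455"), "Cafe Bob"),
    b"\x80\x00" + b"\x00" * 30,                                # beacon, ignored
    build_probe_request(bytes.fromhex("3c2ef9aabbcc"))[:20],   # truncated, ignored
]

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_FRAMES), indent=2))
```

On the sample traffic the script reports 3 of 5 probe requests carrying an SSID and ties "Hotel Guest WiFi" and "Mueller Home" to the same source address, which is the kind of profile the paper warns about. Note that MAC randomization alone does not close the gap: the second device uses a locally administered address, yet its directed probe still names the network it remembers. The practical mitigation is on the client side, to disable auto-join or forget networks so that the device sends only wildcard probes.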
Medical appointment check-in process could cost patients more than their patience.
The Washington Post offers a look at the growing business of harvesting and selling patient data collected at doctors’ offices. By completing the seemingly innocuous (and tedious) process of checking in for an appointment, patients may be granting pharmaceutical companies access to their medical data for targeted advertising. For instance, a company called Phreesia provides automated check-in software to over two thousand US medical facilities, replacing the thick stack of paper forms with screens or an app. The consent agreement presented when using Phreesia’s software includes language allowing the healthcare provider to “release to Phreesia’s check-in system my health information entered during the automated check-in process…to help determine the health-related materials I will receive as part of my use of Phreesia.” Those materials can include advertisements for treatments and therapies matched to the patient’s medical condition, and Phreesia earns a significant share of its revenue by selling such ads to pharmaceutical companies, which use the patient details to tailor their marketing.
Two US healthcare data breaches confirmed.
American integrated managed care consortium Kaiser Permanente has disclosed that an April compromise of an employee email account may have exposed the personal medical information of nearly 70,000 of its patients. Dark Reading explains that there is no evidence the data was actually viewed or misused; the intruder had access to the account for only a couple of hours. Still, during that time they could have accessed patient data including first and last names, medical record numbers, dates of service, and lab test results. The employee’s account has been reset, and the US Department of Health and Human Services Office for Civil Rights is investigating the incident.
Chris Clements, vice president of solutions architecture at cybersecurity company Cerberus Sentinel, commented on the Kaiser Permanente incident, approving their notification of potential victims even before a compromise has been confirmed:
“While I applaud Kaiser Permanente for taking the proactive step to notify such a large group of people that their information may have been compromised despite reporting they have no clear evidence that it was, it demonstrates the need for organizations to have robust auditing controls to quickly identify what data was accessed by attackers during an incident. The breach occurred almost 3 months ago, yet Kaiser Permanente has only recently notified potentially impacted people that their data may have been compromised. During this time, the affected individuals could have been targeted by attackers using any specific information stolen in convincing social engineering campaigns. It’s critical that, as a part of their larger cybersecurity culture, organizations include assessing their ability to quickly understand the scope of a potential breach in risk analysis or tabletop exercises.”
In yet another medical data breach, Avera Health, a regional health system based in the US state of South Dakota, has confirmed that an intruder gained access to the data of approximately seven hundred patients who received care at Avera McKennan Hospital and University Health Center. SDPB reports the compromised data includes Social Security numbers, medical codes, mailing and email addresses, phone numbers, and birth dates. The incident appears to stem from a third-party breach: the vendor MCG Health informed Avera of the compromise and is sending notices to the impacted patients.