At a glance.
- US Marine Corps exposes private personnel data.
- NT government discloses medical records breach.
- Apria Healthcare discloses breach...twenty months later.
US Marine Corps exposes private personnel data.
The US Marine Corps has disclosed that the personal data of approximately 39,000 personnel were exposed in a data breach earlier this month. On May 9, an unencrypted email containing the sensitive information was sent from within Camp Pendleton-based Combat Logistics Regiment 17 to administrators of the Defense Travel System. The breach was detected on May 12, and according to a notification letter sent on May 19 by J. S. McCalmont, Commanding Officer of Combat Logistics Regiment 17, the compromised data include personnel's full names, the last four digits of Social Security numbers, phone numbers, email addresses, mailing addresses, and checking account details. A Marine Corps spokesperson told NBC 7 San Diego, "At this time, there is no indication that any PII (personally identifying information) has gone outside of official government channels." An investigation is ongoing.
NT government discloses medical records breach.
In Australia, the Northern Territory (NT) government exposed the health data of over 50,000 public health patients by transferring medical records to the Core Clinical Systems Renewal Program (CCSRP) and to Intersystems, a software vendor with offices in Europe, South America, and China. The breach took place between 2018 and 2019, as CCSRP worked to integrate four NT Health patient record systems into one new health record system built on software purchased from Intersystems. The exposed data include highly sensitive records on psychiatric facility visits, termination of pregnancy or stillbirth, oncology treatments, and electroconvulsive therapy. NT Health commissioned an incident report in 2019 to determine the scope of the breach, but some experts say it is unclear whether every file sent to Intersystems has been accounted for. Professor Richard Buckland, a cybersecurity expert at the University of New South Wales, says it appears those overseeing the data transfer failed to conduct privacy impact and security impact assessments, which would have called for the data to be de-identified and encrypted. "I suspect if a data governance plan had been worked out, they wouldn't have even used live data," Buckland told ABC. "They would have made mock data based on live data, because there is no reason, in setting up a system, to use live data — you can make close enough replicas." NT Health reports that the files involved have been permanently deleted, and that internal cybersecurity controls have been improved.
Apria Healthcare discloses breach...twenty months later.
US firm Apria Healthcare, a leading home healthcare equipment provider, has disclosed that an intruder gained unauthorized access to the personal data of up to 1.8 million individuals held on its computer network. The breach spanned two periods: April 5 to May 7, 2019, and August 27 to October 10, 2021. Apria learned of the incident on September 1, 2021, but it wasn't until last week that the company filed a breach notice with the Maine Attorney General. The compromised data include patient names, Social Security numbers, medical records, and health insurance details, as well as financial data including account numbers, payment card numbers, account security codes, and PINs. Apria believes the attackers' main goal was to "fraudulently obtain funds from Apria and not to access personal information of its patients or employees." Patient data were exposed nonetheless, however, and Hackread asks the obvious question: why did it take Apria over twenty months to disclose the attack? The victims appear to be questioning Apria's data handling practices as well, as GlobeNewswire reports that law firm Emerson PLLC has launched an investigation into the breach.
(Added, 5:15 PM, May 25th, 2023. We received some comments from security experts on the breach. Willy Leichter, VP at Cyware, sees the incident as exposing basic flaws in the way breach notifications are handled. "This is another example of the fundamental flaws in our breach notification system," Leichter wrote. "Learning that your personal data was breached two years ago is practically useless, and all the free credit reporting in the world won't help. While we try to mandate how quickly an organization must report a breach, there are no clear standards on how quickly breaches need to be discovered. In fact, there's a perverse disincentive - the more lackluster your security, the longer you can wait to discover or disclose breaches that can be damaging to your business."
Roy Akerman, Co-Founder & CEO of Rezonate, also deplores the time that lapsed between the incident and its disclosure. "Unfortunately, we see an example where time to report an incident is not measured in days but in years," he said. "Healthcare PII data is considered premium in the dark web forums as one cannot simply alter their information with a new one. It is critical now to complete the investigation and truly understand the chain of attacks that occurred in 2019 and 2021 and validate there are no additional stealthy adversaries hiding and no backdoors left behind.")