At a glance.
- The limitations of HIPAA.
- Polish official quits after exposing physician data.
- Inadvertent police data leak in Northern Ireland puts officers at risk.
- Social services data exposed in third-party breach.
- Hospitality Staffing Solutions discloses breach.
The limitations of HIPAA.
In the US, many individuals assume that in most situations their medical data are automatically protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), but as Wired explains, this is far from the truth. For instance, data generated by the consumer are not covered, and as at-home devices like wearable health trackers that store and analyze the user's info become more popular, this has become a large loophole.
Nichole Sweeney, general counsel and chief privacy officer for nonprofit Chesapeake Regional Information System for Patients, explains, “The public may not realize that consumer-generated data is not protected…The federal government doesn’t regulate the health data itself. It’s the actual facility, medical office, or hospital—under HIPAA, a covered entity under that designation.” Hospitals and private medical offices are covered, as well as third-party associates like health plans, insurance companies, labs, clinics, and other businesses that accept payment for their medical services. This, notably, does not include social media platforms, which have become a popular way for medical professionals (and not-so-professionals) to engage with the public. And it’s important to note that if medical info is sent via text or email – communication methods that nowadays are often employed by medical providers for their expedience – it is not covered by HIPAA.
Polish official quits after exposing physician data.
BNN Bloomberg reports that Polish Health Minister Adam Niedzielski has resigned in the midst of a very public data privacy scandal. In an apparent attempt to demonstrate the difficulties of issuing digital prescriptions for patients, Niedzielski last week published a post on social media that disclosed the sensitive medical data of a physician. The public responded by calling for his resignation. It’s worth noting that Niedzielski is exiting his role just two months before a divisive parliamentary election. In response to the minister’s resignation, Premier Mateusz Morawiecki stated, “The election campaign period is a time when we must be especially sensitive to any mistake.” Morawiecki has proposed Law & Justice lawmaker Katarzyna Sójka as Niedzielski’s replacement.
Inadvertent police data leak in Northern Ireland puts officers at risk.
Sky News reports that the Police Service of Northern Ireland (PSNI) has admitted that a data breach exposing the private info of all of the force's serving officers and staff was the result of an internal error. PSNI Assistant Chief Constable Chris Todd explained that the data were inadvertently published yesterday in response to a Freedom of Information (FOI) request. Todd issued an official apology, explaining, "This is human error. We've looked into the circumstances, we'll continue with our investigation, but the very early considerations are that this is simple human error and the people who have been involved in the process have acted in good faith."
The exposed data include the officers’ surnames, initials, rank or grade, location, and department. The leak also revealed members of the organized crime unit, intelligence officers stationed at ports and airports, officers in the surveillance unit, and almost 40 PSNI staff based at MI5's headquarters in Holywood.
Legislative Assembly member Naomi Long said the officers had been left "incredibly vulnerable,” especially given that the PSNI has been targeted by republican paramilitaries in recent years. Long asked, "Why was all this data held in one place? Why was it not encrypted? Why was a junior member of staff in a position to be able to access it? Given the sensitivity of such data, is that in itself not a concern?"
Northern Ireland Secretary Chris Heaton-Harris posted on Twitter – um, X, "I'm deeply concerned by the data breach involving the PSNI. My officials are in close contact with senior officers and are keeping me updated.” RTE.ie adds that the Police Federation for Northern Ireland is calling for an "urgent inquiry" into the leak. Federation chair Liam Kelly stated, "This is a breach of monumental proportions. Even if it was done accidentally, it still represents a data and security breach that should never have happened. Rigorous safeguards ought to have been in place to protect this valuable information which, if in the wrong hands, could do incalculable damage."
Social services data exposed in third-party breach.
The Department of Social Services (DSS) of the US state of Missouri has disclosed it suffered a third-party cyberattack linked to the (all together, now…) MOVEit file transfer software application. Hackers exploited the bug to infiltrate the systems of IBM Consulting, a vendor used by the DSS to assist in providing Medicaid services to state residents. IBM notified DSS of the incident on June 2, informing the department that the company had already applied the necessary MOVEit software security update and had stopped using the file transfer service. DSS immediately opened an investigation and has found that no department systems have been directly impacted. The potentially compromised data include a member’s name, department client number (DCN), date of birth, benefit eligibility status or coverage, and medical claims information.
Dror Liwer, co-founder of Coro, points out the role the criminal-to-criminal market plays in attacks of this kind. “Attack-as-a-service lowered the barrier of entry to sophisticated cyber attacks. This means criminals who are not very technical can set their sights on smaller targets and still generate significant ROI on their investment.”
The incident is another case of MOVEit exploitation, and Roger Grimes, data-driven defense evangelist at KnowBe4, wrote to set the breach in context. "The involved vulnerability, called MoveIT Transfer, involving the Cl0p ransomware gang, was first announced by CISA on June 2nd, and really has become one of CISA's major concentrations this year," he said. "Since then, hundreds of organizations have been hit by Cl0p and other attackers using MoveIT. Most of the organizations that were hit by these gangs had weeks to patch the vulnerability, but didn't respond in time. Untimely patching is the second biggest cause of successful hacking, only behind social engineering. Patching seems like an easy thing to do. You can even automate it. But it can be difficult to even know you have something in your environment that needs to be patched. Oftentimes you buy software or services and you as the buyer or user don't know what's in it, much less that it possibly has a vulnerability and needs to be patched. That's why the security industry is working on something called the Software Bill of Materials (SBOM), https://www.cisa.gov/sbom, which is a list of every component of a piece of software and firmware. The idea is that if you have an SBOM of every piece of software, firmware, and hardware in your environment, you should have an easier time making sure it's kept up to date and patched. If the ultimate vision of SBOM's ever becomes a reality, and that's a huge IF, because it's very complicated, the idea is that these types of unpatched vulnerabilities that are used over and over for months and years by attackers becomes less frequent."
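As an added illustration of the SBOM argument in the quote above (not code from the newsletter, from CISA, or from any vendor), the snippet below reads a CycloneDX-style component list and flags components whose version falls inside an advisory's affected range. The SBOM, the component name `example-file-transfer`, and the version ranges are constructed placeholders, not real MOVEit version numbers.

```python
"""Flag SBOM components that fall inside an advisory's affected version range.

Added example; the SBOM fragment and the advisory ranges below are constructed
placeholders and do not describe any real product or vulnerability.
"""
import json

# Constructed SBOM fragment in a CycloneDX-like JSON shape (component list only).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "example-file-transfer", "version": "15.0.2", "supplier": {"name": "ExampleVendor"}},
    {"name": "example-file-transfer", "version": "14.1.7", "supplier": {"name": "ExampleVendor"}},
    {"name": "unrelated-lib", "version": "2.3.1", "supplier": {"name": "Other"}}
  ]
}
"""

# Constructed advisory data: component name -> list of (affected_from, fixed_in).
# A version v is treated as unpatched when affected_from <= v < fixed_in.
ADVISORIES = {
    "example-file-transfer": [("14.0.0", "14.1.8"), ("15.0.0", "15.0.3")],
}


def parse_version(v):
    """Turn 'a.b.c' into a comparable tuple of ints (missing parts read as 0)."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def unpatched_components(sbom_text, advisories):
    """Return (name, version, fixed_in) for every SBOM component inside an affected range."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        ranges = advisories.get(comp["name"], [])
        ver = parse_version(comp["version"])
        for lo, hi in ranges:
            if parse_version(lo) <= ver < parse_version(hi):
                findings.append((comp["name"], comp["version"], hi))
    return findings


if __name__ == "__main__":
    for name, ver, fix in unpatched_components(SBOM_JSON, ADVISORIES):
        print(f"{name} {ver}: inside affected range, fixed in {fix}")
```

The same check run across every SBOM in an environment is what turns "we don't know what's in it" into a patch list, which is the point Grimes is making.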
It's worth noting in this context that Progress Software was quick to deploy a patch in its MOVEit software, reporting the vulnerability on May 31st and patching that same day.
Hospitality Staffing Solutions discloses data exposure.
Hospitality Staffing Solutions LLC has filed notice of a data breach, JDSupra reports. The company said that the data accessed by an "unauthorized party" included consumer "names, Social Security numbers, financial account information and driver’s license numbers." Affected individuals have been notified. Roger Grimes, data-driven defense evangelist at KnowBe4, commented on the breach. "Hundreds of millions of records are involved in breaches each year," he said. "This is just another one. The question is how did it happen, which we don't know in this instance, yet. More than likely it happened because of social engineering or unpatched software. Every organization could significantly reduce their risk by focusing more and better on defeating social engineering and making sure their software is patched. Simply better focusing on these two things, if done well, would remove 90% - 99% of their cybersecurity risk."