Social engineering and employee mistakes have led to breaches at the US Department of Veterans Affairs and at the National Health Service in Wales.
Two healthcare-related data breaches at high-profile government agencies have affected tens of thousands of people.
First, a cyber-attack on the US Department of Veterans Affairs (VA) affected about 46,000 veterans, exposing their financial information. A second incident, at NHS Wales, exposed personal information belonging to 18,105 Welsh citizens.
According to the VA, an internal application used by its Financial Services Center (FSC) was compromised and used to intercept and steal funds that had been earmarked as payments to community healthcare providers. The application handles the VA's coverage of these payments and contains veterans' financial data, Social Security numbers and more.
“The exposure could have been much greater. It’s likely that security technology was in place which detected a high volume of record changes in this event as the threat actor was editing the individual financial records to divert the payments,” Ilia Sotnikov, VP of Product Management at Netwrix, said via email. “Any time there is heavy, unusual activity the likelihood of a breach is high.”
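The kind of control Sotnikov describes is a volume anomaly detector over the application's audit trail: count record modifications per account in a sliding time window and alert when an account edits far more payee records, or more payment-routing fields, than it normally would. The following is an added illustration, not the VA's or FSC's own tooling (the article does not describe it); the audit-line format, field names, the ten-minute window and the threshold of ten updates are all assumptions, and the log lines are constructed.

```python
"""Sliding-window burst detection over payee-record audit events.

Added example only; not code from the VA or the FSC. The log format
("<ISO timestamp> <user> <action> <record_id> <field>"), the field names
and the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines. "jdoe" edits a few records over a morning
# (normal clerical activity); "svc_fsc" rewrites twelve payees' details,
# mostly bank account fields, inside about 80 seconds.
SAMPLE_LOG = """\
2020-09-14T09:00:05 jdoe UPDATE payee-1041 address
2020-09-14T09:07:30 jdoe UPDATE payee-2210 phone
2020-09-14T09:31:00 jdoe UPDATE payee-3377 bank_account
2020-09-14T10:15:12 jdoe READ payee-1041 -
2020-09-14T13:02:01 svc_fsc UPDATE payee-5001 bank_account
2020-09-14T13:02:04 svc_fsc UPDATE payee-5002 bank_account
2020-09-14T13:02:09 svc_fsc UPDATE payee-5003 phone
2020-09-14T13:02:15 svc_fsc UPDATE payee-5004 bank_account
2020-09-14T13:02:21 svc_fsc UPDATE payee-5005 bank_account
2020-09-14T13:02:30 svc_fsc UPDATE payee-5006 bank_account
2020-09-14T13:02:38 svc_fsc UPDATE payee-5007 bank_account
2020-09-14T13:02:44 svc_fsc UPDATE payee-5008 bank_account
2020-09-14T13:02:51 svc_fsc UPDATE payee-5009 bank_account
2020-09-14T13:03:02 svc_fsc UPDATE payee-5010 bank_account
2020-09-14T13:03:10 svc_fsc UPDATE payee-5011 phone
2020-09-14T13:03:19 svc_fsc UPDATE payee-5012 bank_account
"""

# Fields whose modification can redirect a payment (assumed names).
SENSITIVE_FIELDS = {"bank_account", "routing_number"}


def parse_line(line):
    """Split one audit line into a dict; the five-column layout is assumed."""
    ts, user, action, record, field = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "record": record, "field": field}


def detect_bursts(log_text, window=timedelta(minutes=10), threshold=10):
    """Return one alert per user whose UPDATE count within any `window`
    reaches `threshold`. Each alert reports the peak window size, how many
    of those edits touched payment-routing fields, and how many distinct
    records were modified (many distinct records in a short burst is the
    signature of mass diversion rather than a single correction)."""
    recent = defaultdict(deque)   # user -> events inside the current window
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["action"] != "UPDATE":
            continue              # reads do not change where money goes
        q = recent[ev["user"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:
            q.popleft()           # expire events older than the window
        if len(q) < threshold:
            continue
        sensitive = sum(1 for e in q if e["field"] in SENSITIVE_FIELDS)
        a = alerts.setdefault(ev["user"], {
            "user": ev["user"], "first_ts": q[0]["ts"], "last_ts": ev["ts"],
            "count": 0, "sensitive_count": 0, "distinct_records": 0})
        a["last_ts"] = ev["ts"]
        a["count"] = max(a["count"], len(q))
        a["sensitive_count"] = max(a["sensitive_count"], sensitive)
        a["distinct_records"] = max(a["distinct_records"],
                                    len({e["record"] for e in q}))
    return sorted(alerts.values(), key=lambda a: a["user"])


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(f"{alert['user']}: {alert['count']} updates "
              f"({alert['sensitive_count']} to payment fields, "
              f"{alert['distinct_records']} records) between "
              f"{alert['first_ts'].isoformat()} and {alert['last_ts'].isoformat()}")
```

With the defaults, only `svc_fsc` is flagged: twelve updates, ten of them to bank account fields, across twelve different payees in well under the window. `jdoe` never has more than two updates in any ten-minute span. The threshold is the part that needs tuning against real baseline data; a detector like this is also the wrong place to stop an attacker who changes one record at a time, which is why the article's point about social engineering and authentication matters more than the volume alarm.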
The FSC took the application offline when the unauthorised access was discovered, but no timeline for when the breach occurred has been given.
“A preliminary review indicates these unauthorised users gained access, by using social-engineering techniques and exploiting authentication protocols,” according to a press release from the agency. “To prevent any future improper access to and modification of information, system access will not be re-enabled until a comprehensive security review is completed by the VA Office of Information Technology.”
The FSC is notifying affected veterans as well as the next-of-kin of those who are deceased.
“It’s too early to say whether new configurations related to the change to work from home played a role in the VA hack or not, but it might be a good reminder for other companies to review decisions made in March and April as they were quickly adapting to the new ways of staying productive,” Sotnikov commented. “Because this is just one of multiple breaches affecting veteran data, the VA needs to ensure they are taking every security step necessary to not only protect financial data, but also the sensitive personal and healthcare data for the veterans it serves.”
COVID-19 Patients Exposed
The Wales arm of the NHS announced that personally identifiable information (PII) of Welsh residents who have tested positive for COVID-19 was exposed, through “individual human error.”
The incident took place on Aug. 30, when data on patients who had tested positive for coronavirus was accidentally uploaded to a public server instead of the intended internal one, leaving it searchable by anyone using the site. The data was removed less than 24 hours later; during the roughly 20 hours it was online it had been viewed 56 times, NHS Wales said in an online announcement.
“In the majority of cases (16,179 people) the information consisted of their initials, date of birth, geographical area & sex, meaning that the risk they could be identified is low,” according to the statement.
“However, for 1,926 people living in nursing homes or other enclosed settings such as supported housing, or residents who share the same postcode as these settings, the information also included the name of the setting. The risk of identification for these individuals therefore is higher but is still considered low.”
There is no evidence so far that the data has been misused, but NHS Wales has opened an investigation. It is also examining what measures would prevent this kind of mistake in the future, it said.
“While the recent data breach of personally identifiable data of Welsh residents, as revealed by Public Health Wales, is not an unusual exploit or malicious stratagem, the disclosure statement is remarkable,” observed Mike Kiser, Senior Security Strategist and Evangelist at SailPoint.
“It is clear, timely, and accepts responsibility for the failure: A rare trifecta for breach notifications. The FAQ is particularly helpful, as many individuals may not have the inclination to sort through a formal statement.”
He concluded, “The note even includes a direct link to the public-facing system through which the data was mistakenly divulged. Demonstrating transparency and accountability through clear, honest communication is essential for the public to trust organisations with their personal data. Disclosures such as this one that demonstrate a commitment to an ethical approach deserve commendation.”