Authorities at the University of California, San Diego Health, in the US reported that a phishing attack led to a major breach of its network, which allowed an attacker to gain access to sensitive patient, student & employee data.
Employee email takeover exposed personal, medical data of students, employees & patients.
A Wed. notice from UCSD Health explains the attack occurred between Dec. 2, 2020 & April 8, 2021 & exposed personal information including full names, addresses, dates of birth, email addresses, US Social Security numbers & the dates & costs of medical services.
UCSD Health stated the matter was referred to the Federal Bureau of Investigation.
“This process of analysing the data in the email accounts is ongoing,” the notice explained.
“UC San Diego Health is moving as quickly as possible while taking the care & time to deliver accurate information about which data was impacted. At this time, we are aware that these email accounts contained personal information associated with a subset of our patient, student, & employee community. This review will be complete in Sept.”
After the investigation, UCSD Health commented that it will contact individuals whose personal data was exposed & offer them 1 year of free identity theft protection services. Experts point out, though, that the potential risks associated with this type of data loss could impact victims for many years.
“Fraudsters can use the medical records, lab results, US Social Security numbers & govt. identification numbers to impersonate legitimate patients & commit insurance fraud, seek covered medical care & refill unauthorised prescriptions,” Robert Prigge, CEO of Jumio observed.
“It’s also possible the exposed information is already circulating on the dark web – where it can command a high value since there’s more personal information in health records than any other electronic database.”
James Carder, CSO at LogRhythm, added that the data could be used in threats far more serious than identity theft.
“They could also face extortion-based attacks threatening to disclose sensitive medical diagnosis or images if payments are not made,” Carder explained.
“Additionally, it is conceivable that the medical state, diagnosis or prescription information for high profile patients could be of interest to nation states, terrorist groups, or other threat actors looking to do physical harm.”
Despite the rising number of attacks against the health care sector throughout the COVID-19 pandemic, medical cyber-security hasn’t kept up, noted Anurag Kahol, CTO & Co-Founder of Bitglass.
Kahol points out that between 2019 & 2020 the number of healthcare breaches grew by 55.1%.
“Due to the massive amounts of personal health information (PHI) healthcare institutions store in their systems, the sector as a whole must take a more vigilant approach to security,” Kahol suggested.
“As such, these organisations must use a Zero Trust framework to ensure all their resources & data are granularly secure.
Also, using multi-faceted cyber-security platforms that include data loss prevention (DLP), multi-factor authentication (MFA) & user & entity behaviour analytics (UEBA) can provide them with full visibility & control over their entire network.”
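The UEBA that Kahol refers to is, at its simplest, a comparison of each sign-in against the account's own history. The following is an added example written for this page, not code from UCSD Health, Bitglass or any other organisation quoted here: it runs a "new country" and "impossible travel" check over a few constructed mailbox sign-in records, the kind of signal that would surface an employee email takeover of the sort described above. The sample events, the coordinates, the 900 km/h speed ceiling and the two-event history minimum are all assumptions.

```python
"""UEBA-style sign-in anomaly check for mailbox accounts.

Added example, not from the original article or any vendor it quotes.
The sign-in records, thresholds and coordinates below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    country: str
    lat: float
    lon: float
    src_ip: str


# Constructed sample: one employee mailbox with habitual office sign-ins,
# then a sign-in from another continent 35 minutes after the last office one.
SAMPLE_EVENTS = [
    SignIn("jdoe", datetime(2020, 12, 1, 8, 2), "US", 32.88, -117.24, "198.51.100.10"),
    SignIn("jdoe", datetime(2020, 12, 1, 17, 45), "US", 32.88, -117.24, "198.51.100.10"),
    SignIn("jdoe", datetime(2020, 12, 2, 8, 5), "US", 32.88, -117.24, "198.51.100.10"),
    SignIn("jdoe", datetime(2020, 12, 2, 8, 40), "NL", 52.37, 4.90, "203.0.113.77"),
]

MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: roughly airliner speed
MIN_MOVE_KM = 50.0  # assumption: ignore jitter between nearby egress points


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def analyse(events, min_history=2, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return [(event, reasons)] for sign-ins that deviate from the user's own baseline.

    Baseline is built only from events that precede the one being judged, so the
    first sign-ins of a new account are never flagged as a "new country".
    """
    flagged = []
    seen_countries = defaultdict(set)
    history = defaultdict(int)
    last = {}
    for ev in sorted(events, key=lambda e: (e.user, e.ts)):
        reasons = []
        if history[ev.user] >= min_history and ev.country not in seen_countries[ev.user]:
            reasons.append("new_country")
        prev = last.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            # A real distance covered in zero time is treated as impossible travel too.
            if km > MIN_MOVE_KM and (hours <= 0 or km / hours > max_speed_kmh):
                reasons.append("impossible_travel")
        if reasons:
            flagged.append((ev, reasons))
        # Update the baseline only after judging the current event.
        seen_countries[ev.user].add(ev.country)
        history[ev.user] += 1
        last[ev.user] = ev
    return flagged


if __name__ == "__main__":
    for ev, reasons in analyse(SAMPLE_EVENTS):
        print(f"{ev.ts:%Y-%m-%d %H:%M} {ev.user} {ev.country} {ev.src_ip}: {', '.join(reasons)}")
```

In a real deployment the baseline would be persisted per user and fed from the identity provider's sign-in log; the point of the example is that both signals are computed purely from the account's own prior behaviour, which is why they catch a credential phish that a password check alone would not.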
Regardless of approach, it’s clear healthcare organisations need better cyber-security than a basic firewall & employee awareness training. A recent Cloudian report revealed that 65% of organisations that fell victim to phishing attacks had previously conducted employee cyber-security training.
Alicia Townsend, Technology Evangelist at OneLogin, pointed out that UCSD Health, in its public breach notification statement, suggested that even basic user training was lacking.
“UC San Diego Health has stated that they have taken steps to enhance their security processes & procedures,” Townsend explained.
“But even they admit that they need the ‘community to remain alert to threats.’ We have stated it before, & it needs to be stated again: healthcare institutions must implement security training for all of their users.
Everyone needs to be educated on how to spot phishing attempts, how to keep their passwords secure, the importance of using additional authentication factors, & what to do in case they suspect an attack.”