HHS: More than 2M patients affected by breaches reported in October
The U.S. Department of Health and Human Services released a snapshot this past week detailing breaches reported to the Office of Civil Rights in October.
In total, more than 2 million individuals had their records exposed by the 58 reported breaches, though it is possible that the same patients were affected by multiple incidents.
It's worth noting that the Secretary must, by law, post breaches of unsecured protected health information affecting 500 or more individuals – meaning breaches affecting fewer than that were not listed.
WHY IT MATTERS
According to HHS, slightly more than a third of the breaches reported in October took place over email, and about 40% took place over a network server.
Three of the breaches occurred within an electronic medical record – including an incident at the Mayo Clinic involving a now-fired employee inappropriately accessing reportedly sensitive photographs.
Although the breaches were all reported in October, they did not all take place last month. The largest breach – affecting more than 800,000 patients of Luxottica of America Inc., which operates vision care facilities – appears to have occurred in August, according to suits filed against the company.
More details about each breach were not included in the HHS list. However, a 2020 State of Encrypted Attacks report published by the Zscaler ThreatLabZ research team this past week found that cybercriminals are using industry-standard encryption methods, paired with malware, to enact attacks that bypass detection.
"Cybercriminals have created sophisticated attack chains that start with an innocent-looking phishing email containing an exploit or hidden malware. If an unsuspecting user clicks, then the attack moves into the malware installation phase, and ultimately to the exfiltration of valuable corporate data," wrote report authors.
The team found a whopping 260% increase in SSL-based threats in the last nine months, with 1.6 billion identified and blocked threats specifically targeting the healthcare industry.
More than 30% of SSL-based attacks hide in collaboration services such as Google Drive of Dropbox. And ransomware is on the rise: the Zscaler team reports a 500% increase in ransomware attacks over encrypted channels since March 2020.
"A notable change in many of these ransomware family variants during the past year has been the addition of a data exfiltration feature. This new feature allows ransomware gangs to exfiltrate sensitive data from victims before encrypting the data. This exfiltrated data is like an insurance policy for attackers: even if the victim organization has good backups, they’ll pay the ransom to avoid having their data exposed," wrote the report authors.
THE LARGER TREND
Cybercrime has taken on a renewed danger in the COVID-19 era, with already-strained hospital employees vulnerable to making mistakes such as clicking on phishing links in emails.
Meanwhile, HHS, along with the Federal Bureau of Investigations and the Cybersecurity Infrastructure and Security Agency, issued a bulletin late last month warning of "increased and imminent" cyber threats to hospitals.
"Ransomware attacks on our healthcare system may be the most dangerous cybersecurity threat we’ve ever seen in the United States," said Charles Carmakal, chief technology officer of cybersecurity firm Mandiant, in a press statement.
ON THE RECORD
"The consequences [of a cyberattack] can be grave. If an attack happens in the middle of a surgery, whatever machines are being used could go down, forcing medical staff to fall back on manual methods,” said Juta Gurinaviciute, chief technology officer at NordVPN Teams, in a statement.
"MRI machines, ventilators, and some types of microscopes are computers too. Just like our laptops, those computers come with software that the developers have to support," said Gurinaviciute. "When the machines become old and outdated, the people who made them might stop supporting them. That means that old software can become vulnerable to attacks."