Montana health data breach a textbook example of what not to do
When an organization experiences a major data breach and puts out a news release, the point is to comfort people that the news isn't as bad as it sounds. But at the same time, it's critical to be precise with language – lest that organization be compelled to subsequently issue the dreaded, "What we actually meant to say in Monday's statement…" statement.
With this in mind, consider the June 24 breach statement issued by the Montana Department of Public Health and Human Services as the quintessential example of what not to do in such a situation.
The statement about the incident, which notified some 1.3 million people that their sensitive medical data might have been grabbed by cyberthieves, started out by saying that state "officials said there is no knowledge that information on the server was used inappropriately, or was even accessed."
But a few lines later, the statement noted that "an independent forensic investigation determined a (state) computer server had been hacked. The forensic investigation was ordered on May 15 when suspicious activity was first detected by (state) officials."
Let's give MDPHHS a pass for using a statement from state officials that references what "officials said." (Isn't the whole statement what officials said?) Let's also skip by "computer server," as if a reference to simply a "server" would have been interpreted to mean something else (a waiter or waitress, perhaps?).
No, the issue here is that a forensic probe established that unauthorized individuals had broken into the server, and yet state officials have no idea whether "information on the server" had even been accessed. Isn't the very nature of gaining access to a server proof that someone had access to the files? If not, what does it mean?
In the larger world, this would be analogous to the U.S. State Department confirming that agents from North Korea's Ministry of State Security had broken into a locked file room, which at the time was filled with unlocked file cabinets stuffed with secret documents.
Given that the agents were in the room for an extended period, they certainly had access to those files. Does the government know for a fact that they looked? Technically, no. Realistically, why do you think intelligence agents would break into a file room?
Back to Montana. Officials could have said they don't know precisely how many files were accessed or copied – or, for that matter, altered or deleted. But to say that the attackers had no access to the files seems bizarre. How did the forensic team prove an intrusion if the attackers didn't have access to files? Is the state saying that someone tried to get through a firewall and failed? (Short answer: No, they're not saying that.)
It gets worse. Jon Ebelt, public information officer for Montana's Department of Public Health and Human Services, clarified that the "suspicious activity" referenced in the statement was that the cyberthieves made a post on an unidentified website – a post that showed "evidence" of a successful breach.
Ebelt wouldn't describe the nature of the evidence or the website, including whether the attackers forwarded the link as an implied – or direct – extortion attempt.
Presumably, "evidence" of a successful breach would be something that could be seen internally, such as server names, some personal information about a patient or a screen capture of some server activity. Wouldn't anything that would serve as evidence of a breach also pretty much establish that the bad guys had access to server data?
Ebelt emailed a clarification that the state did not "find evidence that information was actually viewed or copied once the unauthorized entry occurred."
First, that's not what the statement said. Second, does it make sense that they would break in, post something that was "evidence" of the breach and yet look at nothing?
Thus far, I've been reviewing the technical details of the statement and trying to illustrate that it did more to confuse the issue than to clarify. But this next comment from the statement, if believed to be truthful, is rather infuriating:
"The state upgraded its property insurance policy in 2013 to include cyber/data security coverage for incidents such as this one. The policy provides coverage of up to $2 million to cover costs associated with the toll-free Help Line, mailing notification letters, free credit monitoring and other services. State officials expect the majority of costs associated with this incident to be covered by insurance."
The line that's galling is the last one: "State officials expect the majority of costs associated with this incident to be covered by insurance."
How are you defining the "majority of costs associated with this incident"? How much for the lack of faith from your customers? How many potential injuries or deaths because of people avoiding healthcare facilities thanks to lost trust? How about the cost of upgrading security systems? Hiring more IT security people?
This all assumes that records were merely copied. What if they were altered? Will the insurance pay for staff to recheck every file before its data is relied on for treatment decisions? Will most facilities even have access to paper records – assuming they still exist – that would allow for such verification?
The problem is that organizations today often wildly underestimate the cost of such a breach, both direct and especially indirect. If state officials really believe that some insurance policy will pay for most of it, they need a lesson in true data breach costs. And in Montana, it looks like they are about to get one – the hard way.