'Cybersecurity intrusion' larger in scope than originally reported
In what United States Postal Service officials originally reported as a "cybersecurity intrusion" that compromised the Social Security numbers of some 800,000 USPS employees, turned out to be even bigger than they thought, involving scores of protected health records too.
The cyberattack, which targeted USPS information systems, compromised employee Social Security numbers, addresses and dates of birth. However, upon a "continuing" investigation, USPS officials discovered the cyberattack also involved a compromise of current and former employee injury claim data, according to a USPS patient notification letter provided to Healthcare IT News.
The file hacked contained injury compensation claims dating as far back as November 1980.
"We are unaware of any evidence that any of the compromised employee information has been used to engage in any malicious activity, such as identity theft crimes," wrote Jeffrey Williamson, USPS chief human resources officer, in the Dec. 10 letter.
There may be no current evidence, yet, but the chances of an individual who has had personal and protected health information compromised in a breach like this also being a victim of fraud is likely.
"In 2010 if you received a data breach notification, there was a better than one in 10 chance that you would also be a victim of fraud," said Al Pascual, senior fraud and security analyst for Javelin Research, in a 2013 interview with Healthcare IT News. "In 2012, the correlation jumped to one in four," he said, in discussing a fraud case study.
The Javelin report examined a HIPAA oversight by a contracted Utah Department of Health employee that resulted in a breach affecting 780,000 people. Due to a server's weak default password and failure to manage the department's IT assets appropriately, hackers exploited the vulnerability, snatching up Social Security numbers, medical diagnoses data and dates of birth.
Pascual, alongside Javelin researchers, estimated some 122,000 cases of fraud would occur, pegging the total cost at a whopping $406 million and representing some 20 hours to resolve each fraud case per person.
"These people are going to be at risk indefinitely," Pascual said, as something like a Social Security number has an "infinite shelf life."
Just this past August, the Franklin, Tenn.-based Community Health Systems reported a cyberattack after hackers were able to exploit the Heartbleed vulnerability and swipe the Social Security numbers of some 4.5 million people.
To date, nearly 42 million individuals have had their protected health information compromised in reportable HIPAA privacy and security breaches, according to data from the Department of Health and Human Services.