Yahoo confirms data breach of 500 million user accounts

While it does not appear that any PHI or health-related data was exposed, the breach is considerably larger than the Anthem attack in 2015. And as with every major breach, there will be takeaways for healthcare CIOs and CISOs to learn from.
By Jessica Davis
04:03 PM
Yahoo breach 500 million

Yahoo revealed a massive data breach that affects at least 500 million user accounts, far surpassing the estimated 80 million records hackers stole from health insurer Anthem in 2015, and potentially marking it as the largest successful breach in history.

The state-sponsored attack stole account information from Yahoo’s network in 2014 and may have included names, email addresses, telephone numbers, dates of birth, hashed passwords, and for some users, encrypted or unencrypted security questions and answers, Yahoo CISO Bob Lord said in a statement.

While the investigation is ongoing, it appears the stolen data didn’t include unprotected passwords, payment card data or bank account information, according to Lord. Credit card and bank account information aren’t stored on the system affected by the breach. Although Yahoo did not specify this, it's unlikely any protected health information or personally identifiable information would reside in those accoounts either. 

According to the announcement, the cyber attacker is no longer in the network. Yahoo is working with law enforcement during the ongoing investigation. Officials will contact potentially affected users via email and have asked users to change passwords and account verification means.

All unencrypted security questions and answers have been invalidated by Yahoo to prevent unauthorized access, while the company is asking users to review accounts for suspicious activity and avoid downloading links from suspicious emails.

“An increasingly connected world has come with increasingly sophisticated threats,” Lord said. “Industry, government and users are constantly in the crosshairs of adversaries.” 

Healthcare organizations are certainly no exception. Whereas it is too early to know for certain what the state-actor was seeking, much like the high-profile hacks of Target and Sony, lessons for healthcare chief information security officers, CIOs and other executives will likely emerge as the story unfolds.

Helpful advice on planning your purchase of IDS and IPS tools:

Like Healthcare IT News on Facebook and LinkedIn

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.