Cardiology Practice: Hack Affected 281,000 Patients, Docs
Breach Spotlights the Cyber Woes Faced by Other Medical Specialty Entities
An Alabama cardiology practice is notifying nearly 281,000 current and past patients, physicians and employees that hackers stole their sensitive information.
Alabama Cardiology Group, which has about two dozen physicians and describes itself as a "relatively small" group practice, reported the breach to federal regulators on Aug. 2 as a hacking incident involving a network server.
"If you are a current or past patient of a physician at ACG, or a current or past guarantor, employee, or physician at ACG, your personal information may have been affected," ACG said in an online breach notice.
The practice said it became aware on July 2 that unauthorized parties had accessed its computer network, which led to the network being disconnected from the internet. An investigation determined that between June 6 and July 2, the threat actors obtained personal information. ACG said it notified law enforcement.
The information affected by the incident varies among individuals. It includes identifying information, Social Security numbers, health insurance information and claims, usernames and passwords. It could include financial information including payment card and bank account information.
Medical information potentially compromised includes dates of service, diagnoses, medications, images, lab results and other treatment information.
Details provided by Alabama Cardiology Group suggest that the practice was victimized through credential abuse, said Mike Hamilton, founder and CISO of security firm Critical Insight.
"Whether this was stuffing, brute-forcing, session-stripping or finding a password that was reused, it also seems indicative of a lack of multifactor authentication," he said.
The practice did not immediately respond to Information Security Media Group's request for comment.
A Rash of Breaches at Specialty Medical Practices
Data breach reporting to federal regulators shows a slew of incidents in recent months at specialty medical practices ranging from orthopedic to mental health.
Small practices typically don't have dedicated cybersecurity staff - and physicians and support staff mostly lack the expertise to implement adequate controls, Hamilton said. "The records they store are just as valuable as those from larger institutions so that the risk/reward calculation is favorable to criminals," he said.
Kate Borten, president of privacy and security consultancy The Marblehead Group, offered a similar assessment. Specialty practices face higher risks than other entities because they have large volumes of individually identifiable data, and they typically have less robust security programs, she said.
"Their security weaknesses may be due to budget constraints and failure to prioritize security and privacy," she added.
The lack of prioritization could come back to haunt them, according to Borten. Many practices face serious post-breach financial pressures and, in some cases, even bankruptcy, she said (see: Rural Healthcare Provider Closing Due in Part to Attack Woes).
"If the practice survives, they are apt to invest more in their security program going forward," Borten said.
To help avoid such scenarios, smaller medical practices and specialty healthcare providers can consider using managed and professional security services to "raise the risk bar," Hamilton said. Practices should align their security practices with HHS' cybersecurity performance goals, "at a minimum," he said.