Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser known incident that has outsized implications for the security industry.
In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.
So without further ado, our breach of the month for January, 2018 is… the breach of 280,000 Medicaid patients’ data from the Oklahoma State University Center for Health Sciences (OSUCHS).
In early January, OSUCHS began notifying patients of a data breach that was discovered in November of last year. An “unauthorized third party” accessed a server that held Medicaid billing data belonging to 279,865 people. Medical records were not included, but the files did include patient names, Medicaid numbers, provider names, dates of service, and some treatment information. It is not certain that the patient information was viewed or stolen during the breach.
OSUCHS has not revealed how the unauthorized third party gained access to the server, or even who the third party may have been. This leaves the possibility open that they don’t know, or they could just be keeping the information secret. Either way, it makes it difficult to assess the vulnerability that was exploited.
We can, however, look at a similar incident that was reported within a few days of the OSUCHS breach. It was a bad start to the year for Medicaid patients, because Florida’s Agency for Health Care Administration (AHCA) also experienced a major breach. The AHCA breach exposed 30,000 records, containing very similar data to the OSUCHS breach. AHCA was breached via a phishing attack against one of their employees.
Any organization that controls personally identifiable data—especially sensitive medical information—needs to understand the extent of their vulnerability to cyberattacks. As healthcare has become a more common target, we have repeatedly seen that organizations do not appreciate how large the potential attack surface has become, and what is required to defend it.
OSUCHS hired an independent data security firm to investigate the breach, which is an appropriate reaction, but organizations need to take proactive steps to understand and minimize risks. This can be as simple as taking the basic steps that we have often covered in this series, such as encrypting sensitive data, keeping patches up to date, conducting vulnerability testing, and training all employees in basic information security practices. Especially if the OSUCHS breach was a phishing attack like the AHCA breach, strong internal access controls would have been a useful safeguard. Access controls limit the possibility of insider threats, and minimize the damage that can result from successful phishing attacks, because the compromised employee is less likely to have access to the targeted data.
The US Department of Health and Human Services Office for Civil Rights publishes a “wall of shame” for all breaches affecting 500 or more people. The OSUCHS breach is by far the biggest breach currently on the front page of the site. This public notoriety is added incentive for healthcare providers to protect their data. Maybe your organization isn’t eligible for the DHHS OCR “wall of shame”, but we hope this post gives you some ideas about how to protect the data that your organization holds.
We’ll see you back here next month for a new Breach of the Month.