2 Vendor Hacking Incidents Affect Over 600,000 Individuals
Breaches Include 2021 Ransomware Attack, 2020 Wire Transfer Fraud Incident
Two recent hacking breaches affecting hundreds of thousands of individuals - one reported by a firm that provides services to health plans and the other by a government contractor - serve as the latest reminders of security and privacy risks involving vendors that handle sensitive personal information.
The breaches involve a 2021 ransomware incident affecting more than 521,000 individuals that was reported to federal and state regulators on Feb. 1 by Michigan-based Morley Companies.
The other is a hacking incident reported on Feb. 11, but detected in late 2020, affecting more than 94,000 individuals and involving the discovery of "multiple" fraudulent wire transfers. That incident was reported by Comprehensive Health Services LLC, a subsidiary of Virginia-based Acuity Inc., which is a provider of professional services, including medical, engineering and consulting to the U.S. government and commercial clients in the national defense, healthcare and homeland security markets.
As of Thursday, the Morley incident was the second-largest breach posted in 2022 to the Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
Morley, in a sample breach notification provided to the Maine attorney general's office, said the incident involved "a ransomware-type malware" that had prevented access to some data files on its system beginning Aug. 1, 2021. An investigation found that the incident also involved unauthorized access to some files containing personal information, the notification says.
Morley says that upon discovery of the incidents, it "worked diligently" to prevent further access and identify affected individuals.
"Special programming was required and unique processes had to be built in order to begin analyzing the data," the company says. "The data complexity also required special processes to search for and identify key information." Morley describes the process as "lengthy," saying that on Jan. 18 the company confirmed whose information was involved.
Personal and protected health information potentially affected in the incident includes name; address; Social Security number; date of birth; client identification number; medical, diagnostic and treatment information; and health insurance information.
Morley says it is not aware of any misuse of personal information due to the incident.
Morley did not immediately respond to Information Security Media Group's request for additional details about the incident, including the type of malware involved and whether the company paid a ransom.
CHS, in a report submitted to the Maine attorney general's office on Tuesday, describes its breach as an external hacking incident that may have included unauthorized access to personal information such as names and Social Security numbers.
The company says that on Sept. 30, 2020, it detected unusual activity within its digital environment following discovery of multiple fraudulent wire transfers.
Upon discovering this activity, CHS says, it immediately engaged a team of cybersecurity experts to secure its digital environment and conduct a forensic investigation to determine the method of initial compromise and access, the scope of the incident, what systems were affected and whether any personal information may have been accessed or exfiltrated as a result of the incident.
Following review and analysis of the incident, CHS determined on Nov. 3, 2021, that personal information of a limited number of individuals employed by one of its customers may have been accessed or acquired by a malicious actor. Affected information includes names, dates of birth and Social Security numbers.
CHS says it is taking steps to prevent a similar event from occurring in the future, including investing in enhanced security measures.
CHS did not immediately respond to an ISMG request for additional details about the incident.
Some experts say the incidents involving Morley and CHS highlight various concerning data security and privacy risks posed by vendors.
"Our healthcare ecosystem is complicated and is made up of both large and small service providers and vendors," says Cathie Brown, vice president of consulting services at Clearwater, a privacy and security consultancy.
"A major lesson we can learn from these particular breaches is that a strong vendor risk management program is a must-have for any organization with PHI and other sensitive information," she says.
"That means knowing who your vendors and service providers are, having a strong contract in place, assessing the potential risks based on the type of information or services in scope, addressing those risks with the third party, and reassessing on a periodic basis."
Organizations should never assume that a vendor or service provider has a strong security program, regardless of the size of the company, she says. "This is an important case of 'trust but verify.'"
Michael Hamilton, CISO of security firm Critical Insight, says that both the CHS and Morley incidents are consistent with the findings of the company's recently released healthcare data breach report spotlighting 2021 trends.
"There has been an uptick in records theft from health plans and business associates, and a slight decrease from hospitals. That to me is the effect of rebranding ransomware as applied to hospitals as 'terrorism,'" he says.
Attackers are beginning to shift their targeting, "going down market, with newly restored focus on records theft. ... Once you've been hit with ransomware … or a business email compromise … you will very likely find that records have been disclosed, as well," he says.
According to Hamilton, "At some point, we're going to have to make the determination that all the records that can be stolen have been stolen." He says the large datasets compromised in some incidents - including the 2017 Equifax hacking breach that affected 147 million individuals - "have never been seen for sale."
"These are likely in the possession of China, and they are likely being mined for associations and networks for the purpose of espionage," he says.
Brown says she expects cybercriminals will continue to find different and damaging ways to use PHI and PII, and any notion of reaching a "saturation point" at which stolen data loses value is unlikely.
"As long as the data is valuable to consumers and organizations, the value for cybercriminals will be high. The flip side of this is to build very strong security programs that are effective at minimizing breaches to deter cybercriminals from attacks," she says.
"Healthcare organizations will state they protect PHI and PII, but in reality few have the resources to build and maintain high levels of security. Until we can do that, healthcare will be a profitable target."