ER Physician Association HackedACEP Reports Tens of Thousands of Doctors Affected
The American College of Emergency Physicians says a "malware" attack affected tens of thousands of the group's current and former members as well as members of three other emergency medical professional organizations.
The Irving, Texas-based ACEP reported to regulators in early April that it had detected the security incident on Sept. 7, 2020, after discovering unusual activity on its systems.
"During the course of the investigation, it was determined that credentials to ACEP’s separate SQL database servers were stored on a server that was compromised by an unauthorized actor," ACEP says in California and Maine.
ACEP notes the Emergency Medicine Foundation, the Emergency Medicine Residents’ Association and the Society for Emergency Medicine Physician Assistants - to whom it provides management services - were also affected. Those three groups are not owned or controlled by ACEP, "although they all have similar missions to support and serve emergency physicians," an ACEP spokesperson says.
ACEP did not describe the type of malware used in the attack.
Tens of Thousands Affected
In its notification statement filed to the state of Maine, ACEP reports that the incident affected more than 70,300 individuals, including 808 residents of Maine.
"While there is no evidence the SQL servers were subject to unauthorized access or acquisition … it cannot be ruled out," the notification letters say. The potentially compromised information was at risk from April 8, 2020, to Sept. 21, 2020.
"The information that could have been subject to unauthorized access now includes the member/customer/donor name, address, Social Security number, and/or a username or email address and hashed password," the ACEP says. "Most of the information impacted was limited to names and usernames/email addresses with hashed passwords."
ACEP says it is offering affected individuals 12 months of prepaid credit and identity monitoring.
The association tells Information Security Media Group the unusual activity discovered on the organizations e-commerce site last year stopped within two days. "The affected server was replaced, and new cyber monitoring and security safeguards were installed," ACEP says.
"During the course of its investigation, ACEP determined that its member database was accessible during this incident. Though we have no information that the member database was impacted, we provided notice to certain members, staff and customers out of an abundance of caution. ACEP’s member database does not store any health or patient information."
A Gold Mine for Hackers
"Attackers search internet-facing database servers with weak passwords in order to siphon sensitive information," says privacy attorney David Holtzman of consulting firm HITprivacy LLC. "These hackers struck gold when a compromised server was found to have maintained unencrypted files containing the credentials and passwords to access other ACEP servers on which the personal information of physicians and other partners was stored."
Regulatory attorney Marti Arvin of the privacy and security consultancy CynergisTek, notes that association members "are likely high net worth individuals, so the risk is high. There may be opportunities for bad actors to get this information and impact the person’s financial circumstances before they even know it has occurred."
The compromise of personal information linked to medical professionals raises the possibility for healthcare billing fraud and other scams, she notes.
"While a little more complex than straight identity theft, [medical billing fraud] is a potential threat because combining the [personal] information that was potentially exposed with the provider’s National Provider Identifier - often publicly available - could give a bad actor sufficient information to submit claims under the physician’s name," she adds.
Holtzman notes that physicians are especially vulnerable to identity theft and financial fraud because they often miss the warning signs that someone is misusing their personal information and committing fraud.
"For example, physicians may not be attentive to careful review of banking and other financial statements that would reveal changes to direct deposit amounts for income received through their medical practice or unauthorized transfers to debiting the account," he says.
"Physicians may not see they have received notices from government agencies about claims filed using their provider number, a notice from the IRS that they didn't pay income taxes on the fraudulent claims or that their Social Security number was used on another tax return or get collection notices or bill for products or services they didn't receive."
Steps to Take
Preventing malware-fueled data breaches is "all about good data governance, including data classification and assigning appropriate controls around the data based on its sensitivity level," Arvin says.
"Many entities invest the resources to do this well. There is also the factor of human error and the need for redundancies so that if a human error occurs, there are additional controls to protect the information."
Privileged users should use stronger authentication methods, and organizations should ensure strong protections for credential storage, she adds.
Holtzman suggests that the most critical credentials should be hashed. "If a data hash cannot be applied, then the media on which the credentials or passwords are stored must be encrypted," he says.