Hackers have breached a HealthCare.gov sign-up system and have gotten their hands on the personal information of roughly 75,000 people, the government said on Friday, October 19. The CMS said that it detected “anomalous system activity” in the FFE on October 13, 2018, and started an immediate investigation. A breach was confirmed on October 16.
The system is named Federally Facilitated Exchanges (FFE), and is managed by the Centers for Medicare & Medicaid Services (CMS). Healthcare insurance agents and brokers use the FFE to enroll users into Obamacare plans made available through the official HealthCare.gov portal.
Further research indicated that in a survey of 100 internet users, 89% had used a medical website to help self-diagnose an ailment at some point, yet only 42% understood that the activity they conducted was then shared with other third-party companies. This means 58% of the users surveyed had no idea that their information was being passed onto companies after they had clicked ‘Accept’ on the site’s cookies policy.
Hackers are leveraging error messages from connected medical devices — including radiology, X-ray and other imaging systems — to gain valuable insights, according to Zingbox. These insights are then used to refine the attacks, increasing the chance of successful hack.
The research revealed that hackers can “trick” or induce medical devices into sharing detailed information about the device’s inner workings, and that leveraging this information quickens a hacker’s access to a hospital’s network.
Medical devices, such as infusion pumps, were once standalone instruments that interacted only with the patient or medical provider. However, today’s medical devices connect to a variety of healthcare systems, networks, and other tools within a healthcare delivery organization (HDO). Connecting devices to point-of-care medication systems and electronic health records can improve healthcare delivery processes; however, increasing connectivity capabilities also creates cybersecurity risks. Potential threats include unauthorized access to patient health information, changes to prescribed drug doses, and interference with a pump’s function. The NCCoE at NIST analyzed risk factors in and around the infusion pump ecosystem by using a questionnaire-based risk assessment to develop an example implementation that demonstrates how HDOs can use standards-based, commercially available cybersecurity technologies to better protect the infusion pump ecosystem, including patient information and drug library dosing limits. This practice guide will help HDOs implement current cybersecurity standards and best practices to reduce their cybersecurity risk, while maintaining the performance and usability of wireless infusion pumps.
UnityPoint Health, a multi-hospital group serving parts of Iowa, Illinois, and Wisconsin, is alerting 1.4 million patients to the second data breach the company has suffered this year. And it’s not just the second breach; it’s the second breach initiated through a phishing attack.
The most recent breach targeted employee email accounts, which could lead to the compromise of sensitive data. It is possible payment card information was obtained by the attacker(s) as well.
Read more about the UnityPoint Health second breach this year, which is far larger than the first, on DarkReading.
Sensitive and personal data of hundreds of thousands of people at Boys Town National Research Hospital have been exposed in what appears to be the largest ever reported breach by a pediatric care provider or children’s hospital.
According to the U.S. Department of Health and Human Services Office for Civil Rights, the breach incident affected 105,309 individuals, including patients and employees, at the Omaha-based medical organization.
Read more about the Boys Town data breach, which was discovered by the organization on May 23, 2018, on The Hacker News.
Singapore has suffered its “most serious” data breach, compromising personal data of 1.5 million healthcare patients including that of its Prime Minister Lee Hsien Loong. The affected users are patients of SingHealth, which is the country’s largest group of healthcare institutions.
Non-medical personal details of 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics between May 1, 2015, and July 4, 2018, had been accessed and copied. The stolen data included patients’ name, national identification number, address, gender, race, and date of birth.
Read more about the cyber attack on SingHealth, which the Singaporean government has described as “deliberate, targeted, well-planned”, on ZDNet.
LabCorp, the US’ biggest blood testing laboratories network, has announced that hackers breached its IT network over the weekend. “At this time, there is no evidence of unauthorized transfer or misuse of data,” the company said. “LabCorp has notified the relevant authorities of the suspicious activity and will cooperate in any investigation.”
LabCorp did not provide any details about the incident but said it shut down various portions of its systems to contain the intrusion. The hack could be dangerous, because although the company is trying to play down the incident, even the smallest hack affecting this organization has serious repercussions for millions of Americans.
Cybercriminals looking to make a profit are turning their attention towards an industry known for housing sensitive consumer data with weak security protocols: healthcare.
In April of 2018, Utah-based company HealthEquity reported 23,000 accounts were compromised in a data breach when an employee fell for a phishing scheme. The HealthEquity breach is hardly an isolated incident in healthcare. 2017 alone saw the U.S. Department of Health and Human Services report an approximate 477 healthcare breaches and the exposure of more than five million patient records.
Read how healthcare organizations can address how employees approach security, and mitigate the risk of a breach by strengthening internal cybersecurity habits, on Information Security Buzz.
More than one in three healthcare organizations have suffered a cyberattack within the last year, while almost one in 10 have paid a ransom or extortion fee, according to Imperva. Healthcare data is extremely valuable on the dark web as it contains highly sensitive data, both financial and protected health information. As a result, healthcare organizations are increasingly attractive to attackers.
Imperva’s survey of 102 Healthcare IT professionals, which was carried out at the 2018 Healthcare Information and Management Systems Society (HIMSS) Conference, revealed that 77 percent of respondents were very concerned about a cybersecurity event striking their organization and 15 percent admitted that their organization’s ability to handle a cyberattack needed work.