In 2018, more than 15 million patient records were compromised in data breaches, and unfortunately, this trend seems to continue in 2019 with the American-based physician-services management company EmCare being the latest victim.
EmCare officials stated that a recent data breach compromised the email addresses of their employees, contractors, and patients. According to the company’s press release, an “unauthorized third party obtained access to a number of EmCare employees’ email accounts”. That number is reported to be over 60,000, and 31,000 of those emails belong to patients. It should be noted that this estimate was reported by Bloomberg and not by EmCare itself. According to the company statement, the emails contained personally identifiable information like “name, date of birth or age, and for some patients, clinical information, as well as Social Security and driver’s license numbers in some cases”.
WHEN DID IT HAPPEN?
According to the statement, company officials determined the impact of the data breach on February 19, after having launched a “comprehensive investigation and retained a leading forensic security firm” to learn more about who was affected and to what extent. Two months later, on April 19, the company began notifying all those who may have been impacted by the data breach. It’s unlikely that the company will reveal when the breach actually happened as under HIPAA, “notifications must be provided without unreasonable delay and no later than 60 days following the breach discovery.”
HOW DID IT HAPPEN?
The company doesn’t seem to have identified the person(s) behind the data breach and has so far referred to the individual(s) as an “unauthorized third party”.
Generally, data breaches are driven by the pursuit of profit, especially when the compromised information can be easily and immediately used for malicious purposes (like credit card information). It’s also possible that this was an attack to hurt the company as patient records are quite valuable (hacked patient records cost the healthcare industry over $8 billion in 2018 alone). In fact, attacks are more likely to happen in the healthcare industry than in any other industry. But with the limited information we have, it’s hard to deduce the exact intent behind the attack.
Now it’s time for damage control. EmCare seems to have employed a security firm to help monitor cyberspace for signs of malicious use (like selling the information on the Darknet). The company is also “implementing advanced technology solutions and providing all employees further training and reminders about email and information technology security.”
In the notification, the company included steps that those affected can take in order to safeguard themselves from any potential misuse. Finally, the company has also signed up for a membership with Experian’s IdentityWorks for their credit monitoring and identity protection services.
RISING CYBER ATTACKS ON HEALTHCARE PROVIDERS
Healthcare data breaches are on the rise. In 2017, out of the 158 million Social Security numbers and 16.5 million credit card numbers stolen, 27% belonged to the healthcare industry. And it’s not only the number of breaches that is rising. The cost per compromised record in 2018 was $408, up from $380 in 2017, which means data breaches are becoming costlier as well.
We’re only a few months into 2019 but we’re already seeing similar statistics. For instance, there were 33 data breaches in January and 32 in February – more than one breach a day. The 32 breaches in February resulted in over 2.1 million records being compromised, including the UW Medicine breach that led to 973,000 records being compromised at once.
What’s even worse is that between 60% and 89% of these incidents go unreported, which means the actual number of breaches is most likely much higher. It also means your personal information could be compromised and you wouldn’t be made aware in time to prevent any misuse. With the extreme ramifications of a data breach, one might assume that an industry worth trillions would take more steps towards ensuring cybersecurity, but one would be wrong. In an interview, the National Association of County and City Health Officials said that “only 33 percent of the local health departments in the association had plans on how to defend against a cyber attack. Only 23 conducted training on the issue, and only 8 percent participated in drills or exercises.”
Those numbers are staggering, to say the least. If you’re in one of the top 5 industries most likely to be hit by a cyber attack, you might want to take some steps to protect yourself against identity theft and misuse of personal information, and to take action in time. You might also want to read our other article on cybersecurity best practices.