Boys Town National Research Hospital, an Omaha-based children’s hospital, confirmed on July 20 that it was involved in a security incident. The personal data of 105,309 individuals may have been exposed. The breach appears to be the largest reported by a paediatric care provider or children’s hospital.

How it happened

On May 23 this year, the hospital became aware of unusual activity relating to an employee email account. An investigation determined that an unauthorised individual gained access to the email account and, through it, to a treasure trove of personal and medical information on over 100,000 employees and patients, many of whom are children.

Personal and medical data compromised

The personal information includes names, dates of birth, Social Security numbers, diagnosis or treatment information, Medicare or Medicaid identification numbers, medical record numbers, billing/claims information, health insurance information, disability codes, birth or marriage certificate information, Employer Identification Numbers, driver’s license numbers, passport information, banking or financial account numbers, as well as usernames and passwords.

The range of information exposed is broad and highly sensitive. It’s frightening to imagine the harm that could be done with this type of personal information, especially since a large volume of the data concerns children. The data exposed is highly sought after, and there’s a high probability that it will be sold on the Dark Web.

However, according to Boys Town, no reports of misuse of the stolen information have been received so far.

The hospital has informed the relevant authorities and regulators of the security incident and has notified those potentially affected. Additionally, it has offered free identity protection services to all affected individuals.

Most breaches are a result of email compromise and phishing scams

Cyber security incidents in the health sector are increasing at a worryingly fast rate. It seems the health sector, in particular, is less vigilant about cybersecurity than other sectors. Hackers know this and are exploiting the security gaps in its systems, using social engineering ploys to trick employees and gain access to the valuable data that these institutions handle.

According to the US Department of Health’s statistics, the majority of US health sector breaches have resulted from compromised email accounts and phishing scams. Knowing that this happens so frequently, the sector should be prioritising email security and data protection and ensuring that employees are properly trained to protect patient data.

Considering these statistics, email appears to be the preferred route of entry for hackers seeking access to health data in the US, likely because of its ease and high success rate.

Data protection as well as employee awareness training is vital

Measures can, however, be put in place to safeguard systems and data. Implementing strong access controls and authentication methods, using encryption technologies, and prioritising employee awareness and data protection training are necessary and effective measures. Encrypting communications and data is vital: if the emails and data were encrypted, the data would be unusable to unauthorised individuals.

Email encryption should be habitual and the norm within organisations, so that any data communicated or stored in plain text stands out as out of the ordinary and triggers a warning. A phishing email is then more likely to be noticed by employees, and the resulting attack can be avoided.

Moreover, knowledgeable and trained employees are a necessary layer of defence, especially where phishing and compromise through email are involved. Together, the right technologies and mindset can help prevent such incidents and protect patient data.
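The controls above are preventive; a defender also wants to notice the kind of “unusual activity” on a mailbox that the hospital eventually spotted, and to notice it sooner. The following Python is an added example, not code from the article or from Boys Town: it runs four simple detection rules over constructed sign-in and mailbox audit records. The record schema, the per-account baseline of known countries and the thresholds are all assumptions made for the example.

```python
"""Detect signs of a compromised employee mailbox from sign-in and mailbox audit logs.

Added example, not from the article: the log records and the baseline are
constructed for illustration, and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records, one dict per event, in the shape a mail platform's
# sign-in / mailbox audit export might be normalised into (assumed schema).
SAMPLE_EVENTS = [
    {"ts": "2018-05-20T09:02:00", "user": "nurse.a", "country": "US", "mfa": True,  "result": "success", "action": "login"},
    {"ts": "2018-05-20T09:10:00", "user": "dr.b",    "country": "US", "mfa": True,  "result": "success", "action": "login"},
    {"ts": "2018-05-22T03:10:00", "user": "nurse.a", "country": "NG", "mfa": False, "result": "failure", "action": "login"},
    {"ts": "2018-05-22T03:12:00", "user": "nurse.a", "country": "NG", "mfa": False, "result": "failure", "action": "login"},
    {"ts": "2018-05-22T03:14:00", "user": "nurse.a", "country": "NG", "mfa": False, "result": "failure", "action": "login"},
    {"ts": "2018-05-22T03:15:00", "user": "nurse.a", "country": "NG", "mfa": False, "result": "success", "action": "login"},
    {"ts": "2018-05-22T03:20:00", "user": "nurse.a", "country": "NG", "mfa": False, "result": "success", "action": "create_forward_rule"},
    {"ts": "2018-05-23T08:00:00", "user": "dr.b",    "country": "US", "mfa": True,  "result": "success", "action": "login"},
]

# Constructed baseline: countries each account has legitimately signed in from before.
BASELINE_COUNTRIES = {"nurse.a": {"US"}, "dr.b": {"US"}}


def detect_account_compromise(events, baseline, fail_burst=3, window_minutes=10):
    """Return a list of (user, timestamp, reason) findings.

    Rules (all thresholds are assumptions for the example):
      1. a successful login preceded by >= fail_burst failed logins within window_minutes
      2. a successful login without MFA
      3. a successful login from a country outside the account's baseline
         (an account with no baseline at all is flagged on every login)
      4. creation of a mail-forwarding rule, a common persistence step after mailbox takeover
    """
    findings = []
    failures = defaultdict(list)                 # user -> timestamps of recent failed logins
    known = {u: set(c) for u, c in baseline.items()}
    window = timedelta(minutes=window_minutes)

    # ISO-8601 timestamps sort correctly as strings, so this orders events by time.
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        user = e["user"]

        if e["action"] == "login":
            if e["result"] != "success":
                failures[user].append(t)
                continue
            recent = [f for f in failures[user] if t - f <= window]
            if len(recent) >= fail_burst:
                findings.append((user, e["ts"],
                                 f"success after {len(recent)} failed logins in {window_minutes} min"))
            failures[user] = []                  # a success closes the failure window
            if not e["mfa"]:
                findings.append((user, e["ts"], "login without MFA"))
            if e["country"] not in known.setdefault(user, set()):
                findings.append((user, e["ts"], f"login from new country {e['country']}"))
        elif e["action"] == "create_forward_rule":
            findings.append((user, e["ts"], "mail-forwarding rule created"))

    return findings


def users_flagged(findings):
    """Distinct accounts with at least one finding, for a quick triage summary."""
    return sorted({user for user, _, _ in findings})


if __name__ == "__main__":
    for user, ts, reason in detect_account_compromise(SAMPLE_EVENTS, BASELINE_COUNTRIES):
        print(f"{ts} {user}: {reason}")
```

On the constructed records, the account `nurse.a` produces four findings in sequence (a success after three failures, no MFA, a sign-in from a country outside its baseline, and a forwarding rule created minutes later) while `dr.b` produces none. In practice the baseline would be learned from a trailing window of each account’s own history rather than hard-coded, and any one of these rules alone is noisy; it is the combination on a single account within a short time that should page someone.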

Source: The Hacker News