Healthcare // Security & Privacy
News
6/25/2014
05:20 PM
Connect Directly
RSS
E-Mail
50%
50%

Montana Health Department Hacked

State of Montana notifies 1.3 million patients of breach to Department of Public Health and Human Services server.

10 Ways To Fight Digital Theft & Fraud
10 Ways To Fight Digital Theft & Fraud
(Click image for larger view and slideshow.)

Hackers breached a server in the State of Montana's Department of Public Health and Human Services, prompting officials to notify 1.3 million people of the incident.

There is no evidence this information was used inappropriately -- or even accessed -- but the state is offering free credit monitoring and identity protection insurance to potentially affected individuals, said Richard Opper, DPHHS director. Montana also is alerting family members of deceased patients.

Officials discovered the breach after an independent forensic investigation determined a DPHHS server had been hacked. The department ordered the May 22 investigation from Kroll after DPHHS officials first noticed "suspicious activity" on May 15, Jon Ebelt, DPHHS public information officer, told InformationWeek.

[Researchers discover a flaw in two-factor authentication. Read PayPal Two-Factor Authentication Broken.]

Since the breach, DPHHS has "taken several steps to further strengthen security, including safely restoring all systems affected, adding additional security software to better protect sensitive information on existing servers, and continually reviewing its security practices to ensure all appropriate measures are being taken to protect citizen information," according to the release. For security reasons, DPHHS declined to expand on these additional measures.

Eyal Firstenberg, vice president of cyber research at LightCyber, a security breach detection company:

The time gap between the initial breach and the detection, while outrageously long, is far from being a rare occurrence. In fact, once mission-driven attackers have established a stable beachhead they leverage legitimate existing network resources, like user credentials, for the next phases of the attack. They thus render traditional security controls, like AV, firewalls, and sandboxes useless. With no system in place to monitor the internal network in real-time, attackers are effectively allowed to explore, compromise and exploit the network at their leisure.

DPHHS website displays help line information for potentially affected patients (Source: Montana DPHHS)

DPHHS website displays help line information for potentially affected patients (Source: Montana DPHHS)

The health department notified both Federal Bureau of Investigation and the Montana Attorney General's Office of the breach, said Ebelt.

No information about any potential suspects was available.

Although many healthcare breaches have historically resulted from employee carelessness or error, hackers are increasingly attracted to this industry's rich stash of personal data -- including Social Security numbers, credit card information, and addresses -- and personal health information, experts said. In its 2014 Data Breach report, Verizon determined physical theft and loss, insider misuse, and miscellaneous error accounted for 73% of healthcare breaches.

Michael Raggo, security evangelist at MobileIron, told InformationWeek last month:

I will never say never, but the healthcare industry has seen a disproportionately low instance of cyberattacks, and rather a higher proportion of accidental data loss through well-intentioned but risky user behaviors on the device or lost devices. A major reason for a low instance of cyberattacks is because stringent HIPAA guidelines are a core part of the data security and compliance strategy of all healthcare organizations in the United States. That said, cyberattacks are increasing, as are the number of attack vectors organizations need to protect.

In mid-May, the Office for Civil Rights (OCR) posted 61 new breach incidents affecting more than 500 patients, bringing the 2014 tally to 992 organizations and more than 31,000 patients. More than one third were attributable to theft, and unauthorized access/disclosure accounted for about 15%.

A search of OCR's database reveals only a handful of hacking incidents in 2014. In April, DeKalb Health's website was compromised when the service provider operating the Indiana provider's website was targeted by an overseas hacking group. Hackers created a fraudulent page made to resemble the legitimate site of the DeKalb Health Foundation, a non-profit organization, and sent phishing emails seeking donations. Hackers also defaced DeKalb's website to link to the fake site.

During its investigation, DeKalb discovered that several patient databases were housed on the affected server, notified patients, and provided one year of free monitoring services.

Also in May, Centura Health fell victim to a phishing scam after hackers reportedly targeted employees at the non-profit division of Mercy Regional Medical Center. The organization notified about 1,000 patients whose information may have been compromised when hackers might have gained access to personal information including Medicare beneficiary numbers, Social Security numbers, and dates of birth. An external forensics firm confirmed this data could have been compromised.

Nobody wants to be the next data breach headline. But ensuring that cyber-security defenses are operating effectively and efficiently is a monumental challenge given the sheer volume of information coming at us. Here's how to streamline your program. Get the Metrics That Work: Practical Cyber-Security Risk Measurements report today (registration required).

Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Alison_Diana
100%
0%
Alison_Diana,
User Rank: Author
6/26/2014 | 9:40:14 AM
Re: Leaker and Thief
Very funny! Political humor aside, I think we can unfortunately expect more of these incidents to occur as hackers turn their attention to healthcare websites -- both government and commercial. Most, if not all, security experts agree that healthcare networks, databases, etc., are often woefully ill-secured, especially when you consider healthcare records are valued at between $20 to $50 EACH (experts I've spoken to have given me estimates at both ends of that scale). Figure 1M records quickly becomes a pretty good haul.

Last year, there was a lot of discussion about the insecurities surrounding Healthcare.gov, which has a lot more than 1.3M records. When you figure we can individually choose to avoid Target or Michael's or whatever store gets hacked, that's one thing. But when your health records are hacked and your employer's insurer is breached, it gets a lot more complicated than switching out your credit card.
MikeW713
100%
0%
MikeW713,
User Rank: Apprentice
6/25/2014 | 8:15:51 PM
Leker and Thief
Web site leakes nad hacks...Darryl Issa must be in town.
<<   <   Page 2 / 2
Healthcare Data Breaches Cost More Than You Think
Healthcare Data Breaches Cost More Than You Think
Healthcare providers just don't get it. They refuse to see the need to fully secure their protected health information from unauthorized users -- and from authorized users who abuse their access privileges. As a result, they don't allocate enough budgetary resources for securing medical data.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - August 27, 2014
Who wins in cloud price wars? Short answer: not IT. Enterprises don't want bare-bones IaaS. Providers must focus on support, not undercutting rivals.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.