Data Breach Roundup: U.S. Healthcare, Cryptopia, SingHealth and Experian


January is off to a running start on the data breach front, while Experian is predicting new attack frontiers ahead.

Millions of people were affected by data breaches in 2018, and 2019 shows no signs of waning activity. The latest round of breaches as of Tuesday includes an attack on a managed-health provider in Indiana, an offensive against a rehab and wellness center in Michigan, millions in purloined funds at virtual currency broker Cryptopia Exchange and major fines levied against SingHealth in Singapore.

This is only the latest glut of data exposure news since the beginning of the new year.


A third-party data breach at Managed Health Services (MHS) of Indiana has exposed around 31,000 patients’ personal data. The provider learned from its vendor, LCP Transportation, that unauthorized users had gained access to some employees’ email accounts, which contained patient information.

The incident was caused by a phishing attack on the vendor’s systems, MHS told patients.

“It is possible that emails in the accounts were accessed by the attacker,” it said. “Some of the emails in the compromised accounts contained plan members’ personal health information (PHI) including names, addresses, dates of birth, dates of service, insurance ID numbers and a description of medical conditions.”

MHS learned of the incident in October and issued patient notifications in late December, before going public with the incident in January. The company said: “Email security has now been enhanced and employees have received further training on cyber-risks.”

Meanwhile, Sacred Heart Rehabilitation Center in Richmond, Mich., is now notifying patients after a very similar incident. Two phishing attacks last April resulted in a compromise of an employee’s email account.

The organization didn’t learn of the attack until mid-November, it said, adding that the email account in question contained patient names, addresses, health insurance information, treatment information, diagnostic information and Social Security numbers.

It didn’t say how many of its clients are affected, but it noted the victim footprint does not represent its full patient roster. It too is retraining employees on cyber-awareness, it added.

These types of breaches are set to increase as vendor ecosystems expand, the number of patients increases and business demands grow, leading to ever-greater complexity in managing healthcare in a digital world.

“With medical data and personal patient information migrating to the digital world, and cyberattacks growing in complexity, the regulatory landscape is evolving,” said Jake Olcott, vice president at BitSight, via email. “Simple contractual provisions are not enough to manage this risk: healthcare organizations must perform robust diligence assessments and continuously monitor third-party business relationships to prevent catastrophic failure.”

In a different sort of data exposure, New Zealand-based Cryptopia Exchange has suspended trading while it investigates a hack.

It said via Twitter that an attack resulted in “significant losses,” but it didn’t quantify what those might be.

While the amount is unannounced, an Ethereum transaction from the exchange was logged over the weekend that totaled close to $2.5 million.

When users attempt to access the website, a “maintenance” message is displayed, noting: “We are currently experiencing unscheduled maintenance, we are working to resume services as soon as possible. We will keep you updated.”

As new incidents come to light, regulatory bodies are starting to take action when it comes to past problems.

In Singapore, the Personal Data Protection Commission (PDPC) has imposed financial penalties on Integrated Health Information Systems (IHiS) and the country’s largest healthcare institution, SingHealth, for breaching their data protection obligations under the Personal Data Protection Act (PDPA).

PDPC has fined IHiS S$750,000 (about $553,000) and has levied S$250,000 (about $184,000) on SingHealth as the owner of the patient database system – the highest-ever fines imposed by PDPC to date.

In July, it came to light that SingHealth was hit by a cyber-attack on its patient database system, with an extensive, 10-month malware and data-exfiltration campaign resulting in the theft of 1.5 million patients’ personal profiles – along with the details of prescriptions for 160,000 others. Included in the group was Singapore’s prime minister, Lee Hsien Loong, who the Ministry of Health said was targeted “specifically and repeatedly.”

“As noted by the Prime Minister and others in the Singaporean government, health records contain unique information about individuals with one of the broadest and most comprehensive datasets a thief can find,” director of solutions at Absolute, Josh Mayfield, told Threatpost. “As such, the information is highly valued on the Dark Web; often fetching prices of $300-$500 per record.”

He added, “So why didn’t anyone know it was happening? Often, detection systems are calibrated to spot anomalous behavior. But when an endpoint has access to patient records, it does not cause any alarms when that trusted device is accessing patient data, which it does all the time without incident. This dwell time for the attacker was extensive, allowing 1.5 million records to be swiped without notice.”

PDPC’s investigations into the data breach found that IHiS, SingHealth’s technology partner, had failed to take adequate security measures to protect the personal data in its possession.

Also, “PDPC found that the SingHealth personnel handling security incidents was unfamiliar with the incident response process, overly dependent on IHiS, and failed to understand and take further steps to understand the significance of the information provided by IHiS after it was surfaced,” the watchdog said in its decision. “Even if organizations delegate work to vendors, organizations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers.”

PDPC characterized the attack as being carried out by a “skilled and sophisticated threat actor bearing the characteristics of an advanced persistent threat (APT) group, using numerous advanced, customised and stealthy tools and carrying out its attack over a period of more than 10 months.”

As bad as things seem to be, there’s always the potential for them to get worse. That’s the takeaway from Experian’s latest Data Breach Industry Forecast issued Monday, which found that new breach frontiers, such as biometrics and gaming, along with susceptible breach targets such as the cloud and wireless networks, are widening the attack surface every day.

In all, the credit-reporting giant has made five data breach predictions for 2019, starting with biometrics.

“Attackers will zero in on biometric hacking and expose vulnerabilities in touch ID sensors, facial recognition and passcodes,” it said in the report.

The firm also predicted that card-skimming malware will be trained on enterprise networks going forward: “Skimming is the next frontier for an enterprise wide attack on a major financial institution’s national network, which could result in millions of losses.”

Meanwhile, it also predicts that we will see major attacks on top-tier providers of wireless (AT&T, Verizon, et al.) and cloud services (think AWS or Microsoft Azure).

“A major wireless carrier will be attacked with a simultaneous effect on both iPhones and Android, stealing personal information from millions of consumers and possibly disabling all wireless communications in the United States,” the firm said. It added, “It’s a matter of when, not if, a top cloud vendor will suffer a breach, compromising the sensitive information of major companies.”

And finally, “the online gaming community will be an emerging hacker target, with cybercriminals posing as gamers and gaining access to the computers and personal data of trusting players,” according to the report.

Interested in learning more about data breach trends? Join the free Threatpost webinar on Wednesday, Jan. 23 at 2 p.m. ET, as editor Tom Spring examines the data breach epidemic with the help of noted breach hunter and cybersecurity expert Chris Vickery. Vickery shares how companies can identify their own insecure data, remediate against a data breach and offers tips on protecting data against future attacks.

