A security incident at a nonprofit community hospital in Oklahoma may have exposed the personal data of more than 92,000 individuals.
Duncan Regional Hospital (DRH) found access to some of its systems mysteriously blocked on January 20, 2022. The hospital disconnected all its systems from external access and notified law enforcement.
DRH triggered its cybersecurity incident response plan and hired an independent forensics firm to determine what had happened, how it had occurred and whether any sensitive information may have been impacted.
Although DRH was able to bring all systems back to normal operations within 24 hours, the investigating firm found that patient information and employee information may have been exposed during the incident.
A security notice, submitted to the attorney general of Maine on March 4 by law firm Clark Hill on behalf of DRH, stated that the impacted data might include patients' names, dates of birth, Social Security numbers, limited treatment information and medical appointment information such as date of service and name of providers.
"For employees, this includes personal information associated with W-2s, such as name, date of birth, address, and Social Security number," stated the notice.
The data breach was reported as an "external system breach (hacking)" incident affecting 92,398 individuals.
KnowBe4 security awareness advocate, James McQuiggan, commented: "Cyber-criminals work to make money by selling data, which is stolen from the victims. Data breaches where they can steal names, social security numbers and email addresses are a good source of revenue."
JupiterOne CISO, Sounil Yu, commented that the value of a healthcare record is "pointedly higher" for cyber-criminals than the value of other information.
"The reason for this is that a healthcare record contains more PII than most other records," said Yu. "In addition, it enables attackers to defraud medical insurance and resell drugs purchased through the stolen identities."
Joseph Carson, chief security scientist and advisory CISO at Delinea, said that data theft involving medical records was particularly irksome for victims.
"Unfortunately, for medical records, you cannot change your medical history. Once stolen or disclosed, it is public knowledge whereas a credit card you can change and get back on track quickly."