UC San Diego Health Hacked, Stolen Information Likely Used for More Crimes
Health care organizations have long been a prime target for cyber criminals.
![Medical data breach](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt61ee2b542bc12cec/65244b9ff2a4c5fee139aa05/Medical-Data-Breach.jpg?width=700&auto=webp&quality=80&disable=upscale)
Dirk Schrader is global vice president of security research at New Net Technologies (NNT), now part of Netwrix.
“Stating that ‘continuity of care’ was never affected is meant to be reassuring,” he said. “However, it is also a distraction from the issue. The systems and devices used to provide care (such as radiology or patient monitoring) may not have been affected, but there is still a serious aspect to this incident. Looking at the details that ‘may’ have been accessed, it seems likely that the accounts in question were linked to UCSD’s electronic medical record (EMR) system and attackers seem to have been able to access the system via these compromised accounts. So far, UCSD hasn’t stated how many patients are affected, but the data that has been accessed can be used in health insurance fraud or any other form of identity theft as it is quite comprehensive. Any patients being informed about their data being accessed should be cautious, not only about monitoring their credit information, but also about any phishing attempts using the compromised details against them.”
Purandar Das is co-founder and the chief security evangelist at Sotero.
“I think it will be important to understand the specific nature of the breach,” he said. “More importantly, it is too early to claim that the data has not been misused. In fact, it may be hard to quantify what the long-term impact of the stolen data on the individuals is. Also concerning is that the breach was not identified based on sources other than the organization. That fact alone may suggest that the stolen data may have been spotted in an illegal store front. Obviously, the hospital will be taking a hard look as to how the activity went undiscovered for an extended period of time. The learnings should be used to help other organizations prepare better.”
Joseph Carson is chief security scientist and advisory CISO at ThycoticCentrify. He said health care organizations have long been a prime target for cybercriminals.
“This is likely due to the amount of sensitive personally identifiable information (PII) organizations collect and store, as well as a traditionally large number of connected devices integrated into respective networks,” he said. “The result is a massive, more easily exploitable threat vector. At the same time, disruption to any mission-critical processes can have life-or-death implications for patients, which makes health care organizations more inclined to pay out a ransom if targeted.”
The average health care worker isn’t trained in cyber hygiene and best practices, Carson said. That makes them easy prey for cybercriminals looking to access an organization’s networks quickly and easily.
“By ensuring that a comprehensive system for monitoring and controlling privileged access credentials is in place, health care organizations can greatly lower the success rate and risks of a ransomware attack,” he said. “If attackers do gain initial access to a network, they’ll begin to look for ways to escalate their privileges to fully compromise a network and spread the attack. Privileged access management (PAM) tools can slow that spread and keep ransomware contained at its inception point (e.g. a single endpoint or set of credentials).”
Kevin Dunne is president of Pathlock. He said security professionals often focus undue effort on how to respond once ransomware has made its way onto the network, rather than working to prevent it from entering the network in the first place.
“Even in the case you can restore your systems from backup, that often means the ransomware group has made off with your critical data, which might include sensitive financial, customer, employee or patient information,” he said. “Security professionals need to focus on how to keep the ransomware off the network in the first place, which often hinges around a well-implemented identity program built on a zero trust philosophy.”
Moving forward, it’s likely ransomware groups will successfully go after larger and larger health care organizations, Dunne said.
“Recent ransomware attacks demonstrate that larger companies can be penetrated, regardless of their perceived sophistication or level of security,” he said. “The larger organizations provide the dual benefit of larger ransoms as well as more notoriety for these ransomware groups.”
Jack Kudale is founder and CEO of Cowbell Cyber. He said cyber incidents are always just a step or two away from generating physical incidents or life-threatening situations.
“This is a reminder that there is a digital component rooted in every aspect of our lives,” he said. “Health care services need to meticulously activate simple protection measures such as multifactor authentication (MFA), systematic backups and cybersecurity awareness training for all employees.”
Robert Prigge is CEO of Jumio. He said this breach highlights health care organizations have yet to implement proper security that can protect employee and patient identities.
“It’s highly likely that PII was accessed or obtained in this breach, placing victims at risk of fraud or identity theft,” he said. “Fraudsters can leverage the medical records, lab results, Social Security numbers and government identification numbers to impersonate legitimate patients and commit insurance fraud, seek covered medical care and refill unauthorized prescriptions. It’s also possible the exposed information is already circulating on the dark web where it can command a high value since there’s more personal information in health records than any other electronic database.”
As the health care sector shifts toward telemedicine and remains a lucrative target for cybercriminals, it’s critical that institutions trust their patient is who they claim to be, Prigge said.
“Leveraging biometric authentication (using a person’s unique human traits to verify identity) confirms patient identity, which allows health care organizations to approve or deny online accounts, appointment requests and attempted purchases, while safeguarding employee email accounts against phishing attempts,” he said.
The latest high-profile health care cyberattack targeted UC San Diego (UCSD) Health, which has disclosed a data breach involving unauthorized access to employee email accounts.
An undisclosed number of patients, employees and others connected to the facility may have had protected information compromised in the breach. The event didn’t affect patient care, the health system said.
In addition, there’s no evidence that other UCSD Health systems were impacted. The health system said there’s also no evidence of information misuse at this time.
Long List of Potential Stolen Data
Between Dec. 2, 2020, and April 8, 2021, the hacker(s) may have accessed or acquired personal information. That includes full name, address, date of birth, email, fax number, claims information, laboratory results, and medical diagnoses and conditions.
In addition, medical record numbers and other medical identifiers, prescription information, treatment information, medical information, Social Security number, government identification number, payment card number or financial account number and security code, student ID number, and username and password may have been accessed or acquired.
“Once the forensic review has concluded, UC San Diego Health will send individual notices to those students, employees and patients whose personal information was contained in the accounts, where current contact information is available,” the health system said. “In addition to notifying individuals whose personal information may have been involved, UC San Diego Health has taken remediation measures which have included, among other steps, changing employee credentials, disabling access points, and enhancing our security processes and procedures. While we have a number of safeguards in place to protect information from unauthorized access, we are also always working to strengthen them so we can stay ahead of this type of threat activity.”