Medtronic’s cyberattack apparently contained. The company reported in a corporate statement on 24 April that an unauthorized party accessed data in certain Medtronic corporate IT systems. Medtronic has not identified, to date, any effects on, as specified: products, patient safety, patient needs, connections to customers, manufacturing and distribution operations, or financial reporting systems. They are determining any intrusion into patient information. According to their most recent SEC filings, Medtronic does not anticipate any effect on its business or financial needs.

The criminal hacker organization taking credit for it is the interestingly named ShinyHunters (what, not Shiny Stockings?) which claims it exfiltrated 9 million patient records with personally identifiable information (PII), 38 million records in total, as well as “terabytes” of internal corporate data. This immediately contradicts Medtronic’s anodyne corporate statement. However, the leak is no longer published on their dedicated leak website, according to Cybernews reported in TechRadar, which may indicate that some negotiations are going on. We’ll see if Medtronic will be changing their statement.

ShinyHunters is indulging in some chest beating, bragging on its leak website that they’ve stolen data from primarily consumer companies such as Zara, Carnival, 7-Eleven, Pitney Bowes, The Canada Life Assurance Company, and Hallmark. 

This fits a pattern of major healthcare hacking. Orthopedic medical device and robotics company Stryker was caught in a massive breach, wiping tens of thousands of systems and servers across the company’s network including applications such as Intune Company Portal, Teams, and VPN clients often used on personal devices. The perpetrator, Handala, is “linked to Iran’s Ministry of Intelligence and Security (MOIS) that targets Israeli organizations with destructive malware designed to wipe Windows and Linux devices.” This makes it political as a primary reason, economic secondary. [TTA 20 Mar]

Corporate IT is more vulnerable than production or patient-facing systems, according to Ensar Seker, chief information security officer at threat intelligence platform SOCRadar, quoted in MedCityNews. Corporate systems have high-value data but are less rigorously segmented and protected. MedTechDive

Another breach with international repercussions is that of UK Biobank. UK Biobank is a non-profit research database with information on 500,000 British citizens who volunteered their history and data. That data was found for sale on three separate listings on the Chinese e-commerce website Alibaba. Apparently no entity purchased the data. Unusually, the Chinese government assisted in the listings’ removal. (See below for the embarrassing reason why.)

Last Thursday (23 April), science minister Ian Murray told the House of Commons that the charity had informed the government about the data breach last Monday and thanked the Chinese government for assisting with the removal from Alibaba. Biobank has referred itself to the Information Commissioner’s Office. The hacker is not identified.

Dame Chi Onwurah, the Labor chair of the science, innovation and technology committee, scored her own Government, saying that it was “another blow to public confidence”, adding that it showed “little progress had been made” in protecting public data. Mr. Murray had assured her back in February that standards of public sector information security and data hygiene would improve.

The subjects joined the study over four years, 2006-2010, and at that time were between 40 and 69 years old. The information could include gender, age, month and year of birth, socioeconomic status, lifestyle habits, and measures from biological samples. The deidentified  information did not include names, addresses or contact details but what was included–genome sequences, hospital diagnoses, and biological measures–could be cross referenced and re-identified in experts’ view.

According to the Independent (via Yahoo UK), UK Biobank is the world’s most comprehensive dataset of biological, health and lifestyle information. It is used internationally and has been used to achieve improvements in the detection and treatment of dementia, cancers and Parkinson’s. DataBreaches.net

Update: the breach was apparently an Inside Job. The data was leaked dozens of times via GitHub. Three Chinese research institutions with legitimate access violated their data-sharing agreements. FTA: “It was not a hack. It was a contract violation by trusted researchers, and that distinction makes it worse, not better, because it exposes a vulnerability that no firewall can fix: the entire model of open research data sharing assumes that everyone who receives the data will follow the rules.” TheNextWeb