Hacking, insider actions 81 percent of healthcare data breaches: Protenus

Healthcare data security company Protenus’ monthly Breach Barometer always contains interesting–and somewhat discouraging–surprises. August’s report topped July’s for the number of patients affected, with 674,000 patients involved in 33 incidents. Over 54 percent of breaches (N=18) were due to hacking (five incidents were attributed to ransomware), with over 27 percent (N=9) were from insider error (the main cause) or wrongdoing–over 81 percent in total. The remainder were due to loss, theft, or ‘unknown’. Another interesting finding was that discoveries of hacking are relatively quick at an average of 26 days from start to finish, due to the disruption they create, while insider attacks can go on for months (209.8 days)–or years. Protenus’ July report highlighted a breach at Tewksbury Hospital in Massachusetts that went unreported for a record-setting 14 years–an insider action that affected 1,100 records. Reporting to HHS is improving with reporting to HHS, the media or state attorneys general on average of 53 days. Protenus crunches its data from databreaches.net. (If you look at their reporting on TheDarkOverlord (@tdo_hackers), including their recent threats on a small Montana school system, you’ll be scared indeed.) MedCityNews 25 Sept, 23 August   Hat tip to Guy Dewsbury via LinkedIn

Data breach fail at AnthemHealth: an inadvertent ‘inside job’ (updated)

US health insurance giant AnthemHealth, which had a data breach of reportedly up to 80 million beneficiaries [TTA 6 Feb], was an inadvertent ‘inside job’. The Associated Press reported that the credentials of at least five employees were used to access information, at least one of whom was an administrator who viewed his credentials being used to query the data warehouse. It’s easier than you think to get them. In an analysis published by security firm Tripwire and also in MIT Technology Review, the writer Ken Westin outlines how easy it is to find that the Anthem warehouse is TeraData, and to match up employees engaged with it, through using public employee profiles on places like LinkedIn and job postings. Then it’s deductive to find exact email addresses (find the pattern–lead generation companies building business contact lists do this all the time) and send these key employees phishing emails  (more…)