On March 4th, cancer treatment center 21st Century Oncology Holdings shared details of a breach that affected over 2 million patients. The investigation conducted by the Federal Bureau of Investigation and a cyber forensics firm revealed that the theft of patient information—including names, Social Security numbers, physicians’ names, treatment and insurance details—took place in November after malicious parties gained access to the center’s database in October.
In a statement, the Florida-based center said, “The FBI asked that we delay notification or public announcement of the incident until now so as not to interfere with its investigation. Now that law enforcement’s request for delay has ended, we are notifying patients as quickly as possible. We continue to work closely with the FBI on its investigation of the intrusion into our system.”
Based in Fort Myers, the company operates 145 cancer treatment centers in the United States and 36 more in Latin America. The care provider added that no evidence of misuse of the exposed patient information has been seen so far. While the FBI’s request for discretion has already been lifted, the investigation into the security incident is still in progress to determine the breadth and gravity of the breach.
In a separate incident last week, City of Hope, a research and treatment facility in Duarte, California, reported a phishing email attack that occurred in January 2016. The attack led to unauthorized access to the email accounts of four staff members, including three that contained protected health information such as patient names, medical record numbers, dates of birth, addresses and other patient and clinical information.
While the methods involved in the City of Hope incident might differ, this incident is just one of the many attacks on the healthcare industry, and it's unlikely to be the last. According to an analysis of publicly disclosed data breach incident reports from the last ten years, almost 27% of all recorded breaches hit the healthcare industry.1
The attacks on the healthcare industry can be explained by the fact that it holds profitable types of information. Mined data and customer information from healthcare companies are considered as good as gold by cybercriminals, because the personally identifiable information that can be pulled from these records can easily be used to open accounts under stolen identities, sold in black markets, and even used for blackmail and other extortion schemes. Furthermore, the number of incidents that involve the theft of medical data shows that this data isn't well secured, making it an even more attractive target.
In Setting the Stage: Landscape Shifts Dictate Future Threat Response Strategies, healthcare was identified as the industry that was most affected by data breach incidents in 2015. Among the most notable cases last year, 90 million patient records, which included social security numbers, clinical data, and even financial information, were accessed by cybercriminals.
Trend Micro Global Threat Communications Manager Christopher Budd notes, “Healthcare data represents the ‘holy grail’ in terms of data theft. When credit card data is stolen, the criminals can use that only until the credit or debit cards are canceled. But how do you ‘cancel’ your social security number? You can’t.”
As of this writing, affected patients have already been duly notified by 21st Century Oncology and have been provided with free year-long credit protection services. A dedicated call center has also been set up for affected patients. The company vowed to bolster security by adding an extra layer of protection to its internal security protocols.