As we have said in our blog posts many times, the healthcare industry is one of the top targets for cyber attackers. Malicious attackers frequently target these organizations hoping to get their hands on patient records or internal information. Patient records can be quite valuable on the black market. An attacker can sell them for a quick profit or use them in phishing attacks against patients. Internal organization data, meanwhile, can be stolen or encrypted and then ransomed back to the organization. However, not all information like this gets into attackers’ hands through a direct attack on the organization. Sometimes it is the fault of the organization itself, as a result of improper data handling. Unfortunately, this was the case in a recent breach of Premier Medical Associates in Monroeville, Pennsylvania.
Premier Medical Associates is Highmark Health’s largest community physician practice. According to a statement from Premier officials, the breach involved around 900 people. They said that an unauthorized third party may have accessed protected or personal health data that was submitted to the group’s public website. On August 9th, Premier was alerted to an issue with the “contact us” section of its website, and it was discovered that data submitted there could be accessed by visitors. This included information about appointment requests and job inquiries, which could have contained personal or health data entered by visitors. Apparently, the breach stemmed from an error made by the website vendor on July 24th. Afterward, some people received emails from third parties purporting to be Premier representatives. Premier rapidly shut down the parts of its site where the problem originated and posted an alert.
Premier apologized in its statement, but there does not appear to be much further information on how it is addressing the breach for those affected. They said that “appropriate corrective” actions have been taken to secure the site and strengthen protocols to prevent future incidents. This is all well and good, but Premier also needs to ensure that those affected are taken care of. Granted, much of the data accessed by the unauthorized third party was likely quite harmless, but as has already been shown, some of it can be used for malicious purposes like phishing attacks.
Data breaches resulting from a third-party vendor continue to occur quite frequently. Some organizations attempt to use the vendor as a scapegoat to brush off their own responsibility, but this does not absolve them. The direct breach may result from the contracted third party, but the peripherally affected organizations were the ones that decided to do business with that party. Any time an organization is looking to do business with a separate vendor, it needs to adequately review that third party’s security. The organization needs to know that its data will be secure in the hands of that vendor.
Data breaches can be one of the most hellacious occurrences to befall an organization. They result in immediate monetary and data loss, as well as trust and reputation damage down the line. Realistically, a significant data breach can cause an organization to fail if it does not rapidly employ data breach solutions. Numerous factors come under this heading, such as plugging the hole, removing data from the web, notifying those affected, bolstering security, and tracing a perpetrator. Negligence in any of the above can lead to much further damage from a breach. Massive Alliance offers comprehensive data breach solutions that can help an organization to properly address a breach.