Over the past few years, the healthcare sector has fallen victim to numerous breaches. More than 113 million medical records were hacked in 2015 alone, according to data compiled by the U.S. Department of Health and Human Services (HHS). In 2016, the industry averaged more than one data breach per day, resulting in over 27 million compromised patient records. Of the 450 breaches that occurred that year, information was available online for 380. 2017 saw fewer massive health data breaches than 2016, but the rate of breaches was still at least one per day.
You’d think these staggering numbers would make healthcare organizations more aware of these issues, yet it’s rather easy to find exposed or easily accessible databases, if you just know where to look. Here is an example we found of a Texas clinic, and the exposed data is rather alarming.
Notable 2018 Healthcare Breaches
2018 has been no different in terms of healthcare data breaches. Here are some notable attacks that occurred in just the past few months:
- Ransomware attack on The Fetal Diagnostic Institute of the Pacific breached almost 41,000 patient records
- 4 million patient records were breached in UnityPoint Health phishing attack
- LifeBridge’s breach compromised health data of 500,000 patients
- 38,000 patient records were breached at Legacy Health
- LabCorp network was breached, putting millions of patient records at risk
- A hack on Albany-based Med Associates may have breached the patient records of more than 270,000 patients
These are only a fraction of the breaches that have occurred in 2018.
Why Attack Healthcare Organizations?
In the world of cybercrime, any time you can access sensitive data, there’s usually an opportunity to make money. Healthcare organizations are highly targeted because they typically hold specific medical, personal and financial information, including full names, addresses, birthdates, workplaces, credit card numbers, bank numbers, SSNs, phone numbers and past medical history. This data often has a long shelf-life too, as it’s difficult (or impossible) for victims to change this information once compromised (e.g. address, date of birth, SSN). Furthermore, it likely takes someone years to even realize their information has been compromised, unlike a stolen credit card number, where they will typically see a fraudulent charge and can change their number quickly.
Medical records are probably one of the most extensive records of a person’s identity. This information can be exploited in identity, insurance and even tax fraud. In addition, medical records could be used for blackmail, extortion and for damaging a person’s reputation.
Our team recently published a new report, Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry. Below is a graphic that summarizes some of our team’s key findings from that research. As you can see, there is a huge financial opportunity for cybercriminals to target medical records.
When patients go to the doctor, they expect to have their privacy kept. Unfortunately, as more data has moved into our increasingly digital and connected world, it’s become easier for cybercriminals to steal medical data, and many people are finding their most intimate information is being bought and sold on different dark web forums.
Recent Example: Texas Healthcare Clinic
Oftentimes, healthcare breaches don’t require any hacking at all. Below is a recent example we discovered of a Texas outsourcing company that provides administrative services for doctors. Recently, we noticed a post on a popular underground forum, in which a hacking group named “KelvinSecTeam” posted a link to the company’s management console that was exposed (probably by the threat actor who posted it). The threat actor indicated that no password was required.
A screenshot of the original post containing access to the database
When we checked the link, we were surprised to find out that the website’s management console was left completely open. The console contained information on about 6,000 patients from different doctors in Texas, and was completely accessible to anyone who knew the direct link. Even worse, not only was the information left exposed and accessible, but anyone with the link had admin privileges, meaning they could delete or add information to any and all records.
A screenshot of the Texas medical company’s database that was exposed
The console contained records from 2010 up until the very day that we discovered the site. They included the name of the designated doctor, name of the patient, their address, phone number, SSN, date of birth, date of injury (when relevant), exam date, employer information, treating physician information, exam location information, the patient’s insurance company information and claim adjuster information.
A screenshot of a patient record within the exposed database
Many of the health records were for injured employees. The doctors were designated doctors that had been selected by the Texas Department of Insurance, Division of Workers’ Compensation (TDI-DWC) to make a recommendation about those injured employees’ medical conditions. The records included examinee information, medical history (and injury history when relevant), summary of treatment / review of medical records, diagnoses and conclusion.
The records also included different forms, such as:
- W-9: Request for Taxpayer Identification Number and Certification
- DWC-32: Texas Department of Insurance Division of Workers’ Compensation - Request for Designated Doctor Examination
- DWC-73: Texas Workers’ Compensation Work Status Report
- DWC-68: Instructions for Completing the UB-04
- DWC-69: Report of Medical Evaluation
- Health Insurance Claim Form
A screenshot of a patient’s Health Insurance Claim Form
In addition, some records included billing information and many of them included scanned medical documents that were sent by fax to the examinee’s insurance company. One of them contained over 103 pages of a patient’s medical history, examinations, treatments, and even medical prescriptions.
A screenshot of a patient’s prescription that was sent by fax to the insurance company
It took more than two months for this Texas outsourcing company to fix this breach.
This is an alarming example of how easily healthcare records containing sensitive personal information are left exposed on the Internet, but it’s not just limited to this organization in Texas. Our research team recently conducted a deeper investigation of exposed healthcare databases, and found over a million records exposed in just a few days of searching.
Healthcare organizations need to take a better approach to managing their data, as the effects (and the fines!) can be crippling to an organization. Not only do healthcare organizations need better processes around how they set up and implement their databases, but they also need tools in place to continuously monitor for areas of data leakage or exposure.
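One way to automate part of that monitoring, as an added example that is not from the original post: classify the responses an organization's own consoles return to requests sent without credentials, and flag any that serve content (or SSN-shaped values) with no login step, the condition found in the Texas case. The `Response` records, hostnames, login paths and SSN-shaped values are constructed, and collecting responses from assets you own is assumed to be a separate scheduled job.

```python
import re
from dataclasses import dataclass, field

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # SSN-shaped values only, not validated
LOGIN_HINTS = ("/login", "/signin", "/sso")      # assumed login paths; adjust per asset

@dataclass
class Response:
    """Reply to a request sent with no cookies or credentials (hypothetical record)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

def classify(resp):
    """Return (verdict, reasons); verdict is 'gated', 'exposed' or 'review'."""
    headers = {k.lower(): v for k, v in resp.headers.items()}
    if resp.status in (401, 403) or "www-authenticate" in headers:
        return "gated", ["authentication challenge or denial"]
    if resp.status in (301, 302, 303, 307, 308):
        target = headers.get("location", "").lower()
        if any(hint in target for hint in LOGIN_HINTS):
            return "gated", ["redirect to login page"]
        return "review", ["redirect to " + (target or "unknown target")]
    if 200 <= resp.status < 300:
        if 'type="password"' in resp.body.lower():
            return "gated", ["login form served"]
        reasons = ["content served without credentials"]
        hits = len(SSN_RE.findall(resp.body))
        if hits:
            reasons.append(f"{hits} SSN-shaped value(s) in response body")
        return "exposed", reasons
    return "review", [f"unexpected status {resp.status}"]

def audit(responses):
    """Map each exposed URL to its reasons so it can be raised as an alert."""
    results = ((r.url, classify(r)) for r in responses)
    return {url: reasons for url, (verdict, reasons) in results if verdict == "exposed"}

# Constructed sample data: hostnames and SSN-shaped values are fake.
SAMPLE = [
    Response("https://console.clinic.example/admin", 200, {},
             "<td>Jane Roe</td><td>000-12-3456</td><td>John Doe</td><td>000-65-4321</td>"),
    Response("https://portal.clinic.example/admin", 302, {"Location": "/login?next=/admin"}),
    Response("https://api.clinic.example/records", 401, {"WWW-Authenticate": "Basic"}),
    Response("https://old.clinic.example/manage", 200, {}, '<input type="password" name="p">'),
]
```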