Incident Of The Week: Server Configuration Error Exposes 33K Healthcare Records
In the dynamic world of cyber security, breaches are both closely guarded and, sadly, inevitable.
Combing through data, market research and the threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outwards, helping enterprises batten down their proverbial hatches.
In this edition of “Incident of the Week,” we examine a misconfigured server within a healthcare organization that led to the potential exposure of personally identifiable information (PII) and protected health information (PHI).
The affected organization: the St. Louis-based BJC HealthCare. The misconfigured server was reachable from the Internet for roughly eight months, between May 9, 2017 and Jan. 23, 2018, according to a release from the nonprofit healthcare organization. BJC notified 33,420 patients about the potential exposure.
BJC HealthCare said that a data server configuration error was discovered during an internal security scan. According to the release, it was “possible for stored images of identifying documents to be accessible through the Internet without the appropriate security controls.”
BJC writes that immediately upon discovery of the flaw, it reconfigured the server to the correct setting and began an investigation into the matter.
The data of interest here includes: driver’s license copies, insurance cards and treatment-related documents collected during hospital visits between 2003 and 2009. Related PII and PHI included name, address, telephone number, date of birth, Social Security number, driver’s license number, insurance information and treatment-specific documentation, according to the release.
BJC writes, “The investigation did not reveal that any personal data was actually accessed.” As a way to further mitigate the threat, BJC offered affected patients free identity theft protection. The organization has also arranged for additional preventative measures to shore up their security controls.
In a statement provided to Cyber Security Hub commenting on this misconfiguration, AttackIQ Chief Revenue Officer, Carl Wright, said, “We continue to see basic security protection failures resulting in data loss for companies both large and small. This trend is disturbing as the cost of recovering from a breach is far more expensive than conducting proactive testing to validate the security products and services which you have already purchased and implemented... Consequently, these types of failures can be easily avoided.”
Affected patients received an explanatory letter which included steps on how to enroll in identity theft protection. The organization writes that it has also complied with U.S. Department of Health and Human Services Office for Civil Rights notification requirements (which, beyond patient letters, include a public news release and a website posting).
In an additional statement provided to Cyber Security Hub, Dome9 Co-Founder and CEO, Zohar Alon, said, “Security-conscious organizations are moving away from periodic, semi-annual internal scans and investing in continuous security and compliance capabilities that allow them to monitor and get alerted on such exposures quickly. Unfortunately, there’s still a large number of organizations that have not made this transition for one reason or another – whether that’s budget constraints or the talent and expertise they have at their disposal.”
He continued: “In the public cloud, where attacks are increasingly automated and the window to respond is getting shorter, allowing sensitive data to be exposed for months is inexcusable and can be very costly.”
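The failure described here is simple to test for: the stored documents should have required credentials, and an anonymous request should never have returned one. The internal scan that eventually caught BJC's error, and the continuous monitoring Alon argues for, both reduce to the same probe, run on a schedule rather than twice a year. The script below is an added example written for this article, not BJC's tooling or any vendor's product. The hostname, paths and fixture responses are constructed so that it runs offline; in practice you would point `probe()` at an inventory of URLs that are known to hold sensitive documents and let a scheduler run it.

```python
"""Unauthenticated-exposure probe.

Fetch each sensitive URL with no credentials and decide whether a document
came back. Added example for this article, not BJC HealthCare's code or any
vendor's product. Hostnames, paths and fixture responses are assumptions.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable

# Content types that mean "a document came back", as opposed to a login page.
DOCUMENT_TYPES = ("image/", "application/pdf", "application/octet-stream")


@dataclass(frozen=True)
class Response:
    status: int
    content_type: str
    body: bytes
    location: str = ""  # Location header, present on redirects


def classify(resp: Response) -> str:
    """Map one anonymous response to a verdict.

    EXPOSED   - a document body came back with no credentials presented.
    PROTECTED - the server demanded auth (401/403) or redirected, e.g. to a login page.
    ABSENT    - nothing at that path (404/410).
    REVIEW    - anything else: a 200 that is HTML (login form or directory
                listing, a human decides), an empty body, 5xx, and so on.
    """
    if resp.status in (401, 403):
        return "PROTECTED"
    if 300 <= resp.status < 400:
        return "PROTECTED" if resp.location else "REVIEW"
    if resp.status in (404, 410):
        return "ABSENT"
    if resp.status == 200 and resp.body and resp.content_type.lower().startswith(DOCUMENT_TYPES):
        return "EXPOSED"
    return "REVIEW"


def urllib_fetch(url: str) -> Response:
    """Real fetcher: one anonymous GET. Redirects are NOT followed, so a bounce
    to a login page shows up as a 3xx instead of the login page's own 200."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError for the 3xx

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-probe/1.0"})
    try:
        with opener.open(req, timeout=10) as r:
            return Response(r.status, r.headers.get("Content-Type", ""), r.read(4096))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.headers.get("Content-Type", ""), b"", e.headers.get("Location", ""))


def probe(urls: Iterable[str], fetch: Callable[[str], Response] = urllib_fetch) -> dict[str, str]:
    """Probe every URL anonymously; return {url: verdict}."""
    return {u: classify(fetch(u)) for u in urls}


def exposed(results: dict[str, str]) -> list[str]:
    """URLs that served a document with no credentials. Non-empty means alert."""
    return sorted(u for u, v in results.items() if v == "EXPOSED")


# Constructed fixture standing in for a document store, so the example runs offline.
# Each URL maps to what an anonymous GET would return.
FIXTURE = {
    "https://docs.example.org/scans/2007/dl-00123.jpg":
        Response(200, "image/jpeg", b"\xff\xd8\xff\xe0 constructed jpeg bytes"),  # the failure mode
    "https://docs.example.org/scans/2007/ins-00123.pdf":
        Response(302, "text/html", b"", location="https://docs.example.org/login"),
    "https://docs.example.org/scans/2008/dl-00999.jpg":
        Response(401, "text/plain", b"Unauthorized"),
    "https://docs.example.org/scans/2009/missing.jpg":
        Response(404, "text/html", b"Not found"),
    "https://docs.example.org/scans/index":
        Response(200, "text/html", b"<html>directory listing</html>"),  # 200 but HTML: REVIEW
}


def fixture_fetch(url: str) -> Response:
    return FIXTURE[url]


if __name__ == "__main__":
    results = probe(FIXTURE, fixture_fetch)
    for url, verdict in results.items():
        print(f"{verdict:9} {url}")
    # A non-zero exit is what a cron job or CI scheduler turns into an alert.
    raise SystemExit(1 if exposed(results) else 0)
```

Two design points matter for the verdicts being trustworthy. Redirects are not followed, because following them would turn a login bounce into a 200 HTML page and hide the fact that the control worked. And a 200 is only counted as EXPOSED when a document content type and a non-empty body come back; a 200 HTML page is left for review, since it may be a login form, or it may be a directory listing that is an exposure in its own right.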