Two Healthcare providers fall victim to data breaches

Executive Summary

Two health care organizations have published data breach disclosures this week.

On November 30th, McLeod Health published a notice that it had an e-mail account illegally accessed by an undisclosed threat actor where the contents of the e-mail account were exfiltrated. Forensic experts are still working to identify whether patients’ personal information was included in the breach. McLeod Health has established a dedicated call center for patients to ask questions regarding the incident. As of writing, no additional details are available regarding the breach.

Also on November 30th, AspenPointe, a mental health provider, announced they fell victim to a data breach that contained patient health information (PHI) and personally identifiable information (PII). The organization is working with the US Department of Health and Human Services and external experts to determine the nature and scope of the event. As of writing, there has been no indication of the information being used for fraudulent activities, but AspenPonte is offering one-year of identity theft protection and a $1,000,000 insurance reimbursement policy for those affected.

Recommendations

Often these attacks are started through phishing attacks or vulnerable exposed remote connections.

Organizations should:

– Provide End-User cybersecurity awareness training, especially regarding phishing and common lures
– Review and establish (if applicable) internal procedures on reporting suspected phishing e-mails
– Implement password complexity policies and Multi-Factor Authentication (MFA)
– Utilize End-Point protection on systems
– Perform vulnerability scanning and secure exposed remote connections
– Apply vendor security patching when released as soon as possible in their organization