A phishing attack that took place in September 2017 exposed the data of around 417,000 patients of a leading US healthcare organization (HCO). There was a second attack (July 11), but this time the company did not give any details; it is only known that this attack was much smaller in scope.
The exposed data included: addresses, dates of birth, medical record numbers, medical, treatment and surgical information, diagnoses, lab results, medications, insurance information and — for a small percentage of patients — even their Social Security and driver's license numbers. This type of data could be used in further attacks, such as fraud attempts, or even to blackmail individual patients.
The hospital claims to have taken several steps to improve its cybersecurity posture since, including creating a VP of compliance and risk management, implementing MFA (Multi-Factor Authentication) and revising its email policies.
Many experts say that a lack of encryption is a common pitfall for companies that suffer these breaches. It is no longer a question of whether a company will be the victim of a cyber attack, but when.
When dealing with patients' data, encryption should be the highest priority as a basic security practice.