Most Impactful Security Breaches in Healthcare in 2020

Last year we had a post about the most expensive healthcare app security fails of 2018-2019, and it gained quite a lot of attention. Let's take a look at what happened in 2020 with the industry.

Reports show that the coronavirus pandemic slowed data breaches and ransomware attacks at first, but from what we see, the most terrible incidents have happened in the second part of the year.

The topic is also important because the amount of common citizens affected by these attacks grows dramatically. Just take a look:

1. In February 2020, Health Share of Oregon reported about a theft of a laptop containing health data of 654,000 patients. In response, the organization improved its workforce training and audit processes.
2. In April 2020, the Florida Orthopaedic Institute noticed a malware on their servers that was encrypting data. They secured the system quickly, but the data of 640,000 patients could have been compromised earlier.
3. In August 2020, a hacker got access to the web appointment scheduling app of Luxottica of America, the eye care giant. They possibly collected vast data on 829,000 patients, including even credit card info and Social Security numbers of some individuals.

And these are the cases most covered by the press. If you take a look at the number of smaller cases currently under investigation by the Office for Civil Rights, you'll notice that in October alone more than two million patients were affected by the breaches reported.

And now, let's move to the cases we at our web development services company find most disturbing in 2020.

Attacks Related to COVID-19

Miltenyi Biotec is a company with offices in 73 countries. Among other things, it supplies SARS-COV-2 antigens to organizations researching COVID-19 treatments. In November 2020 they reported about a malware attack that caused system outage.

This outage had led to severe troubles with phone and email communications. The business operations were completely restored within a few days.

Also in November, another company, Americold, which has been negotiating with its partners about cold storages for the distribution of COVID-19 vaccines, notified the public about a cybersecurity incident.

And again, actions were taken to contain the incident and the business restored its operations. But in both cases no details have been revealed on the consequences of these attacks.

On December 9, Pfizer, the U.S. drugmaker now known for its COVID-19 vaccine, had reported about the “unlawful access” to the documents revealing details on the vaccine development. This access has become possible due to the cyberattack attempted on the European Medicines Agency.

This time, it looks like no personal data was compromised and the attack won't affect vaccine development. But the compromised documents can help other companies and countries developing vaccines, according to experts.

Moreover, the documents explain how the vaccine works, its risks, possible side effects, and even the parties involved in its supply and distribution. All of that significantly widens the attack surface. So it's not only about stealing the formula, but also about corrupting the Pfizer vaccine.

The details of the attack are also yet to be revealed; we'll update the post accordingly if there are going to be any interesting technical details (to subscribe to the updates of our mobile application development services company blog, scroll to the subscription form at the end of our page).

Three things are disturbing here:

1. We know nothing about those particular attacks to at least prevent them in the future. You can find general recommendations on how to harden your security defenses, but the recent case with SolarWind reveals that the best way to stay protected is to learn from the failures of others.
2. In 2020, the cyberattacks can now cause geopolitical consequences that we might even never find out about since we don't know what kind of data was actually stolen.
3. These attacks should not come as a surprise after alerts from Microsoft and some other US agencies. We don't know whether the above-mentioned companies did not react to these alerts at all, or they took not enough measures, but it looks like we need more than alerts to better protect the industry.

Attacks Aimed At Patients

Generally people don't pay a lot of attention to healthcare security since we rarely know what happens with the data leaked due to the security breach. There are simply not so many reports on that. Some assume such data can be sold to competitors then, and/or then possibly used to spam people (whose data was compromised) with relevant ads and offers. Annoying, but unharmful.

At most, social engineering techniques can be used to fool a person into sending money or bank account passwords. Harmful, yet you can still protect yourself from that by ignoring those scammers and using multi-factor authentication.

However, the thing that happened in Finland in October 2020 has changed that attitude for many. 

Back then, the interior minister of Finland confirmed the cyber attack on Vastaamo computer systems. Vastaamo is a psychotherapy center, so 40,000 patient records contained in a 10 GB data set were compromised.

This data set was then sold in dark web, and a few days later, patients of that clinic started filing crime reports stating that were receiving ransom demands. For permanent data deletion, culprits asked to send them 200-500 Euros — of course, in Bitcoins.

It's important to state those patients weren't the initial targets. At first, hackers requested €450,000 from the Vastaamo clinic, but they “refused to take responsibility for their own mistakes”, according to the letters later sent to the patients.

However, it looks like from the technical point of view Vastaamo wasn't enough concerned about its digital security (and they didn’t have a quality assurance\testing company to perform security checks). Hence, they got hacked every year three years in a row. This became the reason the psychotherapy center CEO was eventually fired.

This case is also causing officials to come up with additional obligations for healthcare organizations to secure their networks (or be accountable for failing to do so).

As it usually happens, the investigation on this case hasn't shown any significant progress as of the end of 2020.

Data Spills That Didn't Require an Attack

 Understanding that you should keep your IT infrastructure as protected as possible to avoid security attacks is not a rocket science. Still, the cases we'll list below show that not everybody still realizes how important is data protection.

On January 2020, TechCrunch found thousands of medical documents were exposed due to the part of Lab corp's website pulling patients files from the backend remained unprotected with a password.

Due to the lack of the password, Google was able to crawl and cache documents from that part of the site. A potential trespasser could then review that cache, but they would only find one file. But the document's URL was containing a number, and changing it would let you review records of other patients.

The other parts of the website were password-protected. Obviously, there was not enough penetration testing to find this vulnerability earlier.

In December, a similar story happened: TechCrunch reported about a site containing 109,000 healthcare documents and files that were not password-protected and were not encrypted. Turned out, this Microsoft Azure-hosted server belongs to Ntreatment. The company used it as a “general purpose storage”.

The scariest thing about these stories is that it's a long-time trend. Literally millions of medical documents get exposed because of unprotected storages monthly; only a slight part of these cases gets attention and forces companies responsible for them to take measures.

In case someone takes advantage of spilled data to, say, request a ransom from a random person, it will be impossible to find out when exactly that data was compromised and stolen, not mentioning the culprits who decided to take advantage of it.

Long story short, there are huge chances your and our medical records are already out there, in the wild, waiting to be used for improper deeds.

Last but not least, no matter how well your servers and data protected, you also need to train your employees against insecure usage of the company systems and keep them up-to-date with the latest social engineering practices. But sometimes the breach can happen because of a simple mistake.

In August 2020, an employee of the Division of Public Health sent two unencrypted emails to an unauthorized user and thus compromised the COVID-19 test results of 10,000 individuals. It was a temporary staff member who is no longer employed there, but human mistakes like these can happen in any circumstances. Surely, that doesn't mean you shouldn't train your employees — even temporary ones — to avoid them. 

Bottom line

When we started this blog on security, software, QA, company management and product strategy, we had a simple thought in mind: to shed the light on the importance of data protection. However, we now see there are three vectors that should get equal attention from business owners and stakeholders:

1. Infrastructure and data protection
2. Quality assurance
3. Staff training

Keep yourself and your data safe, and stay tuned for more blog posts on healthcare and security