The Florida-based healthcare provider 21st Century Oncology, which operates 145 cancer treatment centers in the U.S. and 36 in Latin America, recently announced that it’s investigating an unauthorized intrusion into its network that may have exposed patient information (h/t Reuters).
In a regulatory filing, the company said approximately 2.2 million current and former patients are being notified that their names, Social Security numbers, physicians’ names, diagnoses, and treatment and insurance information may have been copied and transferred.
On November 13, 2015, the FBI notified the company that a third party had illegally obtained its patients’ information. 21st Century then hired a forensic firm to conduct an investigation, which determined that the attacker may have accessed the database on October 3, 2015.
“The FBI asked that the company delay notification or public announcement of the incident until March 4, 2016 so as not to interfere with its investigation,” 21st Century stated in a press release. “Now that law enforcement’s request for delay has ended, the company is notifying patients and regulatory agencies as quickly as possible.”
While there’s no indication at this point that any of the information was misused, 21st Century is offering all those affected one free year of access to identity theft protection services. Patients with questions are advised to contact (866) 446-1405.
Kunal Rupani, director of product management at Accellion, told eSecurity Planet by email that it’s likely the hackers were targeting the patients’ healthcare data. “Unlike credit card numbers and other financial data, healthcare information doesn’t have an expiration date,” he said. “As a result, a patient’s records can sell on the black market for upwards of fifty times the amount of their credit card number, making hospitals and other healthcare organizations extremely lucrative targets for cybercriminals.”
And Twistlock chief strategy officer Chenxi Wang said by email that for those affected, the breach unfortunately adds insult to injury. “Not only do they have to deal with their health crisis, their critical information such as Social Security numbers, medical insurance records, and diagnosis information are all stolen,” she said.
“The fact that many of these breaches are reported by the FBI, rather than discovered by the company that holds the data, speaks to the heart of the problem — many organizations do not have sufficient technical expertise and capabilities in place to protect data and respond in a timely manner in the event of a breach,” Wang added. “This is becoming an increasingly pressing problem for the entire industry.”
According to the latest findings of Gemalto’s Breach Level Index, 1,673 data breaches last year led to the compromise of more than 707 million data records. Malicious outsiders accounted for the largest percentage of data breaches (58 percent), followed by accidental loss or exposure of data records (36 percent) and malicious insiders (14 percent).
“In 2014, consumers may have been concerned about having their credit card numbers stolen, but there are built-in protections to limit the financial risks,” Gemalto vice president and CTO for data protection Jason Hart said in a statement. “However, in 2015 criminals shifted to attacks on personal information and identity theft, which are much harder to remediate once they are stolen.”
“As companies and devices collect ever-increasing amounts of customer information and as consumers’ online digital activities become more diverse and prolific, more data about what they do, who they are and what they like is at risk to be stolen from the companies that store their data,” Hart added. “If consumers’ entire personal data and identities are being co-opted again and again by cyber thieves, trust will increasingly become the centerpiece in the calculus of which companies they do business with.”
A recent eSecurity Planet article examined the healthcare industry’s susceptibility to cyber attacks.