Medical records are known to be a treasure trove for hackers. Once cyber-criminals have access to them, they can sell them on the black market for up to $10 (£7.67) per record, according to Anthony James at U.S. security firm TrapX.
But it seems cyber-criminals don’t even have to hack into computer systems to access records: a ‘huge trove’ of confidential U.S. medical records was found on an unsecured server, accessible to malicious hackers and cyber-security professionals alike.
Gizmodo reports that tens of thousands – if not millions – of medical records were contained in a database that was readily accessible to anyone who found it. The information that was online included New York patients’ demographic information, social security numbers, and records of medical diagnoses and treatments. Large amounts of other highly sensitive records were also accessible. The files were reported to have originated from Bronx-Lebanon Hospital Center in New York.
Malicious hacker or mistake of the hospital?
NBC News highlighted that Bronx-Lebanon Hospital said the medical records were the “target of an unauthorised hack by a third party”. This conclusion was drawn from the hospital’s third-party vendor, iHealth Solutions. According to the hospital, iHealth took immediate steps to protect the medical records, and both parties are “cooperating fully with law enforcement agencies”.
According to Kromtech Security Center, a German security software development firm, the hospital and its vendor had in fact lied about the exposure being the result of a malicious cyber-hack. Instead, Kromtech’s analysis contends that the medical records were left unprotected on a backup storage device that wasn’t password protected. Kromtech also says that the records weren’t protected by an active firewall. A firewall establishes a barrier between a trusted internal network and an outside network that is treated as unsecured and untrusted. Without an active firewall, thousands of patients were left exposed, for example to identity theft and blackmail.
A big mistake for a hospital to make.
The leaked files have since been secured, but the data included a number of intake forms for patients enrolling in the chemical dependency programmes for substance abuse. The security researchers who found the data told Gizmodo:
“… [the data] paints a full picture of the patient’s drug use, medical history and suicidal thoughts.”
This is most certainly private and sensitive information and, in the U.K., its exposure would constitute a breach of the Data Protection Act (DPA).
Violation of HIPAA
Kromtech was the first cyber-security firm to discover the cache, during an independent security audit. Though the hospital and iHealth maintain that they were the victims of a cyber-attack, forensic evidence from Kromtech’s investigation tells a different story. If Kromtech’s findings are accurate, iHealth may be in serious violation of the laws that govern security standards for the protection of electronic health information.
Many data protection laws require healthcare providers to implement mechanisms to encrypt confidential medical data; to protect it from alteration or destruction; and to “guard against unauthorised access to electronic protected health information that is being transmitted over an electronic communications network”.
The hospital’s and iHealth’s actions, or inaction, may breach this provision if they failed to encrypt the hard drive. That would explain why the hospital and iHealth might want to ‘cover up’ their failure to protect their patients’ records; if, indeed, that is what happened.