Breach Report 2019 – July

by Sarah Harvey / July 31st, 2019

Every month brings headline after headline about new data breaches, regardless of an organization’s size or industry. Whether it’s a ransomware attack, a negligent employee opening a phishing email, or a state-sponsored attack, millions of individuals are impacted by data breaches and security incidents on a regular basis. Let’s take a look at some of the top data breaches that occurred during July and the lessons we can learn from them.

Maryland Department of Labor

What Happened?

On July 5, 2019, officials from the Maryland Department of Labor announced that they had experienced a data breach earlier in April that impacted nearly 78,000 individuals who used the department’s unemployment benefits in 2012 or enrolled in the Literacy Works Information System in 2009, 2010, or 2014. The cause? Malicious hackers gained unauthorized access to the Department of Labor’s systems, allowing them to steal personally identifiable information such as names, Social Security Numbers, and dates of birth. In an interview with The Washington Post, Fallon Pearre, a spokeswoman for the Department of Labor, said that “the state does not believe any of the information was misused.”

Lessons Learned

Maryland’s Department of Labor breach is just another example of the dire need for municipal governments to implement robust cybersecurity strategies. When a government entity becomes compromised, critical systems can be shut down and citizens’ livelihoods can be greatly impacted. It is up to city officials to ensure that information security best practices are followed by all employees and that effective cybersecurity policies are in place to locate and remediate any vulnerabilities that can be exploited by malicious hackers.

Los Angeles County Department of Health Services

What Happened?

Yet another municipal government agency experienced a data breach after one of its contractors, the Nemadji Research Corp., fell victim to a phishing attempt. The Los Angeles Times reported that a malicious individual was able to gain access to a Nemadji email account that included encryption keys, allowing the hacker to access the PHI, including names, Social Security Numbers, and addresses, of nearly 14,600 patients.

Lessons Learned

Like the Maryland Department of Labor data breach, the Los Angeles County Department of Health Services breach underscores just how important robust cybersecurity strategies are for municipal governments, especially when it comes to working with third-party vendors. It also points to the need for municipal governments to perform thorough risk assessments of those vendors in order to mitigate and risk-rank the potential threats associated with working with them.

Northwood – Equipment Benefits Administrator

What Happened?

According to HIPAA Journal, a Michigan-based business associate, Northwood, Inc., reported that it discovered that an employee’s email account had been compromised. After investigating the incident, Northwood was not able to determine which emails were viewed or opened by the hacker, but they did determine that patients’ PHI had been exposed, which included addresses, dates of birth, provider names, dates of service, medical record numbers, patient ID numbers, diagnosis and diagnosis codes, medical device descriptions, treatment information, and health plan membership numbers.

Lessons Learned

It is no secret that phishing attempts are amongst the largest threats to the healthcare industry. Nearly every month, there are data breach reports highlighting new covered entities and business associates that fell victim to phishing attacks. It is paramount that all healthcare organizations, regardless of services offered or size, implement security awareness training for all employees. When employees know how to effectively identify and report suspicious emails, links, and attachments, they are less likely to fall for the increasingly advanced phishing attacks malicious hackers are so likely to use.

Sprint

What Happened?

In mid-July, Sprint announced that the “add a line” feature on Samsung’s website was breached, putting users at risk for a plethora of security concerns. While the exact number of impacted individuals still remains unknown, the malicious hackers were able to access PII including names, billing addresses, phone numbers, device types, device IDs, monthly recurring charges, subscriber IDs, account numbers, account creation dates, upgrade eligibility, and add-on services.

Lessons Learned

According to Verizon’s 2019 DBIR, web applications are the top hacking vector in breaches. This means that securing web applications must be made a top priority amongst organizations, especially those that handle such critical information, like Sprint. To combat the advancing cybersecurity threats facing web applications, organizations should consider undergoing regular penetration tests, like those offered by KirkpatrickPrice, to ensure the security of their web applications.

Capital One

What Happened?

Perhaps one of the most startling data breaches announced this month comes from Capital One, where a malicious user, identified as a Seattle-based woman, Paige Thompson, illegally accessed and downloaded the PII of 106 million Capital One users. According to a statement released by Capital One earlier this week, that data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on U.S. consumers, and roughly 1 million Social Insurance Numbers (SINs) for Canadian credit card customers. Capital One explains that it has been determined that no credit card account numbers or log-in credentials were compromised; however, the investigation is still ongoing. Thompson has since been arrested by the FBI.

Lessons Learned

This massive data breach highlights a few critical takeaways. The first two are the very real risk of insider threats, especially once employees are terminated or resign, and the dire need to implement effective incident response plans to mitigate data breaches and notify affected parties as soon as they are discovered. KrebsOnSecurity reported that Thompson was a former employee of the web hosting company involved and “allegedly used web application firewall credentials to obtain privilege escalation”. However, because Capital One has an established outlet for receiving potential data breach intel, they were able to move quickly and respond to the breach once they learned about it. In addition, this breach underscores just how vulnerable cloud environments are to malicious hackers. While many organizations that migrate their data to the cloud believe, either out of ignorance or lack of understanding of the technology, that their cloud service provider is solely responsible for protecting their sensitive assets, it isn’t. Both the cloud service provider and the entity using the cloud must work together to ensure internal controls are in place and operating effectively.

Update: AMCA Data Breach

While we reported on the AMCA data breach last month, developments continue to arise as more and more organizations come forward to report how their clients have been impacted by the breach. According to ISMG Network, “At least nine more companies in the last few days have revealed that have been notified by AMCA that the data on a combined total of nearly 1 million of their patients was potentially exposed by a data breach the debt collector discovered on March 21.” The organizations with the highest number of patients impacted include American Esoteric Laboratories, CBL Path, Inc., Laboratory Medicine Consultants, and Austin Pathology Associates.

Whether it’s municipal governments or a private healthcare collections agency, at KirkpatrickPrice, we know that data breaches are only a matter of when, not if, they’ll occur, no matter what industry you’re in. That’s why we’re committed to offering a variety of quality, thorough assurance services to help keep your organization protected. Want to learn more about our services and how they can help you mitigate the risk of experiencing a data breach? Contact us today.