Healthcare security lapses keep piling up

Healthcare is one of the sectors that holds the most sensitive information about us. At the same time, it is one of the worst at keeping that information secret.

Because it accesses and stores our personal health information (PHI) and other personally identifiable information (PII), the healthcare sector should be one of the most secure, but due to a lack of funding and other resources, it is not.

One of the most impactful data breaches last year was that of Change Healthcare, which affected an estimated 190 million people.

In recent news, security researcher Jeremiah Fowler, who specializes in finding unprotected databases, uncovered a non-password-protected database that contained over 1.6 million records belonging to DM Clinical Research.

DM Clinical Research is a Texas-based clinical trial network that conducts studies in 30 research centers across the US. The company connects patients with physicians to conduct studies for new or alternative medicines, providing clinical trials as a treatment option to patients.

Although the records belonged to DM Clinical Research, it is not known if the database was owned and managed directly by them or by a third-party contractor. It is also not known how long the database was exposed before Fowler discovered it or if anyone else gained access to it.

The unprotected database contained 1,674,218 records which included names, dates of birth, phone numbers, email addresses, vaccination statuses (including specific vaccines received), current medications, and other health conditions that the survey recipients may have.

Insurance companies have shown an interest in buying specific medical information, such as prescriptions that reveal medical conditions like HIV, cancer, or psychiatric disorders. And data brokers that get hold of that type of information will gladly sell it to them.

Cybercriminals can use PHI against affected individuals to phish or extort them. But a breach can also have dire financial consequences for the healthcare organization in question.

Health Net Federal Services (HNFS) and its parent company, Centene Corporation, found this out the hard way. HNFS allegedly failed to implement the required cybersecurity measures while administering health benefits for American military service members and their families. To make things worse, the Defense Health Agency of the US Department of Defense accused HNFS of falsely attesting compliance on at least three occasions.

HNFS denies all the allegations and maintains that no data breaches or loss of service member information occurred, but it still agreed to pay $11,253,400 to settle the allegations.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.
