Glidewell Laboratories Reports Breach of Employee Data
An unauthorized individual has been discovered to have stolen the personal information of a number of employees of James R. Glidewell, Dental Ceramics, Inc., according to a breach notice submitted to the California Department of Justice.
The breach notice does not specifically state whether the security breach was the work of a malicious insider or outsider, although it hints that the breach was caused by a former Glidewell employee. Glidewell has told employees “we are continuing to explore all available means of legal recourse and plan to pursue civil and/or injunctive relief, as may be appropriate.”
Upon discovery of the data breach, law enforcement agencies were notified and Glidewell enlisted the help of external data security experts to conduct an internal forensic investigation. The investigations into the data theft are continuing.
Patient data were not exposed in the incident, although confidential data of employees have been stolen. The information that has been compromised includes employee names, addresses, financial account information related to direct deposit accounts, and Social Security numbers. The investigation has not uncovered any instances of misuse of employee information, although there is a strong probability that the data were taken with identity theft and fraud in mind.
Consequently, all employees have been told to be vigilant for any signs of fraudulent activity and have been advised to place credit freezes on accounts, to monitor statements for any irregularities, and to place fraud alerts on their credit files. Credit freezes carry a cost, typically up to $20 for each action taken with credit reporting agencies (Experian, Equifax and TransUnion). This cost is not being covered by Glidewell, although all affected employees have been offered a year of complimentary fraud resolution and identity protection services.
The data breach has also prompted Glidewell to revise its policies and procedures to prevent similar security breaches from occurring in the future.
Small Healthcare Providers are being Targeted by Worldwide Hackers
Large healthcare organizations are big targets for foreign government-backed hackers and other malicious outsiders; however, according to a recent report from WFAA news 8, small hospitals are far from immune to cyberattacks.
Hackers have been targeting smaller hospitals and healthcare providers with increasing frequency in recent years. Small hospitals tend to have small budgets to devote to improving cybersecurity defenses, and consequently their defenses often lack robustness. Without the large resources available to bigger healthcare organizations, security vulnerabilities are likely to persist for longer, allowing hackers easy entry points into hospital computer networks. Once a hacker succeeds in penetrating a hospital’s firewall, an entire database of patient data can be stolen.
Even a little patient data can be used to run up huge debts in the names of victims. Hackers can use this data to fraudulently obtain all the necessary documentation to enable them to steal identities, and the data can be sold on to any number of individuals to do the same. A full set of patient data can fetch big prices on the darknet, and sums of $200 per set are not unheard of. Small healthcare providers may have tens or hundreds of thousands of current and former patients, and the potential rewards for a successful cyberattack can be immense.
The term hacker tends to suggest an individual working hard at chipping away at security defenses, but oftentimes it is robots (bots) that initiate the attack. The bots are downloaded onto computers around the world, which are then used by the hackers to co-ordinate their attacks, bombarding hospital computers and healthcare networks. According to the report, Smaart Medical Systems’ 50-hospital network receives approximately 15,000 separate attacks per day, with individuals from around the world targeting the company’s healthcare clients.
With such a high volume of attacks experienced every day, any healthcare provider that fails to invest in robust cybersecurity controls is likely to eventually succumb to a cyberattack. Without robust cybersecurity defenses, that is likely to happen sooner rather than later.