Share this article on:
Laurel, Mississippi-based Jefferson Medical Associates, P.A., has reported a hacking incident to the Office for Civil Rights that has impacted 10,401 patients. However, rather than the breach being caused by a hacker, the records were accessed by security researcher, Chris Vickery.
Chris Vickery has previously uncovered numerous healthcare security vulnerabilities that could potentially be exploited by malicious actors. In each instance he has notified the healthcare organizations concerned that their data were exposed.
In this case, the data were stored in a publicly accessible database. The data could be freely accessed via the Internet without the need for a username or password. Vickery discovered the unprotected data while randomly searching for publicly available information online. According to Vickery, the database “was as available as a website is.”
When he discovered that the data set included names, Social Security numbers, and prescription information, he investigated to find out to which healthcare organization the data belonged. He then notified that organization that the data were unprotected and accessible online.
Katie Gilchrist, legal counsel for Jefferson Medical Associates, told WDAM that the data were accessed without authorization. She explained that the data have now been secured and are no longer accessible. She also said that approximately 10% of patients had been affected, although Vickery claims there were approximately 62,000 records in the data set. Some of those records could have been duplicates.
After being alerted to the security vulnerability, Jefferson Medical enlisted the help of an external security firm to conduct a full assessment of its data security controls. The firm confirmed that no other data could be accessed and that this was an isolated vulnerability. Security controls have now been enhanced since this security incident occurred. It is currently unclear whether any data were stolen during the time they were available online, or whether any other individuals accessed the information. The internal investigation is ongoing.
Gilchrist told WBAM, accessing the data was inappropriate, saying “Basically it’s like leaving a window unlocked in your house. You leave the house, and you leave a window unlocked.” Gilchrist went on to say, “These folks out there think that entitles them to come into the house and look around at all your stuff and then take things with them when they leave. That’s just not appropriate.” The breach has been reported to law enforcement, although Vickery maintains no crime has been committed as the server containing the data was not hacked.
As was recently shown by the attacks on healthcare organizations conducted by the Dark Overlord, security vulnerabilities that are left unaddressed can easily be exploited by malicious actors.
Cybercriminals are not concerned whether the accessing of healthcare data is inappropriate. If data are left unprotected, there is a high risk that they will be stolen. The impact those breaches can have on patients is severe, as are the financial implications for the affected healthcare organizations. In the case of The Dark Overlord cyberattacks, healthcare data were stolen and the organizations in question were subject to extortion attempts. Threats were made to publish the stolen data if payment was not made. When the healthcare organizations didn’t pay up, the data were listed for sale on a darknet marketplace, a number of patients had their data dumped for any individual to view, and some records were allegedly sold on. Fortunately in this case, it was a researcher who accessed the data and not a cybercriminal. Other healthcare organizations may not be so fortunate.