Tens of thousands of patients' data shows up on the dark web from two U.S. hospitals. Extensive patient data is exposed in this hack attack.
The Leon Medical Center (which has eight locations in Miami) and Nocona General Hospital in Texas (three locations) were hacked. Extensive patient data was stolen, including patients' names, addresses, dates of birth, and medical information, including their diagnoses. Last week a massive leak of this data was posted to a blog on the dark web to pressure the hospitals to pay a ransom.
According to NBC News, "The files also include at least tens of thousands of scanned diagnostic results and letters to insurers. One folder contains background checks on hospital employees. An Excel document titled 2018_colonoscopies has 102 full names, dates, and details of the procedures, and a field to mark 'yes' or 'no' to whether the patient has a 'normal colon.'"
In 2020 more than 560 medical providers, including hospitals, were hacked or hit with ransomware to extort funds. The trend of hackers targeting medical services is still in high gear, as this latest attack illustrates. The danger is that when systems are debilitated by an attack or ransomware, patient care suffers because doctors and nurses are unable to access the records and data necessary to save lives. At least one death was attributed to an attack on a U.S. hospital last year.
How Did the Hospitals Handle It?
In November 2020, the Leon Medical Center announced that it had been hacked, but it did not reveal the extent of the damage at that time. Officials for the organization stated that "certain files stored within Leon Medical's environment that contain personal information had been accessed by the cybercriminals."
Their public announcement did say that the breach included "name, contact information, Social Security number, financial information, date of birth, family information, medical record number, Medicaid number, prescription information, medical and/or clinical information including diagnosis and treatment history, and health insurance information."
They first assumed that the breach only affected about 500 customers. However, in a statement yesterday, Yolanda Foster, a Leon Medical spokesperson, said, "We are working diligently with third-party forensic experts to complete an investigation into the matter. As soon as possible, we will provide direct notifications to any affected individuals."
Since Leon Medical Center was not the victim of ransomware and their files were not encrypted, it is unclear why the hackers chose to expose the information online.
Nocona has provided no information as to whether or not they were affected by ransomware or what information was stolen from their organization.
HIPAA and Data Breaches
HIPAA laws strictly regulate the collection, storage, and privacy of medical information. When hospitals or medical practices are breached in this way and the data is then leaked to the public, there is no way to rebound from it. Once the information is out there, it is out there. The recovery process for identity theft is confined to financial records; medical records cannot be changed or removed once they are exposed.
Unfortunately, data breaches and leaks don't follow HIPAA rules, and innocent victims' personally identifiable information is being exposed on the web in incidents like these.
How to Protect Your Medical Information
Before providing information to any medical provider, ask questions about how the information will be stored, who has access to it, and whether it will be kept on a computer with outside (online) access. You have the right to privacy. Share as little as possible with providers and ask for copies of your files so you can keep them safe at home. You may even ask the provider to destroy your records once your treatment is complete.