Victims are now exposed to medical insurance fraud

Mar 9, 2016 22:33 GMT

21st Century Oncology, a Florida-based cancer treatment center, has announced a data breach incident during which an unknown hacker managed to steal 2.2 million records.

As the medical center explained in its statement released last weekend (embedded at the end of the article), the data breach took place on October 3, 2015, but only came to light on November 13, when the FBI contacted 21st Century after spotting some of the records being exchanged in the wild.

The data stolen in the breach contains information on both staff members and cancer patients who are currently undergoing or have undergone cancer treatment plans.

Leaked information can facilitate medical insurance fraud

21st Century says that the leaked data included patient names, social security numbers, physician names, diagnosis details, treatment information, and insurance plan details.

Details about the data breach have surfaced only now because the FBI told the medical center to keep quiet so it could investigate more leads that might have uncovered the culprit.

With the go-ahead received from the Bureau, the medical center is now notifying employees and cancer patients, who probably had enough other things to worry about besides tax and medical insurance fraud.

Security experts weigh in on the dangers of medical insurance fraud

"Any business, organization or institution that keeps social security numbers, medical data and other personal information online is a potential goldmine for the cybercriminal because they can get a massive amount of valuable information in a very short period of time," said Paul Jespersen, vice president of Enterprise Business Development at Comodo, a global cybersecurity innovator.

"Hospitals, medical practices, schools and even governments are at particular risk due to the high likelihood of handling private data that criminals would find attractive," Mr. Jespersen also told Softpedia.

"The fact that 21st Century Oncology has been breached should set off alarm bells to other companies in the healthcare industry," said Kevin Watson, CEO at Netsurion, a cyber-security firm also from Florida, and a provider of remotely managed data and network security services for healthcare organizations.

"We know that hackers are in constant pursuit of highly sensitive, personal data and that they are equipped with sophisticated methods to gain access to it," Mr. Watson added.

"It appears that diagnosis and treatment information might have been exposed, which could unlock the potential for significant medical fraud. And if insurance plan information was stolen along with identity information, data thieves would have a good indicator on which identities hold a higher value, based on the value of the insurance plan," Mr. Watson told Softpedia.

"If thieves focus on the individuals with the highest plan costs, these are likely to be people who are more established in their lives, have families, higher incomes and better credit, meaning their identities are worth even more on the black market," Mr. Watson explained.

"This breach again calls into focus the reality that data security is not limited to the processing of payments and credit cards. Businesses of all kinds and across all industries must act to protect sensitive information stored in their systems using ongoing efforts, not simple, 'fix it and forget it' methods," he added.

"There needs to be a broad understanding that in order to be truly protected, enterprises must become proactive in securing network access, encrypting data and auditing security methods on a regular basis," Mr. Watson concluded, putting the focus on a recommendation that has been given many times before by many other security experts.

21st Century Statement