An Alabama hospital is officially informing more than 61,000 patients that their personal data was accessed by a miscreant during a cyberattack in October 2023.
Lawyers representing the 74-bed facility based in Eufaula – the largest city in Barbour County – said in a letter that names, dates of birth, home addresses, health insurance information, medical information, and driver’s licenses or state IDs may have been pored over by the unauthorized intruder.
For an unfortunate “smaller subset of individuals,” Social Security numbers, passport information, and financial data may also now be in the hands of miscreants.
The information comes after Medical Center Barbour (MCB) filed a data breach notification with Maine’s attorney general on Tuesday, although the details in the sample letter included in that filing were much sparser.
MCB has a more comprehensive document [PDF] on its website, which is served to visitors via a large popup when they visit the homepage. It explains that the attack was detected on October 29, 2023, but does not specify when the attack began or any of its finer details.
After the network was secured, the next key date was December 8, when the hospital confirmed, with the help of an outside cybersecurity biz, that documents had been accessed.
MCB said, following its own review of events, that it engaged a specialist data mining company in May this year to help with “the time-consuming and detailed reconstruction and review of the data” to determine who was affected.
This process concluded in July, which goes some way toward explaining why the affected individuals have only now been told, nearly a year after the original incident.
“MCB takes this event and the security of personal information in its care very seriously,” the letter to those affected reads. “Upon learning of this event, MCB moved quickly to investigate and respond to the event and notify potentially affected individuals.
“As part of its ongoing commitment to the security of information, MCB is reviewing and enhancing its existing policies and procedures related to data privacy to reduce the likelihood of a similar future event.”
Among these enhancements, it says, was the deployment of additional monitoring tools and the promise to continually improve the security of its systems.
As ever, victims are encouraged to take up the offer of the usual 12 months of credit monitoring and identity protection services from one of the three major credit bureaus. Placing a freeze on a credit report is another option.
The break-in is just the latest in a seemingly endless string of cybersecurity incidents targeting healthcare sites in the US, UK, and elsewhere of late.
There were the high-profile cases such as Qilin’s attack on Synnovis – a pathology services provider to London hospitals – and ALPHV’s attack on Change Healthcare, both of which led to catastrophic consequences.
There are so many smaller incidents and breaches that The Reg doesn’t have the capacity to cover them all in their entirety. For example, upwards of ten breaches at healthcare or healthcare-adjacent organizations were reported to Maine’s AG in the past two months alone.
Ransomware and other forms of disruptive cybercrime will always be an acute threat to healthcare given the need for operational uptime, placing it alongside other critical sectors as a prime target for data security incidents. And when attacks are successful, they often cause vast damage.
It’s difficult to imagine an intruder being able to walk into Microsoft’s HQ and make off with an armful of sensitive folders, but in the UK’s NHS, a series of security failures allowed this to happen less than a year ago.
And when it’s not CCTV installers allowing staff to turn off the cameras like vacuum cleaners, it’s the poor medical students – in both senses of the word – getting the rap.
Sometimes it’s not even a case of resource scarcity, just egregious negligence.
Despite the fact that medical sectors will most likely remain a prime target for criminals, there is work going on behind the scenes to help secure their systems further.
Earlier this year, the US government’s Advanced Research Projects Agency for Health (ARPA-H) announced a $50 million injection into research that could help automate IT security at healthcare sites, making them less susceptible to attacks facilitated by unpatched software bugs. ®