Cancer clinic's customer data stolen

Yet another breach on a medical organisation has meant the theft of names, diagnoses, treatments and social security numbers.

This may be yet another in what looks like a long line of medical hacks
This may be yet another in what looks like a long line of medical hacks

A cancer treatment company is the latest medical organisation to be the victim of data theft. 21st Century Oncology Holdings, which runs 145 treatment centres around America, alerted over two million patients and customers on 4 March that their information may have been stolen.

21st Century Oncology Holdings released a statement to SCMagazineUK.com saying that the company “is currently investigating an unauthorised third party intrusion into our network”.

On 12 November last year, the FBI contacted 21st Century Oncology Holdings alerting the company to the fact that patient information had stolen by an unauthorised third party. The company told SC that after being notified of the intrusion “we immediately hired a leading forensics firm to support our investigation, assess our systems and bolster security”.

The forensic team soon determined that in early October, an intruder had accessed the database which contained the names and social security numbers as well as diagnosis and treatment data of patients.

The company added, ”We have also taken additional steps to enhance internal security protocols to help prevent a similar incident in the future. 21st Century remains committed to maintaining the privacy and security of our patients' personal information.”

In a separate, publicly released statement the company said, “We deeply regret any concern this may cause our patients, and we want to emphasise that patient care will not be affected by this incident.”

The 2.2 million patients who may have been affected were told on 4 March this year, after the FBI's request for a three-month delay was lifted.

21st Century Oncology Holdings was keen to point out in the statement that “we have no indication that the information has been misused in any way”.

The fact that there is no proof, however, is not quite an assurance that such sensitive patient information has not been used illegitimately. Such information might fetch a nice price in the murky bazaars of the deep web.

Medical records are worth a lot, George Kurtz, CEO of CrowdStrike told SC: “Medical records are worth up to 10 times the value of credit card data. You have a lot of information there that can be used for fraud and identity theft. I've even heard of attackers buying mobility scooters and medical equipment on behalf of the people they impersonate, and the target only finds out weeks later when the bills arrive. Bottom line, the data is valuable to anyone with criminal intent.”

Recently, Independent Security Evaluators (ISE) released a report, collating research on the information security of several medical bodies. The results were not encouraging and the problems many fold. Where researchers did find security policies, they were often ineffective and often suffered from a lack of trained staff or a lack of funding to train those staff.

Ted Harrington, executive partner of ISE, had harsh words for 21st Century Oncology. He told SC, “Notably absent from 21st Century Oncology's statement is any mention of patient health.  Our research showed that the healthcare industry is focused on the wrong security mission: prioritising protecting patient data over protecting patient health. That finding is reinforced here.”

Harrington also took issue with the fact that “21st Century Oncology notes in their statement that no medical records were stolen, yet also notes that patient names, social security numbers, treatment information, and other patient data were stolen. This is puzzling, because the pieces that were stolen were some of the most important aspects of the medical record.”

The prophecies of cyber-security professionals, like those outlined in ISE's report, are looking increasingly true as yet another clinic falls victim to cyber-crime. This news is the latest in a series of worrying cyber-attacks on medical facilities that have marred the last few months.

In mid February, the Hollywood Presbyterian Hospital was hit with ransomware, paralysing the hospital's day to day running for nearly two weeks before the ransom was finally paid, albeit at a lower price than the demanded 9000 bitcoin (nearly £2,600,000). A week later, ransomware was found in two German hospitals, similarly holding up day to day operations. A week after that, York Hospital in Maine revealed that a breach on its network had led to the theft of the information of 1400 employees.

For anyone who has been listening, warnings of these kind of attacks are far from uncommon. In fact, they're near constant in the cyber-security industry.

Perhaps beginning with the infamous insulin pump hack, presented to the world in 2011, security researchers have repeatedly shown healthcare technology to be wide open to those with a little ability and lot of bad intentions.

Late last year an FOI request by Accellion showed an ‘alarming' lack of cyber-security and awareness within the NHS. At Kaspersky Lab's recent Security Analyst Summit, researcher Sergey Lozhkin exhibited the ease with which one could hack into a Moscow hospital and find thousands of internet connected medical devices via simple Shodan searches.

“As much as it saddens me to say, it really isn't a surprise that we're starting to see more hacks against the medical industry. The only surprise is that it's taken this long before it's started to become a more common occurrence”, David Flower, managing director for EMEA at Carbon Black, told SC.  

Unfortunately, said Flower, “The healthcare industry doesn't seem to have acknowledged the threat by putting in place the defences to keep patient data secure. Those responsible for IT security need to take steps to ensure that they have always-on, continuous monitoring on any endpoint device, such as a server or laptop where patient data is stored.”