web analytics

Hack on Defunct Ambulance Firm Affects 912,000 People – Source: www.databreachtoday.com

hack-on-defunct-ambulance-firm-affects-912,000-people-–-source:-wwwdatabreachtoday.com
Rate this post

Source: www.databreachtoday.com – Author: 1

Cybercrime
,
Fraud Management & Cybercrime
,
Healthcare

Archived Data Stolen 2 Months After Sale of Business Affects Patients, Employees

Marianne Kolbasuk McGee (HealthInfoSec) •
January 3, 2024    

Hack on Defunct Ambulance Firm Affects 912,000 People
A data theft involving archived records of defunct firm Fallon Ambulance has affected nearly 912,000 patients and employees. (Image: Fallon)

A defunct ambulance company is notifying nearly 912,000 patients and employees that their archived records were compromised in an early 2023 data theft hack. The firm previously provided emergency care in the Boston region and administrative services to affiliated transportation companies.

See Also: JavaScript and Blockchain: Technologies You Can’t Ignore

In a report to Maine’s attorney general on Dec. 29, Transformative Healthcare said its Fallon Ambulance Services subsidiary – which ceased operations in December 2022 – had experienced a hacking incident that was discovered on April 21, 2023, but appears to have started months earlier, extending from Feb. 17 to April 22.

Affected files contained information such as name, address, Social Security number, medical information – including COVID-19 testing or vaccination information – and information provided to Fallon in connection with employment or application for work, Transformative said.

While Fallon was no longer operating, the ambulance firm maintained an archived copy of data previously stored on its computer systems “to comply with legal obligations,” Transformative said in the breach notice.

“While Fallon currently has no evidence of identity theft or fraud related to consumer information as a result of this matter, the company is also offering two years of identity protection services at no cost to affected individuals,” the Transformative breach notice said.

Transformative was acquired in December 2022 by Coastal Medical Transportation Systems, a privately owned nonemergency transportation company based in Hyannis, Massachusetts.

Neither an attorney representing Transformative Healthcare in its breach report to Maine regulators nor Coastal Medical Transportation System immediately responded to Information Security Media Group’s requests for additional details about the Fallon Ambulance hacking incident.

Risks of Archived Data

Transformative reported the hacking incident to the U.S. Department of Health and Human Services on Dec. 31 as affecting 911,757 individuals and involving electronic medical records and a network server. In its report to Maine’s attorney general, Transformative said the incident had affected about 20,486 Maine residents.

“This incident should serve notice to other organizations that may have the same issue – not necessarily going out of business, but in a position to retain data that are no longer in use, but which contain regulated elements: personally identifiable health or financial information,” said Mike Hamilton, co-founder and CISO of security firm Critical Insight.

“A good practice would be the use of off-site storage or encryption when records are no longer needed for operational purposes yet pose a risk to the business if subjected to unauthorized disclosure,” Hamilton said. Another technique would be to separate elements of the records, such that their accurate recombination would be difficult and the aggregate devalued, he added.

Dave Bailey, vice president at privacy and security consultancy Clearwater, said a recommended approach for a healthcare-related entity that is no longer operational is to conduct a thorough security risk analysis for archived records.

That analysis should involve evaluating and vetting whether the organization responsible for storing data has reasonable and appropriate controls in place, he said.

“If there is no essential business requirement for the data to be accessible or exposed to an online user base, it is advisable and good practice to limit its exposure to mitigate potential risks. Align decisions with the business case, and restrict access only to those with a genuine need,” he said.

It is also good practice to safeguard records from unnecessary risks regardless of the system in use, Hamilton added.

“The key is to minimize access, emphasizing the importance of restricting it to individuals essential for the business case. Bottom line is to prioritize minimizing exposure, keeping the archived systems up to date and current, and conduct testing to ensure you can access the data when needed. The overarching principle is to establish and enforce reasonable and appropriate controls, securing the data and validating that only authorized personnel can access it.”

While it is relatively uncommon for a business that has ceased operations to be pillaged for records, the Fallon Ambulance incident underscores the value of those patient and employee records, whether in production or not, Hamilton said.

“The types of records stolen lend themselves to financial and health fraud but also extortion. Having knowledge of an event such as domestic violence may be used to threaten individuals with disclosure of that information to employers or the community at large, and many may pay to keep that information confidential.”

Although major hacks on defunct companies appear to be fairly uncommon, other data security incidents involving nonoperational entities have occurred previously.

In 2021, security researcher Jeremiah Fowler, co-founder of consultancy Security Discovery, reported finding an unsecured database belonging to apparently recently defunct firm GetHealth.io that exposed 61 million records of wearable health and fitness device users on the internet (see: Researchers: 61M Health IoT Device User Records Exposed).

In 2018, HHS’ Office for Civil Rights signed a $100,000 HIPAA settlement with Filefax, a defunct Illinois-based medical records storage company, for a 2015 breach involving a Filefax dumpster discovered filled with medical records of about 2,000 patients that should have been shredded or destroyed before disposal.

“Archived systems are occasionally treated differently from production systems, lacking the same day-to-day controls,” Bailey said. “However, this distinction should not undermine their significance, as they still pose potential exposure.”

It is crucial to apply consistent practices to both archived systems and those designated for long-term data storage, demanding identical levels of monitoring and protection as their everyday counterparts, he said. “These systems have to have the same protections in place.”

Original Post url: https://www.databreachtoday.com/hack-on-defunct-ambulance-firm-affects-912000-people-a-24022

Category & Tags: –

Views: 0

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Cybersecurity Talent Crisis Today and Tomorrow by Codrut Andrei
Cybersecurity Talent Crisis Today and...
SCYTHE
Better Cybersecurity Metrics – SOC Metrics – Threat Hunting Metrics – Cyber Threat Intelligence (CTI) Metrics – Incident Response (IR) Metrics for CISOs by SCYTHE
Better Cybersecurity Metrics – SOC...
ACSC Australia
Personal Cyber Security First Steps by Australian Government – ACSC
Personal Cyber Security First Steps...
Joas Antonio
100 Security Operation Tools for SOCs by Joas Antonio
100 Security Operation Tools for...
Joas Antonio
Guide for Multi-Cloud Read Team AWS – GCP – AZURE by Joas Antonio
Guide for Multi-Cloud Read Team...
SANS
SANS Faculty Cybersecurity Free Tools – SANS Instructors have built more than 150 open source tools that support your work and help you implement better security.
SANS Faculty Cybersecurity Free Tools...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

New York State
Cybersecurity Program Template A resource to help individual licensees and individually owned businesses develop a cybersecurity program as required by New York State’s Cybersecurity Regulation 23 NYCRR Part 500
Cybersecurity Program Template A resource...
Apress
Cyber Security on Azure An IT Professional’s Guide to Microsoft Azure Security
Cyber Security on Azure An...
CyberJA
ASSET IDENTIFICATION & CLASSIFICATION-A CRITICAL COMPONENT OF CYBER RISK MANAGEMENT
ASSET IDENTIFICATION & CLASSIFICATION-A CRITICAL...
SOSAFE
CybercrimeTrends 2024 The latest threats and security best practices
CybercrimeTrends 2024 The latest threats...
Routledge
Cyber Security Politics Socio-Technological Transformations and Political Fragmentation
Cyber Security Politics Socio-Technological Transformations...
Hidaia Mahmood Alassouli
Common Windows, Linux and Web Server SystemsHacking Techniques
Common Windows, Linux and Web...
Cigref
Surviving a Massive cyber-attack by Cigref
Surviving a Massive cyber-attack by...
Splunk
SPLUNK® AND THE CIS CRITICALSECURITY CONTROLS Mapping Splunk Software to the CIS 20 CSC Version 6.0
SPLUNK® AND THE CIS CRITICALSECURITY...
SOC SIEM Use Cases
SOC SIEM Use Cases
safecode
Six Pillars of DevSecOps- Collaboration and Integration
Six Pillars of DevSecOps- Collaboration...
SentineOne
WatchTower I ntelligence-Driven Threat Hunting
WatchTower I ntelligence-Driven Threat Hunting
CNIL
Security of Personal Data
Security of Personal Data

More Latest Published Posts

CISA | Cybersecurity and Infrastructure Security Agency
UNDERSTANDING AND RESPONDING TO DISTRIBUTED DENIAL-OF-SERVICE ATTACKS
UNDERSTANDING AND RESPONDING TO DISTRIBUTED DENIAL-OF-SERVICE ATTACKS
McKinsey & Company
Transforming risk efficiency and effectiveness
Transforming risk efficiency and effectiveness
Arnold Antoo
Zero Trust Security Model
Zero Trust Security Model
Richea Perry
Your Cybersecurity Toolkit
Your Cybersecurity Toolkit
IGNITE Technologies
Wireless Penetration Testing
Wireless Penetration Testing
Joas A Santos
Windows API for Red Team #101
Windows API for Red Team #101
Economic Research Working Paper
Artificial Intelligence and Intellectual Property
Artificial Intelligence and Intellectual Property
CASOS DE USO APLICABLES EN UN SIEM
CASOS DE USO APLICABLES EN UN SIEM
IGNITE Technologies
Burp Suite for Pentester
Burp Suite for Pentester
The Institute of Internal auditors
Auditing Risk Culture
Auditing Risk Culture
DevSecOps Guide
ATTACKING PHP APPLICATIONS
ATTACKING PHP APPLICATIONS
DevSecOps Guide
ATTACKING KUBERNETES WITH SECURITY BEST PRACTICE
ATTACKING KUBERNETES WITH SECURITY BEST PRACTICE
CLTC WHITE PAPER SERIES
Guidance for the Development of AI Risk and Impact Assessments
Guidance for the Development of AI Risk and Impact Assessments
Active Directory
Active Directory IT AuditChecklist
Active Directory IT AuditChecklist
A guide to business continuity planning
A guide to business continuity planning
LOG RHYTHM
Using MITRE ATT&CK™ in Threat Huntingand Detection
Using MITRE ATT&CK™ in Threat Huntingand Detection
Kaspersky
H2 2023 – A brief overviewof main incidentsin industrial cybersecurity
H2 2023 – A brief overviewof main incidentsin industrial cybersecurity
Andrey Prozorov
24 Great Cybersecurity Frameworks
24 Great Cybersecurity Frameworks
ENISA-EUROPA
SEGURIDAD DE TELECOMUNICACIONES
SEGURIDAD DE TELECOMUNICACIONES
Project Management Institute
Building Resilience Through Strategic Risk Management
Building Resilience Through Strategic Risk Management
DATA LOSS PREVENTION (DLP)
DATA LOSS PREVENTION (DLP)
AICSSolutions
Cybersecurity Red Team
Cybersecurity Red Team
cisco
Cyber Incident Response
Cyber Incident Response
CSR Cyber Security Council
EVERY BUSINESS HAS DUTIES OF CARE IN THE FIELD OF CYBER SECURITY
EVERY BUSINESS HAS DUTIES OF CARE IN THE FIELD OF CYBER SECURITY
SYBEX
Cybersecurity ESSENTIALS
Cybersecurity ESSENTIALS
Agency for Digital Government
Cyber security in supplier relation ships
Cyber security in supplier relation ships
RINKU
Curso de introducción KALI LINUX PARA HACKERS ÉTICOS
Curso de introducción KALI LINUX PARA HACKERS ÉTICOS
CNIL
PRACTICE GUIDE GDPR
PRACTICE GUIDE GDPR