All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.
In the Meadow, the residents are generally healthy. At times, we have issue requiring surgery and later rehabilitation. Based on the injury, this could be a short or long journey. Regardless of the length of rehabilitation, the patient does need to provide certain data and information to the facility where the treatment will take place. This data is personal, confidential, and should be protected with all appropriate levels of security. Unfortunately, a rehabilitation center in Michigan system was compromised.
This affected the Sacred Heart Rehabilitation Center. As noted, this is located in Michigan in Macomb County (Richmond) on Stoddard Road. The facility provides HIV/AIDS care. There is also substance abuse treatment services. This operates as a non-profit, beginning in 1967. As this is a non-profit, the last thing they needed was the expense of a compromise, incident response, and placing new controls and policies in place. This is only on the internal administrative side. There will be more issues with the US Department of HHS, as this involved HIPAA data and information.
The tool the attackers used is too familiar. This unfortunately has a great ROE (return on equity), and ease of use, which makes it a favorite choice. This successful compromise shows the phishing attack is alive, well, and works well. The compromise was due to a simple, yet successful phishing campaign. The estimated attack period was between April 5-7, 2018. From the forensic work already done, it appears as though one employee’s email was compromised.
This significant, deep compromise is another example of what can go wrong when one employee’s email is compromised. All it takes is the right person in the right position and department to click once.
The compromised employee’s email account unfortunately contained the patient’s information. This included the patient’s full names, addresses, health insurance information, medical treatment information, medical diagnosis, and/or social security number. This is just the right combination of data to make someone’s life even more interesting. As the patients are exceptionally sick, they and their families did not need this stress. On the other side of the coin, the data and information is very valuable to the attackers, and could be sold in a lot, or divided into sections and sold to many persons.
Once the administration learned of the issue on November 16, 20118, the rehabilitation center began an investigation, which is a great idea. The rehabilitation center contracted with third parties to complete the cybersecurity forensic work. The Sacred Heart Rehabilitation Center noted the affected parties. The forensic work indicated the affected parties, thankfully, were limited. Letters were mailed to the affected parties on January 9, 2019. With the patients whose social security numbers were exposed, they were offered a credit monitoring service and identity theft restoration for a year, free of charge. The patients also have been give a best practices document to show them how to best defend their data. The rehabilitation center is also providing additional training for the staff.
The compromise itself brings up many issues. Since the successful attack and compromise took place in April, why did it take seven months for them to figure it out? If there was a SIEM in place, and being monitored, it seems as though this should have not taken nearly this long. Even if there was not a SIEM in place, which sounds odd, there should have still been a periodic log review. Surely the mass amount of data flowing to an odd IP address would not indicated something odd or unique was going on.
The credit monitoring sounds good to the consumer and patient, however, a year does not mean much. The data exfiltrated for the unfortunate patients is static for that point in time, and some of this is permanent. If the attackers were to attach a disclaimer onto the data as they sell it to the many people and organizations interested to wait one year and one week to do anything with it, the defensive measure would be an epic fail.
Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.
Brown, B. (2019, January 10). Sacred heart rehabilitation center breach exposed patients’ information. Retrieved from https://nbc25news.com/news/local/sacred-heart-rehabilitation-center-breach-exposed-patient-information
Fox News. (2019, January 10). Breach exposes some michigan patient’s personal information. Retrieved from https://fox17online.com/2019/01/10/breach-exposes-some-michigan-patients-personal-information/
Laine, C. (2019, January 10). Security breach involved patients’ names, medical, information, social security numbers. Retrieved from https://www.whem.com/news/security-breach-involved-patients-names-medical-information-social-security-numbers/
Jordan, H. (2019, January 10). Security breach exposed patient information at sacred heart rehabilitation sites in michigan. Retrieved from https://www.mlive.com/news/saginaw-bay-city/2019/01/security-breach-exposed-patient-information-at-sacred-heart-rehabilitation-sites-in-michigan.html
Midland Daily News. (2019, January 10). Sacred heart rehabilitation center reports online security incident. Retrieved from https://www.ourmidland.com/news/article/Sacred-Heart-Rehabilitation-Center-reports-online-13523247.php
Voice News. (2019, January 10). Patient info breach at sacred heart rehabilitation center in richmond township. Retrieved from http://www.voicenews.com/news/patient-info-breach-at-sacred-heart-rehabilitation-center-in-richmond/
WWJ. (2019, January 10). Security breach exposes some michigan patients’ personal information. Retrieved from https://wwjnewsradio.rdio.com/articles/security-breach-exposes-some-michigan-patients-personal-information
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
Share on Facebook
Share on Twitter
I'm busy working on my blog posts. Watch this space!