People tend to visit their doctor every now and again for the annual check-ups, scrapes, and other issues. As the patients visit their respective doctor, the office requires certain information and the doctor have their notes from the visit. This information is important to us and have value. Most of the time, securing this is not an issue. This was not the case for Navicent Health. Navicent Health is based in Macon, GA. This is one of middle Georgia’s largest employers and healthcare providers. This is also the second largest hospital.
The attackers focused on the hosted staff email system. This, fortunately, did not include the EHR system or network. The staff email system did however contain the patient’s private personal information. This included the patient's name, data of birth, address, limited medical information, and a portion of the patient also had their social security number exposed. To top off the list, there was also billing and appointment scheduling data.
The successful attack occurred in July 2018. Curiously, this was detected on January 24, 2019. Navicent did notify law enforcement of the attack and breach. The breach affected 278,016 patient’s PHI and PII. The patient’s data was located on the compromised email server. Navicent was not completely sure I the attackers viewed or downloaded the patient’s data. To be conservative, it is presumed the attackers had.
The company contracted with a third party forensics firm to investigate the issue. They also notified the affected parties. They were offering, in response to the breach, free ID theft protection. This was limited to the patients with their social security number exposed. The patient recommendation is for them to monitor their credit report and account statements. To alleviate the potential for this to happen again, the management is reviewing additional staff education and adding other technology.
There were a number of issues with this successful attack. First, there needed to be additional training for the staff. Also as a significant issue, there was a rather significant time lag from the attack date to the detection date. The successful attack was in July 2018. The detection occurred on January 24, 2019. This was a rather long time to detect a rather significant issue. There has been no comment as to why this took so long.
Abrams, L. (2019, April 17). Navicent health data breach exposes patient’s personal info. Retrieved from https://www.bleepingcomputer.com/news/security/navicent-health-data-breach-exposes-patients-personal-info/
Corley, L. (2019, March 22). Navicent health announces cyber attack targeting its email system. Retrieved from https://www.macon.com/news/local/crime/article228281814.html
Davis, J. (2019, March 25). Navicent health reports data breach from july 2018 cyberattack. Retrieved from https://healthitsecurity.com/news/navicent-health-reports-data-breach-from-july-2018-cyberattack
Dissent. (2019, March 22). Navicent health announces cyber attack targeting its email system. Retrieved from https://www.databreaches.net/navicent-health-announces-cyberattack-targeting-its-email-system/
Drees, J. (2019, April 16). Update: Data breach exposes 278,000 navicent health patients’ information. Retrieved from https://www.beckershospitalreview.com/cybersecurity/update-data-breach-exposes-278-000-navicent-health-patients-information.html
HIPAA Journal. (2019, March 25). PHI exposed in three recent email security incidents. Retrieved from https://www.hipaajournal.com/phi-exposed-in-three-recent-email-security-incidents/
Inforisktoday. (2019). Cyberattack exposes PHI in email attacks. Retrieved from https://www.inforisktoday.com/cyberattack-exposes-phi-in-email-accounts-a-12349/
Marlin, L. (2019, March 26). Email breaches in three states expose protected health information. Retrieved from https://privaplan.com/blog/email-breaches-in-three-states-expose-protected-health-information/
McGee, M.K. (2019, April 5). Cyberattack exposes phi in email accounts. Retrieved from https://www.careersinfosecurity.com/cyberattack-exposes-phi-in-email-accounts-a-12349
Navicent Health. 92019). Notice of data security incident. Retrieved from https://www.navicenthealth.org/notice-of-data-security-incident.html
Spamfighter. (2019). Navicent health reported data breach due to a cyberattack. Retrieved from https://www.spamfighter.com/news-22140-Navicent-Health-reported-Data-Breach-due-to-a-cyberattack.htm
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
Share on Facebook
Share on Twitter
I'm busy working on my blog posts. Watch this space!