nTreatment, a provider of electronic health and patient records to medical professionals, exposed thousands of patient records due to a failure in cloud storage security. In fact, the exposure began with a cloud server with no password protection whatsoever.
First discovered and reported by TechCrunch, the cloud server contained 109,000 files, including lab results from third-party providers, medical records, doctors’ notes, and insurance claims. This information is protected under HIPAA compliance rules, which can result in serious fines. According to TechCrunch, none of the data had encryption protection; virtually all of it was viewable in the browser.
Since the report, the cloud server has been secured, although it remains unclear how long the database remained exposed.
Several cybersecurity experts reached out to us with their thoughts on the nTreatment Leak. Here’s what they said.
nTreatment Leak: Expert Commentary
Robert Prigge is CEO of Jumio.
“NTreatment’s exposure of thousands of private medical records confirms healthcare organizations need strong authentication to protect sensitive data (or any data for that matter). Fraudsters can leverage the exposed medical records, lab results, doctors’ notes, insurance claims, and internal company documents to impersonate legitimate patients and commit insurance fraud, seek covered medical care, and refill unauthorized prescriptions. Although the cloud server was secured, it’s very likely the exposed information is already circulating on the dark web – where it’s likely to command a high value since there’s more personal information in health records than any other electronic database. With the increase in healthcare breaches and the industry’s shift towards self-service and telemedicine, it is critical to know your patient is who they say they are in order to avoid catastrophic impact. Leveraging biometric authentication (using a person’s unique human traits to verify identity) confirms patient identity, which allows healthcare organizations to approve or deny online accounts, appointment requests, and attempted purchases.”
Vinay Sridhara, CTO, Balbix
Vinay Sridhara is CTO of Balbix.
“Unfortunately, this is an example of what happens when a company leaves a server and critical information unsecured without any password protection. This breach illustrates the challenges of securing increasingly complex digital ecosystems, particularly in sensitive industries like healthcare. We are continuing to see companies compromise sensitive data and suffer costly breaches due to exposed, unsecure databases left open and accessible to anyone online without basic protection such as a password.
To mitigate vulnerabilities across an organization’s entire IT infrastructure and safeguard databases, it is vital that healthcare organizations achieve clear and comprehensive visibility over all assets, threats, and risks across their networks. Effective security strategies that actively monitor for and quantitatively assess all possible vulnerabilities will enable companies to easily and quickly identify and secure unsecure databases before it’s too late.”
Mark Bagley is VP of Product of AttackIQ.
“The healthcare industry has become a primary target for cyber-criminals due to protected health information (PHI) being extremely profitable on dark web marketplaces. Healthcare data usually contains fixed information, such as dates of birth and Social Security Numbers, which hackers can use to commit identity theft for years to come. Healthcare organizations that manage large amounts of PHI must take proactive approaches to protect their data. In addition to the usual control-centric approach, holders of PHI need to add continuous evaluation of their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses, with a special eye to validation of the third-parties they work with given the sensitivity of the information.”
Thanks to these experts for their time and expertise. For more, check out our Identity Management Buyer’s Guide.
Latest posts by Ben Canner (see all)
- Identity Management Experts’ Commentary on the Pixlr Data Exposure - January 21, 2021
- User and Non-User Identities in Your Network: Securing Both is the Key - January 19, 2021
- Solutions Review Releases 2021 Buyer’s Guide for Biometric Authentication - January 13, 2021