The Dental Center of Northwest Ohio provides
dental services and is based in Toledo, OH. In order to focus on dentistry, the
practice contracted with Arakyta to manage their IT services.
Breach
The
Dental Center of Northwest Ohio’s vendor experienced a breach. Arakyta was
breached on September 1, 2018. Arakyta contracted with a third party to
investigate the issue. They found that an unauthorized person had accessed
their server. They may have viewed and copied their patient data. This also
affected employees.
Attack
The attackers
used ransomware to attack the dental center’s vendor. This infected the
vendor’s computer systems. During this time it appears the systems were open to
the attackers. It is notable that there were security measures in place, however,
these were avoided by the attacker, much like a football player avoiding a
tackle. The center is not sure how many patients were affected by this breach.
Data
As an additional issue for the practice, it
appears the data may have been accessed. The disclaimer is there, as of January
2019, no evidence the data had been used in a malicious manner. While this is
intended to calm the waters, there may not be signs for months or a year later.
The data potentially accessed would be excessively useful for identity theft, fraud,
and other nefarious uses. The data included the patient’s name, address, date
of birth, social security number, state ID number, driver’s license number, medical
treatment, medical history, diagnosis, clinical treatment information, medical
record number, patient number, health insurance, and benefits information, and
financial account information. The data could be used in several different ways by
different parties for many malicious purposes.
Remediation
Dental Center of Northwest Ohio is offering free credit monitoring and ID
theft restoration services to the possibly affected parties and staff. While
this is great and a step in the right direction, this does not solve the
overall issue. People are not allowed to change certain information about
themselves, i.e. social security number, and historical static data won’t
change, i.e. medical treatments. These data points will available for unauthorized
use indefinitely. The Dental Center of Northwest Ohio and Arakyta are also
reviewing policies and procedures and implementing additional security
measures.
Comments, Concerns, Etc.
There are teachable moments to share with most things. This would be one
of those occasions. Granted this would not be shared until the issue would be
resolved, however, this would have still been a lesson for others in the industry.
Of course, the CISO/CTO does not want to have further light cast on the
oversight, however, the issue once resolved should be documented and put in the
past.
Resources
Barth, B.
(2019, January 3). Dental center of NW ohio feels bite of ransomware attack on
IT vendor. Retrieved from https://www.scmagazine.com/home/security-news/dental-center-of-nw-ohio-feels-bite-of-ransomware-attack-on-it-vendor/
Bratton, M.
(2019, January 2). Data breach puts personal information at risk for patients,
employees, of dental center of northwest ohio. Retrieved from https://www.13abc.com/content/news/Data-breach-puts-personal-information-at-risk-for-patients-employees-of-Dental-Center-of-Northwest-Ohio-503811171.html
Data Center
of Northwest Ohio. (2018, December 28). RE: Dental center of northwest ohio,
notice of data privacy event. Retrieved from https://www.prnewswire.comp/news-releases/re-dental-center-of-northwest-ohio-notice-of-data-privacy--event-300771300.html
HIPAA. (2019,
January 2). Vendor of dental center of northwest ohio suffers ransomware
attack. Retrieved from https://www.hipaajournal.com/vendor-of-dental-center-of-northwest-ohio-suffers-ransomware-attack/
No comments:
Post a Comment