What follows is not only a security breach by hackers, but also a breach of faith and what I would consider negligence by the company and investigators that allowed this to go on for almost four months without alerting those affected.

21st Century Oncology, based in Fort Myers, Fla., operates 145 cancer treatment centers in the United States and 36 in Latin America.

The company, 21st Century Oncology Holdings, is warning 2.2 million patients that health data and Social Security numbers were stolen from its computer network.

The breach, which was revealed on March 4, occurred last November and included the theft of patient names, Social Security numbers, physicians’ names, diagnoses and treatment information, and insurance information.

21st Century Oncology said it had to delay notifying patients until after an FBI investigation concluded in November. According to the hospital, intruders gained access to its computer network in October.

In a statement, 21st Century Oncology said there is no indication that patients’ actual medical records were accessed. “Upon learning of the intrusion, we immediately hired a leading forensics firm to support our investigation, assess our systems and bolster security,” the hospital said in the statement.

James Chappell, Digital Shadows’ CTO and co-founder, said the hackers were most likely targeting personally identifiable information for resale on black markets. “The circumstances in these patients’ lives were already pretty tough,” Chappell said. “I’m surprised 21st Century Oncology weren’t better stewards of their patients’ data given their circumstances.”

“21st Century Oncology’s response really misses the mark,” said Ted Harrington, executive partner with Independent Security Evaluators, in an email interview. “They note in their statement that no medical records were lost. But patient names, Social Security numbers and other data were. These are some of the most important aspects of the medical record.”

21st Century Oncology is one of several hospitals that have been increasingly targeted by criminals. Last month, the Los Angeles-based Hollywood Presbyterian Medical Center paid $17,000 in Bitcoin to attackers who had locked down access to the hospital’s electronic medical records system and other computer systems using crypto-ransomware.

Independent Security Evaluators concludes that hospitals are vulnerable to attack and desperately need to shore up their cyber defenses.
