Data breach hits Advocate Aurora Health exposing personal information of 3 million patients
October 23, 2022 |
While the media in Australia is in hyperdrive over the Optus data, My Deal and Medibank Private data breaches it is relevant to put them into perspective. Data breaches are a worldwide phenomenon.
The Advocate Aurora Health network, with 26 hospitals in Wisconsin and Illinois are in the process of sending out notifications of a data breach involving 3 million patients. To put it even more into perspective itGovernance has undertaken an analysis of data breaches in the 3rd quarter of 2022. On its calculations, between July and September 2022 there were 285 publicly disclosed security incidents involving 232,266,148 compromised records. The numbers are eye watering but the greater concern is that there has been a rise in both the number of incidents, of over 20%, and a massive increase, of 134%, in the number of compromised records. By a wide margin cyber attacks are the most prevalent form of data breach. The public sector was the most vulnerable followed by the health sector.
The itGovernance article provides:
Welcome to our third quarterly review of security incidents for 2022, in which we take a closer look at the information gathered in our monthly list of data breaches and cyber attacks.
In this article, you’ll find an overview of the cyber security landscape from the past three months, including the latest statistics and our observations.
This includes year-on-year comparisons in the number of publicly disclosed data breaches, a review of the most breached sectors and a running total of incidents for the year.
Overview
IT Governance identified 285 publicly disclosed security incidents between July and September 2022, which accounted for 232,266,148 compromised records.
This represents a sharp increase (20.5%) in the number of security incidents compared to Q2 2022 and an even steeper rise in the number of compromised records (134%).
It brings the annual running total of security incidents to 788 and number of compromised records to 406,385,597.
We are on pace for over 1,000 publicly disclosed data breaches for the second year running, but in more positive news, the projected number of disclosed incidents (541 million) is well below 2021’s total (5.1 billion).
How security incidents are occurring
In compiling our monthly lists, we distinguish between breaches caused by an organisation leaking data by mistake (‘data breaches’) and those that are the result of criminal hacking (‘cyber attacks’).
We also place ransomware in its own category, due in part to the frequency of attacks and in order to differentiate it from intrusions that may be harder to detect, such as password breaches.
Separating security incidents in this way reveals more about how security incidents happen and who is to blame, as you can see in this chart:
Cyber attacks continue to be the most common type of security incident. In Q2 2022, we found 172 cyber attacks, which represents 60% of the publicly disclosed incidents that we detected.
Phishing and malware are among the most common types of cyber attacks, but in many cases the breached organisation doesn’t disclose how it fell victim.
That’s often a deliberate strategy as it doesn’t want to publicise its vulnerability – particularly if it’s still working on a solution.
Part of the reason that these attacks account for such a high percentage of the total is the way organisations address ransomware attacks.
After a huge spike in ransomware last year, with the number of publicly disclosed incidents increasing from 289 in 2020 to 401 the following year, the number has shot back down. Our figures project that there will be fewer than 250 publicly disclosed incidents.
However, if you speak to any cyber security researcher or professional, you’ll know that ransomware remains as much a threat as ever. But with the notoriety of the threat and the widespread discussion of the damage it can cause, organisations have prioritised ransomware prevention and are implementing more effective defences.
Some of the steps that organisations can take include regularly backing up sensitive information, which can be restored rather than negotiating with the attackers to receive a decryption key.
They can also adopt business continuity plans to better equip themselves to deal with disruptive incidents.
Organisations’ ability to prevent ransomware attacks hasn’t suppressed the threat of cyber crime altogether, though. Cyber criminals continue to launch attacks and using different techniques.
We have seen, for example, a renewed interest in more traditional attack methods, such as phishing.
How many records have been compromised?
As we often note, it’s hard to know definitively how many records have been compromised, because few publicly disclosed breaches contain this information.
However, in the incidents where this information was revealed, there were 232,266,148 breached records in total.
The incidents with the most breached records in Q3 2022 were:
-
- Neopets (69 million)
- Shanghai COVID-19 app (48.5 million)
- Unknown credit agency (28.5 million)
- Mangatoon (23 million)
- Swachhta City Platform (16.4 million)
Which sectors were the most vulnerable?
The public sector was the most vulnerable to compromise in Q3 2022, accounting for 60 breaches. This represents one in five publicly disclosed security incidents.
It replaces the healthcare and health science sector (52 incidents) atop the list. Between them, they represent almost 40% of all breaches.
The other big contributors were the education sector (39 incidents), technology (33) and retail (25).
The article about Advocate Aurora provides:
Advocate Aurora Health (AAH), a 26-hospital healthcare system in Wisconsin and Illinois, is notifying its patients of a data breach that exposed the personal data of 3,000,000 patients.
The incident was caused by the improper use of Meta Pixel on AAH’s websites, where patients log in and enter sensitive personal and medical information.
Meta Pixel is a JavaScript tracker that helps website operators understand how visitors interact with the site, helping them make targeted improvements.
However, the tracker also sends sensitive data to Meta (Facebook) and is then shared with a massive network of marketers who target patients with advertisements that match their conditions.
This privacy breach has taken the U.S. by storm, as Meta Pixel is used by many hospitals in the country, exposing millions of people to third parties and sparking class action lawsuits against the responsible organizations.
In August 2022, U.S. healthcare provider Novant Health disclosed its improper use of Meta Pixel in its implementation of the ‘MyChart’ portal, exposing 1.3 million patients.
The ‘MyChart’ patient portal is also used by AAH, along with another platform named ‘LiveWell,’ both of which had active Meta Pixel trackers.
“When patients used Advocate Aurora Health patient portals available through MyChart and LiveWell platforms, as well some of our scheduling widgets, certain protected health information (“PHI”) would be disclosed in certain circumstances, particularly for users concurrently logged into their Facebook or Google accounts.” – AAH.
AAH’s data breach notification says that the following information may have been exposed via Meta Pixel:
-
- IP address
- Dates, times, and locations of scheduled appointments
- Proximity to an AAH location
- Medical provider information
- Type of appointment or procedure
- Communications between MyChart users, which may have included first and last names and medical record numbers
- Insurance information
- Proxy account information
AAH reported that the breach affected 3 million people to the U.S. Department of Health, which listed it on its breach report portal.
The healthcare provider has disabled the Pixel tracker on all systems and is implementing safeguards to prevent a similar exposure from happening again.
Patients are advised to use their web browsers’ tracker-blocking features or use incognito mode when logging in on medical portals. Those with a Facebook or Google account should review their privacy settings.
AAH has also compiled a FAQ page to help patients find answers to common questions about the data breach.