Diabetes WA reveals significant data breach, one of a growing number of health data breaches worldwide

April 6, 2024

On 2 April 2024 Diabetes WA announced a data breach in a rather cryptic statement. It refers to “some of our contacts” whose exposed data covered names, addresses, Medicare numbers and type of diabetes, amongst other information. Diabetes WA recommends obtaining a replacement Medicare card number. The breach is reported by itnews in Diabetes WA reveals data breach. It occurred through a single compromised user account, and Diabetes WA believes it involved persons who had used its telehealth services. Even with a limited attack, the data available to the intruder was significant.

Data Breach Today reports, in Health Data Thefts Keep Coming; Millions Affected in 2024, that the US Department of Health and Human Services has recorded 174 major health data breaches in the USA involving 16.6 million individuals since the beginning of this year.

Health remains a key focus for attackers because health services collect and store vast troves of personal information. Despite this, the level of complacency among hospitals and health services is quite high and the willingness to spend on proper data security quite low.

The Diabetes WA notification provides:

Diabetes WA recently experienced a cyber incident, which resulted in a third-party gaining access to the personal information of some of our contacts.

This breach was quickly detected and fully contained. It is under investigation through Diabetes WA’s Cyber Security Response Plan.

We can confirm that no detailed medical records or detailed clinical information were accessed.

Diabetes WA has sent a communication to all affected individuals of this incident.  We have also notified the Office of the Australian Information Commissioner of this incident.

Based on our investigation, we understand that personal information may have been affected by the incident including the following details:

    • Name
    • Address
    • DOB
    • Email
    • Telephone number
    • Marital Status
    • Aboriginal Status
    • Medicare Number
    • Referring doctor
    • Type of diabetes

We have taken decisive action to protect data we hold in this cyber incident and will further reinforce our technology security measures to protect us from potential future attacks.

We recommend that those affected apply for a replacement Medicare card number from Services Australia. Your replacement card will have a new issue number and expiry date and your old card will no longer be valid. You can do this by:

    • Signing in to your myGov account, selecting “Get a Replacement” and following the prompts; or
    • Calling Services Australia on 132 011.

Some further steps you may consider taking to protect yourself include:

    • Be aware of emails and telephone calls from people requesting your personal details, (especially things like your date of birth, residential address, email address, username or passwords which are often used to verify your identity).
    • Contact IDCare on 1800 595 160 or visit www.idcare.org who can provide you with additional guidance on the steps you can take to protect yourself from identity fraud.
    • If you start to receive unwanted telemarketing calls, consider registering your number with the Australian Communications and Media Authority’s ‘Do Not Call register’ by visiting www.donotcall.gov.au/consumers/register-your-numbers. You can also contact your service provider and request to change your number.

The itnews report on the Diabetes WA data breaches provides:

Attack “fully contained” after Medicare numbers compromised.

Diabetes WA has disclosed a data breach affecting people who engaged with its telehealth service.

In a breach notice posted Tuesday, the organisation said a “third party” gained “access to the personal information of some … contacts.”

The personal information possibly exposed in the breach includes name, address, date of birth, email, phone number, marital status, Indigenous status, referring doctor, type of diabetes, and Medicare number.

However, the organisation said detailed medical records and clinical information were not accessed.

A spokesperson for Diabetes WA told iTnews that the information accessed related only to people who had contacted the Diabetes WA Telehealth Service.

“It is likely that a sub-section of those contacts will have been members, but our focus has been on ensuring that every affected contact – whether a member or not – has been notified of the breach in the timeliest manner possible.”

The spokesperson said the breach happened via one compromised Diabetes WA user account, which was “promptly closed, thereby blocking the attacker, and stopping any further access to our system.”

Further investigation “revealed the scope of the attack and that the breach had not spread laterally across our systems,” the spokesperson said.

All affected individuals have been contacted, and Diabetes WA has notified the Office of the Australian Information Commissioner.

Because Medicare numbers were breached, the organisation is advising affected individuals to get a new Medicare card number, either online via MyGov or by calling Services Australia.

Diabetes WA said the breach was “quickly detected and fully contained” and is now “under investigation through Diabetes WA’s Cyber Security Response Plan.”

It also advises concerned individuals to seek additional assistance through IDCare.

Diabetes WA provides support services to an estimated 260,000 Western Australians affected by the disease.

The Data Breach Today article provides:

What do a California cancer research center; an Indiana ear, nose and throat practice; an Oklahoma ambulance company; and a New York billing firm all have in common? They’re among the latest firms to report data exfiltration breaches, which have affected millions of U.S. patients so far this year.

Those four breaches alone affected the protected health information of more than 2 million individuals and are only a small sample of the recent exfiltration incidents healthcare entities and their vendors are reporting.

“Records theft has morphed from selling them on the dark web to withholding them as an extortion tool, using the threat of class action lawsuits, FTC enforcement of the False Claims Act and increasing regulatory scrutiny, including fines,” said Mike Hamilton, founder and CISO of security firm Critical Insight.

“This is likely an artifact of the glut of records available for sale and downward pricing pressure for their acquisition,” he said. “This is likely to continue as a primary tactic as long as our own regulatory and statutory underpinnings provide this leverage to criminal gangs.”

As of Thursday, the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website shows a total of 174 major health data breaches affecting more than 16.6 million individuals reported in the first quarter of the year.

Of those, 134 breaches were reported as IT/hacking incidents affecting 16.3 million people – or nearly 98% of individuals affected by major health data breaches so far in 2024.

While the HHS website does not break down hacking incidents by type, many of the largest breaches reported in recent weeks to regulators involved data exfiltration, based on descriptions provided in those entities’ breach notices.

Among the largest such incidents was a breach reported on Tuesday by California-based cancer research center, City of Hope, to the state of Maine’s attorney general as affecting nearly 830,000 individuals, including 166 Maine residents.

City of Hope in a breach notice said it became aware on Oct. 13, 2023, of suspicious activity on a subset of its systems and immediately took measures to minimize and contain any disruption to its operations.

City of Hope’s investigation determined that an unauthorized third party accessed a subset of its systems and obtained copies of some files.

The cancer center on March 25 identified individuals affected by the incident. Potentially compromised information varies among individuals but includes name, email address, phone number, birthdate, Social Security number, driver’s license or other government identification, financial details such as bank account number or credit card details, health insurance information, medical records, medical history and/or associated conditions, and medical record number.

Other large health data exfiltration incidents include:

    • Otolaryngology Associates LLC, an ear, nose and throat practice in Indiana, which reported a data exfiltration breach to HHS on Monday as affecting nearly 317,000 individuals;
    • Emergency Medical Services Authority, an ambulance company in Oklahoma, reporting to HHS on March 22 a data theft breach affecting nearly 612,000 individuals;
    • M&D Capital Premier Billing LLC, a New York-based medical billing firm, reporting to HHS on March 21 a data exfiltration hack affecting more than 284,000 people.

While the City of Hope reported on Tuesday to the state of Maine that its hacking incident affected nearly 830,000 individuals, the cancer center’s breach report filed to HHS on Dec. 12, 2023 includes a placeholder estimate of only 501 people being affected.

Under the HIPAA Breach Notification Rule, PHI breaches affecting 500 or more individuals must be reported to HHS within 60 days of discovery.

Because many entities are uncertain of the exact number of individuals affected by major incidents when that 60-day reporting deadline rolls around, they often initially report to HHS that their breaches affected 500 or 501 people, as it appears City of Hope did.

The number of data exfiltration, ransomware and other hacking incidents reported to federal and state regulators will only climb in the weeks and months ahead. Not yet reported to regulators are breaches likely stemming from the recent cyberattack on UnitedHealth Group’s Change Healthcare IT services unit, which has affected scores of the company’s healthcare sector customers.

UnitedHealth Group last week admitted that data was “taken” in the attack and said the company is analyzing the information potentially compromised (see: UnitedHealth Admits Patient Data Was ‘Taken’ in Mega Attack).

Change Healthcare says it handles 15 billion transactions annually, touching 1 in 3 patients. Meanwhile, ransomware-as-a-service gang BlackCat/Alphv has claimed it stole 6 terabytes of data in the attack. So, the potential victim tally in that one incident alone could reach millions of individuals.

2023 was a record-breaking year for health data breaches in terms of the number of incidents reported to HHS – 737 – and the total number of people affected – nearly 144.6 million (see: How 2023 Broke Long-Running Records for Health Data Breaches).

But 2024 could potentially shatter last year’s records, Hamilton predicted.

“2024 is on track to be a record year for records theft, not only for the number of records exposed, but the number of covered entities and business associates that are compromised,” he said.

Threat analyst Brett Callow of security firm Emsisoft said he suspects that the number of breaches and the number of people affected by them will remain fairly steady this year. But, “I certainly see no reason for a significant decrease in the short term. Achieving that would likely require a significant policy shift,” he adds.

“What I do think we’ll see is threat actors – and especially ransomware operators – make more use of exfiltrated [data] than they did in the past. By that, I mean leveraging it more to try to force victims to pay,” Callow said. For example, ransomware gangs threatening to use information stolen from a hospital to swat its patients. “Unfortunately, I think we’ll see more and more of these tactics.”

In defending against criminal organizations that are highly resourced, skilled and motivated, these organizations have essentially no defense despite the regulatory frameworks and standards of practice that are recommended for adoption by the sector, Hamilton said.

In the absence of much more aggressive action by the federal government and international cooperation to secure our respective logical borders, this trend shows no sign of stopping, Hamilton warned. “The gap between the public harm done by these acts and the private responsibility to ensure they don’t happen must be closed.”

In the meantime, healthcare sector organizations should implement certain critical security controls and practices to help avoid falling victim to data exfiltration by cybercriminals, Hamilton said.

“Good network monitoring should include alerting on large outbound data transmissions, the detection of abnormally large encryption keys and behavioral anomalies, and should be in place 24/7/365 with human analysts combined with response automation playbooks,” he said.
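Hamilton’s first recommendation, alerting on large outbound data transmissions, is simple to prototype from flow logs. The following is an added example, not code from the Data Breach Today article, Critical Insight or Diabetes WA. It assumes flow records have already been exported into one line per flow (timestamp, source host, destination IP, bytes out); the host names, addresses, byte counts and the two thresholds are constructed for illustration and would be tuned to a real environment. It applies two rules per host and calendar day: an absolute egress limit, and a deviation of ten times the host’s own median daily volume once enough baseline days exist.

```python
"""Egress-volume alerting over constructed flow records (example, not a product's code)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Thresholds are assumptions for this example; tune them to the environment.
DAILY_EGRESS_LIMIT = 1 * 1024 ** 3   # 1 GiB outbound per host per calendar day
BASELINE_MULTIPLIER = 10             # flag a day at 10x the host's median prior day
MIN_BASELINE_DAYS = 2                # prior days needed before the ratio rule applies

# Constructed sample flow log: ISO timestamp, source host, destination IP, bytes out.
# Destinations use documentation ranges; the last line is deliberately malformed.
SAMPLE_FLOWS = """\
2024-04-01T09:00:00 ws-17 203.0.113.5 120000
2024-04-01T11:30:00 ws-17 203.0.113.5 95000
2024-04-02T09:10:00 ws-17 203.0.113.5 130000
2024-04-02T14:00:00 ws-17 198.51.100.9 90000
2024-04-03T10:00:00 ws-17 203.0.113.5 110000
2024-04-04T02:10:00 ws-17 198.51.100.77 1900000000
2024-04-04T02:40:00 ws-17 198.51.100.77 1700000000
2024-04-01T09:00:00 ws-22 203.0.113.5 1200000
2024-04-02T09:00:00 ws-22 203.0.113.5 1100000
2024-04-03T09:00:00 ws-22 203.0.113.5 1300000
2024-04-04T09:00:00 ws-22 203.0.113.5 900000
2024-04-04T13:00:00 ws-22 192.0.2.44 52000000
2024-04-01T23:00:00 srv-backup 203.0.113.200 2500000000
this line is malformed and is skipped
"""


def parse_flows(text):
    """Parse 'timestamp host dst bytes' lines into dicts, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, dst, nbytes = parts
        try:
            flows.append({"ts": datetime.fromisoformat(ts), "host": host,
                          "dst": dst, "bytes": int(nbytes)})
        except ValueError:
            continue
    return flows


def daily_egress(flows):
    """Aggregate outbound bytes into {host: {date: total_bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f["host"]][f["ts"].date()] += f["bytes"]
    return totals


def detect_egress_anomalies(flows):
    """Return alert dicts for days that breach the absolute or baseline rule."""
    alerts = []
    for host, per_day in daily_egress(flows).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            total = per_day[day]
            if total >= DAILY_EGRESS_LIMIT:
                alerts.append({"rule": "daily_egress_limit", "host": host,
                               "date": day.isoformat(), "bytes": total})
            # Baseline rule: compare against the median of this host's earlier days only,
            # so a host with no history (e.g. a new backup server) is judged by the
            # absolute rule alone rather than by a baseline of zero days.
            prior = [per_day[d] for d in days[:i]]
            if len(prior) >= MIN_BASELINE_DAYS:
                base = median(prior)
                if base > 0 and total >= BASELINE_MULTIPLIER * base:
                    alerts.append({"rule": "baseline_deviation", "host": host,
                                   "date": day.isoformat(), "bytes": total,
                                   "baseline": base})
    # Deterministic ordering makes the output easy to diff and test.
    return sorted(alerts, key=lambda a: (a["host"], a["date"], a["rule"]))


if __name__ == "__main__":
    for alert in detect_egress_anomalies(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

On the sample data the workstation ws-17 trips both rules on 4 April (3.6 GB overnight to a previously unseen address), ws-22 trips only the baseline rule (52.9 MB against a typical 1.2 MB day, well under the absolute limit), and srv-backup trips only the absolute rule because it has no prior days to form a baseline. That last case is the one an analyst has to triage by hand, which is why Hamilton pairs the alerting with 24/7 human review rather than automation alone.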
