[BreachExchange] Data breach at third-party provider exposes medical information of US healthcare patients

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Jul 8 11:41:04 EDT 2021


https://portswigger.net/daily-swig/data-breach-at-third-party-provider-exposes-medical-information-of-us-healthcare-patients

A data breach at a third-party provider has potentially exposed the private
medical information of patients at Northwestern Memorial HealthCare (NMHC)
providers.

Unknown actors gained unauthorized access to a database owned by Elekta,
which provides a cloud-based platform that handles legally-required cancer
reporting to the State of Illinois.

In a security advisory, the healthcare provider, based in Chicago, said
that the attackers made a copy of the datasets, which include patient
names, dates of birth, Social Security numbers, health insurance
information, and medical record numbers.

The database also contained clinical information related to cancer
treatment, including medical histories, physician names, dates of service,
treatment plans, diagnoses, and/or prescription information.

Those potentially affected are patients of Northwestern Medicine Central
DuPage Hospital, Northwestern Medicine Delnor Community Hospital,
Northwestern Medicine Huntley Hospital, Northwestern Medicine Kishwaukee
Hospital, Northwestern Medicine Lake Forest Hospital, Northwestern Medicine
McHenry Hospital, Northwestern Memorial Hospital, and Northwestern Medicine
Valley West Hospital.

NMHC said that no financial information was accessed. Any patients believed
to have been affected will be notified by post. NMHC will also be offering
free credit monitoring services to those whose Social Security numbers were
exposed.

“Patients are encouraged to review statements from their health insurer or
healthcare provider, and to contact them immediately if they see any
services they did not receive,” the statement reads.

“We regret that this incident occurred and are committed to protecting the
security and privacy of patient information.”

NMHC also said it was “re-evaluating its relationship with Elekta”.

The Daily Swig reached out to NMHC, which directed us to their statement.

Third-party perils

The attackers did not access NMHC’s systems, networks, or health records,
the company confirmed.

Rather, the incident was a stark reminder about the risks of using
third-party software or services.

The notorious Blackbaud incident is a good example of what can happen as a
result of a cyber-attack at a service provider.

Hundreds of charitable organizations and fundraising initiatives were
affected by the ransomware attack, which exposed the personal details of
financial donors.