[BreachExchange] Genetic Testing Lab Hack Affects 233,000

Destry Winant destry at riskbasedsecurity.com
Tue Apr 28 10:13:45 EDT 2020


A California-based genetic testing laboratory has reported an email
hacking incident that may have exposed medical information on nearly
233,000 individuals. It's the second-largest health data breach posted
to the federal health data breach tally so far in 2020.

The incident that Ambry Genetics reported on March 22 to the U.S.
Department of Health and Human Services also serves as a reminder
about the cyberthreats facing all laboratories and other healthcare
entities that handle sensitive patient information - including medical
testing data related to the COVID-19 pandemic.

"Labs are handling more tests than in normal times, increasing the
amount of patient data stored, processed or transmitted," says Keith
Fricke, principal consultant at tw-Security.

"Criminals may see this as another source of information to steal for
financial gain. Additionally, IT departments continue to focus on the
support needs of a remote workforce and setting up technology
infrastructure for COVID-19 triage and treatment tents. Consequently,
less time may be spent on monitoring network activity, unless a third
party is contracted to monitor network and system event logs."

The Breach Tally

As of Friday, the Ambry Genetics breach was the second-largest health
data breach in 2020 on HHS' HIPAA Breach Reporting Tool website, which
lists health data breaches impacting 500 or more individuals.

The largest breach, which involved the theft of an unencrypted laptop,
was reported in February by Health Share of Oregon. That incident
affected nearly 654,400 individuals (see: Breach Report: Sometime
Encryption is Still Overlooked).

So far in 2020, 35 of the 36 largest breaches posted to the HHS tally
were reported as hacking/IT incidents.

"Hacking usually yields the largest access to patient information,"
Fricke notes. "Unprotected portable devices that are lost or stolen
can contain a lot of information, but generally not as much as a
clinical system with a database of patients."

Ambry Breach Details

In a statement posted on its website, Aliso Viejo, California-based
Ambry Genetics, a Konica Minolta company, says its security team
identified unauthorized access to an employee's email account between
January 22 and 24.

"We promptly initiated an investigation, with the assistance of
outside experts. The investigation was unable to determine whether
there was unauthorized access to, or acquisition of, any particular
information from the email account, and we are not aware of any misuse
of any personal information."

The company says it's notifying customers because of the potential of
their personal information being disclosed in the incident. That
information includes customers' names, medical information,
information related to customers' use of Ambry's services and, in some
cases, Social Security numbers, the statement says.

Ambry Genetics provides clinical genomic testing and diagnostic services.

"We have taken steps designed to prevent this type of event from
happening again, including through an ongoing effort to enhance our
security measures and to provide additional training to employees,"
the statement says. The company says it is also offering identity
monitoring services to potentially impacted individuals.

Ambry Genetics did not immediately respond to an Information Security
Media Group request for additional details about the breach, including
whether any genetic information was potentially exposed.

Protecting Sensitive Data

Healthcare entities that handle especially sensitive patient
information need to be vigilant in protecting the security and privacy
of that data.

"Genetic information is considered to be especially sensitive because
it is unique to the individual, cannot be de-identified and will
forever be linked to only one person in the world," says privacy
attorney David Holtzman of the security consultancy CynergisTek.

"Genetic data is used to diagnose manifested disease or disorders as
well as the manifestation of disorders in the individual or other
members of their family," he says. "Federal laws recognize the harmful
effects from the use of genetic information by prohibiting the use of
this data in the offering or underwriting of health insurance and in
employment decisions. Some states go further in prohibiting
discrimination on the basis of genetic data in most circumstances
including housing, education and financial services."

But unauthorized access to "raw" genetic data is not as much of a
concern as the interpretation of the genetic test data, Fricke of
tw-Security says. "Mental health data is certainly in the category of
'more sensitive' by way of comparison. In any case, any medical
information subject to unauthorized access and exposure is not good.
What criminals threaten to do with or actually do with any compromised
data, genetic testing-related or otherwise, is of concern."

Hacking Surge

Clyde Hewitt, executive adviser at CynergisTek, says the COVID-19
pandemic "has increased directed attacks toward laboratories and
research organizations. There may be several potential motivations to
conduct attacks; some based on a desire to control the virus, but
others based on greed," he says.

All medical laboratories should consider themselves to be high-value
targets, especially now as they potentially have large amounts of data
that could help develop a cure for COVID-19, Hewitt says.

"Responding to these attacks will require a top-down approach, where
the executive leadership team engages with their security staff to
identify all cyber risks, then provide resources to mitigate that
risk," he says.

Susan Lucci, a senior privacy and security consultant at tw-Security,
says the COVID-19 crisis will fuel the threats that have already been
playing out in the healthcare sector.

Hacking "has been trending consistently higher every year since 2012
with no indicators of slowing down," she says. "As we move further
into 2020, evidence shows that hacking of healthcare by any possible
means will continue."
