DataBreaches.Net

Ah, less-than-sweet mysteries of life: when you can’t figure out if or how you were breached

Posted on September 24, 2012 by Dissent

How frustrating for everyone: St. Agnes Hospital in Baltimore learned that 40 of its physicians had become victims of ID theft. Hapless victims had their names and Social Security numbers used to create wireless telephone accounts that they knew nothing about until they started receiving overdue notices from creditors.

But despite its best efforts to identify any internal source of the breach, St. Agnes Hospital could not find any confirmation of a breach. In a letter to those affected, the text of which was submitted to the state last month, they write:

Once the reports were received, we reviewed all of the points of access and storage for this type of information in Saint Agnes systems. The only system that maintained the same information for all physicians making reports was the credentialing system. We conducted a careful access review and interviews and failed to detect unauthorized access, access after normal business hours, or any other suspicious activity in the system. We were unable to determine that there was a breach of any of our systems that allowed disclosure of the physicians’ personal data.

So what do you do when you suspect your organization has suffered a breach and you think you’ve narrowed it down to one part of your system, but you can’t find out how or when it happened? In this case, the hospital notified physicians that despite its inability to confirm any breach, given the seriousness of the problem, it intended to:

  • Review the list of users with access to sensitive personal data and minimize access where possible to only those who have a business need to access or review the information;
  • Refresh HIPAA privacy education in those departments routinely using physician information; and,
  • Investigate disguising or eliminating social security numbers in data systems where they are stored.

That’s nice, but shouldn’t they have been doing all of that already? And how about running more extensive criminal background checks on employees who could be simply writing down names and SSNs as they access data for their routine job duties? We’ve seen too many insider breaches in hospitals. Usually it’s patient data being sold, but why not physicians, too?
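The access review the letter describes, and the point just made about an insider copying names and SSNs during routine work, can be scripted as a defender's triage that ranks users by how much of the affected-physician set their accesses cover rather than only checking for after-hours activity. This is an added example, not the hospital's or anyone's tooling; the log format, user names, record ids and business-hours window are constructed assumptions.

```python
# Access-review triage for a credentialing system, as a defender would script it.
# Added example, not the hospital's own tooling; log format, user names and
# record ids are constructed. Idea: a user whose routine accesses happen to
# cover nearly every affected physician stands out even with nothing after hours.
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2012-06-04T09:12:00 jsmith DR_A
2012-06-04T09:15:00 jsmith DR_B
2012-06-04T21:40:00 jsmith DR_C
2012-06-05T10:02:00 mlee DR_A
2012-06-05T10:05:00 mlee DR_D
2012-06-06T11:00:00 jsmith DR_D
2012-06-06T11:30:00 rkhan DR_B
2012-06-07T14:00:00 rkhan DR_E
malformed line here
"""
AFFECTED = {"DR_A", "DR_B", "DR_C", "DR_D"}  # constructed: physicians who reported ID theft


def parse_log(text):
    """Yield (timestamp, user, record) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"), parts[1], parts[2]
        except ValueError:
            continue


def review_access(log_text, affected, start_hour=7, end_hour=19):
    """Per user: share of affected records touched, after-hours accesses, total.
    Sorted so the user covering most of the victim set comes first."""
    touched, after_hours, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for ts, user, record in parse_log(log_text):
        total[user] += 1
        if record in affected:
            touched[user].add(record)
        if not start_hour <= ts.hour < end_hour:  # outside the assumed business hours
            after_hours[user] += 1
    report = {u: {"coverage": len(touched[u]) / len(affected),
                  "after_hours": after_hours[u], "total": total[u]}
              for u in total}
    return dict(sorted(report.items(), key=lambda kv: -kv[1]["coverage"]))
```

On the constructed log, jsmith covers all four affected records with only one after-hours access; a review that keys on "access after normal business hours" alone would barely notice that account.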


4 thoughts on “Ah, less-than-sweet mysteries of life: when you can’t figure out if or how you were breached”

  1. Dave says:
    September 24, 2012 at 11:33 am

    You might wish to change:

    “used to create wireless telephone accounts that they knew about”

    to read:

    “used to create wireless telephone accounts that they knew NOTHING about”

    1. admin says:
      September 24, 2012 at 12:11 pm

      Oops – fixed that pre-caffeine omission. Thanks!

      1. Dave says:
        September 24, 2012 at 12:19 pm

        😀 Welcome.

  2. IA Eng says:
    September 25, 2012 at 12:27 pm

    If it is not obvious how the “breach” happened, it could be a lot of different avenues.
    1. Insider Threat
    2. Insider Threat at another institution that all affected are a member of (bank,ISP,phone,ecommerce, even hospital gift shop or a charity they give to).

    The possibilities are endless how this could have happened. They could see if there AREN’T any people on the list, meaning, they may have come onboard AFTER the breach was leaked, and can narrow down the potential breach time frame.

    Without knowing all the information, if it was specifically just doctors, or a particular wing or department within the hospital, it could be a sort of revenge tactic where someone simply hand jammed the data on paper and then sold or gave the info away.

    All it takes is one luncheon at a compromised system that everyone (or most) attended, whether it was a lunch, going away party, happy hour or otherwise, and there ya have it.

    Sometimes it’s not the institution’s fault, but they will still have to show face and eventually find out the cause of the leak.

    Again, it seems like this organization is doing its own form of forensics. It’s best to bring in the professionals to look for the breach/compromise. It will prevent most potential cover ups and potential evidence remains intact vice being tainted and unusable in a court of law.

    Most hackers KNOW that the off duty hours is probably not the best time to try and gain access to a system. Usage is low and network spikes are very evident in the evening hours. Many hackers will try to lay low and attempt “break ins” during the day when a user account and password combo is typically used, and if a few unsuccessful attempts are acceptable.

Comments are closed.