I’ve continued to add updates to a post about the Netgain Technology breach. Keep in mind that the ransomware incident occurred in November 2020, and since January we have seen entities disclosing the incident. But one disclosure today is somewhat frustrating to read — and not just for the delay in notification, but for the fact that Netgain had the data at all at the time of the incident.
Caravus is an independent health care insurance broker based in St. Louis, MO. From their press release today:
Though Caravus was formally informed that its data was not impacted by this incident, we recently learned that Netgain failed to destroy some legacy Caravus data on an old server following a data migration it oversaw in 2015.
… Our investigation determined on April 26, 2021 that this incident may have involved some individuals’ personal information that Caravus maintained on behalf of their employers in or before 2016 being accessed and/or acquired by an unauthorized individual. This information could include names, addresses, Social Security numbers, and/or health information, as well as financial account information and/or driver’s license numbers for a limited number of individuals. The information impacted is not the same for everyone affected.
So for more than 5 years, that data sat on an old server and Netgain never securely deleted it or encrypted it at rest?
Unfortunately, this is not a particularly rare occurrence. DataBreaches.net has reported on other incidents where data was left unencrypted on old servers that were acquired during corporate takeovers or other changes. How often it happens is unknown to this site, but it is probably just a matter of luck that more entities haven’t had major breaches of this kind.