It’s not a huge breach in terms of numbers compared to other breaches we’ve seen, but an incident reported by Crossroads Health in Ohio caught my eye because once again, it was old (legacy) data that was accessed and exfiltrated.
In an undated statement on their website, Crossroads explains that an unauthorized party gained access to their systems from November 21, 2021 to January 18, 2022 and removed some files.
Crossroads does not indicate why they only first identified the incident on January 18 instead of months earlier when it began, but less than one week after identifying that there was an incident, they determined that the exfiltrated files were from a legacy system that held information on clients of Beacon Health, a behavioral health facility that merged with Crossroads.
Beacon Health had provided services to adults with mental illness and addiction disorders, and the merger took place in July, 2019. Alt
hough Crossroad’s notification doesn’t give any indication of how far back the data on the Beacon Health system might extend, they reported to HHS that 10,324 patients were being notified.
Analysis of the files in the compromised system found that they contained: names, contact information, dates of birth, Social Security numbers, driver’s license numbers, treatment and diagnosis information, and/or health insurance information for the Beacon Health patients.
Concerned individuals can read the rest of the notice on Crossroads Health’s website.
But the point of including this incident on this blog is to point out that legacy data or old data continues to pose a risk of significant breaches. This site has reported on a number of incidents in the past year from both the education sector and the healthcare sector where there was old — and in some cases, really, really old data on systems that were attacked.
If you don’t need the data for current operations, then why not encrypt it and take it offline (if you are not legally permitted to purge it)? It’s often cheaper to prevent breaches than to respond to them. What would it cost you to do secure and take old data offline versus what it would cost you to investigate an incident, track down ten thousand or more patients — many of who may have moved or passed on — send notifications offering mitigation services that also cost you, and then defend an almost inevitable lawsuit? And then, of course, there’s also the issue of an investigation by HHS OCR and/or state attorneys general.