Remember when Britton White and DataBreaches discussed employees having their work credentials compromised by infostealers and how employers might want to require employees to notify them whenever an employee’s device was compromised if the device had stored login credentials?
University of Miami Health posted a breach notice this week that caught my eye. From the notice (emphasis added)
This notice is to inform the public that the University of Miami investigated a security incident that affected a limited number of UHealth – University of Miami Health System patients. While we have no reason to believe your information has been or will be utilized inappropriately, we want you to understand the steps we have taken to address this issue and additional steps you can take to protect your personal information.
An employee experienced identity theft that included an intrusion into their work-associated UM email account. Following a thorough investigation, we discovered that emails containing the name and medical record numbers of some patients were forwarded to a third-party email account.
Did the employee notify their employer promptly upon discovering that they were the victim of identity theft? Had they discovered any compromise before then and if so, had they informed their employer immediately? And does this mean that U. Miami Health did not have two-factor or multifactor authentication required for the employee to access their UM email account, or did they have it but the other factor was a text message and the employee’s phone had been compromised too?
DataBreaches wrote to U. Miami Health to ask them about any policy requiring employees to disclose any breaches involving personal devices and if this incident would alter any of their policies or practices. No reply has been received by publication, but the risk from infostealers and other nasties is increasing, not decreasing. While we do not know how this ID theft occurred, the risk is real. As part of required risk assessments, how many entities have reassessed or considered the growing risk that personal devices containing stored login credentials to work are increasingly likely to be compromised these days?