Last month, the Georgia Supreme Court began hearing arguments in reference to the 2016 data breach suffered by Athens Orthopedic Clinic. The breach involved the leak of personal details such as the Social Security numbers and health insurance information of approximately 200,000 individuals. A hacker who went by the pseudonym The Dark Overlord issued a ransom demand, threatening publication of the stolen data. Athens Orthopedic did not pay the ransom.
According to reports, The Dark Overlord gained access to Athens Orthopedic's systems via an external cyberattack on its electronic medical records, using the credentials of a third-party healthcare information vendor. Additionally, several databases with patient information had allegedly been put up for sale on the dark web. Soon afterward, the data breach victims filed a class-action lawsuit in the Georgia Supreme Court to determine whether they are entitled to recover damages. The victims sought compensation for the time spent protecting their identities and reimbursement of legal fees and costs of previous and future credit and monitoring services.
However, the case was dismissed by the Trial Court and the Georgia Court of Appeals, as the plaintiffs could not prove financial loss or damage as a direct result of the attack. Consequently, they are not entitled to claim damages under Georgia law. This decision was appealed, and whether the plaintiffs suffered compensable injuries is being determined as of this writing.
Healthcare in the crosshairs: Why is healthcare being targeted by hackers?
In the past decade, attackers have regularly targeted the retail and financial sectors. But now they’ve cast their nets over other industries, showing that even the most unlikely victims and most formidable of institutions could easily be preyed upon by online crooks. Enterprises and small- to medium-sized businesses (SMBs) have all become targets, making customers feel uneasy about the security of their data, such as their critical healthcare information.
It’s all about the data. Healthcare service providers have huge databases that serve as repositories of customer information that cannot be easily replaced. When credit card data is stolen, cardholders can quickly cancel their cards and ask their banks to issue new ones. Information related to healthcare, such as Social Security numbers and laboratory exam results, is drastically more difficult and more costly to replace. There are other reasons why protected health information (PHI) is kept private. For instance, illnesses and conditions carry with them a social stigma that can make it harder for people to find (and keep) jobs and feel welcome in their communities.
The attack strategies employed in the incident above show that attacks on the healthcare industry are not slowing down. The numbers back it up: according to the latest breach barometer report, almost 32 million patient records were breached in the first half of 2019. This reflects a huge spike from 2018’s breach records.
How can you secure your healthcare data?
With sophisticated schemes at play, all providers must invest in measures and solutions built to keep up with the threats that come their way. Protecting the healthcare information of your customers should involve covering all the bases of cybersecurity, including guarding patient portals, proactively preparing against data loss, detecting breaches, auditing for compliance, safeguarding medical equipment and devices, securing legacy systems, and watching for possible endpoints that may be attacked. It is also important to engage all staff in basic security training to ensure that human error will not lead to system vulnerabilities.
The ability to carry out contingency strategies such as a strong data backup and recovery plan can be a critical factor in how well you can respond to and recover from a cyberattack like the Athens Orthopedic incident, including extortion attempts.
If you’re looking for a cost-effective way to prioritize your cybersecurity protocol and patient data, Athens Micro can provide a robust security strategy for your business. As the leading managed IT services provider in Athens, it is our responsibility to look out for businesses that handle critical data and ensure that they remain secure and protected, always. Call us today for a thorough assessment.