Last December, a ransomware infection of Albany, New York-based accounting firm BST & Co. CPAs LLC exposed the confidential data of their customers, causing a data breach for one of their health care customers as well as other clients of the firm.
Some of the data has shown up on the publicly accessible website of ransomware gang Maze, which "names and shames" victims into paying ransoms, says Brett Callow, a threat analyst with the security firm Emsisoft.
BST in its statement says the investigation into the attack determined that "certain personal or protected health information for individuals may have been accessed or acquired without authorization, including individuals' names, dates of birth, medical record numbers, medical billing codes and insurance descriptions. Patient medical records and Social Security numbers were not impacted by this incident."
Exfiltrated Data
The accounting firm says its investigation "did not confirm" that an unauthorized individual obtained individuals' personal information. However, Callow observed that BST data apparently exfiltrated in the December attack was visible on a Maze ransomware gang website by January.
"Some of what's been posted is database backup files," Callow notes, including an image of a check made payable to a BST unit.
Escalating Threats
"In the past, it was often said that backups were the best protection against ransomware. However, the risk of data exfiltration means that is no longer the case," Callow says. "While backups remain critically important, it is also critically important that organizations focus on detection and prevention in order to prevent data leaks."
Third-party Vendor Risk
Healthcare organizations need to be aware of the security risks posed by their service providers, including accountants, Callow says.
"Healthcare organizations cannot simply assume that service providers' security is as it should be; they need to ask questions and perhaps even require that providers have periodic security audits," he adds.
Vendors providing professional services have been implicated in other large health data breaches - including the largest incident in 2019 - a hack on American Medical Collection Agency, which affected more than two dozen of the firm's clients and 20 million individuals.
"The FBI and others have been alerting covered entities that hackers are shifting their attention to third-party vendors," CynergisTek's Hewitt notes. "This avenue allows hackers to leverage the one-to-many relationships and gather data / then extort many different companies."
Managing Third-party Vendor Risk is getting to be a major part of the security puzzle. KnowBe4 can help you with the new KCM Vendor Risk Management module. Get a demo here.
Full story at GovInfosecurity:
https://www.govinfosecurity.com/hacking-accounting-firm-affects-medical-group-a-13746
