How far can cybercriminals go?
Can they breach your home network?
Could they get through your work computers?
What about big organizations? What if they climbed all the way up to the United States government?
That’s not a hypothetical. In recent years, data breaches have consistently plagued individuals, organizations and governments of all sizes, all over the world. Recently, DC Health Link, a dominant health insurance marketplace in Washington DC, announced a data breach that potentially affected the PHI of over 56K customers — many of whom work in or around Congress.
What Is PHI?
To understand the scope of this attack, first you need to know what PHI is. Protected Health Information encompasses all health-related information that is collected, stored and shared. All workers in the healthcare industry are duty-bound to protect the privacy of your PHI by the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which established the first regulations about how to safeguard digitized PHI from unauthorized access.
Much like personally identifiable information (PII), PHI includes personal information like your name, address and Social Security number. Unlike PII, however, your protected health information also encompasses things like your medical records, insurance, X-rays and scans; all data that medical professionals need to conduct their business, but you wouldn’t want in the hands of someone you don’t know.
If you’re in a position of authority — like, say, a sitting United States Congressman — concerns only multiply. Not only could the leaked PHI help a criminal impersonate or victimize you, but your public service only amplifies your name…and the target on your back.
What Happened to Congress?
Out of the 100K members who carry insurance through DC Health Link, over 10% are Congress members or staff. This is a twofold concern: firstly for the physical and digital safety of those who had their information leaked, and secondly for how an attack weaponizing that information could impact national security.
Private information leaked in the breach includes Social Security numbers, birthdays, health plan information, employment details, citizenship status, race, gender and contact information. In mid-May, any or all of that data was exposed, affecting at least 56,415 customers. Thus far, 17 former or current Congressmen have been confirmed to have had data exposed in the leak and more are expected to join that number. Some Senators have potentially been exposed as well.
Many of the leaked records have already appeared for sale on the Dark Web. DC Health Link has offered its customers three years of dark web, identity and credit monitoring services that track all three credit bureaus. Despite this, a class action lawsuit has been brought against them seeking to increase audits, automate better security provisions, and improve their internal cybersecurity posture.
Do you handle others’ PHI in the course of your workday? It’s not just healthcare professionals who have to pay attention; business associates of these providers may also handle client data in the course of their own operations. Think about lawyers investigating medical malpractice suits, the third-party services a hospital uses to back up its data, and even traveling medical professionals coming in and out as needed.
Organizations must have stringent security measures in place! This includes securing networks and databases, encrypting systems for storing PHI, and establishing various access levels that protect it from unauthorized eyes. Of course, that’s only the tip of the iceberg.
PHI must be kept secure and accessible only to those who need it in order to provide care or perform administrative tasks related to health care services. Understanding the regulations surrounding PHI is important for healthcare organizations in order to ensure compliance with HIPAA and other data privacy regulations.
This leak of information on Congress members and staff is worrisome, but not new. Attacks on major databases, like your healthcare provider, are an efficient means to steal private information on a lot of people at once. The authoritative position these particular victims carry was simply an added draw for the threat actors at fault.
Insufficient cybersecurity has major consequences: reputational, financial and legal. This incident demonstrates just how deep the damage can go.
Who’s in charge of your PHI? Do you know how well-protected it is within their systems? It’s not too late to better secure your protected health information and your personally identifiable information. The more you know about the threats posed to your data, the smarter decisions you can make about it.