Morning Read: UNC Health Care Informs 1,300 Prenatal Patients of Possible Data Breach
Welcome to the Morning Read, a daily post where I recommend and discuss a white paper, blog post, chapter of a book, or some sort of text I find useful for DFIR analysts.
Today’s Morning Read has been making the rounds of various data breach sites, and is from a press release that came out two days ago, on March 20, 2017. Here’s the release from UNC Health Care:
UNC Health Care notifies prenatal patients of possible information breach
Contact: Courtney Mitchell, 919-843-4927, Courtney.Mitchell@unchealth.unc.edu March 20, 2017 CHAPEL HILL, N.C. - UNC…
You can find a couple of sample articles below:
UNC Health Care Informs 1,300 Prenatal Patients of Possible Data Breach
The Chapel Hill, N.C.-based UNC Health Care is notifying patients of a potential data breach where personal information…
Data breach may involve hundreds of UNC Health prenatal patients :: WRAL.com
UNC Health Care said Monday it has begun notifying patients of a potential breach where personal data provided by…
On March 20, 2017, UNC Health Care released that it has begun notifying a select group of patients of a data breach. However, this is not a typical announcement where the organization then discusses how they got breached due to XYZ means by external hackers. Instead, this data breach occurred because sensitive data was accidentally sent to local county health departments.
I appreciate that UNC also restated that the county health departments who have received the data are subject to federal and state privacy laws — even with that in place, this is still being called a data breach.
The data breach affected approximately 1,300 patients who completed Pregnancy Home Risk Screening Forms between April 2014 and February 2017. This data included SSNs, physical/mental health, as well as HIV and STD statuses. This is extremely sensitive data that could not only lead to identify theft, but also cause embarrassment for folks who thought that what they were sharing was private.
- The breach of data was due to a mistake transmission — not an external attack. For some, this would not be constituted as a data breach. Just a “I’ll call Johnny over at the office and get him to fix it”. I agree with UNC in this case — this is a data breach, and that needs to be common.
- The data impacted was collected from April 2014 — February 2017. That’s close to three years of data! I’m curious if this was on ongoing issue, or if a bulk transfer of data at the end of February/beginning of March wiped away nearly three years of good practices.
Suggestions for Analysts
This is an interesting take on a data breach. I’m sure it is not the first of its kind, however I find it interesting that a data breach results from transmission of data between two health “organizations”. For folks working internal security, make sure that data transfers of this kind are included in your monitoring and/or recovery plans.
I have some family members who work in the medical field, and I’ve unfortunately heard countless stories of how data has been mishandled. There is a LOT of data transfer taking place in healthcare fields, especially as patients feel that choosing a practice/doctor is similar to a Golden Corral buffet line and health “problems” pop up almost weekly. If data transfer of this kind is a normal part of business, then there needs to be monitoring in place.