What we can learn from Smollett’s medical record breach

When ‘Empire’ star Jussie Smollett reported a racist and homophobic attack in Chicago, no one suspected that he’d end up charged with orchestrating the assault against himself. Now, Smollett has some company in suffering blowback from the affair. According to NBC, more than 50 staff at Northwestern Hospital have been fired for accessing Smollett’s medical records from when he was admitted to the facility following the alleged attack.

The firing is being disputed by some of the dismissed staff, who claim that termination is an overly-harsh reaction. The hospital, though, insists it’s following the strict requirements of the Health Insurance Portability and Accountability Act (HIPAA).

The Smollett case isn’t unique. ProPublica records several incidents where hospital workers chose to look through the records of celebrities for no legitimate reason. In one disturbing incident, UCLA Medical Center staff perused Britney Spears’s psychological evaluation in 2008. Other victims include Michael Jackson, George Clooney and Kim Kardashian.

A few of these breaches came to light when someone tried to sell the stolen medical data or give it to the media. In most cases, however, the breaches seemed to be driven by nosiness, and were discovered by medical centers’ internal systems.

In some ways, this shows the success of HIPAA, the US law which includes strong privacy requirements for patient medical data. In the cases above, healthcare providers detected the breaches and did the responsible thing.

However, on the other hand, it’s hard to gauge what you might not know. If we only know about these breaches because they were responsibly reported, then perhaps there are others that were never detected or were quietly covered up by a hospital or doctor.

We also don’t know about the breaches that aren’t due to medical staff snooping, but due to hackers getting round the standard access systems and exfiltrating private data.

In July 2018, an enormous hack in Singapore’s government health database gave attackers access to 1.5 million patient records. The government called the attack “deliberate, targeted and well-planned”, perhaps hinting that a nation-state could be responsible. Details concerning outpatient prescriptions for 160,000 patients were exposed, and Singapore’s cancer-survivor Prime Minister Lee Hsien Loong was “specifically and repeatedly targeted”.

Similar attacks have become common in the US. The “Obamacare” enrolment website Healthcare.gov was breached and 75000 records were accessed in October 2018. In a few cases, a breach was found several months after the fact, again raising the question of how many thefts could have been missed.

Celebrities have been directly targeted by hackers, too. In late 2014, it emerged that a large number of celebrities had their Apple iCloud storage hacked, allowing the theft of their private photographs. The data was stolen via a vector that the victims probably hadn’t considered; they were taking photos on their phones or sending them to friends, but their phones were automatically sending those photos to cloud storage too. It was accessed through a combination of social engineering, password guesswork and weak account security — for example, a lack of two-factor authentication (2FA).

The three attack vectors discussed above — celebrity hacks, celebrity healthcare snooping and healthcare hacks — all come together to make one virtual certainty: hackers, fraudsters and phishers want to get hold of celebrities’ medical data — whether to sell to the National Enquirer, for blackmail, sheer curiosity, or even for the purposes of insider trading.

You might expect a hospital system to be more secure than a celebrity’s iPhone, but in reality it’s more complicated. Apple iCloud, for example, is a highly secure system and Apple has an enormous cybersecurity department to keep it that way.

The systems that make up a modern doctors’ office, hospital or small insurer are likely to a lot LESS inherently secure than iCloud.

Healthcare networks usually involve multiple systems from different vendors mixed with old legacy systems. They also often have to be connected to other healthcare providers, creating a bigger ‘attack surface’. And it’s not just traditional computers and servers. More and more smart medical devices are network-enabled, collecting patient data in real time and often sending it unsecured to hospital servers. All of this makes modern healthcare infrastructures very porous and difficult to secure. There are just too many ways in and out.

Enormous data breaches of hundreds of thousands of patients are commonplace but perhaps the headlines generated by celebrity privacy breaches are what will encourage healthcare providers to properly secure their networks and patients.