21st Century Oncology, a Florida-based chain of cancer treatment centers, got the knock on the door that every CEO fears.
The FBI came to tell them that hackers had accessed a database of 2.2 million clients. The data includes names, Social Security numbers, physicians' names, diagnoses, treatment information and insurance information.
As I say all the time, one of the challenges of a cyber theft is that there is much less evidence than in the brick-and-mortar world. In the physical world, if someone breaks into a store, for example, there might be a smashed front window and, for sure, the merchandise that was taken is missing when the store owner opens up in the morning.
In the cyber world there are clues, too, but they are much more subtle. After all, the data you had before the breach is still in your computer after the breach. There may be log file entries that provide clues, but often the data needed to detect the attack is not even being collected, and if it is collected it is not being examined. Typically, access occurs using stolen or phished credentials, so the activity appears to come from a legitimate user.
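To make that detection problem concrete, here is an added example (not from the original post) that runs a few credential-misuse checks over constructed patient-database access log lines: a login from a country the user has never used before, a read volume far above the user's own baseline, and access outside office hours. The log format, user names and thresholds are all assumptions.

```python
"""Flag credential-misuse indicators in constructed patient-database access logs.

Added example, not from the original post. Log format, user names and the
detection thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one access event per line.
# Fields: timestamp | user | source_country | records_read
SAMPLE_LOG = """\
2015-10-01T09:12:00 dr_smith US 12
2015-10-01T10:40:00 dr_smith US 9
2015-10-02T14:05:00 dr_smith US 15
2015-10-03T02:30:00 dr_smith RO 1800
2015-10-01T08:00:00 billing1 US 40
2015-10-02T08:15:00 billing1 US 35
2015-10-03T08:20:00 billing1 US 38
"""


def parse(log_text):
    """Turn the whitespace-separated sample format into event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, user, country, count = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "country": country, "records": int(count)})
    return events


def detect(events, volume_factor=10, office_hours=(7, 19)):
    """Return (user, timestamp, reasons) for events that break the user's baseline."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        seen_countries, baseline = set(), []   # per-user history so far
        for e in evs:
            reasons = []
            if seen_countries and e["country"] not in seen_countries:
                reasons.append("new_country")
            if baseline and e["records"] > volume_factor * (sum(baseline) / len(baseline)):
                reasons.append("bulk_read")
            if not office_hours[0] <= e["ts"].hour < office_hours[1]:
                reasons.append("off_hours")
            if reasons:
                alerts.append((user, e["ts"].isoformat(), tuple(reasons)))
            else:  # only clean events extend the baseline, so a spike cannot normalise itself
                seen_countries.add(e["country"])
                baseline.append(e["records"])
    return alerts
```

Run `detect(parse(SAMPLE_LOG))`: only the 02:30 read of 1,800 records from a new country is flagged; the billing user's steady daytime volume is not.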
The FBI visited 21st Century last November but asked them to keep quiet until this week while it investigated the incident. This could mean the FBI is looking into other breaches as well.
As more medical data is stored online, these breaches continue to rise and until the healthcare industry improves security, the hackers will continue to win.
Even at this early stage, the company is saying, in their 8-K filing with the SEC, that they likely do not have enough insurance to cover the costs. This is pretty typical. An incident like this could possibly cost them between $250 and $500 million when all is said and done. Even if they have $100 million in insurance – and they have not said how much insurance and of what type they have – that still leaves them writing a large check.
The fact that they found out about the incident from law enforcement is actually more typical than you might think.
According to Kurt Long, CEO of Fairwarning, in nearly 70 percent of breaches involving protected health information the company finds out when law enforcement comes knocking on their front door.
From a brand reputation perspective, that is NOT how you want to find out.
Data for this post came from Data Breach Today.