Another massive security health care records hacking incident now shows that providers beyond hospitals and insurance companies must also be on alert. This time intruders struck cancer-care provider 21st Century Oncology.

The breach may have led to a leak of data on as many as 2.2 million patients. The Florida-based company has 145 U.S. cancer treatment centers and another 36 in Latin America. Its database held personal information of patients, including names, social security numbers, physicians' names, diagnoses and treatment information, and insurance information.

"We have no evidence that patients' medical records were accessed," the company said in the public announcement news of the incident earlier this month. It further clarified that at this time, "We have no indication that the information has been misused in any way."

The FBI first alerted the company in November, 2015, but requested the firm keep the information private until early March, while it investigated. The case is ongoing.

"Upon learning of the intrusion, we immediately hired a leading forensics firm to support our investigation, assess our systems and bolster security. Based on this investigation, 21st Century has determined that the intruder may have accessed the database on October 3, 2015, the company noted.

The company will offer "one year of free identify theft protection services to potentially affected patients," it stated.

This latest case just underscores the security challenges — and expense — faced by a growing number of types of firms housing health care data.

“The attack on 21st Century Oncology Holdings shows that large health care networks remain under constant and sophisticated attack,” Carl Wright, executive vice president of TrapX Security explained to Infosecurity magazine. “Beyond hospitals as the obvious targets of choice, the attack on 21st Century Oncology Holdings also shows the broad-scale emerging threat to many other types of health care institutions and providers."

He added that this latest case just underscores that “sophisticated attackers continue to overwhelm legacy cybersecurity defenses and IT teams.” The cyber-expert noted to the magazine that as best practices for IT advance, these new cat-and-mouse challenges need to be faced with bolder pre-emptive strategies, such as drawing out hackers by the use of "fake medical devices and access to fake patient databases."

Health care data is among the information most prized by thieves. Unlike other personal material, it tends to have a much longer shelf life, which explains the growing popularity for hackers of sites such as 21st Century Oncology, Kunal Rupani of enterprise productivity provider Accellion told the magazine.

“Unlike credit card numbers and other financial data, health care information doesn’t have an expiration date. As a result, a patient’s records can sell on the black market for upwards of fifty times the amount of their credit card number, making hospitals and other health care organizations extremely lucrative targets for cyber-criminals.”

Business Affairs Homepage