Hackers are starting to target law enforcement agencies who maintain mountains of personal data on individuals in their communities. In June it was announced that sensitive data from more than 200 police departments and the FBI was leaked by a group known as Distributed Denial of Secrets, or DDoSecrets. Some believe that law enforcement agencies are becoming a prime target for hackers, given recent civil unrest and protests against policing activity.
DDoSecrets describes itself as a whistleblower group, intent on bringing private information into the open for the public to see, similar to WikiLeaks. Whether one agrees with the core mission or not, is the collateral damage to individuals whose private data is published worth the cause? Privacy laws in the U.S., at the state and federal level are designed to protect individuals’ right to privacy, but cyberthieves can sweep away the protection with a few keystrokes.
The hackers succeeded by attacking a web development company, Netsential, a third party vendor to many law enforcement customers. Netsential failed to protect the data it held, and its customers failed to require better security measures. A similar scenario happens in healthcare all too often.
Medical Information Revealed
In a continuation of the BlueLeaks saga, last week a South Dakota law enforcement agency announced that sensitive data containing individuals’ COVID-19 status was leaked. The data also contained names, addresses, and birth dates. Although the agency is not covered by HIPAA – it’s not a covered entity – the parallels to healthcare are clear.
Third-Party Vendors are a Weak Link
Healthcare covered entities commonly use third-party vendors (business associates) to support their organizations. Both are required to comply with HIPAA.
When a covered entity performs its HIPAA Risk Analysis, it needs to do “due diligence” concerning its business associates. This means taking an inventory of all its business associates, and asking questions like “do you comply with HIPAA?” and “when did you last perform a HIPAA Risk Analysis”. The questions and answers must be documented, and there should be a HIPAA compliant business associate agreement in place.
Cybertheft on the Rise During COVID-19
The BlueLeaks event described here, while not covered by HIPAA, is a stark warning for covered entities and business associates in healthcare. Dealing with urgent COVID-19 problems can seem more important than maintaining cybersecurity hygiene. Criminals know this. They identify organizations stressed by COVID-19 and target them with automated probes and socially engineered phishing attacks. If you’ve let your guard down you’re in trouble, and patient data is at risk. Don’t let it happen to you, and if you need help, we have answers at The HIPAA E-Tool®.