The healthcare sector is a long-standing target of cyber criminals due to its valuable and often sensitive data exacerbated by internal vulnerabilities and weak human links. Recent reports from the US highlight the legal implications of data breaches and what it means for victims, the patients, whose wellbeing is of utmost importance.
A cyber-attack at the University of Connecticut and its affiliated teaching hospital accessed employee email accounts that could potentially compromise the names, dates of birth, addresses and limited medical information of 320,000 patients and the social security numbers of 1,500 patients.
A class-action lawsuit has been filed against UConn Health over its reported phishing attack and potential data breach. The lawsuit was triggered by one of the patients after a fraudulent charge was made from her bank account and caused an overdraft.
The lawsuit argues that UConn Health failed to:
Given that phishing attacks on healthcare organisations are common and well-known, the breach occurred due to a failure to implement adequate and reasonable cybersecurity procedures and protocols. What's more, UConn Health also failed to exercise reasonable care and to implement cybersecurity training, including, but not limited to, how to spot a phishing emails from unauthorised senders.
Deficiences in data security protocols imply that the breach was undetected for months, allowing intruders to access, view and steal patient data unabated. The incident also raises questions about what else the cyber criminals could do with the compromised PII/PHI, including potential exposure of patients to the risk of identity theft and fraud for the rest of their lives.
Lawsuits based on healthcare data breaches have become more common in recent years, as attacks continue to target the sector. Another good case in point is UCLA Health, which reached a $7.5 million settlement with the 4.5 million patients impacted by its 2015 breach.
Source: Health IT Security, March 2019.