The attacker would like to portray itself as providing a service, but ransom and blackmail are better words.
CBC News says one or more people are demanding a payment from CarePartners, an Ontario home care provider, after apparently stealing thousands of detailed digital patient medical records.
“We requested compensation in exchange for telling them how to fix their security issues and for us to not leak data online,” CBC says an attacker told it.
To show it actually has the data, the attacker sent some files to the CBC. The broadcaster says they include phone numbers, addresses, dates of birth and health card numbers, as well as detailed medical histories including past conditions, diagnoses, surgical procedures, care plans and medications for patients across the province. The sample also included employee data. The attackers claimed it was only part of hundreds of thousands of patient records and related materials in their possession, going back to 2010.
CarePartners issued a press release June 18 saying it “has become the victim of a cyber-attack by sophisticated actors.” Patients and staff have been notified.
Later, someone claiming to be an attacker contacted the CBC. The attackers said they discovered “by chance” that software on CarePartners’ network had not been updated in two years, and were able to exploit those vulnerabilities and weak passwords to remove hundreds of gigabytes of data “completely unnoticed.”
“This data breach affects hundreds of thousands of Canadians and was completely avoidable,” the group told CBC News. “None of the data we have was encrypted.”
Waterloo, Ont. police and the Ontario privacy commissioner are investigating.
The incident is another example of how any organization of any size that holds personal health data can be a target for data theft and ransom demands. This data has to be protected with sophisticated methods, which could include, among other things, network segmentation, encryption of stored records and multi-factor authentication for those allowed access to that data. The attackers’ own account, if accurate, also points to more basic failures: software left unpatched for two years and weak passwords.
CBC News points out that under Ontario’s Personal Health Information Protection Act, health-care providers are required to “take precautions to safeguard against theft, loss, as well as unauthorized collection, use, disclosure, copying, modification or disposal of your personal health information” and ensure that health records are retained securely.