Everything We Know About the UConn Health Data Breach
UConn Health announced a large data breach, and as is often the case, not many details were made available about it. In the hours after the announcement, two local news stations turned to Kelser to fill in the blanks.
Here’s what we did know immediately after the breach:
- Data was breached via unauthorized access to employee email accounts
- The breach was discovered on December 24, 2018, but not announced until February 22, 2019
- The breach affects approximately 326,000 individuals whose names, dates of birth, addresses, billing, and appointment information may have been compromised
- Approximately 1,500 individuals may have had their Social Security numbers exposed in the breach
- UConn Health is notifying those affected and offering identity protection
That leaves so many questions unanswered, so news outlets reached out to Kelser for perspective. One of the main subjects they wanted to discuss was what folks who may have been affected should do now to protect themselves.
My advice to anyone who may have been affected by this breach is to take the following steps.
- Freeze your credit (always a good idea - you can unfreeze it at will)
- Monitor your credit (hackers may use data obtained to open accounts in your name)
- Be extra suspicious of unexpected emails and phone calls
The last one is easy to miss. On the surface, one might wonder what the big deal is about having your address, phone number, appointment and payment information stolen by hackers. These data points are pretty harmless in and of themselves, but hackers can use them in spear phishing attacks to trick you into giving up more valuable information.
For example, now that hackers know what doctors you see and when you last saw them, they could call, write, or email you posing as your doctor’s office. Perhaps they’ll say there was a problem with your payment. Maybe they even have the last 4 digits of your credit card—they just need the rest. Since everything seems so real and so specific to you, you might not think twice about giving up your full credit card number, expiration date, and security code.
Another huge question here is, “How could this happen?”
In the absence of confirmed information we can only speculate. Since the UConn Health data breach originated with employee email accounts, it’s possible that the source was an employee. A very high percentage of cyber attacks start with social engineering (a hacker tricking someone) or deliberate sabotage. In all likelihood, an employee received a phishing attack like the one described above, only the target was his or her login credentials instead of a credit card number. Another possible scenario is that someone wanted to do damage and purposefully caused the breach.
(3/20/19 Update - UConn Health has confirmed that the breach was related to a phishing attack. More coverage in the video below.)
It’s scary stuff, and it leaves one wondering, “How could this have been avoided?”
Kelser works with massive organizations like UConn Health to design their IT systems, and one strategy we look to implement is compartmentalization. We make sure that if one employee’s email account is compromised, the damage will be contained. Each user in the system is able to access the data they need to do their job, but limits are placed on accessing or exporting extraneous data. With over 300,000 individuals potentially affected by this breach, it would appear that perhaps sufficient measures were not in place to limit the scope of a breach.
Another key preventative strategy we use is cybersecurity training. If indeed the UConn Health data breach stems from an employee who was tricked into providing access to hackers, awareness would have been the primary defense layer that could have prevented this breach. Hackers’ tactics are always evolving and it’s easy to get complacent, so frequent cybersecurity training is a vital part of any comprehensive cybersecurity strategy.
Finally, tools such as Cisco Umbrella—which scans all traffic and links—can be a useful failsafe against phishing attacks. Even if an employee doesn’t recognize a phishing attack for what it is and begins to take the bait, the system will stop him or her from accessing the phony websites often used to capture account data.
Our hearts go out to everyone involved in this situation. The last thing anyone wants when they go to the doctor is to worry about the safety of their data. Unfortunately, the healthcare industry is a particular target of hackers. It’s up to healthcare businesses large and small to do all they can to put multi-layered cybersecurity in place to prevent and contain incidents like the UConn Health data breach.
3/20/19 Update - Added updated information and additional video from NBC Connecticut coverage.