Starling Physicians Data Breach: What You Need To Know
Connecticut-based Starling Physicians, which operates 32 locations in the greater Hartford area, announced a data breach this month linked to a cyber attack dating back to February.
When we first learned of this breach, we were discussing it around the office and quickly learned that three Kelser employees are parents of kids who are patients at a Starling practice. NBC Connecticut stopped by our office both to hear from these parents and for insights on cybersecurity from me.
What data was stolen and what can parents do?
When the story was filmed, neither of the parents had been notified that their kids were affected by the breach. Thankfully, they still have not. Starling says that only .01 percent of their patients’ data was stolen. What was stolen included names, addresses, dates of birth, passport numbers, Social Security numbers, medical information and health insurance or billing information.
While the portion of patients affected is small, with 32 locations, the number could be in the hundreds or even thousands, and the type of data breached poses a serious security risk to the individuals affected.
As we’ve covered before, medical data is one of the most valuable types of information on the black market. It can be used not only in identity theft, but also in insurance fraud. One of the main questions from NBC Connecticut was what can be done to protect or monitor a child’s identity.
Though kids don’t have a credit report, you can still register them with credit monitoring services such as Experian. In fact, a while back, I was able to see and shut down suspicious activity on one of my kids’ Social Security numbers using this service.
How could this have been handled better or even prevented?
The 9-month delay between when the breach occurred and when it was announced is surprisingly common. Hackers often get into systems undetected and stay there to continue gathering data. While we know the date the cyber attack occurred (February 8), I have not seen it publicly stated when Starling learned of the attack. That is a crucial detail, likely omitted because no one wants to admit that hackers had access to their data for any period of time.
Breaches sometimes can’t be made public immediately because there’s work taking place to track what was stolen, figure out who is responsible, and close the gap. However, this shouldn’t take 9 months. By comparison, Wizards of the Coast, the company that makes Magic: The Gathering, recently experienced a breach and disclosed it three days later. Capital One learned of their breach earlier this year about 3-4 months after it happened, and disclosed the breach within two weeks of its discovery (after the hacker was arrested).
The Starling breach occurred as a result of a phishing attack. Phishing techniques are getting more sophisticated every year, so it’s possible that hackers very convincingly posed as a Starling employee to gain access to a server or perhaps to a service of some kind that Starling uses to manage records (not unlike the phishing attack we recently simulated for one of our clients). The main way to prevent phishing attacks is through regular cybersecurity awareness training for all employees.
There are also technologies, such as Cisco Umbrella, that can automatically prevent many phishing attacks by blocking suspicious URLs. In addition, cybersecurity monitoring likely could have detected the breach sooner.
Ultimately, it’s fortunate that this breach affected relatively few people (certainly fewer than the massive UConn Health breach last spring). Nonetheless, the issues the Starling Physicians breach brings to the forefront—such as protecting the identity of kids as young as one—underscore the importance of a strong cybersecurity posture for healthcare organizations.