Healthcare Data Breach Exposes 1.3 Million Patients

Do you make use of the “MyChart” portal to refill prescriptions, contact your healthcare providers or make appointments?

If so, you should know that recently, the healthcare giant Novant disclosed a data breach that impacted more than 1.3 million patients.  Impacted patients had their personal information collected by a Meta Pixel ad tracking script.

Meta Pixel, which was formerly known as Facebook Pixel, is a mostly innocuous tracking script used by Facebook advertisers to track the performance of their ads.

According to Novant’s disclosure, the unauthorized access of patient data began in May of 2020 when the company ran a promotional campaign that involved Facebook advertisements.  In a bid to track the effectiveness of those advertisements, Novant utilized the Meta Pixel code.

Unfortunately, the code was not configured correctly on the Novant site, and the company’s “MyChart” portal began transmitting personal information to Meta and its advertising partners.

The patient information that may have been exposed includes:

  • Patient Email address
  • Patient Phone number
  • Patient Emergency contact information
  • Appointment type and date
  • Patient physician
  • Portal menu selections
  • IP address
  • And any content typed into the “free text” boxes

Unfortunately, the MyChart portal is not a Novant-specific technology.  It is utilized by a total of 64 different healthcare service providers around the country. So even if you don’t use Novant to meet your healthcare needs, your personal data may have been compromised due to the misconfiguration of the tracker.

If there’s a silver lining to be found in all of this, it lies in the fact that the company has now identified all the patients whose data was compromised and has already reached out to them.  If you haven’t received a notification, then you can breathe a sigh of relief as your data was not compromised.

OpenSea Warns Users Of Phishing Attacks From Data Breach

Are you a fan of NFTs?  If so, you’ve probably heard of OpenSea, which is the largest marketplace for non-fungible tokens.

If you have an account there, be aware that recently the company disclosed that their network had been breached and they issued a warning to their clients urging them to be on the lookout for possible phishing emails.

Cory Hardman is OpenSea’s head of security. According to Hardman, an employee of Customer.io, which is the company’s email delivery vendor, downloaded a file containing email addresses that belong to OpenSea users and newsletter subscribers. The precise number of email addresses the attacker made off with was not disclosed.

Mr. Hardman said:

“If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement.”

This is not the first time OpenSea users have been targeted.  Last year, threat actors posing as support staff successfully absconded with roughly two million dollars (USD) worth of NFTs. Last September (2021) the company addressed a security flaw that allowed attackers to empty OpenSea users’ cryptocurrency wallets by luring them into clicking on maliciously crafted NFT artwork.

Although the industry is still in its formative stages, it has grown at a blistering pace. OpenSea is the largest marketplace in the NFT industry. They boast more than 600,000 users and total transactions that surpass $20 billion (USD), which makes it a prime target for hackers.

Sadly, this will almost certainly not be the last time OpenSea and other NFT markets find themselves in the crosshairs.

If you have an account there, be on high alert.  Odds are good that the attacker will try to put your email address to malicious use.

One Of The Largest US Banks Discloses Data Breach

Do you have an account with Michigan-based Flagstar Bank?  As one of the largest banks in the United States, it’s quite possible that you do.

If so, be aware that the company recently issued a breach disclosure notification relating to a security incident that occurred in December of 2021 when unknown attackers breached the company’s network.

The notification reads in part, as follows:

“…Upon learning of the incident, we promptly activated our incident response plan, engaged external cybersecurity professionals experienced in handling these types of incidents, and reported the matter to federal law enforcement. 

We have no evidence that any of the information has been misused. Nevertheless, out of an abundance of caution, we want to make you aware of the incident.”

The company also announced that they would be offering two free years of identity monitoring services to impacted individuals.

That’s good because based on information that Flagstar submitted to the Maine Attorney General’s office, there are a lot of impacted individuals.  More than a million and a half, in fact.

While there’s nothing outwardly wrong with the breach notification that the company sent out, there are two key pieces of information that are conspicuously absent.

First, there’s no explanation as to why it took the company half a year to realize that the breach had occurred.

Second, the notification gives no information about exactly what types of information the attackers made off with.  Is it enough for a hacker to steal one’s identity?  Based on Flagstar’s offering identity monitoring protection, that would seem to be the case. However, there are no particulars provided, so we are left to guess.

In our view, this could have been handled better.  Here’s hoping that Flagstar is more forthcoming in the days ahead.

Data Breach Hits One Of America’s Largest Healthcare Providers

Do you receive healthcare of any kind from Kaiser Permanente?  If so, be aware that they recently published a data breach notification indicating that an unidentified attacker accessed an email account that contained personal health information on April 5th, 2022.

Based on the investigation to this point, it appears that sensitive health information belonging to more than 69,000 individuals was exposed.  For context, Kaiser Permanente provides a wide range of health care services to more than 12.5 million customers spanning eight states, plus the District of Columbia.  While it’s true that a breach of any size is a bad thing, this one only impacted a tiny slice of the company’s patient base.

Kaiser’s breach notification reads in part as follows:

“This notice describes a security incident that may have impacted the protected health information of some Kaiser Permanente patients who may have been affected by an unauthorized access incident on April 5, 2022.

The specifics of the unauthorized access were provided to individuals affected in a letter sent by Kaiser Permanente on June 3, 2022.

Sensitive info exposed in the attack includes:

  • The patients’ first and last names
  • Medical record numbers
  • Dates of service
  • Laboratory test result information”

If there’s a silver lining to be found here, it lies in the fact that Kaiser’s notification stressed that no Social Security or credit card numbers were exposed.

While this event will no doubt damage trust, the data that was stolen is not likely to be sufficient to allow the attackers to steal your identity. If you are one of the impacted customers, then you should have already received a notification from the company.

We wish we could say that this will be the last data breach of the year but sadly, that’s not going to be the case.  Stay tuned for the next, and guard your personal data closely!

Medical Service Provider Data Breach Affects 2 Million Users

Depending on where you live, you may have received medical care from the Shields Health Care Group (Shields), or from a provider associated with them.

If so, be aware that the Massachusetts-based medical provider specializing in PET/CT scans, MRIs, radiation oncology, and ambulatory surgical services has been hacked.

The unknown hackers gained access to their network and stole data relating to more than 2 million users.

According to the breach notification that the company published on their website, Shields first became aware of the attack on March 28th of this year (2022).  Immediately after, they retained the services of third-party cybersecurity specialists, engaging them to assist in determining the scope and scale of the incident.

While that investigation is ongoing, here’s what we know so far:

A currently unknown group attacked the network and gained access from March 7 to March 21, 2022.

Consequently, they were able to steal database records of more than two million users, which included the following information:

  • User full name
  • Social security number
  • User date of birth
  • User home address
  • Provider information
  • Patient diagnosis
  • Billing information
  • Insurance number and related information
  • Medical Record Number
  • Patient ID
  • And other assorted treatment information

This is serious and more than enough data was exfiltrated to allow the hackers to steal people’s identities.  Whether they do it themselves or sell the information on the Dark Web remains to be seen. Either way, if your information was stolen because of this breach, you are very much at risk.

If you’re not sure, it’s worth your time to head to the Shields website.  There, you’ll find a complete listing of all the impacted medical facilities.  If you received treatment from any facility on the list, be on the alert and watch your credit and banking statements closely.