A data breach at Yale New Haven Health (YNHHS) has exposed data belonging to millions of people – and lawsuits have already been filed.
YNHHS runs more than 360 locations across Connecticut, New York, and Rhode Island, and is notifying patients that their personal data might have been affected.
According to an entry on the US Department of Health and Human Services breach portal, the data breach impacted 5,556,702 patients.
"The information involved varied by patient, but may have included demographic information (such as name, date of birth, address, telephone number, email address, race or ethnicity), Social Security number, patient type, and/or medical record number," said YNHHS.
"YNHHS’ electronic medical record and treatment information were not involved or accessed, and no financial account or payment information was involved in this incident."
The breach was first discovered on March 8th when YNHHS spotted unusual activity affecting its IT systems. The organization took steps immediately to contain the incident and began an investigation with the help of external cybersecurity experts from Mandiant.
It also reported the incident to law enforcement. However, patients weren't notified of the breach until late April.
It's now offering complimentary credit monitoring and identity protection services, but only to those whose Social Security number was involved.
Yale New Haven Health faces legal action
Legal action has already been launched. Hartford law firm Cicchiello & Cicchiello has filed two identical lawsuits in the Connecticut District Court on behalf of Michael Liparulo of New London and Jon Nathanson of Fairfield.
The lawsuits allege YNHHS failed to protect personally identifiable and health information, and took too long to notify patients.
Similarly, the cases claim IT practitioners failed to encrypt files, train employees on data security, or implement basic security measures such as multi-factor authentication.
They’re calling for damages, free lifetime identity protection, and major changes to the health system’s cybersecurity practices.
Healthcare in the crosshairs
Healthcare organizations are a prime target for hackers thanks to the vast amount of highly personal data that they hold. According to recent research from Trustwave, for example, 21% of all ransomware attacks worldwide are targeted at public health and government healthcare organizations.
The study found that 45% of attacks exploited public-facing applications and 56% of public-facing applications exploited were against Log4j, with 9% of all attacks coming from the threat group RansomHub.
Third-party threats within supply chains continue to pose 'significant' risks, the researchers found.
"Healthcare artificial intelligence and technology adoption presents a spectrum of risks that few other industries need to navigate. The risk is not just incredibly sensitive data privacy, but human life and quality of patient care," said Kory Daniels, CISO at Trustwave.
"Complex supply chains, lapses in patches and credential management all have consequences too serious for anyone in the healthcare industry to ignore".
MORE FROM ITPRO
- Healthcare systems are rife with exploits — and ransomware gangs have noticed
- Healthcare organizations need to shake up email security practices
- More than 300,000 US healthcare patients impacted in suspected Rhysida cyber attacks
-
HPE's new Cray system is a pocket powerhouseNews Hewlett Packard Enterprise (HPE) had unveiled new HPC storage, liquid cooling, and supercomputing offerings ahead of SC25
-
High performance and long battery life: How Dell AI PCs offer the best of both worldsUnlocking the true potential of on-device AI requires a perfect balance between software and hardware
-
Teens arrested over nursery chain Kido hacknews The ransom attack caused widespread shock when the hackers published children's personal data
-
Red Hat reveals unauthorized access to a GitLab instance where internal data was copiedNews Crimson Collective has claimed the attack, saying it has accessed more than 28,000 Red Hat repositories
-
Google warns executives are being targeted for extortion with leaked Oracle dataNews Extortion emails being sent to executives at large organisations appear to show evidence of a breach involving Oracle's E-Business Suite
-
Harrods rejects contact with hackers, after 430,000 customer records stolen from third-party providerNews The luxury department store has denied any link to a failed attack on its systems in May
-
Kido nursery hackers threaten to release more details – along with the personal data of 100 employeesNews The attack is the first to be claimed by the new threat group 'Radiant'
-
Air France and KLM confirm customer data stolen in third-party breachNews A spokesperson told ITPro the airlines are investigating "fraudulent access" to customer data following a third-party breach.
-
Average Brit hit by five data breaches since 2004News While the number of breaches has fallen, the UK has been the worst-hit country in Northern Europe since 2004
-
Personal data taken in Oxford City Council cyber attacknews The personal data of election workers has been accessed, but the council says it moved quickly to limit the effects of the breach
