A data breach at Yale New Haven Health (YNHHS) has exposed data belonging to millions of people – and lawsuits have already been filed.
YNHHS runs more than 360 locations across Connecticut, New York, and Rhode Island, and is notifying patients that their personal data might have been affected.
According to an entry on the US Department of Health and Human Services breach portal, the data breach impacted 5,556,702 patients.
"The information involved varied by patient, but may have included demographic information (such as name, date of birth, address, telephone number, email address, race or ethnicity), Social Security number, patient type, and/or medical record number," said YNHHS.
"YNHHS’ electronic medical record and treatment information were not involved or accessed, and no financial account or payment information was involved in this incident."
The breach was first discovered on March 8th when YNHHS spotted unusual activity affecting its IT systems. The organization took steps immediately to contain the incident and began an investigation with the help of external cybersecurity experts from Mandiant.
It also reported the incident to law enforcement. However, patients weren't notified of the breach until late April.
It's now offering complimentary credit monitoring and identity protection services, but only to those whose Social Security number was involved.
Yale New Haven Health faces legal action
Legal action has already been launched. Hartford law firm Cicchiello & Cicchiello has filed two identical lawsuits in the Connecticut District Court on behalf of Michael Liparulo of New London and Jon Nathanson of Fairfield.
The lawsuits allege YNHHS failed to protect personally identifiable and health information, and took too long to notify patients.
Similarly, the cases claim IT practitioners failed to encrypt files, train employees on data security, or implement basic security measures such as multi-factor authentication.
They’re calling for damages, free lifetime identity protection, and major changes to the health system’s cybersecurity practices.
Healthcare in the crosshairs
Healthcare organizations are a prime target for hackers thanks to the vast amount of highly personal data that they hold. According to recent research from Trustwave, for example, 21% of all ransomware attacks worldwide are targeted at public health and government healthcare organizations.
The study found that 45% of attacks exploited public-facing applications and 56% of public-facing applications exploited were against Log4j, with 9% of all attacks coming from the threat group RansomHub.
Third-party threats within supply chains continue to pose 'significant' risks, the researchers found.
"Healthcare artificial intelligence and technology adoption presents a spectrum of risks that few other industries need to navigate. The risk is not just incredibly sensitive data privacy, but human life and quality of patient care," said Kory Daniels, CISO at Trustwave.
"Complex supply chains, lapses in patches and credential management all have consequences too serious for anyone in the healthcare industry to ignore".
MORE FROM ITPRO
- Healthcare systems are rife with exploits — and ransomware gangs have noticed
- Healthcare organizations need to shake up email security practices
- More than 300,000 US healthcare patients impacted in suspected Rhysida cyber attacks
-
How to implement a four-day week in techIn-depth More companies are switching to a four-day week as they look to balance employee well-being with productivity
-
Intelligence sharing: The boost for businessesIn-depth Intelligence sharing with peers is essential if critical sectors are to be protected
-
Average Brit hit by five data breaches since 2004News While the number of breaches has fallen, the UK has been the worst-hit country in Northern Europe since 2004
-
Personal data taken in Oxford City Council cyber attacknews The personal data of election workers has been accessed, but the council says it moved quickly to limit the effects of the breach
-
Supplier hack leaks UBS data – including CEO's phone numberNews Chain IQ incident could hit Swiss banking sector hard in "grim reminder" of risk of third-party breaches
-
23andMe 'failed to take basic steps' to safeguard customer dataNews The ICO has strong criticism for the way the genetic testing company responded to a 2023 breach.
-
European financial firms are battling a huge rise in third-party breachesNews Growing vendor dependency has contributed to a marked rise in third-party breaches
-
US healthcare firm postponed procedures after cyber attack knocked systems offlineNews The incident at Kettering Health disrupted procedures for patients
-
US healthcare data breaches are out of control – over 400 million patient records have been exposed in the last two yearsNews There's been a huge surge in the number of healthcare data breaches in recent years
-
Healthcare organizations are turning a blind eye to phishing attacksNews A survey reveals that most attacks go unreported, putting patient data at risk
