A data breach at virtual medical provider Confidant Health lays bare the vast difference between personally identifiable information (PII) on the one hand and sensitive data on the other.
The story began when security researcher Jeremiah Fowler discovered an unsecured database containing 5.3 terabytes of exposed data linked to Confidant Health. The company provides addiction recovery help and mental health treatment in Connecticut, Florida, Texas and other states.
The breach, first reported by WIRED, involved PII, such as patient names and addresses, but also sensitive information like audio and video recordings of therapy sessions, detailed psychiatric intake notes and comprehensive medical histories.
The article showed how horrifically compromising some of the information was: “One seven-page psychiatry intake file… details issues with alcohol and other substances, including how the patient claimed to have taken… narcotics from their grandparent’s hospice supply before the family member passed away,” according to the article. “In another document, a mother describes the ‘contentious’ relationship between her husband and son, including that while her son was using stimulants, he accused her partner of sexual abuse.”
IBM’s 2024 Cost of a Data Breach report highlights that 46% of breaches involved customer PII. The report also notes a significant increase in the cost per record for intellectual property (IP) data, jumping from $156 to $173.
But the level of exposure in the Confidant Health incident represents a significant escalation in the potential harm to affected individuals, far surpassing the risks associated with mere PII breaches.
The unique threat of sensitive data exposure
Cyber attackers and bad actors prize sensitive data, including medical data, because it can be used for social engineering attacks, targeted blackmail or even selling to unethical competitors or adversaries. The information’s sensitive nature is precisely what makes it valuable for malicious exploitation.
To be clear, the exposure of sensitive data like medical details is a risk not only to the target but also to their employer. The data can be used to blackmail the employee into providing passwords and other data that can help them in a breach of the employee’s company.
Potential attack vectors include:
- Targeted phishing: Crafting highly convincing phishing emails using knowledge from therapy sessions.
- Blackmail: Threatening to expose sensitive information unless a ransom is paid.
- Corporate espionage: Exploiting personal vulnerabilities of key employees revealed in therapy sessions.
- Identity theft: Combining sensitive data with PII for more convincing identity fraud.
Read the Cost of a Data Breach Report
How to approach data protection
The recent breach serves as a stark reminder of the critical need for robust data protection measures, especially in healthcare settings. The keys are comprehensiveness and constant vigilance.
Protecting sensitive information in healthcare and other settings demands a comprehensive approach.
Authentication
Implementing robust access controls and authentication is crucial. This includes deploying multi-factor authentication for all user accounts and building role-based access controls to limit data access based on job functions. (Regular audits and reviews of user permissions should be conducted to ensure proper access management.)
Encryption
Encryption plays a vital role in safeguarding sensitive data. It’s essential to encrypt data both at rest and in transit, using end-to-end encryption for all communications and data transfers. Device encryption should be implemented for mobile devices and laptops to protect data in case of loss or theft.
Network security
Network security is another critical aspect of data protection. Deploying next-generation firewalls and intrusion detection/prevention systems helps defend against external threats. Network segmentation can isolate sensitive data, while virtual private networks provide secure remote access.
Data loss prevention
Data protection measures should include the implementation of data loss prevention solutions to monitor and control data movement. Data masking and tokenization can be used to protect sensitive information, and regular backups with tested restoration procedures ensure data availability in case of incidents.
Endpoint security
Endpoint security is important for protecting against malware and other threats. Maintain up-to-date antivirus and anti-malware software, implementing endpoint detection and response solutions and using mobile device management for company-owned devices.
Data protection policies
From an organizational standpoint, developing and enforcing comprehensive data protection policies is fundamental. This includes implementing a formal incident response plan and establishing clear data retention and disposal procedures. Regular security awareness training for all employees, with specialized training for those handling sensitive data, helps foster a culture of security consciousness throughout the organization.
Risk management
Risk management is an ongoing process that involves conducting regular risk assessments and vulnerability scans. A formal risk management program should be implemented, with regular updates and patches applied to all systems and software.
Third-party risks
Managing third-party risks is equally important. This involves implementing strict vendor risk management procedures, ensuring all third-party contracts include data protection clauses and regularly auditing third-party access and data handling practices.
Compliance
Compliance and auditing are critical components of a robust security program. Organizations must ensure compliance with relevant healthcare regulations, such as HIPAA. Regular internal and external security audits should be conducted, and detailed logs of all data access and system activities should be maintained.
Data governance
Data governance is essential for effective data protection. This includes implementing a formal data classification system, establishing data ownership and stewardship roles and regularly inventorying and mapping all sensitive data.
Incident response
Incident response and recovery capabilities are crucial for minimizing the impact of security breaches. Organizations should develop and regularly test an incident response plan, establish a dedicated incident response team and implement automated threat detection and response capabilities.
Physical security
Physical security measures should not be overlooked. Securing physical access to data centers and sensitive areas, implementing proper disposal procedures for physical media and using surveillance and access control systems in critical areas are all important aspects of a comprehensive security strategy.
Keep sensitive data safe
By implementing these measures, organizations can significantly enhance their data protection posture. However, it’s important to remember that cybersecurity is an ongoing process that requires constant vigilance. Regular assessments and improvements to the security program are essential to maintain robust protection of sensitive information in the ever-evolving landscape of cyber threats.
As we navigate an increasingly digital landscape, this incident highlights the urgent need for a paradigm shift in how we view and protect sensitive data. It’s no longer enough to focus solely on safeguarding PII. Organizations must adopt a holistic approach that recognizes the unique value and vulnerability of sensitive personal information.
The post Why safeguarding sensitive data is so crucial appeared first on Security Intelligence.