Inside a Common Data Breach
In most of our briefings we look at incidents affecting large corporations or entire countries. But what does a typical data breach look like for a small-to-medium organization? In this briefing, we examine a recent notification sent by a Kentucky-based healthcare provider to find out.
The incident disclosed by Kentucky Counseling Center was selected for analysis solely because it is public and very typical. In our assessment, the company handled the incident adequately, quickly and comprehensively.
In a notification released in late February, Kentucky Counseling Center describes the following sequence of events:
On December 6th, 2018, a staff member took a file containing patient information from the company's computer systems. The exact mechanism of removal is unclear, but the file ended up on a file-sharing service.
A link to the file was then sent by email to a former staff member on January 4th, 2019. The former staff member notified his or her former employer of the breach. According to additional reporting by healthitsecurity.com, 16,440 patients were affected by the breach.
Why is this breach typical?
Most coverage of large-scale breaches concerns malicious attackers breaking into computer systems and either publishing the data to the general public or attempting to sell it. These breaches are the most dangerous, but they do not represent the average data breach. The breach experienced by Kentucky Counseling Center, on the other hand, combines three of the most common elements of everyday incidents: insider action, unclear intent, and ambiguous consequences.
Let’s look at them one by one.
The person ultimately responsible for the breach, the employee who took and shared the file, was a staff member at the time of the incident. While he or she was not authorized to upload the file, it appears that they at least had legitimate access to it as part of their work routine. This is what makes insider incidents hard to catch with access controls alone: no permission was bypassed, only the boundary of where the data was allowed to go.
While malicious attackers cause the most damage per incident, careless staff members cause the largest number of data-breach incidents. For the average small-to-medium organization, a breach caused by a careless staff member is far more likely than one caused by an external attacker.
The notification states that "we do not believe the individual took the list to cause harm to individuals on the list". While the notification does not provide details, it is entirely possible that the entire incident was caused by a combination of a mistaken belief that the recipient was still employed and poor data-handling skills. Many employees lack the training to understand that uploading data to a public file-hosting service by itself constitutes a breach, regardless of whether anyone else ever downloads it. And in an industry that relies heavily on consultants, it can be difficult to notice that a contract relationship between the main company and a provider has ended. Nonetheless, this does not make the breach any less of a breach. HIPAA reporting rules do not distinguish between breaches caused by malicious intent and those caused by poor choices.
Apart from the individual who uploaded the file, everyone else in this story acted correctly. The former staff member immediately informed Kentucky Counseling Center, which in turn investigated the breach, fired the leaker, informed the public, and offered a range of monitoring services to the affected patients. Although not reported, it is also highly likely that the file was removed from the file-sharing site in the process.
Depending on the nature of the file-sharing site (for example, whether the file was publicly listed or reachable only through an unguessable link) and the intent of the leaker, it is entirely possible that nobody outside the immediate parties ever accessed the information.
Still, in the end it is the unauthorized disclosure itself, not how far the data spread, that counts in the eyes of the law: under the HIPAA Breach Notification Rule, an impermissible disclosure of protected health information is presumed to be a reportable breach unless the covered entity can demonstrate, through a documented risk assessment, a low probability that the data was compromised. This is in stark contrast to the practical and legal handling of such incidents just a decade ago.
While breaches due to malicious intent and third-party attacks receive the most media coverage, the majority of data breaches happen because staff members handle data poorly. Where a breach results from poor choices rather than malicious intent, adequate staff training can prevent it, and that saves organizations money, reputation, and time in the long run.