Kaiser Permanente Reports Data Breach Affecting 13.4 Million Patients
The reports of pwnage on this Monday morning continue.
Kaiser Permanente, a major U.S. nonprofit health plan operator, has announced a data breach potentially affecting 13.4 million patients across multiple states. This incident involves unauthorized sharing of personal information through third-party trackers on Kaiser’s websites and mobile apps.
The healthcare giant, which operates 40 hospitals and 618 medical offices in regions including California, Colorado, and Washington, D.C., identified the breach through an internal investigation. The trackers in question, associated with entities such as Google, Microsoft Bing, and Twitter, were transmitting personal data when patients accessed Kaiser’s digital platforms. This data included IP addresses, names, and details indicating whether a user was logged into Kaiser services, as well as their navigation and interaction behaviors on the site.
Though Kaiser reported the unauthorized access to its networks in an April 12 filing with the Dept. of Health and Human Services, the notice was reportedly made public on Thursday.
Importantly, the exposed data did not include usernames, passwords, Social Security Numbers, financial data, or credit card numbers. However, the breach did lead to the exposure of sensitive information such as full names, medical records, dates of service, and lab results.
In response to the breach, Kaiser Permanente has removed the implicated trackers and enhanced its data security measures to prevent similar incidents in the future. Kaiser told Reuters it has not identified any misuse of the data. The breach is part of a broader issue highlighted by the FTC regarding the use of third-party trackers in healthcare and other sensitive areas.
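The leak described above happens on the client side: a tracker script embedded in a logged-in portal page fires requests to a third-party host and carries page paths and user identifiers along with them. The check below is an added example, not anything from Kaiser or from the original post; it walks a constructed, HAR-style list of browser requests (hostnames, query parameters and the first-party domain are all invented) and flags requests to known tracker hosts that carry sensitive parameters or echo the page the patient was viewing.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample of what a capture of a patient-portal page view might
# contain. All hostnames, paths and parameter names here are invented.
FIRST_PARTY = "example-health.org"
TRACKER_HOSTS = {"www.google-analytics.com", "bat.bing.com", "analytics.twitter.com"}
# Query keys that should never travel to a third party from a health portal.
SENSITIVE_KEYS = {"name", "full_name", "logged_in", "member_id", "uid"}

SAMPLE_REQUESTS = [
    {"url": "https://portal.example-health.org/api/appointments",
     "page": "https://portal.example-health.org/appointments"},
    {"url": "https://www.google-analytics.com/collect?tid=UA-0&dl=%2Flab-results&uid=jane.doe&logged_in=1",
     "page": "https://portal.example-health.org/lab-results"},
    {"url": "https://bat.bing.com/action/0?evt=pageLoad&p=%2Fprescriptions",
     "page": "https://portal.example-health.org/prescriptions"},
    {"url": "https://cdn.example-health.org/static/app.js",
     "page": "https://portal.example-health.org/home"},
]


def is_third_party(host, first_party=FIRST_PARTY):
    """True when the request host is not the first-party domain or one of its subdomains."""
    return not (host == first_party or host.endswith("." + first_party))


def find_tracker_leaks(requests, first_party=FIRST_PARTY, trackers=TRACKER_HOSTS):
    """Return one finding per request that goes to a known tracker host.

    Every third-party request discloses the client IP address by itself; the
    finding additionally records which sensitive query keys were sent and
    whether the path of the page being viewed was echoed in any parameter.
    """
    findings = []
    for req in requests:
        u = urlparse(req["url"])
        if not is_third_party(u.hostname, first_party) or u.hostname not in trackers:
            continue
        params = parse_qs(u.query)
        page_path = urlparse(req["page"]).path
        findings.append({
            "tracker": u.hostname,
            "page": page_path,
            "sensitive_params": sorted(k for k in params if k in SENSITIVE_KEYS),
            "leaks_page_path": any(page_path in v for vals in params.values() for v in vals),
        })
    return findings
```

Running it against a real capture means exporting a HAR from the browser while logged in to the portal and mapping each entry to the `url`/`page` shape used here.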
Ted Miracco, CEO of Approov Mobile Security, had this to say:
“Healthcare apps often process and store highly sensitive data, including personal health information (PHI), which requires protection beyond the standard security measures provided by mobile operating systems. The incident with Kaiser Permanente illustrates the vulnerabilities that can arise from mobile applications with inadequate security and improper API usage.
“Healthcare apps frequently use APIs to interact with other apps and services, including cloud-based storage and third-party analytics. Securing these APIs is crucial as they can be exploited to access sensitive data. Solutions that manage API keys and monitor API gateways can provide an added layer of security by ensuring that only authorized users and systems can access the APIs. This data is a prime target for cybercriminals due to its value on the black market.”
The fact that the healthcare sector continues to be such a “soft target” for threat actors should concern everyone. Action needs to be taken to change that ASAP, because as it stands right now, threat actors are having a field day at our expense.
This entry was posted on April 29, 2024 at 10:16 am and is filed under Commentary with tags Hacked.