An email compromise incident in April allowed attackers to obtain access to confidential user information. On April 5, Kaiser Permanente suffered a data breach as a result of an email account compromise that could have exposed the medical records of roughly 70,000 patients, the firm announced earlier this month.
According to a letter sent to affected clients on June 3, attackers gained access to an employee's email account at Kaiser Foundation Health Plan of Washington, which contained "protected health information." According to the letter, the attacker had unauthorized access for several hours before Kaiser terminated the activity "and swiftly launched an investigation to identify the breadth of the issue."
Kaiser itself was not sure whether the attack gave the intruders access to clients' personal health information, admitting that it is "impossible to entirely rule out the potential." So far, no evidence of "identity theft or misuse of protected health information" has been found as a result of the breach, according to the company.
In addition to Kaiser’s inquiry, the US Department of Health and Human Services’ Office for Civil Rights is also looking into the breach, according to a listing on its website that states 69,589 people were affected.
While Kaiser Permanente was "proactive" in notifying such a large group of clients about the breach, one security expert believes the company's uncertainty over whether data was stolen indicates inadequate incident response capabilities.
In an email to Threatpost, Chris Clements, vice president of solutions architecture at cybersecurity firm Cerberus Sentinel, said, “It underscores the necessity for enterprises to have effective auditing measures to quickly identify what data was accessed by attackers during an event.”
He also stated that the company could have notified those potentially affected more quickly, since three months is plenty of time for attackers to exploit the stolen data.
“During this period, attackers might have used any specific information stolen in convincing social engineering campaigns to target the impacted individuals,” Clements said. “It’s vital that firms include analysing their capacity to quickly determine the magnitude of a possible compromise in risk analysis or tabletop exercises as part of their bigger cybersecurity culture.”
Human Error Still a Security Plague
The event also highlights what has always been, and continues to be, the most significant security risk that businesses face: human error. According to Verizon's 2022 Data Breach Investigations Report (DBIR), which takes a comprehensive look at data breaches from the previous year, 82 percent of the intrusions studied last year involved "the human element," which can mean a variety of things.
“Whether it’s the use of stolen credentials, phishing, misuse, or simply an error,” researchers noted in the paper, “humans continue to play a very major part in incidents and breaches alike.”
The threat of business email compromise (BEC), which appears to be what occurred in the Kaiser incident, is particularly serious. Socially engineered phishing and other malicious email campaigns, which lure unwary employees into giving up the credentials to their business email accounts, have become increasingly sophisticated.
Once a threat actor has secured initial access to a company's network through a compromised mailbox, this can lead to further malicious operations, such as ransomware or other financially motivated cybercrime.
In fact, BEC has become a major financial drain for businesses, with the FBI recently reporting that companies lost $43 billion to this type of attack between June 2016 and December 2021. There was a 65 percent increase in BEC schemes between July 2019 and December 2021, which the FBI attributed to the pandemic forcing most economic activity to take place online.