Edgepark Medical Supplies (EMS) discovered on May 13, 2019 that an unauthorized person access the account of some of its customers accounts and altered their addresses causing a redirection of their orders to different delivery addresses. Upon disovering the potential breach, EMS promptly disabled the impacted online accounts.
The investigation showed that the unauthorized access to the accounts was made possible through brute force tactics, which is also called a password spraying attack. The attacker employed automated, uninterrupted attempts to guess the password and access the accounts by inputting common passwords and words from the dictionary.
When the account password is guessed correctly, the attacker changes the shipping addresses to redirect orders. It’s possible that the attacker placed the orders unbeknown to the account holders of the Edgepark.com. The investigation of the breach is still ongoing. EMS will issue refunds to customers who were charged for fraudulent purchases.
Besides making fraudulent orders using the accounts, the hacker may have viewed or obtained the following information: name of the customers, address, birth date, products ordered via the website, and medical insurance data.
The HHS’ Office for Civil Rights breach portal reported that the breach affected 6,572 Edgepark.com customers. EMS is reviewing its security measures and will implement extra steps to avoid the same breaches later on.
Including this incident, EMS already reported three large breaches in the last 5 years. In 2014, malware was installed on EMS’ network and was detected only after 9 months. 4,230 patients were affected by this breach. In January 2018, there was impermissible disclosure of PHI of 4,586 patients because of a mailing error.
Data Breach at Cancer Treatment Centers of America
Cancer Treatment Centers of America’s Eastern Regional Medical Center discovered an email account breach on June 6, 2019 after noticing unusual activity in the email account of an employee. The treatment center’s IT department changed the account password immediately to block further access, then an internal investigation was started. The first unauthorized account access occurred on May 4, 2019 and went on until May 15.
It is unknown if the attacker accessed the email messages in the account or duplicated any patient data. There is also no evidence of data theft or misuse of patient data found.
A review of the compromised email account confirmed that it contained 3,904 patients’ protected health information (PHI). The exposed information of the patients differed from one patient to another but may have included their names together with one or more of these data elements: telephone number, address, birth date, other patient identifiers, medical record number, health data and medical insurance data.
Eastern Regional Medical Center gave its employees more HIPAA training on awareness of prevalent security risks. The center also examined its technical controls and will improve its email security.