Forever 21 Data Breach and Pollfish Survey

Fashion merchant Forever 21 has informed the Maine Attorney General about a data breach wherein the health plan information of 539,207 present and past employees was compromised. Forever 21 sent breach notification letters to all people possibly impacted by the breach. Nevertheless, the notification letters did not reveal much regarding the nature of the cyberattack or what particular information was compromised.

Based on the notice posted on the Maine Attorney General web page, Forever 21 experienced an “external system breach” from January 5 to March 21, 2023. The breached data included names or other personal identifiers combined with Social Security numbers. Forever 21 offered identity theft services to potentially impacted individuals.

The notice also contains a link to Forever 21’s breach notification letter to possibly impacted persons. The letter gives minimal detail concerning the nature of the cyberattack or what particular information was compromised, mentioning only that an unauthorized third party got access to selected Forever 21 systems and acquired certain files from those systems.

As to what these files could have included, the letter says they contained various personal data, for example, names, Social Security numbers, birth dates, bank account numbers (not including PIN or access code), and data relating to the recipient’s Forever 21 health plan, such as enrollment and premiums paid.

There are More Questions than Answers

Forever 21 states in the data breach notification letter that it has done what’s needed to make sure that the unauthorized third party doesn’t access, copy, retain, or further expose the information. This has led to speculation that Forever 21 paid the ransom demanded by the unauthorized third party, which, in the past, has not guaranteed that the information wouldn’t be further exposed.

Furthermore, though the notification letter includes information about the credit monitoring and identity theft services offered to possibly impacted persons, there’s no information about getting a copy of Protected Health Information (PHI) from each healthcare company to make sure that no one could use the stolen information to acquire healthcare or health services (such as prescription medications) in the affected individuals’ names.

This may show that no PHI was exposed during the data breach, or that Forever 21 has disregarded this critical piece of advice for impacted persons. The latter is likely if the information exposed in the external system breach contained details of how the premiums were calculated or what the health plan paid for individuals’ healthcare services.

At the time of publication, Forever 21 had not reported the security breach to HHS’ Office for Civil Rights. Nevertheless, since the date of the breach discovery is listed as August 4, 2023 on the Maine Attorney General web page, the company needs to inform the agency on or before October 3, 2023, if PHI was compromised and the external system breach is considered a HIPAA data breach.

Pollfish Survey Revealed 78% of Healthcare Companies Encountered a Cyberattack in 2022

A new survey of healthcare specialists shows that 78% of healthcare companies have encountered at least one cybersecurity incident in the last year. 60% of those incidents had a moderate or substantial effect on the provision of care, 15% had a serious effect, and 30% concerned sensitive information. PHI was compromised or stolen in 34% of cases in North America.

Pollfish conducted the survey on behalf of the cybersecurity company Claroty on 1,100 people in South and North America, Europe, and APAC. Participants worked regularly in the healthcare industry in IT, cybersecurity, networking, or engineering. The survey shows that 26% of companies that encountered a cyberattack made a ransom payment, either to stop the exposure of stolen information or to get the decryption key for the encrypted files. The costs of these cyberattacks are usually $100,000 to $1 million; nevertheless, over a third of respondents who encountered a cyberattack said the recovery expenditures were over $1 million. The largest expenditure because of the attacks, however, was in the APAC area operational downtime.

61% of participants in North America stated they were very or relatively concerned about cyberattacks on their systems. The main concerns in this region were insider threats (47%), supply chain and privilege escalation attacks (41%), ransomware attacks (38%), and denial of service (DoS) attacks (39%). Most organizations (78%) stated they have a clear leadership structure for medical device protection, which is most often the duty of IT security groups, and cybersecurity plans generally cover sensitive information such as PHI and EHRs, endpoints, IT systems, building management systems (BMS) such as elevators and HVAC equipment, and medical devices. When asked about security standards, regulations, and rules, respondents identified the NIST and HITRUST Cybersecurity Frameworks as the most important in North America, followed by HIPAA and 405(d).

The survey shows that healthcare companies have a clear idea of the areas of security that must be improved. The greatest gaps in protection were reported as medical device vulnerability patching, asset inventory management, and medical device network segmentation. 60% of participants said their company’s security posture had improved over the last year and 51% stated their security budgets were increased in 2022; nevertheless, efforts to enhance cybersecurity were being hampered by the global shortage of cybersecurity experts. Over 70% of participants stated they were seeking to hire additional cybersecurity personnel and 80% said that finding competent candidates was hard.

Security challenges in the healthcare industry continue to increase as the number and types of connected assets grow and the attack surface expands. Beyond the financial consequences that organizations in any industry can experience after a successful attack, in healthcare the stakes are higher because of the danger to patient outcomes. With good security leadership, strong security programs, and the observance of guidelines and frameworks from regulating entities, healthcare companies are on track to ensuring cyber and operational resilience. Recognizing that there is a lot more work to be done, they are likewise making investments in people, processes, and technologies a priority to develop further resilience and ensure compliance while providing continuous patient care.


About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations.