I’ll spin the wheel again — Swoosh! “Round and round she goes. Where she stops, only hackers know!” Click, click, click … click … click. Ding! Ding! Ding! We have a loser! Today’s report about yet another major cyberattack landed on the “Medical ID Theft” slice of the wheel. Congratulations to the nearly 20 million people affected. You never know where the wheel lands: banking, online shopping, travel companies. Could be anything at any time. Today, and yet again, it’s healthcare.
It’s true that I only write for you once each week. Even though writing on a weekly basis engages, challenges, and even entertains me, it might not be that way. If I were to write every week about an even more focused subject than I do now, which regularly surrounds information security or privacy, I would go nuts (more so, that is). I could, regrettably, write every week or even every day with another report of a major hack, breach, or data leak. Every stinking hour, it seems, there is another story to tell about how criminals use and attack the same, dear technologies that we rely upon. Their targets are any size. They prance around all industries and sectors. They attack governments, children, businesses, unemployed, and you-name-it otherwise. I can’t always write about these incidents. I would lose faith to all degrees.
Here I am though. This time I felt it necessary to share about the breach that both LabCorp and Quest Diagnostics described to the Securities and Exchange Commission last week. One after the other reported about the same hack. A vendor they both use, American Medical Collection Agency, was attacked and the laboratories’ patient information was compromised. I know that many of our readers and your neighbors use the services of those laboratory companies. None of us, I presume, knew too much about where our data went from their offices. Now we do. It goes to AMCA.
The breach occurred at AMCA when 12 million Quest Diagnostic customers and almost eight million more LabCorp customers had their precious, private information stolen by online criminals. Here are just a handful of data points that were reportedly disclosed, soon made if not now available to other criminals on the dark web: full names; addresses; dates of birth; Social Security numbers; account balances; bank and credit card numbers; and personal, medical information. It’s a true treasure trove for cybercriminals. Added penalty points given to LabCorp, Quest, and AMCA for keeping this all mum since the attacks occurred as early as August 2018.
What’s the risk? There are many. The textbook example goes like this. A cybercriminal has some patients’ stolen information in front of them. Say they bought the records on the dark web from the original hackers. One tactic is to “phish” for more useful, rewarding information. Phishing is a fraud tactic whereby the bad guy sends you a phony email message. Within the message there’s a web link for you to click on. It all seems bona fide to you. Maybe it’s a medical article, or it appears to be a website that gives better prescription prices. You click on it. The most savvy phishing scams then actually take you to the website or article. Meanwhile, in the background where you can’t tell what’s going on, by clicking that link you also launched malicious software that was embedded in the link. That malware loads onto your phone or laptop doing further damage.
Knowing intimate details about one’s medical health makes phishing tactics even more effective. Imagine if hackers knew that my blood tests reflected someone with cancerous cells who is being treated through immunotherapy. They could then customize my phishing emails with related information, claims about that type of treatment, or other so-called click bait that may entice me to use their supplied link and ultimately have their malware payload dump onto my machine. Then, that software could give them access to my machine, my passwords, bank accounts, and anything else that I’ve handled online.
While phishing represents modernized criminal activity, good ol’ extortion is on the table as well once a scofflaw knows about your medical history. Despite the Affordable Care Act’s protections of preexisting conditions, they are still part of the insurance environment, and they’ve been threatened politically so no one can guarantee against your preexisting condition maybe again becoming part of an insurer’s decision making process. The federal government has published reports that surmise up to half of us live with a preexisting condition. How does extortion come into play? With a little additional information your asthma or high blood pressure becomes a weapon. The criminal contacts you and threatens to disclose that to your insurance company, or perhaps to a potential employer who, likely illegally and definitely immorally, may base incredibly important decisions on that intel.
My questions about the hack are many. The one question that I have is along the same lines as those I’ve shared with you upon news of the Equifax hack, which affected 145 million, and the Marriott breach, which compromised 500 million personal records: Why wait so long to report it?! Here, nine months or so have passed since it occurred. I’ll admit that once it happens, it may seem futile to try and manage it. Sure, we can sign up for the credit monitoring. Guess what has happened there? You’re right, now your personal information exists in that online database. Another response is to be wary of odd looking emails. You can hover your mouse over the web link and see if it is sensible or is a website that ends in “.ru,” which indicates a Russian website, not that they’re all malicious. We all react somewhat differently when these things happen. I’d say, however, that we all act identically when we’re left in the dark.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at email@example.com.