If any doubts remained that oncology practices would be specific targets in the hacking of medical data, a breach at Central Ohio Urology Group (COUG) has set the record straight. The practice notified the Department of Health and Human Services in September that 300,000 patient records were accessed in a hacking incident involving its network server. Reportedly, a half-million documents from the cache were posted to Twitter and to a Google-based cloud storage unit.
It was the second major hacking incident connected with an oncology practice reported this year. In March, 21st Century Oncology, which manages a large string of oncology practices, announced that a breach of 2.2 million patient records had occurred the previous year and that it was working with federal authorities to resolve the problem.
Whereas many medical data thefts are motivated by the black market value of the data stolen, what was unusual in the COUG case was the group that claimed responsibility and its motives. Reports said a right-wing Ukrainian hacking group named Pravvy Sector pilfered 156 gigabytes of data from COUG.
The data reportedly included highly sensitive employee and patient data—names, addresses, dates of birth, medical procedures performed, health insurance information, dates of service, and medical histories. According to the HIPAA Journal, the stolen information also included detailed communications data, login details to various servers, internal hospital documents, payment details, as well as X-rays and ultrasound scan images, among many other highly sensitive details.
Also this summer, Pravvy Sector attempted to extort $50,000 in bitcoin from the Polish government, threatening to post sensitive military data if the ransom payment were not made.
Medical records are considered far more valuable to thieves than credit card numbers because patient identifying information can be exploited in many ways. Whereas a credit card account can be canceled, patient identifying information is permanent. There is also little communication between medical facilities, meaning it may be a long time before fraudulent activity, such as the misuse of somebody’s identity or insurance, is detected.