New analysis from cyber security firm Tenable has found that third-party breaches accounted for over a quarter of the tracked breaches. These breaches accounted for nearly 12 million records exposed in the health care sector.
The firm’s security response team found 237 breaches in the health care sector in 2020. According to Tenable, breaches are set to continue unabated in 2021, with 56 breaches already disclosed through February.
The research found that in a quarter of cases, breaches occurred due to a separate breach at a third-party organization. This happens when hackers breach a third-party vendor that a health care organization uses, giving attackers access to data the health care provider's stores on the third-party system. Its analysis found that third-party breaches accounted for nearly 12 million exposed records.
A single breach accounted for over 10 million of these records. “This breach has been linked back to 61 of their healthcare customers, with the number of exposed records expected to increase as more of these impacted customers disclose their numbers,” researchers said.
Of all the health care breaches disclosed between January 2020 and February 2021, 93% of them included confirmed record exposure. Researchers admitted that one obstacle with accurately tracking breaches is that public disclosures can occur days, months, or even years after the event. Even then, the level of detail available may be scant.
Of these 293 breaches analyzed, 57.34% of the affected organizations have publicly disclosed how many records the breach exposed. The number of records exposed in this period reached nearly 106 million — 76.45% of these were disclosed in 2020.
The research found that ransomware was the most prominent cause of health care breaches, accounting for 54.95%. Other leading causes included email compromise/phishing (21.16%), insider threat (7.17%), and unsecured databases (3.75%).
Boris Cipot, senior security engineer at Synopsys, told ITPro that this research shows that resilience is much more than the deployment of mitigation procedures, and it starts with software design.
“As software is the cornerstone of life today, it is important to apply security during the development process. If not, mitigation techniques will act simply as “band-aids on bullet holes,” Cipot said.
“It is normal to see cybercriminals focused on exploiting known security holes in commonly used software. It is also normal that phishing campaigns are deployed with the intention of gaining information that can help them to further infiltrate critical infrastructure. It is worrying how these things are considered to be normal.”
-
Cleo attack victim list grows as Hertz confirms customer data stolenNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
Lateral moves in tech: Why leaders should support employee mobilityIn-depth Encouraging staff to switch roles can have long-term benefits for skills in the tech sector
-
Capita tells pension provider to 'assume' nearly 500,000 customers' data stolenCapita told the pension provider to “work on the assumption” that data had been stolen
-
Gumtree site code made personal data of users and sellers publicly accessibleNews Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website
-
Pizza chain exposed 100,000 employees' Social Security numbersNews Former and current staff at California Pizza Kitchen potentially burned by hackers
-
83% of critical infrastructure companies have experienced breaches in the last three yearsNews Survey finds security practices are weak if not non-existent in critical firms
-
Identity Automation launches credential breach monitoring serviceNews New monitoring solution adds to the firm’s flagship RapidIdentity platform
-
Neiman Marcus data breach hits 4.6 million customersNews The breach took place last year, but details have only now come to light
-
Indiana notifies 750,000 after COVID-19 tracing data accessedNews The state is following up to ensure no information was transferred to bad actors
-
Pearson fined $1 million for downplaying severity of 2018 breachNews The SEC found the London-based firm made “misleading statements and omissions” about the intrusion
