Breach Notification , Healthcare , Industry Specific
Heart Device Maker Says Hack Affected 1 Million PatientsPHI of Former and Current Patients Using Wearable Cardiac Defibrillator Compromised
Emergency medical device provider Zoll Medical is notifying more than 1 million individuals - including employees, patients and former patients - of a hacking incident that compromised their personal information.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
The company told Information Security Media Group that the cybersecurity incident affects current and former users of the company's LifeVest device - a wearable cardioverter defibrillator worn by patients at high risk of sudden cardiac death. The incident does not affect the operation or safety of the product or any other Zoll medical device or related software, a company spokesperson said.
Massachusetts-based Zoll, a subsidiary of Japanese technology firm Asahi Kasei Group, reported the incident on Friday as affecting more than 1 million individuals.
The incident illustrates how deeply networked connectivity has penetrated the medical device market, a development that has created new opportunities for hackers to steal personal information in an industry historically unaccustomed to fending off threat actors.
Information potentially disclosed in the cybersecurity incident includes individuals' names, addresses, birthdates and Social Security numbers. "It may also be inferred that you used or were considered for use of a Zoll product," the company says in a sample breach notification letter.
"More and more medical devices are becoming connected to the network and internet and, in almost all cases, the manufacturer is gaining access to device and patient information," said security researcher Jason Sinchak, who leads cybersecurity firm Level Nine's medical device product security practice.
"What was previously an embedded medical device manufacturing organization becomes a software-as-a-service and managed service organization," he said.
Zoll said that on Jan. 28, it detected unusual activity on its internal network. "We consulted with third-party cybersecurity experts to assist with our response to the incident, and we notified law enforcement," the company said. It determined on Feb. 2 that individuals' information may have been breached in the incident.
Zoll is offering 24 months of complimentary credit and identity monitoring for patients whose Social Security numbers were affected and 36 months of coverage for current and former employees and their dependents.
Medical device manufacturers eager for the personal identifiable information generated by patients' use of their products must reevaluate their threat model and ensure the organization has the security controls in place to protect sensitive data, said Sinchak.
When wearable medical devices used by patients are set up - even for temporary use or exploration, that process puts sensitive PII and PHI in the hands of a device manufacturer, Sinchak said.
"The nature of these devices is such that they require PII to uniquely identify the device and patient; that information is registered with the manufacturer and linked to the device," he said.
"The manufacturer maintains this data and linkage in order to, at a minimum, contact the patient upon recall. For connected devices, the linkage is further employed to send prescriptions or enable the device remotely or identify the patient when a device reports status over the internet," he said.
The hacking incident is not Zoll's first major health data breach. In March 2019, it reported to the U.S. Department of Health and Human Services a breach affecting 277,000 individuals involving a third-party vendor migrating a server containing Zoll's archived email (see: Email Server Migration Incident Impacts 277,000).