Union Benefits Administrator Says Data Deleted in Hack
Service Employees International Union 775 Benefits Group: PII and PHI Deleted
A Seattle-based benefits administrator for unionized home healthcare and nursing home workers has reported a hacking incident affecting 140,000 individuals that involved deleting certain data.
In a May 27 breach notification statement, Service Employees International Union 775 Benefits Group says IT personnel on April 4 "detected certain anomalies."
SEIU 775 Benefits Group says an investigation by third-party forensics experts determined that unknown individuals appear to have gained access to its data systems, deleting certain personally identifiable information and PHI.
The incident is at least the second reported to federal regulators in recent weeks by a health benefits administrator that involves the deletion of protected health information.
On May 28, 20/20 Hearing Care Network, a Florida-based vision and hearing benefits administrator, said it was notifying nearly 3.3 million individuals that their personal and health information contained in an Amazon Web Services cloud storage bucket was accessed or downloaded - and then deleted - by an "unknown" actor in January.
SEIU 775 Benefits Group says information that was potentially compromised includes individuals' names and addresses, Social Security numbers and health plan eligibility or enrollment information.
Upon detecting the incident, SEIU 775 Benefits Group says it immediately took action to secure the affected systems and contain the incident. The organization also notified federal law enforcement authorities and relevant regulators.
"In the aftermath of the incident and on an ongoing basis, SEIU 775 Benefits Group internal teams continue to work diligently with third-party cybersecurity consultants to further fortify SEIU 775 Benefits Group systems," the statement says.
The benefits administrator is offering affected individuals free identity and credit monitoring for one year through Kroll.
SEIU 775 Benefits Group did not immediately respond to Information Security Media Group's request for additional information, including whether the organization has been able to restore or recover the deleted data through backups or other means and whether attackers demanded a ransom.
"A breach by deletion of data can adversely impact an entity from a business perspective, whether it be an impact on daily operations or reputation and loss of confidence," says Cathie Brown, a vice president at privacy and security consultancy Clearwater.
"Data deletion breaches are not as prevalent as those where data is exfiltrated or held for ransom, but can still be very costly."
What steps can organizations take to help prevent falling victim to similar incidents?
"Integrity of system and data backups is the most fundamental of security best practices, yet it is often the security control that is put in place and not tested," Brown says.
Entities must ensure not only that backups are executing as expected but also that they are recoverable, she notes. "That means testing restores of backups on a regular basis. Having the discipline to ensure backups are good when they are not needed will pay off when they are needed, such as a deletion breach or ransomware attack."
Keith Fricke, principal consultant at privacy and security consultancy tw-Security, offers a similar assessment.
"It is important for organizations to be in the position of restoring data from backups, regardless if the reason is because systems crash, data is corrupted, data is encrypted with ransomware, or data has been deleted - accidentally or intentionally," he says.
The majority of breaches occur because organizations fail to take basic security measures, he says. Those include conducting regular vulnerability scans; patching and securing servers, networks and workstations; implementing advanced malware protection; and maintaining and testing data backups.
Another area of focus for entities when building strong cybersecurity programs is asset inventory and management, Brown notes. "Entities should know where data is stored, especially PHI and PII. This is not as easy as it may sound, but it is imperative to know what data may be compromised when there is a breach."
In terms of hacking incidents that affect the health and personal information of healthcare workers, such as in the SEIU 775 Benefits Group breach, "this data has the same value to criminals as patient data, namely to commit identity theft, hold it for ransom, or extort money in exchange for not exposing the data," Fricke says.
"Healthcare is the number one target because of the lack of strong cyber programs across the industry," Brown says. "Entities are improving on the security of customer or patient data, but do not always put the same level of controls around employee data."