In the NTreatment data breach, it appears that none of the data was encrypted. Furthermore, the security protocols were such that nearly all of the sensitive files were viewable in the browser. It is also apparent that some of the medical records belonged to children.
The data was secured on November 30, 2020, after industry website TechCrunch contacted the company. In a response email, NTreatment co-founder Gregory Katz told TechCrunch that the server was “used as a general purpose storage,” but did not say how long the server was exposed.
These types of data breaches are an ongoing concern, especially given how much more data is now digital and the number of services that people need to interact with and provide personal data to.
Looking into the issue for Digital Journal is Mark Bagley, who is the Vice President of Product at AttackIQ.
According to Bagley, the incident is concerning in the context of the general spate of cyberattacks and the interest from hackers. He notes: “The healthcare industry has become a primary target for cybercriminals due to protected health information (PHI) being extremely profitable on dark web marketplaces.”
The reason for this interest, Bagley states, is that: “Healthcare data usually contains fixed information, such as dates of birth and Social Security Numbers, which hackers can use to commit identity theft for years to come. Healthcare organizations that manage large amounts of PHI must take proactive approaches to protect their data.”
Expanding on the matter of preventative actions, Bagley recommends: “In addition to the usual control-centric approach, holders of PHI need to add continuous evaluation of their existing security controls to uncover gaps before a hacker finds and exploits any weaknesses, with a special eye to validation of the third-parties they work with given the sensitivity of the information.”