While a lot of the cybersecurity incidents that I’ve been tracking here could have been prevented by the entities that suffered them, this is an exception. And also a reminder.
Patient information was exposed in a cyberattack that affected the Harris Health System and other industries worldwide, officials said Friday in a news release.
The attack, which came to light last month, involved a Russian ransomware group that gained access to the file transfer software MOVEit. The compromised information at Harris Health varied by patient but may have included Social Security numbers, immigration status and information related to treatment, such as procedure information, treatment cost and diagnosis. The information did not involve Harris Health medical records or patient financial information, the release said.
The health system has started sending letters to affected patients with additional information on steps to monitor and protect their personal information. The system also offers complimentary credit monitoring and identity theft protection services to patients whose Social Security numbers were compromised.
Patients are encouraged to review statements from their health insurer and healthcare providers and to contact the insurer or provider if they notice any services they did not receive.
Harris Health learned about the breach on June 2 and launched an investigation with a third party, the release said. The investigation found that the breach occurred on May 30.
The incident did not affect all Harris Health patients — only those whose information was included in the files downloaded from the MOVEit server, the release said. The Harris Health network remains fully operational and there has been no impact to patient care or services, the release said.
As the story notes, lots of companies and government entities were victimized by this attack, which was similar to the Accellion breach from 2021; indeed, the same attacker was responsible for both. MOVEit, like Accellion, is a SaaS application, so it is operated and maintained by the vendor. As the customer, you are relying on them to keep the barbarians from the gate. Sometimes you lose. That’s how it is with cybersecurity – you can do everything right on your end, but you’re still vulnerable because you’re dependent on partners, vendors, contractors, and so on. It just is what it is. Anyway, since I’ve blogged so much about this stuff I wanted to mention this one as well.