A hacker group called Pravvy Sector reportedly accessed and leaked a massive 150GB data trove from the Central Ohio Urology Group on Twitter today, Motherboard reports. It’s unclear how many patients were affected, but the health care organization boasts that it has the "largest concentration of experienced urologists in Ohio."
The dump contained financial spreadsheets, human resource documents, and patient records. Within those records were patients’ names, addresses, phone numbers, dates of birth, and treatments received, including sperm count, semen analysis, and renal ultrasounds.
Little is known about how the group obtained this information, but medical hacks of this kind have become distressingly common. So far in 2016, there have been 49 hacking-related US medical data breaches affecting at least 500 people each. More than 2 million Americans were impacted, and these are only the breaches that have been discovered and reported. Most attacks on the health care sector typically rely on a simple spear phishing email. An employee is often duped into clicking on a malicious link or attachment, and from there, hackers maneuver through the compromised system.
There are bigger, more technical hacks, too. For instance, Anthem and CareFirst BlueCross BlueShield were victims of massive attacks in 2015 that relied on more sophisticated hacking and possibly the use of several zero day exploits. Hackers could even gain entry to a health care network through medical devices, but that's usually unlikely and unnecessary. Generally, medical institutions handle a whole lot of sensitive information and lack the money and resources to build out a full security team. Think of a small hospital in rural America. Its regular IT administrator is already dealing with general tech issues, let alone advanced security. Thwarting hackers requires patched software, updated devices, and live monitoring of networks. And to add to all that, there’s a shortage of cybersecurity professionals.
The reality is that human employees are often the weakest link in security infrastructure and phishing emails are easy to deploy in massive numbers. The Central Ohio Urology Group isn’t the first attack or last attack. Patients are more or less left to hope their health care provider takes security seriously and will actually reports breaches if any are detected.