720-891-1663


You’ve Been Hacked: Do You Know What Was Taken?

Note: this is not about a breach at Comstar; this is about you, so please be a little patient.

On or about March 26th, US ambulance billing service Comstar discovered that it had been breached sometime in the past, according to a press release announcing the big event.

Comstar doesn’t say when the breach happened, but they do say that about a month later they decided that “some systems were subject to unauthorized access”. How’s that for vague?

The press release came out on June 14th, about two and a half months after the breach was discovered. Remember that current laws require you to announce this, in many cases, within 3-4 days. This timeline does not meet that requirement.

It says that the investigation was unable to confirm what specific information on those systems was accessed.

What they discovered is that the systems, not surprisingly, contained patient data like name, date of birth, social, financial information, health insurance information, medical assessment and other sensitive information.

Why did they have to do a press release?

Because their systems are not robust enough to tell them what happened and so, the lawyers told them that, to minimize the legal liability, they had to assume the worst. Which could be close to what happened. They just don’t know.

So here is the part that affects you. If you were hacked, could you figure out when the hackers got in? How long would it take you to discover the hack? Could you determine how the hackers compromised your systems? Could you tell how many back doors the hackers left behind? Would you know what specific systems and databases the hackers touched? More importantly, would you know whose personal data they touched? And would you know what specific data was taken?

If the answers to these questions are no, then you, too, might have to issue a press release announcing the event. Don’t want to have to do that? Then you need to get some technology and processes in place.

Call us.

Credit: Portswigger