Two Hospitals Learn They Had Been Hacked When FBI Visited
Recently, the FBI has been knocking on businesses doors.
First we heard about Scottrade. In October the FBI came visiting Scottrade. Hi. How ya doin’? Oh, by the way, we found files on 4.6 million of your customers on the dark web. Have a nice day.
In September it was Owensboro Health in Kentucky. The FBI visited them and said that they found their data on the web. AFTER the FBI visit, Owensboro, now called OH Muhlenberg after a merger, found keystroke loggers on some of their computers. They think they may have been there since 2012. The computers with the keystroke loggers were used to enter patient financial data and health information. Information potentially taken includes name, address, phone number, birth date, social security number, drivers license number, health plan information, diagnoses, treatment, bank account numbers, credit card information and other data. In other words, anything and everything.
This is an example of what can happen if you don’t do cyber due diligence. Owensboro bought Muhlenberg and got a free, full blown data breach at no extra charge.
In December, Maine General announced that they too had been visited by their friends at the FBI to tell them that they had been breached. This breach seems a little less worrisome in that no financial data was taken – or at least they don’t think so.
The good news is that the FBI is telling businesses that they are finding their data on the web. The bad news is that the FBI is telling businesses that they are finding ….
At that point, the cat is kind of out of the bag.
After the shock wears off, the CEO gets to call up his Chief Information Security Officer and tells him or her to bring his documented and tested incident response plan over cuz we need to use it. Like now. What? You don’t have a Chief Information Security Officer? Or an Incident Response Plan? And that means that it has not been tested. Oh-Oh!
Needless to say, this is NOT the way the CEO wanted to spend his or her day. Or the next few years as he or she deals with regulators and lawsuits. Not much fun at all.
The time to plan is before the FBI pays you a visit.
Information for this post came from Data Breach Today.