Russian hackers hit DoD: PHI at risk?

Tom Sullivan, Editor-in-Chief, Healthcare IT News

We saw with the Sony hack that when attackers find health data they’re likely to steal it

The Pentagon confirmed late Thursday that Russian hackers penetrated the Defense Department’s IT networks and gained access to Joint Chiefs of Staff email servers.

As has become the norm for government and private sector institutions immediately following an attack, the DoD labeled this incident “a sophisticated cyber intrusion” that was “clearly the work of a state actor” employing “new and unseen approaches” and the agency reacted by shutting down email. The system has been offline for about two weeks.

Multiple news outlets are reporting DoD claims that the hackers did not crack into any classified networks but did manage to steal approximately 4,000 records.

Was any protected health information, personally identifiable information or other health data in there? Too soon to tell.

It might seem a stretch to think that Russian attackers, whether a government team sanctioned by President Vladimir Putin or as some reports suggest the hacking group APT29, would infiltrate the DoD in search of health data rather than military secrets but that’s not to say they couldn’t have stumbled onto PHI or PII.

A quick look back at the Sony hack, in fact, demonstrates how that is a real possibility. That incident was also originally branded as sophisticated and undertaken by a nation-state, in Sony’s case, Korea. It’s reasonable to believe the attackers did not set out in search of health data. That was ostensibly tied to the Christmas release of The Interview, a controversial film depicting Korea’s supreme leader Kim Jong-un in an unflattering light.

But in the aftermath of the Sony attack, we learned that the cyberthieves tucked health data of more than three dozen Sony employees under their arms on the way out the virtual door. Personally identifiable information included, among other documents, a spreadsheet carrying birth dates, gender, health conditions, and medical costs for 34 employees and their families.

Could the same thing that happened at Sony, wherein attackers went in for one reason but found and stole health data anyway, happen at the DoD? Absolutely possible.

We’re talking about criminals and, with the World Privacy Forum estimating health records to be worth as much as 50 times the value of financial records on the black market, it’s not at all a stretch to envision attackers stealing that data for money or other nefarious purposes.

The new reality: Any organization that offers health benefits to its employees and communicates about them via email is susceptible to a cyber attack on health data – it’s not just HIPAA Covered Entities anymore.