The Week in Breach-BBH
Exploit: Unsecured business associate portal
BBH: Mental health service provider based in Missouri
Risk to Small Business: Severe: BBH has sent letters to patients notifying them of a breach that occurred in August of last year. Potential attackers would be able to infiltrate a business associate’s portal to access electronic protected health information (ePHI) and compromise sensitive records. The mental health service provider noted that there was no evidence of unauthorized access, but will be providing free identity monitoring, protection, and reporting from agencies including Equifax, Experian, and TransUnion. Along with the direct costs associated with offering such services to patients, the organization will have to pour funds into reputation management.
Individual Risk: Severe: The exposed records included names, addresses, contact information, DOBs, medical history information, driver’s license numbers and SSNs. Given the amount of time that has lapsed, patients are at high risk and should immediately begin monitoring their identity and credit reports.
Customers Impacted: 67,493 patients
How it Could Affect Your Business: As breaches continue to become more commonplace, companies are being held accountable for providing free identity protection for their customers and employees. Such damage can be disabling for small businesses, especially when combined with the costs that come with managing public relations.
In Other News:
Celebgate 2.0: attacks on the Apple accounts of musicians and athletes
A Georgian man has confessed to hacking the Apple accounts of NFL and NBA players, along with famous musicians. By creating fake accounts and impersonating Apple’s customer service, Kwamaine Jerell Ford was able to send phishing emails that coaxed victims into providing their login credentials as early as 2015. Once he had taken over the accounts, he would change the email addresses and passwords, and proceed to purchase air travel, hotels, and furniture.
With credit card information from Apple in hand, he was also able to transfer money to his own online payment accounts. Ford has pleaded guilty to one count of computer fraud and one count of aggravated identity theft. He will be sentenced on June 24.
Such an incident serves as a strong reminder of just how much damage can be inflicted through phishing. To prevent this highly effective form of cyberattack, small businesses and security providers invest in solutions that are specifically designed with customers and employees in mind, and able to proactively stop phishing campaigns in their tracks.