Maternal & Family Health Services (MFHS), a US-based non-profit health and human services organization, has reported that it was hit by a ransomware attack between 21 August 2021 and 4 April 2022. An investigation revealed that the attack may have exposed sensitive information, such as names, addresses, dates of birth, social security numbers, driver's license numbers, financial account and payment card information, usernames and passwords, and medical and health insurance information, to an unauthorized individual. MFHS only started issuing letters to potentially impacted individuals on 3 January 2023, and is offering credit monitoring and identity theft protection services to individuals whose personal data may have been involved in the incident. Avishai Avivi, CISO, SafeBreach, shared his thoughts on the timeline of the breach disclosure and called for stricter breach notification regulations:
“This latest breach and subsequent press release by Maternal & Family Health Services is deeply concerning. It highlights the fact that HIPAA and HITECH are not sufficient to protect patient privacy. Another worrying sign is that it took almost 8 months from discovery of the breach (April 4th, 2022) before the organization started reaching out to individuals potentially impacted (January 3rd, 2023).
I believe regulations must be tightened to follow the lead from the financial industry. This includes shorter notification windows, as well as stronger defenses. The fact that a ransomware attack was able to impact patient data would indicate that Maternal & Family Health did not validate their controls against such attacks.”