A cyber attack has resulted in the theft of personal information of Stanford University employees and postdoctoral students, along with their dependents. Officials have confirmed that the breach occurred earlier this year and involved Brightline Inc., which provides virtual mental health services for the children of benefits-eligible employees and postdoctoral students across Stanford’s group of health plans.
The breach has reportedly affected only health plan participants with dependents under the age of 18 and involved “mostly demographic” information, including subscriber and dependent names, contact information, member IDs, dates of birth, and coverage start and end dates. No Social Security numbers or financial accounts were exposed in the data breach, and the stolen files did not contain anything related to medical services, conditions, diagnoses or claims. However, the incident raises concerns about the vulnerability of the healthcare industry to cyber attacks.
“Healthcare providers are among the most highly regulated organizations in any market. The reason for this scrutiny is obvious: they collect and handle some of the most sensitive personal data about an individual, information that goes beyond contact and financial data. And by that very reason, the healthcare industry is among the most lucrative targets for threat actors," says Erfan Shadabi, cybersecurity expert with data security specialists comforte AG.
While it appears that a third party may be culpable, this does not absolve a primary organization from ensuring that all sensitive data is fully protected at all times, Shadabi adds. He suggests that companies should prepare for such eventualities by deploying data-centric security and having a robust backup strategy. “The bare minimum of data security includes fortifying the perimeters around this type of data. However, more effective data protection methods are readily available in the marketplace, including data-centric technologies such as tokenization and format-preserving encryption. These measures guard the data itself instead of the environment around it by replacing sensitive information with representational and innocuous tokens. This data-centric protection travels with the data, so even if hackers circumvent perimeter security or information is inadvertently exposed, any sensitive data subsequently accessed will be worthless, thereby averting the worst repercussions of a breach or leak," he says.
Brightline said in a statement that it is offering two years of complimentary identity theft and credit monitoring to impacted individuals. The company has also set up a toll-free number to share additional information about the breach. ###