Zoll Medical, a medical device and software manufacturer, has announced that the personal and health information of over a million people, including patients and employees, may have been compromised in a data breach in January. The company detected unusual activity on its internal network on January 28 and confirmed the intrusion on February 2. Potentially accessed or exfiltrated data includes names, addresses, birth dates, and Social Security numbers of current and former employees and patients. Additionally, the affected individuals may be identified as users or potential users of Zoll's LifeVest wearable cardioverter defibrillator.
Zoll, owned by Japanese multinational chemical company Asahi Kasei, stated that there is no indication that the exposed information has been misused. The company collaborated with third-party cybersecurity experts to respond to and remediate the incident and notified law enforcement and regulatory agencies as required by law. The nature of the attack, whether information was exfiltrated or a ransom demanded, and the methods used to infiltrate the company's internal network remain unclear.
This is not the first data breach Zoll has experienced. In late 2018, a configuration error during a server migration by third-party vendor Barracuda Networks exposed the health and personal data of over 277,000 patients, leading to a lawsuit. The incident exposed some of Zoll's archived emails from November and December that year.
Stuart Wells, CTO of Jumio, shared how this most recent Zoll Medical security incident emphasizes the need for strong biometric authentication measures to keep end-users and their data safe:
“Major breaches like this one can have a devastating impact on organizations and users alike. With personal details like names, birth dates and Social Security numbers compromised, one million patients, current and former employees, as well as their families, find themselves at risk of phishing attacks, insurance fraud, identity theft and account takeover attacks. This incident further proves that healthcare organizations must be placing more stringent security measures to protect their users, in addition to their own reputation. For instance, biometric authentication (which leverages a person’s unique human traits to verify identity), liveness detection and anti-spoofing technology are safe, secure security measures that can be used to ensure data is only accessed by authorized users, keeping data protected and out of fraudsters’ hands.” ###