Healthcare Roundup: Pandemic-Fueled Drug Diversion, Walgreens’ Pharmacy Data Breach, and More
Every month, we compile the most compelling healthcare privacy and security-related news stories. Below, you’ll learn about pandemic-fueled drug diversion, a new Walgreens pharmacy data breach, the top target for credential theft, and more.
According to an open FBI investigation, South Dakota residents who tested positive for COVID-19 may have had their personal information exposed. Netsential, a database used to minimize the chances of law enforcement officers and medics contracting coronavirus, was breached when a third-party vendor obtained access to personal information stored on the server. The database host added labels to files that identified individuals, including names, addresses, birthdates, and COVID-19 status. While the breach did not include financial information or Social Security numbers, the Department of Public Safety (DPS) did inform affected patients that their data may be available on various internet sites that link to the Netsential files.
Healthcare facilities may be focused on fighting a pandemic, but that doesn’t mean putting the opioid epidemic on hold, experts warn. According to the Federal Office of National Drug Control Policy’s Overdose Detection Mapping Application Program (ODMAP), drug diversion is on the rise. The ODMAP reports that overdose deaths have increased due to COVID-19, and suspected overdoses grew 18% in March, 29% in April, and 42% in May.
Experts are concerned about unreported cases, particularly because drug diversion in healthcare settings is often undetected and underreported. Hospitals are vulnerable to drug diversion given the large number of drugs available, the focus on COVID-19 patients, and the increase in temporary medical workers.
Fortunately, preventing drug diversion doesn’t have to be complicated; using a monitoring solution and educating staff can significantly reduce it, particularly during a time when health and safety are at unprecedented risk.
Walgreens, the second-largest pharmacy chain in the United States, recently reported a breach that exposed the protected health information (PHI) of nearly 72,000 customers. The breach occurred when looters broke into about 180 Walgreens stores and stole items with personal health data; namely, prescriptions. Walgreens stated that neither financial information nor Social Security numbers were included in the breach. Still, the exposed data contained names, addresses, birthdates, prescription names and strengths, and insurance information. Customers were notified and instructed to monitor their health benefit statements and insurance summaries for unusual activity that may indicate fraud.
This breach offers a powerful reminder that data breaches are not always technological – physical attacks are still a vulnerability that must be considered for PHI privacy and security.
The vast majority (93%) of Americans agree they’d make the switch to organizations that prioritize and enforce responsible data privacy, according to The Data Privacy Feedback Loop 2020, with 91% preferring to patronize companies that guarantee consumers access to their information. Almost two in five respondents would spend more money if it meant they were choosing a business that puts privacy first. Along with the push for privacy legislation and regulation, these findings demonstrate the importance of privacy to consumers and lawmakers worldwide. In fact, 94% of people agree that data privacy will be more critical in the next five years as privacy awareness and data management practices evolve. If businesses want to maintain a loyal customer base, transparency and ethical data management are key.
“What stood out most urgently to us was that as privacy becomes an ever-more-important concern, it becomes an ever-more-important part of consumer decision-making. Consumers are ready to align their loyalty and purchasing decisions with companies that prioritize their data rights.”
– Ben Brook, Co-Founder and CEO, Transcend
3.1 million patients had their information exposed after a medical software company’s database was left unprotected online. Security researcher Bob Diachenko discovered the database, which contained patient data, including names, addresses, phone numbers, marital status, and other information commonly used for fraud. While it’s unclear whether cybercriminals accessed the data, it was destroyed ten days after discovery, indicating it may have been stolen by a bot that attacks unprotected databases.
Research shows that it takes just eight hours to breach unsecured and misconfigured databases, a recurring problem in the healthcare industry – around one-third of healthcare databases are leaking patient data. Breaches such as this are avoidable with the right security measures and administrative controls like proper authentication, the principle of least privilege, and defense-in-depth architecture.
Researchers are reporting a significant increase in the number of spoofed login pages, particularly for organizations like Microsoft, Google, and LinkedIn. Hackers use authentic-looking login pages to trick users into entering their account credentials, giving hackers access to users’ private information. The study from IRONSCALES found that the healthcare industry is the most targeted sector, likely due to the value of information contained in medical databases.
According to the report, spoofed login pages succeed because they bypass technical controls through social engineering, and they exploit inattentional blindness – failing to notice a change that’s hidden in plain sight. Organizations can combat credential theft and other social engineering tactics with routine security training and by monitoring user activity for suspicious behavior that may indicate a hacked account.
“We see fake login pages being used for one very good reason: they work. As long as users fall for this trick, the bad actors of the world will continue to use them.”
– Chris Hauk, Consumer Privacy Champion, Pixel Privacy