Zoll Medical, a company that builds hardware and software for the medical industry, filed a report with the Maine Attorney General’s Office earlier this month detailing the hack that led to the data theft.
As reported by Spiceworks, the company filed a document on March 10 claiming to have discovered the breach on January 28. Additionally, the report says the company cut off attackers from accessing sensitive data five days later on February 2.
During the incident, hackers stole confidential data belonging to both company employees and consumers. More than a million people seem to have been affected by the hack.
The police were notified
The company further explained that the stolen data included names, addresses, dates of birth, as well as social security numbers. In addition, some details regarding the purchase of Zoll products were also obtained, such as whether customers used or planned to purchase a LifeVest wearable cardioverter defibrillator.
“We consulted with third-party cybersecurity experts to help us respond and remediate the incident, and notified law enforcement and federal and state regulatory agencies as required by law,” the company wrote in the filing.
The details of the events that led to the data exfiltration are unclear. We don’t know if any malware was involved or if the company actually fell victim to a ransomware attack. The company did not specify whether cybercriminals used phishing or other social engineering methods to break into the network and its endpoints.
For hackers around the world, personal data is a goldmine that can be easily monetized by selling it on dark online forums or using it for phishing and identity theft attacks. It’s no wonder that healthcare companies store huge amounts of sensitive personal information and are among the most frequently attacked organizations in the world.
“Understanding and tracking the Personal Health Information (PHI) they hold is a priority for all healthcare organizations,” commented Jocelyn Houle, Senior Director of Data Management at Securiti.
“Techniques such as data masking can enable key business users to leverage patient data while minimizing the damage caused by a security breach. Equally important is the implementation of automation to determine what patient data is stored, where and for what purposes it is used in order to respect patient privacy rights and understand the regulatory implications of the unfortunate data breach.”
By: spiceworks (opens in a new tab)