4.3m impacted by latest healthcare data breach

Catherine Chipeta

Health Equity, a major US health savings account (HSA) provider, recently disclosed a significant data breach affecting 4.3 million people. As the healthcare industry increasingly becomes a prime target for cyberattacks, this incident highlights not only the vulnerability of even the most prominent HSA providers but also the potential consequences for millions of affected individuals.

Key Points

  • Health Equity breach affected 4.3 million people due to compromised partner credentials.
  • Exposed data included names, addresses, SSNs, and payment information.
  • Healthcare industry faces the highest average data breach costs at $9.77 million per incident.
  • Third-party risk management and rapid detection are critical to preventing such breaches.
  • Finance leaders should prioritise data protection and stay informed on emerging threats.

How did the Health Equity breach happen?

The breach stemmed from unauthorised access to an unstructured data repository outside Health Equity’s core systems. Threat actors exploited a partner’s compromised credentials, gaining entry on 9 March 2024. However, the breach wasn’t verified until 26 June, following an internal investigation.

What data was exposed?

The compromised information varied per individual, but included:

  • Full names
  • Home addresses
  • Telephone numbers
  • Employer and employee IDs
  • Social Security Numbers (SSNs)
  • General dependent information
  • Payment card information (excluding numbers)

How has Health Equity responded?

Upon discovery, Health Equity took swift action:

  • Secured the breached repository
  • Terminated unauthorised sessions
  • Blocked associated IP addresses
  • Implemented a global password reset for the compromised vendor account

The company is offering affected individuals two years of credit monitoring and identity theft protection through Equifax. Health Equity has also advised customers to remain vigilant and review their account statements for suspicious activity.

Healthcare remains #1 breach target

According to the IBM Cost of a Data Breach Report 2024, healthcare remains the costliest sector for data breaches, averaging $9.77 million per incident. While this represents a 10.6% decrease from 2023 ($10.93 million), it’s still significantly higher than other industries – finance comes in second, averaging $6.08 million.

The Health Equity incident is part of a concerning pattern of data breaches in the healthcare sector. In Australia alone, healthcare had the highest number of data breaches between July and December 2023, reporting 104 incidents – 22% of all breaches reported during this period. That is more than double the figure for finance, which came in second with 49 reported breaches (10%).

Recent high-profile cases in Australia, such as the MediSecure and Medibank breaches, underscore the severity and complexity of these cyber threats.

MediSecure breach: In May 2024, MediSecure, a major e-prescriptions provider in Australia, fell victim to a ransomware attack. The incident likely originated from a third-party vendor, highlighting the vulnerability of supply chain relationships. The breach put private personal and health information of millions of Australians at risk, prompting a whole-of-government response. The full extent of the damage is still being assessed, but the incident has already shaken trust in electronic health systems.

Medibank breach: In late 2022, Medibank, Australia’s largest health insurer, suffered a devastating cyber attack that compromised the data of 9.7 million current and former customers. The breach involved sensitive medical and financial information. Hackers initially demanded a $15 million ransom, which Medibank refused to pay. Subsequently, the attackers began leaking customer data on the dark web. The fallout has been significant:

  • Medibank faced a potential $1.4 billion class action lawsuit
  • The company reported a $25 million cost impact in the first half of 2023
  • A joint police operation linked over 11,000 subsequent cybercrime incidents to this breach

These cases illustrate that the healthcare industry remains a prime target for attackers looking to exploit valuable medical data, which can be sold on the dark web to facilitate identity theft and other lucrative cybercrimes.

What does this mean for finance leaders?

In the aftermath of the Health Equity breach, finance leaders should keep the following takeaways in mind:

  1. Third-party risk management is crucial: The Health Equity breach, like many others, originated from a compromised partner account.
  2. Rapid detection and response are essential: The 3-month gap between breach and discovery highlights the need for improved monitoring systems.
  3. Prepare for knock-on effects: As seen with previous breaches like Medibank, stolen data often fuels subsequent scams and cyber incidents.
  4. Prioritise data protection: Implement strong access controls and consider data-centric security measures like encryption and tokenisation.
  5. Stay informed on emerging threats: The cybersecurity landscape is constantly evolving, requiring ongoing education and adaptation.

Potential risks to prepare for:

How finance teams can defend against post-breach scams

When a data breach occurs, finance teams need to stay informed on the latest updates to ensure they’re on guard during periods of heightened suspicious activity. Consider these two key areas:

  1. Employee awareness: Regular training and updates on the latest breaches, risks, and scam tactics.
  2. Anti-fraud processes: Implement automated and centralised controls, such as segregation of duties, to intercept scam attempts.

The Health Equity breach shows that even large, established organisations in highly regulated industries remain vulnerable to cyber attacks. As the healthcare sector continues to digitise processes, finance leaders must remain vigilant, continuously updating their cybersecurity strategies to protect sensitive data and maintain stakeholder trust.
