The Cost of Complacency: Ethan's Battle with a Data Breach

Justin Bonk, CISSP, PCI-QSA, CIA, CISA, CIPP/US

Senior Manager, Freed Maxick Risk Advisory Services


How Ethan’s Thriving Practice Fell Victim to Data Loss from a Cyberattack

Ethan owned and operated an extremely successful physical therapy practice. Starting with a single office, Ethan grew the business steadily, opening nine additional offices over the last decade. His practice was thriving, serving just over six hundred patients each year. Little did he expect that his world would soon come crashing down.

The Call

One evening, Ethan received a call from Jason, one of Ethan’s very first patients. Jason was very aggravated. He had just been informed by a relative that dozens of medical records were available on hacking forums for purchase. The records all came from Ethan’s office and contained very sensitive, personal information. After some choice words, Jason provided Ethan with the URL for the forum. Ethan promptly investigated, and after perusing the site for an hour was able to determine that these were indeed legitimate patient records that had come directly from his office.

The Data Loss: What Happened

Ethan was baffled as to how these records could have been compromised. He asked Josh, his IT Director, to look into it. Immediately, Josh noticed that there was a domain administrator account that he was unfamiliar with. This account had unfettered access to all data within Ethan’s company, and no one knew who it belonged to. Realizing how bad the situation was, Josh informed Ethan he would need to engage a cyber-forensic firm to investigate the full extent of the issue.

The Server Breach

After several weeks and tens of thousands of dollars in fees, Ethan received the bad news. The domain administrator account in question had indeed been created by a bad actor over three months earlier, and every single medical record in the organization had been compromised. Names, addresses, social security numbers and private medical information had all been exfiltrated. The initial entry was made by exploiting a vulnerability in the web server the practice used to host its website and scheduling software. The web server was running an outdated version of Windows that was easily exploited. From there, the attacker was able to pivot and create a new domain administrator account that gave them full access. The attacker was likely still actively monitoring the network at that very moment. Josh had been telling Ethan for a year that the server was out of date and needed replacement, but each time Ethan rejected the request, feeling it wasn’t necessary to run the business.

The Aftermath of Data Loss

After the extent of the breach was determined, things got very difficult for Ethan and his company. First, they had to let all of their patients know that their data had been breached. To soften the blow, Ethan provided a year of free credit monitoring to all patients, at significant expense to the organization. Ethan wasn’t too concerned: he had a cyber-insurance policy that would cover the costs. But when he filed his claim, the insurer denied it. His policy required him to maintain up-to-date systems, and since the breach occurred because of his company’s failure to update its infrastructure, he would receive no payout. To make matters worse, because the breached data was Protected Health Information (PHI), the breach was also a HIPAA violation. Ethan was contacted by the Department of Health and Human Services (HHS), which had launched an investigation into the incident and would likely impose a hefty five- to six-figure fine, pending the results of the investigation. Under the law, if more than 500 individuals were affected, Ethan would also have to alert the local media and be listed on the HHS website of breaches.

Lessons Learned and Data Loss Prevention Best Practices

Ethan’s nightmare could have been avoided using several mechanisms:

  • Keep Your Systems Patched – Vendors continuously develop patches for their software and OS products as new vulnerabilities in those products are identified and fixed. Out-of-date systems, or systems that are ‘end of life’, are an easy way for an attacker to gain unauthorized entry to a company’s network.
  • Data Loss Prevention Software – Many Data Loss Prevention (DLP) software applications exist to monitor and control the outbound flow of sensitive information. Had Ethan’s practice utilized DLP, it may have identified that sensitive data was being exfiltrated.
  • Regularly Perform Vulnerability Scans – Vulnerability scans analyze your systems from outside and inside your network. These scans will identify unpatched or end-of-life systems like the one this attacker used to gain initial entry to the network. Knowing where the weaknesses are in your environment is a vital asset in addressing the gaps.
  • Utilize a Security Information and Event Management (SIEM) Solution – Most SIEMs analyze network and system activity to identify unusual and/or potentially malicious activity, and alert IT in real time. If a SIEM had been in place at Ethan’s practice, it likely would have identified the creation of the new Domain Administrator account and notified Josh in time to stop the attack before the data was taken.
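The SIEM point above is concrete enough to show as a detection rule. What follows is an added example, not code from the blog or from Freed Maxick: a small correlation rule over Windows Security log events that flags exactly the pattern in the story, a freshly created account being added to a privileged group such as Domain Admins. The Event IDs (4720 account created; 4728, 4732 and 4756 member added to a global, local or universal security group) are the real Windows ones; the log records, host names and user names are constructed sample data, and the field layout is a simplified stand-in for what a SIEM would normalize from the raw event.

```python
"""
Toy SIEM-style correlation rule: alert when an account is added to a
privileged Active Directory group, and escalate when that account was
created only shortly beforehand (new account promoted straight to admin).

Added example with constructed log data; not the blog's own code.
"""
from datetime import datetime, timedelta

# Real Windows Security Event IDs.
ACCOUNT_CREATED = 4720           # A user account was created
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # Member added to global / local / universal security group

# Groups whose membership changes always deserve a look (assumption: tune per domain).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# A promotion within this long after account creation is treated as suspicious.
NEW_ACCOUNT_WINDOW = timedelta(hours=24)

# Constructed sample events (hypothetical host and user names), already
# reduced to the fields the rule needs: 'subject' is who performed the action,
# 'target' is the account acted upon, 'group' is set only for membership changes.
SAMPLE_EVENTS = [
    {"time": "2024-03-02T14:01:10", "event_id": 4624, "subject": "jdoe",
     "target": "jdoe", "group": None, "host": "DC01"},            # ordinary logon, ignored
    {"time": "2024-03-02T23:12:03", "event_id": 4720, "subject": "websvc",
     "target": "svc_backup2", "group": None, "host": "DC01"},     # new account created late at night
    {"time": "2024-03-02T23:12:41", "event_id": 4728, "subject": "websvc",
     "target": "svc_backup2", "group": "Domain Admins", "host": "DC01"},  # ...and promoted 38s later
    {"time": "2024-03-05T09:30:00", "event_id": 4728, "subject": "josh.admin",
     "target": "it.helpdesk", "group": "Clinic Staff", "host": "DC01"},   # non-privileged group, ignored
    {"time": "2024-03-05T09:31:00", "event_id": 4728, "subject": "josh.admin",
     "target": "ethan", "group": "Domain Admins", "host": "DC01"},        # existing account promoted
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_privileged_group_additions(events, window=NEW_ACCOUNT_WINDOW):
    """Return one alert dict per addition to a privileged group.

    Severity is 'critical' when the promoted member was itself created
    (Event 4720) within `window` before the promotion; otherwise 'high',
    because promotions of existing accounts are rare enough to review too.
    Events may arrive unordered; they are sorted by timestamp first.
    """
    created_at = {}   # account name -> time of its most recent 4720
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = _ts(ev["time"])
        if ev["event_id"] == ACCOUNT_CREATED:
            created_at[ev["target"]] = t
            continue
        if ev["event_id"] not in GROUP_ADD_EVENTS or ev["group"] not in PRIVILEGED_GROUPS:
            continue
        member = ev["target"]
        born = created_at.get(member)
        new_account = born is not None and timedelta(0) <= t - born <= window
        if new_account:
            reason = "account created %s before being added to %s" % (t - born, ev["group"])
        else:
            reason = "existing account added to %s" % ev["group"]
        alerts.append({
            "time": ev["time"],
            "severity": "critical" if new_account else "high",
            "member": member,
            "group": ev["group"],
            "actor": ev["subject"],
            "host": ev["host"],
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_privileged_group_additions(SAMPLE_EVENTS):
        print("%(time)s [%(severity)s] %(actor)s added %(member)s to %(group)s on %(host)s: %(reason)s" % alert)
```

Run against the constructed sample, the rule raises a critical alert for `svc_backup2` (created and made a Domain Admin within a minute, by a service account) and a high alert for the promotion of `ethan`, while the `Clinic Staff` change produces nothing. In a real deployment the alert would also carry the raw event text and go to whoever owns the domain, and the privileged-group list and time window would be tuned to the environment.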

Ethan’s story serves as a cautionary tale that cyberattacks can come from anywhere, and once an attacker gains access, the damages can be extensive.

Take Control of Your Data and Cybersecurity Today!

If this story resonates with you or leaves you feeling vulnerable, know that you don't have to face these challenges alone. Freed Maxick's cybersecurity experts are here to empower you with the knowledge and solutions to protect your digital world.

Our team, led by experienced professionals, is dedicated to helping businesses like yours fortify their defenses and stay one step ahead of cybercriminals. We understand the unique challenges small businesses face and tailor our solutions to meet your specific needs.

Don't wait until it's too late. Reach out to us today to start a conversation about your cybersecurity concerns and how we can help you build a robust defense against digital threats. Contact Justin Bonk, a member of our team, at justin.bonk@freedmaxick.com and take the first step toward a safer digital future. Remember, in the world of cybersecurity, preparedness is your best asset. Secure your business and protect your future with Freed Maxick.



The scenarios depicted in this blog post are purely fictional and are intended solely for illustrative purposes. Any resemblance to real events or individuals is coincidental. While these stories are not based on actual incidents, they are designed to underscore the potential cybersecurity risks that individuals and organizations may face. It is essential to treat cybersecurity seriously and implement appropriate safeguards. For personalized cybersecurity guidance and solutions, please seek advice from qualified professionals.
