NEWPORT NEWS, Va. (WAVY) – A data leak is impacting thousands of patients of healthcare systems around Hampton Roads, including the Sentara Health system.
Credit Control Corporation, otherwise known as R&B Corporation, fell prey to hackers, according to a report published by the Attorney General’s Office of Maine. Hackers accessed files that included patients’ personal information, including names, addresses and Social Security numbers.
Included in the breach are Children’s Specialty Group, Dominion Pathology Laboratory, Emergency Physicians of Tidewater, Medical Center Radiology, Mary Washington Healthcare, Riverside Health System, Sentara Health and Valley Health.
“We classify it as third-party risk,” said Greg Tomchick, CEO of Valor Cybersecurity. “It’s a risk of working with someone who’s working with your business, and at the end of the day, that brings a risk.”
While the origins of the hack aren’t made public, Tomchick said that 85% of cyber incidents occur through email. Commonly, bad actors monitor employees, learning their names and roles. They make email accounts nearly identical to people the employee corresponds with. They send a link, pretending to be a colleague or someone known to the victim. The victim, by clicking on the link, can open the door of the company wide open, Tomchick said.
Tenilces Adams of Norfolk said she’s a patient in the Sentara Health System. She told 10 On Your Side she was disturbed to learn that she is a victim of the attack.
“It’s not acceptable,” Adams said. “I was real upset when I first found out. I was worried about what information do they have. It can mess up your credit or whatever. Somebody can get your identity or something like that.”
Adams said that she intends to regularly check on her credit score through a bureau such as Credit Karma or Equifax.
Victims of the data breach are offered a year of complementary credit monitoring through Kroll. Adams said she would not accept the services because she has already lost trust in CCC.
She said that she is disturbed her information was shared through an avenue intended to make her safe.
“I thought my information would be protected. You go to the doctor, you think that your information would be protected you put all your information out there to them,” she said.
Tomchick said the best way to defend against attacks like this is to train employees to recognize attempts to sneak into networks.
“It all starts with training and awareness,” he said. “So, making sure that that person who potentially clicked on the link is now trained to be able to recognize that. I think that’s really the starting point,” if the leak originated through a phishing scam. He also said that many companies are moving to advanced monitoring to filter suspicious emails before they hit employees’ inboxes.
Sentara Health released a statement through spokesman Dale Gaulding.
“Sentara is one of many CCC customers in health care and other businesses affected by this breach. CCC is providing mailed written notices of the incident and the steps they are taking to mitigate it. The security of Sentara patients’ and members’ personal information is important to us. We encourage patients or health plan members who received a letter and have additional questions to contact CCC in the manner described in the letters,” Gaulding wrote.