It has been reported by Jeffrey Roman on DatabreachToday.com that the group that manages the world famous Cedars-Sinai Medical Centre, Cedars-Sinai Health System in Los Angeles, has suffered a data breach potentially affecting 33,000 patients.
The data was on an unencrypted laptop that was stolen from the home of an employee. Roman reports that the laptop had been used in “troubleshooting clinical laboratory reporting software”, and held “some combination of medical record number, patient identification number, lab testing information, treatment information and diagnostic information, the health system reports.”
The report goes on to say that a small percentage of the files, perhaps about 1,500 or so patient details, also contained Social Security numbers.
There are no details of whether this theft specifically targeted an employee of the Cedars-Sinai Health System, or whether the information lost was the intended target, but it is unlikely that its value will go unnoticed by either the thief or whoever subsequently came into possession of the laptop.
It may not be immediately obvious why such information (patient records including diagnostic and treatment information) would be valuable. But the recent shift in hacker activities toward pure profit motives has revealed a particularly heinous form of fraud.
The likes of Sophos’ James Lyne and our own Paul C Dwyer have uncovered scams in which such medical information is stolen specifically for use by scammers. The scammers contact sufferers of severe or terminal conditions, everything from cancers to motor neurone disease, and offer them new, uncertified or purely miraculous cures in return for serious sums of money.
These scammers go to great lengths to appear legitimate and often use documentary evidence from clinical trials or pioneering work by supposedly respected researchers on the fringe of mainstream medicine. However, some are less careful and simply cite ancient medicines from Egypt/India/China/Atlantis.
These scammers prey on the desperation, reduced critical faculties and last hope tendencies of sufferers to extract money for research, early batches of drugs or consultation fees. The money always disappears. However, the scammers are always very careful to keep going until the sufferer is, in a financial sense, exsanguinated.
But there is an even darker side to this, and that is where the scammers target the parents of terminally ill children. One can only imagine the agony of a parent faced with the prospect of an untreatable condition that threatens a child’s life; the scammers again craft careful offers with just enough of a hint of credibility to make these desperate people in desperate situations go to extraordinary lengths to find money with which to buy these miracle cures.
In this context, the Cedars-Sinai breach is most worrying. The first duty in such instances is not to question why such information was on an unencrypted machine, in clear violation of the group’s policy, or even why it was off-site at an employee’s home. Rather, it must be to those patients whose diagnosis details are potentially in the hands of scammers. That duty is to make these patients aware of the dangers that lie in any offers that may be made, whether presented as a miracle cure, a secret breakthrough or ancient wisdom. The group must now ensure that these patients are adequately educated about and protected from this most heinous fraud practice.