On February 25, Pasquotank-Camden Emergency Medical Service in North Carolina reported a breach to HHS that affected 20,420 patients. A notification sent to the Vermont Attorney General’s Office explained that sometime in late December, 2018, the county became aware of an unauthorized intrusion from outside of the U.S. Investigation revealed that the intruder was able to access files with protected health information, but they found no evidence that data was exfiltrated or misused. The county notified all those potentially impacted and offered them 12 months of credit monitoring and credit restoration services, should they be needed.
A few days later, however, Jon Hawley of the Daily Advance reported on the incident, but reported that it was 40,000 patients affected as per the county’s most recent statement that week. Hawley also provided additional details, including the facts that the hack had occurred on December 14, that the hacker had erased files, and there had been no ransom demand.
Of special note:
Hammett said the hacker exploited a vulnerability in the county’s billing software, provided by the company TriTech, and tricked it into considering the hacker a normal user. That allowed the hacker to access records as far back as 2005, though most dated back to 2010, Hammett said.
Some of the text files the hacker viewed were thousands of pages long, Hammett said, making it a long process to review what information had been compromised, who should be notified, and how.
“Russy,” a regular reader of and contributor to this site, notes that in 2018, TriTech merged with Superion to form CentralSquare. Superion/CentralSquare is the company behind Click2Gov, the billing software many municipalities use. But unless I’m misuinderstanding something, this does not appear to be the same vulnerability involved in Click2Gov breach reports, as Hawley cites the county manager Sparty Hammett as telling him that TriTech “was not aware of the vulnerability, and has closed it. ”
Hammett also informed the paper that the county may move EMS data to TriTech’s cloud, rather than store it locally, or switch to another software entirely.
EMS Director Jerry Newell said the data breach did not hinder ambulance response, and the agency was able to quickly restore the lost data. It sounds like the county had learned important lessons from a previous and severe attack in May, and was now better prepared in a number of ways.
Read more on The Daily Advance.