21,856 Individuals Impacted by HIPAA Business Associate Data Breach

This HIPAA business associate data breach underscores the value of reviewing system activity logs. Nebraska-based CBS Consolidated Inc., which does business as Cornerstone Business & Management Solutions, performed a regular review of system logs on July 10, 2017 and found an unknown account on the web server. A more detailed evaluation showed that the account had been used to download sensitive data from the web server, including the protected health information (PHI) of patients who used its healthcare supplies.

The company supplied durable medical products to 21,856 patients through Medicare coverage. The PHI of these patients was potentially affected. The information that may have been exposed included names, birth dates, addresses, insurance information, and Social Security numbers. Although personal data was compromised, the hacker did not obtain any information about the patients’ medical conditions, the items they bought, or their financial data.

It is presently uncertain how the unknown account was created, and the matter is still being investigated. CBS states that after it discovered the unauthorized access, the web server was isolated and data access was blocked. Since the incident was discovered, CBS has been carefully checking its systems and has found no other evidence of data theft or unauthorized data access.

Because of the very sensitive nature of the information that the hacker stole, all persons affected by the breach were given one year of free credit monitoring and identity theft protection services. CBS is also reviewing its security protections and will implement new administrative safeguards, give employees extra security training, and enhance technical controls to prevent future breaches.

This CBS Consolidated breach is the second-worst breach that a HIPAA business associate reported in 2017. The first is the 56,000-record breach that Enterprise Services LLC reported in June.