Patients' Social Security Numbers Have Been Compromised in a MU Health Care Data Breach
People tend to forget that the most important task after discovering a data breach is protecting the affected users' privacy. Instead, they often focus on finding out who or what is to blame for the incident. Let's take that approach for a moment and see who is responsible for the breach that Missouri Health Care (MU Health Care) reported last week.
MU Health Care patients' data was accessed via compromised email accounts
About eight months ago, it became apparent that some University of Missouri students affiliated with MU Health Care had had their email accounts compromised. The "unauthorized individual" first broke in on September 19, 2019, and although MU Health Care learned about the attack on September 21, the intruder's access wasn't cut off until September 26.
Inside the students' inboxes, the cybercriminals found quite a lot of personal information belonging to MU Health Care patients, including names, dates of birth, health insurance data, "limited" treatment and clinical information, and "a small number" of Social Security numbers. The attack was followed by a lengthy investigation during which MU Health Care managed to identify all affected patients. For some reason, however, the announcement fails to mention how many people had their information exposed.
MU Health Care: It was a credential stuffing attack
MU Health Care's announcement was quick to point out that the hackers managed to break into the email accounts because of the students' poor password management. According to the press release, the students had accounts at a third-party service that got breached. At that service, they were using the same usernames and passwords that protected their email accounts, and the hackers took advantage of this. In other words, they were hit by a credential stuffing attack.
MU Health Care is at pains to explain that its own systems were not compromised and that the only cause of the breach is the students' password reuse. Indeed, the whole concept of credential stuffing rests on the fact that people use identical passwords for many different services, and this is just the latest in a seemingly endless line of attacks showing how bad the consequences of that can be.
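Credential stuffing has a recognizable signature in a mail server's authentication log: one source tries many different accounts, typically once each, and most attempts fail because the leaked password only works for the users who reused it. The following detector is an added illustration, not code from the article or from MU Health Care; the log format and the sample lines are constructed, and the thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample webmail auth log (not real data): timestamp, source IP, account, outcome.
# 203.0.113.7 sprays one attempt across many accounts; 198.51.100.4 is one user retrying a typo.
SAMPLE_LOG = """\
2019-09-19T02:14:01Z 203.0.113.7 student1@example.edu FAIL
2019-09-19T02:14:02Z 203.0.113.7 student2@example.edu FAIL
2019-09-19T02:14:02Z 203.0.113.7 student3@example.edu OK
2019-09-19T02:14:03Z 203.0.113.7 student4@example.edu FAIL
2019-09-19T02:14:04Z 203.0.113.7 student5@example.edu FAIL
2019-09-19T02:14:05Z 203.0.113.7 student6@example.edu OK
2019-09-19T02:15:00Z 198.51.100.4 student3@example.edu FAIL
2019-09-19T02:15:09Z 198.51.100.4 student3@example.edu FAIL
2019-09-19T02:15:20Z 198.51.100.4 student3@example.edu OK
"""

@dataclass
class SourceStats:
    accounts: set = field(default_factory=set)      # distinct accounts tried from this source
    attempts: int = 0
    successes: int = 0
    compromised: set = field(default_factory=set)   # accounts the source actually got into

def parse_line(line):
    ts, ip, account, outcome = line.split()
    return ts, ip, account, outcome == "OK"

def detect_stuffing(log_text, min_accounts=5, max_success_rate=0.5):
    """Return {source_ip: [compromised accounts]} for sources that look like credential stuffing:
    many distinct accounts tried and a low overall success rate (thresholds are assumptions)."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, account, ok = parse_line(line)
        s = stats[ip]
        s.accounts.add(account)
        s.attempts += 1
        if ok:
            s.successes += 1
            s.compromised.add(account)
    alerts = {}
    for ip, s in stats.items():
        rate = s.successes / s.attempts
        if len(s.accounts) >= min_accounts and rate <= max_success_rate:
            alerts[ip] = sorted(s.compromised)  # these are the password reusers to reset first
    return alerts
```

The accounts listed in an alert are the ones whose passwords were reused elsewhere; they are the immediate candidates for a forced reset and a second factor, while the single-account retries from the other source are left alone.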
Many people might jump to the conclusion that the only ones responsible for this breach are the students. A bit of context could change their opinion, though.
This is not the first breach for MU Health Care
In April 2019, several months before this incident, MU Health Care suffered a very similar breach. In that case, the email accounts of some of the organization's employees were compromised, and inside them the hackers found the personal data of more than 14 thousand patients. When it announced the attack a few months later, MU Health Care failed to say how the criminals had broken in, and it also didn't tell us what measures it was taking to protect patients against similar attacks.
It might seem logical to introduce two-factor authentication (2FA) for affiliated email accounts in the aftermath of such a breach. Some might even say that enforcing it is the first step towards better protection of patients' data. Unfortunately, MU Health Care decided not to do it, which is a shame because it would have stopped the September 2019 attack in its tracks.