Minnesota state senators grilled the state’s Department of Health and Human Services on Thursday for taking four months to tell 21,000 low-income residents that their personal health data was breached in two separate phishing attacks.
On Oct. 9, DHS began sending patients notifications about the two cyberattacks. One email compromise occurred on June 28 and the other on July 9. But officials said the IT department didn’t discover the second breach until August.
The compromised emails contained patient names and addresses, along with Social Security numbers, employment details and a host of other identifiable details.
“Can you please try and help us connect why there was such a failure here of four months before folks were notified of the compromising situation of their private data?” State Senator Mary Kiffmeyer asked DHS officials.
“DHS IT is kind of a black hole for this committee, unfortunately,” said one official. “We put a lot of money in and don’t get a lot of answers out.”
Joanna Clyborne, commissioner of Minnesota IT Services, owned the issue, which boiled down to timeliness and what a majority of hospitals and healthcare systems face – a lack of resources. But she also noted one important piece: “We can’t prevent someone from clicking on a link.”
“The breach is indicative of a growing and invasive cyber threat,” Clyborne said in her opening statement. “It requires our constant vigilance, attention and innovation. The fact of the matter is, however, that the [security team] is not resourced fully to address these persistent threats.”
“Regardless of those resource constraints, however, I’m very disappointed and, frankly, angry, that it took us far too long to alert our partners in regards to the DHS potential breach that had occurred,” she continued. “The delay was, frankly, unacceptable.”
In response, Clyborne said she’s since changed the security processes to make sure that “hand-offs” of potential compromises to other agencies aren’t delayed by forensic backlogs. And her team now provides details into all compromised accounts to agency privacy staff to give them the first crack at assessing the potentially exploited data.
Clyborne went on to explain that the onslaught of phishing attacks over the summer made it impossible for her team to “perform deep analysis into the email inbox contents” as they had in the past.
Indeed, the U.S. Department of Health and Human Services and other federal agencies warned throughout the summer of the increase in phishing attacks on both the healthcare sector and government agencies.
In fact, a recent report from Wombat Security confirmed that the government and retail sectors are currently experiencing the largest increase in phishing attacks. Further, HHS warned the healthcare sector that highly targeted phishing campaigns from Ryuk and SamSam were rapidly growing.
For context, in the last nine months, Clyborne said that her department has seen more than 700 security incidents – including more than 150 serious phishing attacks. However, with constrained budgets and resources, attempting to make a dent in the problem is a real challenge.
“We’re doing everything in our power and resources to mitigate and prevent (compromises),” said Clyborne. “Since July alone, over 1,600 phishing messages targeting state employees have been received, averaging 22 per day.”
To Clyborne, advanced threat technologies available on the market could help the state better protect against these types of threats.
“Absent these tools, however, security operations staff spends much of its time managing and analyzing phishing incidents. This time would be much better spent investigating more sophisticated attacks or implementing additional, preventative controls and capabilities…. It’s critical that we get these tools in place.”
Clyborne also noted her team needs more staff to help with data sharing and notification.
Currently, the state is working to better collaborate between agencies on cybersecurity.
“We also need to think seriously about how we, as a legislature, are going to learn more about our cybersecurity posture,” Benson said. “This is not a problem we’re going to solve. We’re going to have to continually evolve the way we attack the problem of bad actors.”
“Let’s seek ways that we can become more informed and become more effective as policymakers,” she added.