Protected health information and patient social security numbers were stolen from UT Southwestern as a part of an international hacking incident that impacted more than 400 organizations worldwide.
UTSW confirmed that in late May, a Russian group called Clop took credit for breaching their data by attacking the university’s use of managed file transfer software MOVEit. Shell, the U.S. Department of Energy, American Airlines, and other large organizations were also hacked in May before MOVEit identified the weakness and stopped the breach, resulting in more than 20 million people in two dozen countries whose personal data was stolen.
UTSW says that Clop stole patients’ names, medical record numbers, date of birth, name of medication, medication dosage, prescribing provider, and Social Security information was stolen from some patients for a smaller group of people. When it was notified on May 28 about the breach, the university said it took steps to secure its networks and limit the info stored in the MOVEit software. Massachusetts-based MOVEit said it stopped the breach on May 31.
The university said it is in the process of identifying patients with personalized messages about what data was stolen as it monitors for future suspicious activity. But receiving a message doesn’t mean one’s data was stolen, and UTSW says it has no indication that stolen information has been used maliciously.
“We deeply regret the occurrence of this incident and any worry, distress, or difficulty that it may cause you, “a statement from UTSW reads. “We want to reassure you that the protection of all UT Southwestern data is a top institutional priority and that this incident is being handled in accordance with UTSW policies and related regulations.”
UTSW is not alone when it comes to North Texas healthcare data breaches. Medical City Healthcare’s parent company was the victim of a hack earlier this month, when 27 million records were stolen and put up for sale on the dark web. The City of Dallas and Dallas County Appraisal District have also been victims of data breaches this year.
Matthew Yarbrough is a cybersecurity lawyer for Michelman & Robinson and a former federal prosecutor. He says that information like name and address are less valuable than social security information on the dark web, where it is often sold via an intermediary. “Social Security Numbers, driver’s license numbers, email addresses, credit card numbers, banking and financial information, and passwords are the holy grail of what you want,” he says.
UTSW did not specify how much data was stolen, if a ransom was involved, how many patients were affected, or if it will continue to work with MOVEit in the future. For more information about the UTSW data breach and information about where to ask follow \-up questions, go here.
Author
