October 29, 2024 By Mike Elgan 4 min read

A data breach at virtual medical provider Confidant Health lays bare the vast difference between personally identifiable information (PII) on the one hand and sensitive data on the other.

The story began when security researcher Jeremiah Fowler discovered an unsecured database containing 5.3 terabytes of exposed data linked to Confidant Health. The company provides addiction recovery help and mental health treatment in Connecticut, Florida, Texas and other states.

The breach, first reported by WIRED, involved PII, such as patient names and addresses, but also sensitive information like audio and video recordings of therapy sessions, detailed psychiatric intake notes and comprehensive medical histories.

The article showed how horrifically compromising some of the information was: “One seven-page psychiatry intake file… details issues with alcohol and other substances, including how the patient claimed to have taken… narcotics from their grandparent’s hospice supply before the family member passed away,” according to the article. “In another document, a mother describes the ‘contentious’ relationship between her husband and son, including that while her son was using stimulants, he accused her partner of sexual abuse.”

IBM’s 2024 Cost of a Data Breach report highlights that 46% of breaches involved customer PII. The report also notes a significant increase in the cost per record for intellectual property (IP) data, jumping from $156 to $173.

But the level of exposure in the Confidant Health incident represents a significant escalation in the potential harm to affected individuals, far surpassing the risks associated with mere PII breaches.

The unique threat of sensitive data exposure

Cyber attackers and bad actors prize sensitive data, including medical data, because it can be used for social engineering attacks, targeted blackmail or even selling to unethical competitors or adversaries. The information’s sensitive nature is precisely what makes it valuable for malicious exploitation.

To be clear, the exposure of sensitive data like medical details is a risk not only to the target but also to their employer. The data can be used to blackmail the employee into providing passwords and other data that can help them in a breach of the employee’s company.

Potential attack vectors include:

  • Targeted phishing: Crafting highly convincing phishing emails using knowledge from therapy sessions.
  • Blackmail: Threatening to expose sensitive information unless a ransom is paid.
  • Corporate espionage: Exploiting personal vulnerabilities of key employees revealed in therapy sessions.
  • Identity theft: Combining sensitive data with PII for more convincing identity fraud.
Read the Cost of a Data Breach Report

How to approach data protection

The recent breach serves as a stark reminder of the critical need for robust data protection measures, especially in healthcare settings. The keys are comprehensiveness and constant vigilance.

Protecting sensitive information in healthcare and other settings demands a comprehensive approach.

Authentication

Implementing robust access controls and authentication is crucial. This includes deploying multi-factor authentication for all user accounts and building role-based access controls to limit data access based on job functions. (Regular audits and reviews of user permissions should be conducted to ensure proper access management.)

Encryption

Encryption plays a vital role in safeguarding sensitive data. It’s essential to encrypt data both at rest and in transit, using end-to-end encryption for all communications and data transfers. Device encryption should be implemented for mobile devices and laptops to protect data in case of loss or theft.

Network security

Network security is another critical aspect of data protection. Deploying next-generation firewalls and intrusion detection/prevention systems helps defend against external threats. Network segmentation can isolate sensitive data, while virtual private networks provide secure remote access.

Data loss prevention

Data protection measures should include the implementation of data loss prevention solutions to monitor and control data movement. Data masking and tokenization can be used to protect sensitive information, and regular backups with tested restoration procedures ensure data availability in case of incidents.

Endpoint security

Endpoint security is important for protecting against malware and other threats. Maintain up-to-date antivirus and anti-malware software, implementing endpoint detection and response solutions and using mobile device management for company-owned devices.

Data protection policies

From an organizational standpoint, developing and enforcing comprehensive data protection policies is fundamental. This includes implementing a formal incident response plan and establishing clear data retention and disposal procedures. Regular security awareness training for all employees, with specialized training for those handling sensitive data, helps foster a culture of security consciousness throughout the organization.

Risk management

Risk management is an ongoing process that involves conducting regular risk assessments and vulnerability scans. A formal risk management program should be implemented, with regular updates and patches applied to all systems and software.

Third-party risks

Managing third-party risks is equally important. This involves implementing strict vendor risk management procedures, ensuring all third-party contracts include data protection clauses and regularly auditing third-party access and data handling practices.

Compliance

Compliance and auditing are critical components of a robust security program. Organizations must ensure compliance with relevant healthcare regulations, such as HIPAA. Regular internal and external security audits should be conducted, and detailed logs of all data access and system activities should be maintained.

Data governance

Data governance is essential for effective data protection. This includes implementing a formal data classification system, establishing data ownership and stewardship roles and regularly inventorying and mapping all sensitive data.

Incident response

Incident response and recovery capabilities are crucial for minimizing the impact of security breaches. Organizations should develop and regularly test an incident response plan, establish a dedicated incident response team and implement automated threat detection and response capabilities.

Physical security

Physical security measures should not be overlooked. Securing physical access to data centers and sensitive areas, implementing proper disposal procedures for physical media and using surveillance and access control systems in critical areas are all important aspects of a comprehensive security strategy.

Keep sensitive data safe

By implementing these measures, organizations can significantly enhance their data protection posture. However, it’s important to remember that cybersecurity is an ongoing process that requires constant vigilance. Regular assessments and improvements to the security program are essential to maintain robust protection of sensitive information in the ever-evolving landscape of cyber threats.

As we navigate an increasingly digital landscape, this incident highlights the urgent need for a paradigm shift in how we view and protect sensitive data. It’s no longer enough to focus solely on safeguarding PII. Organizations must adopt a holistic approach that recognizes the unique value and vulnerability of sensitive personal information.

More from Data Protection

Third-party access: The overlooked risk to your data protection plan

3 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors. The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today