In another cowardly Friday afternoon data breach disclosure, Chapel Hill, N.C.-based Central Dermatology Center said that one of its servers was breached by hackers back in August of 2012, but that it has just become aware of the breach.
The company said that on September 25, 2014 it became aware that one of its servers had been compromised by malware, sparking them to immediately call in forensic experts to identify the malware and resulting fallout.
In addition to not discovering the breach until roughly two years later, the company acknowledged that they are not sure exactly what data the attackers may have gotten their hands on.
“The information on the server that may or may not have been accessed included patients’ name, address, phone numbers, date of birth, social security number, billing and diagnostic codes, insurance company, insurance co-payment information, healthcare provider, employer information, sex, treatment date, account balance, email address, and race,” the company said in a breach disclosure announcement Friday afternoon.
“The investigation revealed that the attack occurred on or about August 9, 2012 despite safeguards in place, including software on the server designed to prevent such malware,” the company said.
Contacted by SecurityWeek, a company spokesperson declined to comment on the type of malware discovered or the security software that was installed on the server.
The announcement continued:
“Based on Central’s forensic investigation to date, it is believed that patient bank account and payment card information were not compromised and electronic medical records were not on this server as they were encrypted by Central prior to the malware being placed on the server.”
While this incident stemmed from a malicious attack, a study recently released by security firm Bitglass on healthcare data breaches showed that 68 percent of the breaches since 2010 occurred because devices or files were lost or stolen. Only 23 percent were due to hacking, the study found. In the breaches analyzed, 48 percent of the incidents involved a laptop, mobile device or desktop.
According to Mandiant’s 2014 M-Trends report, Mandiant’s investigations found that breaches were discovered in 229 days on average in 2013 vs. 243 in 2012. While these improvements are a positive, it still means attackers are still spending 2/3rds of the year inside an organization’s network before being discovered.