Well, it seems we’re in the cyber-soup again, chums. Let’s talk about something that happened back in March 2024, when those villains at LockBit3.0 decided to target poor old Redwood Coast Regional Center (RCRC). They posted a leak on May 3, reporting that 500 poor souls had their data compromised in a breach that actually took place as far back as March 6.
It’s a bit like getting a letter in the post telling you your house was robbed several weeks ago, isn’t it? It leaves you rather flummoxed, doesn’t it? But it gets worse. Now, after all this time, they’ve updated that number from the initial 500 to an alarming 24,937. That’s almost 25,000 individuals whose postal services must’ve been tardy, not hearing a thing about the fact that very sensitive stuff like medical history, diagnosis information, and even their financial details might be floating around on the web!
It’s a shambles. But RCRC isn’t alone in this debacle. They’re hardly pioneers of terrible record updating and late letter-sending. Earlier this year, Protenus pointed out in their 2024 Breach Barometer Report that over 50 incidents had been reported to the HHS during 2023 with the number of affected patients standing at a meagre 500 or 501. Want to guess how many of these reports had been updated by year-end? You’ve guessed it: zilch. Nada.
The thing is, this isn’t just a matter of cyber Sue at the paper mill being a bit careless; it’s really rather grave. Could we think, just for a moment, about all those patients who had their protected health information (PHI) breached and never got wind of it?
Right, let’s talk about Protenus’s recent update. On September 12, 2024, the whole Change Healthcare mess was still being marked as a “500” case on HHS’s public breach tool. It later ballooned up to a colossal 100 million. Enough to cause palpitations, really!
The nugget of truth in all of this is simple: we all need to know if the people we trust to safeguard our health are doing a proper job of protecting our privacy too. We are not mushrooms, to be kept in the dark and fed on fertiliser!
Now, a bit of sleuthing. As of this morning, DataBreaches has dug deep and found that there are still 34 reports from all of 2023 that are persistently showing the 500 or 501 markers. That’s quite a lot of information still up in the air, wouldn’t you say? Of those 34, two were due to unauthorised access, one due to improper disposal, and the remaining 31 were hacking or IT incidents. 33 open, ongoing investigations.
So, despite a few updates here and there, we are still looking at three dozen incidents from 2023 and an additional 54 from 2024 that have the magic “500” or “501” markers. And we can’t ignore the elephant in the room: how has all this leaked data been used? Are there unsuspecting folk out there who are living with their private information exposed on the dark web like their knickers on a washing line?
Wouldn’t it be lovely if the Department of Health and Human Services took up the baton here? We’d all sleep easier if they could ensure entities report and update these snafus in a timely and efficient manner.
What’s clear is that too much information is still being kept from patients who have been affected by these breaches. It’s high time something changed, don’t you think? Maybe the new government will take the lead. We can but hope. With or without them, I am confident that we can continue to demand more transparency and responsibility in handling our information. And so we should.
So, dear friends, let’s keep our eyes, and our mailboxes, open. Onto brighter days, shall we?
by Parker Bytes