Did you hear the one about the medical centre in Texas that’s had more data breaches than you can shake a stick at? UT Southwestern Medical Center, it’s called. Their record’s a bit less than stellar, I must say. They’ve had four major breaches since way back in July of 2023. And would you believe the US Department of Health and Human Services (HHS) hasn’t launched a proper investigation yet? It certainly puts your own boo-boos into perspective, doesn’t it?
Let me give you a quick rundown of the shenanigans. In 2023, someone nicked the health information of nearly 100,000 patients from good ol’ UT Southwestern. That cack-handed handling of patient data turned out to be the mother of all breaches that year! It seems this lot called ‘Clop’ spotted some weaknesses in the system and seized their chance.
And then – would you Adam and Eve it – things went pear-shaped for them again in 2024. A bit of rogue software allowed – heaven and Saint George! – unauthorised chaps to access patient data. We’re talking things like addresses, birth dates, medical status, health insurance data. You can just imagine the shambles it caused, right?
Then, it happened again in the same year. This time, a cheeky so-and-so got into the patient registration information at their Frisco office. Seriously, what a circus! All sorts of private data like names, addresses, Social Security numbers, and even medical and financial details of 778 patients were potentially peered at by prying eyes – tickety-boo, yeah?
But wait, there’s another act in this circus! Sometime later, there was yet another breach. This time, for whatever reason, the UT Southwestern didn’t give individual notices to all the 40,668 affected patients. One can only hope they’re just a bit slow to catch up. Anyway, it seems their workforce let a third-party calendar tool have access to some calendars that contained patient information. Name, date of birth, phone number, medical records, lab results, insurance information, and some Social Security numbers…the whole hog. Only thing not leaked was the patients’ credit card numbers and other financial account information, thank heavens!
And so, it begs the question: How does their system have such a blunder? How long have they been letting this tool have access to patient’s data? And, if they’re using this online system that holds sensitive patient information, is it even safe? Does it have like a serious multifactor authentication or something, you know, to keep the chancers at bay?
Perhaps it’s high time the HHS whipped out their magnifying glasses and have a good, long squizz at how UT Southwestern does its risk assessment and how it complies with the HIPAA Security Rule (that’s a law in the states about medical information security). After all, plenty of undesirables on the internet are chuffed to make off with login details and, would you believe, some folks even reuse ones pinched in previous attacks.
So far, HHS’s public breach tool doesn’t show any closed investigation into any of these farcical fiascos. Makes you wonder what it takes to get investigated, doesn’t it? Well, it’s not our cup of tea for sure, but it does make for quite a riveting tale, wouldn’t you agree? There we have it, my friends, a cautionary tale about healthcare cybersecurity for all of you. Be sure now to keep your data locked up nice and tight, alright?
by Parker Bytes
