It is important to think about what could happen if one of your vendors is the reason you become another business listed in the data breach statistics. Third-party data breaches can impact your business even when your own data is not involved. These two stories show how many different angles you need to consider when reviewing the impact a vendor breach could have on your business.

HIPAA For MSPs by David Sims 2 Third Party Breach Stories

Each of these stories gives you a different angle to consider when reviewing just how many ways a third-party breach could impact your business.

Saddest breach notification letter

Our first third-party breach story involves an article I spotted this week.  I have to say it involves maybe the saddest sounding data breach notification letter I have ever read.  It is likely sad because it provides all the details in a way we don't usually see.

A CPA firm in California sent a notice to their clients and the State Attorney General about a data breach that occurred in their office. The firm, Martin, Hutchison & Hohman, CPAs, isn't a huge firm in a high-rise downtown somewhere.  They are a small firm in a nice little building that has been around for decades in Eureka, CA.  There are three partners, and one of them has retired.  It is a small business's small business, the way you would call someone a man's man.

Here are the parts of the notification letter that struck me as both upfront and sad at the same time.  The emphasis is all mine, not theirs.

It starts like this:

February 19, 2019

My Dear Tax Clients,

It is with deepest regret that I send this letter to you in order to inform you of a recent event in our firm.

Right away, if I were a client I would be saying something like "Oh no! What happened?"  I don't even know them, but I am concerned about them.  Any time a tax accountant writes a letter in February that starts with deep regrets about something that happened, it cannot be good at all!  February is their peak season ramping up.

What Happened?

On Friday, February 15, 2019, while trying to resolve an email failure with our email host, Suddenlink, I was directed to a website that gave a phone number to call for immediate assistance. When I called this number, the technician stated he could certainly help. He requested access to my computer to understand the issue with the email. After I installed the software necessary to give him remote access to my computer, he pulled up some IP addresses on my computer screen and stated that this was the reason for the email failure. He then insisted that in order to fix the problem and prevent viruses from attacking, I would need to allow him to install a program on our office’s network server. I told him no and that our local computer technician would be contacted to deal with this. At that point, he stated that only a Microsoft Tech such as himself would be able to do this. This was a red flag as I thought I was dealing with a Suddenlink technician. At that point, I quickly disconnected my computer from the internet and from our office network. I then uninstalled the remote access software I had just allowed him to install, and turned the computer off. This entire interaction lasted less than eight minutes. 

It looks like he was actively trying to solve a problem and, somewhere along the way of working with their email provider, Suddenlink, ended up on one of the fake Microsoft tech support sites.  At least he didn't fall for them calling him up and saying they needed to connect.  It seems he honestly thought he was working with the proper provider.

However, we have to say that this is why you need professional IT support.  We know about those tricks.  That is not to say techs would never fall for them, but they are much less likely to fall for one to the point where they let in someone they don't know.

The letter continues by explaining that they called in the "local computer technician".

Our local computer technician was contacted immediately. They indicated that this was a known scam and that they try to copy information that exists on the computer they are given access to and, to their knowledge, are not able to move beyond that initial local hard drive quickly, if at all.

What Information Was Involved?

The information that was most at risk of being breached were those documents in the “My Documents” folder on my computer as well as those saved on my computer. On my desktop, I kept a folder of items that had been emailed. If I have emailed a copy of your tax returns or other document, which contains your personal data, in the recent past, your data was most at risk of being compromised. We also discovered that older years of our tax program saved on my computer were not encrypted. At this time, it is unknown what, if anything, was taken from my computer in the short amount of time that the breach occurred.

This is the really bad part.  Why was all that stuff on his computer?  Why is he emailing tax returns to anyone and then keeping copies in a folder on his desktop?  Even if the email itself is properly secured – and we will assume that to be the case – the copies sitting in a folder on a desktop that may not even be encrypted are exactly what a remote session can reach, and that opens you up in a much bigger way.   Also, "older years" of their tax program were saved on his computer and not encrypted.

They take comfort in the fact that it was only eight minutes and hope nothing could be taken that quickly.  Maybe, but not really: whoever is on the other end of a remote access session has the same access to files as the logged-in user, and copying a documents folder does not take long.  The letter then includes the details about how they are handling the problem.

What Are We Doing?

The computer was immediately taken to our computer technician’s shop for a virus check and cleaning. I learned the next morning that the computer was infected with a sophisticated virus that could not be prevented by normal virus protection software. The hard drive was then replaced in order to prevent any risk of further infection. It is still unknown if any client information on our computer network was compromised. At this time, there is no indication of further infection involving our computer network.

We are performing virus scans of all computers; upgrading virus software as needed. In addition, we are changing physical controls which include storing more, if not all, of our client data in an encrypted form. The majority of our client data has been maintained in encrypted form for some time. However, we are working to review all of our data storage to ensure that everything possible is stored this way.

In addition, we will no longer allow an outside technician to remotely access any computer on our network. Lastly, and most importantly, we are sending out this notification as quickly as possible to all those potentially affected.

Here is the perfect example of why we ask where you store everything.  EVERYTHING, even the old stuff.  A complete analysis of their systems would at least have identified this as a problem.

Also, all the security work they are doing now, in the middle of tax season, is not helping their business or any of their clients.  These are all things that should have been done beforehand.
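The "where is everything stored" question is one you can answer with a script rather than a questionnaire. The following is an added example (not code from the firm, the podcast, or any product) that walks a user profile and flags files the way the letter describes them: sensitive file types, files that contain an SSN-shaped string, and "old stuff" that has not been touched in over a year. The extension list, the SSN pattern and the one-year threshold are assumptions to tune for your own environment, and the profile it scans is a constructed temp directory that mirrors the letter's desktop folder of emailed returns and the old unencrypted tax-year data.

```python
import os
import re
import tempfile
import time
from datetime import timedelta

# Assumptions for this added example: the extensions and the SSN-shaped
# pattern stand in for whatever a tax office actually treats as client
# data; adjust both for your own environment.
SENSITIVE_EXT = {".pdf", ".xlsx", ".csv", ".docx", ".tax"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
STALE_AFTER = timedelta(days=365)   # "old stuff": untouched for over a year


def inspect_file(path, now=None):
    """Return a finding for one file, or None if nothing about it stands out.

    A file is flagged when its extension is on the sensitive list, when its
    first 64 KB contain an SSN-shaped string, or when it has not been modified
    in over a year (the old tax years the letter describes).
    """
    now = time.time() if now is None else now
    st = os.stat(path)
    age = timedelta(seconds=now - st.st_mtime)
    ext = os.path.splitext(path)[1].lower()
    reasons = []
    if ext in SENSITIVE_EXT:
        reasons.append("sensitive-type")
    try:
        with open(path, "rb") as fh:
            head = fh.read(64 * 1024).decode("utf-8", errors="ignore")
        if SSN_RE.search(head):
            reasons.append("contains-ssn")
    except OSError:
        pass  # unreadable file: classify by extension and age only
    if age > STALE_AFTER:
        reasons.append("stale")
    if not reasons:
        return None
    return {"path": path, "age_days": age.days, "reasons": reasons}


def inventory(root, now=None):
    """Walk a profile directory and collect every flagged file, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = inspect_file(os.path.join(dirpath, name), now)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def build_demo_profile():
    """Constructed sample user profile that mirrors the letter: a folder of
    emailed returns on the desktop, an old unencrypted tax-year export, and
    an innocent note that should not be flagged. Returns the temp root."""
    root = tempfile.mkdtemp(prefix="profile-")
    emailed = os.path.join(root, "Desktop", "Emailed")
    old_year = os.path.join(root, "Documents", "TaxProgram", "2015")
    os.makedirs(emailed)
    os.makedirs(old_year)
    with open(os.path.join(emailed, "return-smith.txt"), "w") as fh:
        fh.write("Form 1040 (constructed sample)\nTaxpayer SSN: 123-45-6789\n")
    old_csv = os.path.join(old_year, "clients.csv")
    with open(old_csv, "w") as fh:
        fh.write("name,ssn\nJane Doe,987-65-4321\n")
    three_years_ago = time.time() - 3 * 365 * 86400
    os.utime(old_csv, (three_years_ago, three_years_ago))   # make it "old stuff"
    with open(os.path.join(root, "Desktop", "notes.txt"), "w") as fh:
        fh.write("call the printer vendor about toner\n")
    return root


if __name__ == "__main__":
    for f in inventory(build_demo_profile()):
        print(f"{f['age_days']:>5}d  {', '.join(f['reasons']):<35} {f['path']}")
```

Point it at a real profile root instead of the demo and the output is the list you want on the table during a Security Risk Analysis: every file that should either be moved into the encrypted store or deleted, with the reason it was flagged next to it.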

At this point, he goes through the standard information about credit reports and credit freezes, but puts in more detail about how that works when you sign up.  That has to do with the fact that he is an accountant; you know how they are.  Plus, he seems to be genuinely concerned about looking out for all of his clients.

I recommend that you closely monitor your credit activity and financial accounts. Please notify me at once if there is any irregularity so that I may assist you in taking corrective action and can notify other clients of the breach.

In closing, he makes what again seems to be an honest and upfront mea culpa.

I am so sorry this happened and for any inconvenience and anxiety this may cause you or your loved ones. I appreciate the trust you put in me and I will do everything possible to continue to warrant that trust.

This story brings up a long list of points.  The most important things to think about here are these questions:

  1. What if this were your accountant?
  2. What if you gave them PHI as part of doing business with them, and this is how you found out they were not really following HIPAA security requirements?
  3. What if you didn't give them PHI, but now there is enough of your information potentially out in the wild that your likelihood of being targeted went from Low or Medium to High, at least for a while?

Third party breach exposed by automation

The next story was passed along by a friend of mine.  She was interviewed for an article about a breach that occurred when the CPA Consultants' Alliance website was hacked.

The CPACA members, a group of consultants who advise CPA firms about technology, marketing and business development, realized the hack had occurred when an automatically generated email newsletter arrived in their inboxes during an annual meeting. They scrambled to remove the posts, which touted marijuana and products made from CBD, short for cannabidiol, an oil derived from the cannabis plant that has become a booming market in recent years.

“Unfortunately, the CPA Consultants’ Alliance website was hacked, fake blog posts were added and an email was generated and sent to you,” said the Feb. 13 email. “We are addressing this issue with the hopes that it will not happen again. In the meantime, we apologize for any inconvenience or confusion.”

The blog posts were likely only on the CPACA website for a single day, but the timing couldn’t have been worse since they were posted on the site shortly before a previously scheduled newsletter was set to go out to the mailing list.

Here is the deal.  The CPACA group has an active blog that is periodically sent out as a newsletter to their contact list of members and clients.  It is super cool that you can automate a lot of that now: you publish blog posts, and MailChimp is scheduled to periodically bundle those posts into a newsletter and send it to the list.

That is so cool until you have posts that you did not write, and they land there just before the newsletter is about to go to your entire mailing list.  That is what happened to these folks.  It turns out someone hacked a user account, apparently because of a weak or reused password.  The hacker got in and posted blog posts promoting their products.  Then CPACA's automation sent that content out to every one of their contacts.  Boom, I bet their click rate went way up from the WTF clicks.

This also underlines the need to protect and secure your website.  Your website should be part of your Security Risk Analysis, with appropriate measures in place: regular backups, site security, unique passwords with multi-factor authentication on every account that can publish, and a review step before anything automated goes out under your name.
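The weak point in the CPACA story is that the blog-to-newsletter pipeline trusted whatever was in the feed at send time. The following is an added example (not CPACA's code and not anything MailChimp provides) of a gate you would run in front of a scheduled RSS campaign. It splits feed items into "send" and "hold" using three independent checks, each recorded as a reason: the author must be on an allow-list, the post must be older than a hold window, and an editor must have explicitly approved the post. The feed, the allow-list, the approval set and the 24-hour window are all constructed assumptions. Note that the compromised-account post passes the author check because the account is legitimate; the hold window and the approval step are what catch it.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

DC_CREATOR = "{http://purl.org/dc/elements/1.1/}creator"

# Constructed sample feed (not CPACA's real site). Item 101 is an ordinary
# post; item 102 was published from a compromised but legitimate account
# minutes before the scheduled send; item 103 comes from an unknown account.
SAMPLE_FEED = """<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel><title>Example Alliance Blog</title>
<item><title>Spring planning for CPA firms</title>
  <link>https://example.com/post/101</link><guid>https://example.com/post/101</guid>
  <dc:creator>alliance-editor</dc:creator>
  <pubDate>Sun, 10 Feb 2019 14:00:00 +0000</pubDate></item>
<item><title>Best CBD oil for busy accountants</title>
  <link>https://example.com/post/102</link><guid>https://example.com/post/102</guid>
  <dc:creator>alliance-editor</dc:creator>
  <pubDate>Wed, 13 Feb 2019 08:20:00 +0000</pubDate></item>
<item><title>Buy cannabis products here</title>
  <link>https://example.com/post/103</link><guid>https://example.com/post/103</guid>
  <dc:creator>promo-bot</dc:creator>
  <pubDate>Fri, 08 Feb 2019 10:00:00 +0000</pubDate></item>
</channel></rss>"""

SEND_TIME = datetime(2019, 2, 13, 9, 0, tzinfo=timezone.utc)   # scheduled send
ALLOWED_AUTHORS = {"alliance-editor"}                            # assumed allow-list
APPROVED_GUIDS = {"https://example.com/post/101"}               # assumed editor approvals


def gate_items(feed_xml, send_time, allowed_authors, approved_guids,
               hold=timedelta(hours=24)):
    """Split feed items into (included, held) for a scheduled newsletter.

    Reasons recorded on held items:
      unknown-author      - published by an account not on the allow-list
      inside-hold-window  - published less than `hold` before the send time
      not-approved        - GUID never explicitly approved by an editor
    """
    included, held = [], []
    for item in ET.fromstring(feed_xml).iter("item"):
        guid = item.findtext("guid") or item.findtext("link")
        author = (item.findtext(DC_CREATOR) or "").strip()
        published = parsedate_to_datetime(item.findtext("pubDate"))
        reasons = []
        if author not in allowed_authors:
            reasons.append("unknown-author")
        if send_time - published < hold:
            reasons.append("inside-hold-window")
        if guid not in approved_guids:
            reasons.append("not-approved")
        entry = {"guid": guid, "title": item.findtext("title"),
                 "author": author, "reasons": reasons}
        (held if reasons else included).append(entry)
    return included, held


def build_campaign(included):
    """Minimal HTML body containing only the items that passed the gate."""
    return "\n".join(
        f'<p><a href="{i["guid"]}">{i["title"]}</a></p>' for i in included
    )


if __name__ == "__main__":
    inc, held = gate_items(SAMPLE_FEED, SEND_TIME, ALLOWED_AUTHORS, APPROVED_GUIDS)
    print(build_campaign(inc))
    for h in held:
        print("HELD:", h["title"], "->", ", ".join(h["reasons"]))
```

The held list is the part that matters operationally: anything in it should be looked at by a person before the next send, and a held item from an allow-listed author is itself a signal that the account may be compromised.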

It is interesting that the CPACA group was in their annual meeting when the newsletter went out.  Everyone got to freak out together!

Now, think about this:

  1. What if this were a consultant that worked for you to market to your patients, or even better, to potential referring providers?
    1. Maybe the hacker would send something far more embarrassing than some cannabis oil treatments.  Before you hand over a mailing list, or access to your mailing list, you should be certain there are controls in place.  If someone uses the same password for every site, all it takes is one data breach elsewhere to leave you wide open.
  2. What if it happened and you were one of the folks that received the hacked newsletter?  Too much fun, right?
  3. What if your website gets hacked and someone starts making blog posts on your site, and it takes days, weeks, or months for anyone to notice?
    1. That is a lot of indexing out on the web now tied to you.

Third-party breaches are often not even part of a risk analysis for many businesses until we start reviewing these kinds of stories.  It is sometimes terrifying to realize just how interconnected we are and how much we rely on vendors.  Take the time now to evaluate which vendors would have the biggest impact on your business if they couldn't provide services to you for an extended period.  Ask about their contingency plans for continuing to provide services to you.  If you aren't comfortable with their ability to respond appropriately, it may be time to look for a vendor that is worried about the same things you are, like remaining in business.