Nebraska-based CBS Consolidated Inc., operating as Cornerstone Business & Management Solutions, completed a routine audit of system logs on July 10, 2017 and found an unfamiliar account on the server. Closer inspection of that account showed it was being used to download sensitive data from the server, including the protected health information of patients that used its medical supplies.
21,856 people who received durable medical supplies from the group through their Medicare coverage have potentially been affected. The types of data taken by the hacker included names, addresses, dates of birth, insurance details, and Social Security numbers. While personal information was breached, the hacker was not able to obtain details of any medical conditions suffered by patients, nor details of any items purchased or financial data.
It is not yet obvious how the account was created, although a review into the incident is ongoing. CBS says following the discovery of unauthorized access, the server was isolated and access to data was secured. Since the incident was detected, CBS has been carefully monitoring its systems and has uncovered no further evidence of unauthorized access or data theft.
Due to the sensitive nature of information stolen by the hacker, all individuals impacted by the breach have been offered 12 months of credit monitoring and identity theft protection services for free. CBS is also reviewing its security procedures and will be introducing new administrative safeguards, providing additional training to staff members on security, as well as improving technical safeguards to stop future hacking incidents from happening.
This is one of the worse data breaches reported by a HIPAA business associate so far in 2017, just behind the 56,000-record breach revealed by Enterprise Services LLC in June.