Why somebody else’s data breach crisis might also be yours
The recent compromise of patient records at a specialist cardiology practice in Melbourne highlights the importance of preparing in advance for a data breach, potentially even one that is not your own.
The January attack encrypted (“scrambled”) the files of some 15,000 patients at the Melbourne Heart Group (MHG) clinic, and a cryptocurrency ransom was demanded for their return. The malware was reportedly believed to have originated from North Korea or Russia.
Some patients’ information was reportedly still missing weeks later, and the situation was complicated further by the flow-on of reputational damage to a third party: Cabrini Hospital.
The hospital merely rents space to MHG, which runs entirely separate IT systems. But media coverage saw Cabrini named in a string of stories about the hack, and the hospital was forced to issue public statements denying that its own patient records were at risk. Physical co-location and a shared public address were enough to tie the two organisations together in the coverage, regardless of how their networks were separated.
Mark Luckin, a senior associate and cyber and privacy specialist at leading international brokerage firm Lockton Companies, said the case had “unique” elements when it came to policy design and execution.
“A common aspect of cover found within cyber insurance policies is cover or reimbursement for the engagement of communication and public relations specialists in the event of a breach or incident,” Mr Luckin said.
“However, the likelihood of a traditional cyber insurance policy responding to a Cabrini-like incident is arguably low, given the insured party itself has not suffered a breach, which is traditionally a required event to trigger the relevant insuring clause in the policy.
“In saying that, there are insurers offering endorsements or extensions I am aware of that could be triggered to provide communications and PR assistance, even if the insured has not itself directly suffered a breach.
“Such clauses are relatively new and rare, however, and certainly not found within standard coverage. This really points to the importance of tailored, bespoke coverage.
“More generally speaking, insured parties should be reviewing their coverage or potential coverage to ensure their cyber insurance is adequately placed to offer professional communications or PR assistance in the event of a cyber/privacy incident.
“This includes checking that such specialists are addressed under their reimbursement and coverage clauses and preferably ensuring this area of coverage is not sub-limited.”
Another key aspect of data breach preparation highlighted by the Melbourne Heart Group attack is the human element that was likely at the core of it.
Despite the technical sophistication of the attack, the suspected trigger for its “success” was profoundly human: the root cause was reportedly a staff member inadvertently clicking a malicious link in a phishing email.
For those who have been following developments with Australia’s Notifiable Data Breaches scheme since it commenced in February 2018, this is further reinforcement that a large share of breaches trace back to human action rather than to a failure of the technology alone.
In the nine months from April to December 2018, 262 of the 749 notified data breaches were classed as “human error” – a classification that includes scenarios such as emails or mail being sent to the wrong recipients.
But of the 476 breaches classified as malicious or criminal (about 64 per cent of the total), close to 70 per cent were “cyber incidents”, a category that includes phishing, malware or ransomware, brute-force attacks, compromised or stolen credentials, and social engineering or impersonation.
In the second half of 2018, phishing was easily the most prevalent cause of cyber incident breaches.
It is further evidence that technical controls alone do not remove the risk: wherever people handle data, a misdirected email or a single clicked link remains one of the most common ways a breach begins, so training, reporting channels and a rehearsed response plan matter as much as the technology.
Cannings Purple Director of Digital Jamie Wilkinson is an expert in proactively preparing communications strategies to respond to data breaches and managing communications during a data breach crisis. Email Jamie.
You can also download our Data Breach Whitepaper