Officials at the United States Postal Service (USPS) have revealed that a breach originally reported in November may have compromised the health information of 485,000 employees.
The potentially exposed data was stored in “a file relating to injury compensation claims,” said USPS Chief Human Resources Officer Jeffrey Williamson last month.
That file, along with employees’ Social Security Numbers and other personal information, was compromised back in September after hackers exploited a USPS server’s weak default password. Officials then waited two months to report the breach.
Ken Westin, Senior Technical Marketing Manager and Security Analyst at Tripwire, notes how the announcement made by USPS testifies to the diversification of data breaches more generally: “With several recent breaches, we are seeing not only the traditional ‘Steal My Identity’ types of data such as names, Social Security Numbers, addresses of customers and employees, but also other more sensitive data sources such as credit card numbers and medical records.”
This may be because of how lucrative such data is among cyber criminals. According to a report by EMC Corporation, whereas a credit card goes for one dollar on the black market, health insurance credentials go for $20.
Westin explains that this trend of compromising medical data should scare businesses and government agencies, not just because the data is compromised but also because of the risks of storing such data on corporate networks without proper security controls in place, as required by regulatory compliance directives for PCI and HIPAA.
If employees’ healthcare information is not properly protected, corporations and government agencies risk incurring additional fines and greater legal exposure.
“Many IT organizations may not even be aware that data subject to strict regulatory compliance is stored on their networks,” says Westin. “Indeed, one of the first places to look for this type of data is the Human Resources Department. We must ask ourselves a number of questions. Are there any records kept regarding medical procedures? Are any credit card numbers stored on laptops for health savings plans or corporate cards?”
Westin goes on to explain that organizations need to be able to show that they at least attempt to comply, for if there is a breach, anyone will be able to see what types of data exist on their network.
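The data inventory Westin describes, knowing which regulated records (Social Security Numbers, card numbers) sit on HR shares and laptops, can be started with a simple pattern scan. The following scanner is an added example for this article, not code from USPS or Tripwire; the records it scans are constructed, and real deployments would walk file shares rather than an in-memory list.

```python
import re

# Constructed sample records standing in for lines from an HR file share.
SAMPLE_RECORDS = [
    "Injury claim #4471, employee SSN 123-45-6789, procedure: knee MRI",
    "HSA card on file: 4111 1111 1111 1111 exp 09/19",
    "Order ref 1234-5678-9012-3456 (not a card, fails Luhn)",
    "Badge 000-12-3456 issued",  # SSN-shaped but an invalid area number
]

# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-19 digits, optional space or dash separators.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; weeds out order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_records(records):
    """Return (record_index, kind, masked_value) for each regulated datum found.

    Values are masked to their last four digits so the inventory itself does
    not become another copy of the sensitive data."""
    hits = []
    for idx, line in enumerate(records):
        for m in SSN_RE.finditer(line):
            hits.append((idx, "ssn", "***-**-" + m.group()[-4:]))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((idx, "pan", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


if __name__ == "__main__":
    for idx, kind, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: {kind} {masked}")
```

Each hit points at a file (here, a record index) that must either be moved under the controls PCI and HIPAA require or deleted; the masked value is enough to triage without re-exposing the data.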
In addition to instituting other security measures, USPS has announced that it will institute changes to employee policies and procedures, as well as make upgrades to systems and equipment, in an attempt to better protect employees’ personal and healthcare information.