No end in sight for outsourced leaks

The scourge of third-party data breaches is only going to get worse, as organizations become increasingly reliant on external service providers for critical aspects of their day-to-day operations.

Chris Vickery, director of cyber risk research at UpGuard, issued the warning about third-party breaches following a recent announcement that the US healthcare sector had been hit by yet another major data security incident.

Last month, Atrium Health released details of a breach that resulted in the personal information of more than 2.5 million people being compromised.

North Carolina-based Atrium, which operates more than 40 hospitals and 900 healthcare facilities in the US, said the breach was the result of attackers gaining unauthorized access to a patient database hosted by AccuDoc Solutions, a third-party provider of payment processing solutions.

The incident hit regional headlines and was widely reported by specialist security and healthcare outlets. However, one aspect of the incident that was somewhat overlooked was the fact that this breach impacted not one, but two organizations.

“AccuDoc had two clients affected,” a company spokesperson told The Daily Swig via email last month.

“In addition to Atrium Health, AccuDoc’s client BaylorScottWhite Medical Center - Frisco was also affected. Atrium had 2.65 million patients affected, and Baylor-Frisco had 40,000 patients affected.”

The information that may have been accessed included patient names, addresses, date of birth, insurance policy information, medical record number, invoice number, account balance, and – in some instances – Social Security numbers.

While the AccuDoc spokesperson was quick to note that “no usable data was downloaded and no banking or credit card information was involved”, the incident serves to highlight the risks organizations face when entrusting their data to external service providers.

Unfortunately, there is little chance of third-party data security incidents disappearing any time soon.

“Third-party data breaches are currently a very large concern for companies and organizations of all sizes,” Vickery told The Daily Swig.

“We are going to see more and more complications and liability uncertainties surrounding the growing calamity of third-party data breaches as time goes on.”

Of course, third-party breaches are not isolated to the healthcare sector. Security incidents of this type have been reported across multiple sectors over recent months, impacting retailers, airlines, events ticketing firms, fitness apps, and genealogy sites.

Vickery and the UpGuard Cyber Risk team have themselves continued to highlight the ongoing security risks associated with third-party service providers.

Recent research from the security firm revealed that the sensitive information of more than 123 million American households was exposed after Experian partner Alteryx failed to secure an Amazon S3 cloud storage bucket.

And in September, the personal information of as many as 14 million Verizon customers was leaked following a similar cloud storage misconfiguration by the US telco’s partner, NICE Systems.

“An unfortunate reality of today’s interconnected business environment is that the average entity is forced to rely on third-party vendors for many critical aspects of operation,” said Vickery.

“Sometimes this is coupled with an incentive to save money overall through the process, but oftentimes it is due to a company’s lack of internal resources with a certain piece of software or business process.”

Although it is impossible for an organization to ensure its customers’ data is 100% secure once it has been shared with a third party, certain steps can be taken to minimize the risk.

These include fully vetting current and prospective partner firms; sharing only the data a partner needs to perform a given task, so that a breach at the vendor exposes as little as possible; and tokenizing sensitive values, particularly credit card details, so that the vendor holds a substitute token rather than the real number.
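The last two steps above, data minimization and tokenization, are easy to state and easy to get wrong in practice: the outbound payload tends to be the whole record because that is what the database hands back. The following Python example is added here to show what they look like when applied to a payment hand-off; it is not code from AccuDoc, Atrium or UpGuard. The patient record, the field allow-list and the token format are all constructed for illustration (the organization’s actual contract with its processor determines which fields are genuinely required). The in-memory vault stands in for the hardened, in-scope system that would hold real card numbers.

```python
import re
import secrets

# Constructed sample record: the field types the article lists for the AccuDoc
# databases, with made-up values. Nothing here is real data.
PATIENT_RECORD = {
    "name": "Jane Example",
    "address": "1 Example Street, Charlotte, NC",
    "date_of_birth": "1970-01-01",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-0001",
    "insurance_policy": "POL-4242",
    "invoice_number": "INV-9001",
    "account_balance": 125.50,
    "card_number": "4111111111111111",  # standard test PAN, not a live card
}

# Assumed allow-list: what a payment processor needs to post a payment against
# an invoice. Everything not listed here stays inside the organization.
PAYMENT_FIELDS = frozenset({"invoice_number", "account_balance"})

PAN_RE = re.compile(r"\b\d{13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell a real PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Minimal in-memory token vault (illustrative stand-in for a PCI-scoped service).

    The real PAN never leaves this object; callers get an opaque token whose
    random part is not derived from the PAN, so it cannot be reversed offline.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = "".join(ch for ch in pan if ch.isdigit())
        if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
            raise ValueError("not a valid card number")
        # Same PAN -> same token, so the vendor can match repeat payments
        # without ever learning the number.
        if digits in self._pan_to_token:
            return self._pan_to_token[digits]
        # Keep only the last four digits, for display on statements.
        token = f"tok_{secrets.token_hex(12)}_{digits[-4:]}"
        self._pan_to_token[digits] = token
        self._token_to_pan[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token back to the PAN. Only the vault owner can do this."""
        return self._token_to_pan[token]


def pan_or_ssn_present(payload: dict) -> bool:
    """Outbound guard: refuse to ship anything that still contains a raw PAN or SSN."""
    for value in payload.values():
        text = str(value)
        if SSN_RE.search(text):
            return True
        if any(luhn_valid(m.group()) for m in PAN_RE.finditer(text)):
            return True
    return False


def minimize_for_payment(record: dict, vault: TokenVault) -> dict:
    """Build the payload that actually leaves the organization for the processor."""
    outbound = {k: v for k, v in record.items() if k in PAYMENT_FIELDS}
    outbound["card_token"] = vault.tokenize(record["card_number"])
    if pan_or_ssn_present(outbound):
        raise RuntimeError("sensitive data would leave the organization")
    return outbound


if __name__ == "__main__":
    vault = TokenVault()
    print("full record leaks PAN/SSN:", pan_or_ssn_present(PATIENT_RECORD))
    print("outbound payload:", minimize_for_payment(PATIENT_RECORD, vault))
```

The point of the final guard is that the allow-list and the tokenizer are policy, while `pan_or_ssn_present` is a check on the actual bytes about to leave: if someone later adds a free-text “notes” field to the allow-list, a card number pasted into it still trips the guard. The vault mapping is the piece that must be protected as carefully as the card numbers themselves, which is why it stays inside the organization’s own scope rather than at the vendor.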