What Happened in the Centric Health Data Breach?

In December 2019, Centric Health, a prominent healthcare provider in Ireland, suffered a significant data breach as the result of a ransomware attack. The attack affected the Patient Administration System in seven clinics across County Kildare and County Dublin. The intrusion was most likely enabled by a misconfigured firewall that allowed all inbound and outbound traffic, combined with an easily guessable password.

The data breach notification concerned a ransomware attack that resulted in unauthorized access to, alteration of, and destruction of personal data. Seventy thousand patients were affected, and the data included clinical data (which is special category health data), names, PPS numbers and dates of birth.

The attackers were able to gain unauthorized access to the system, encrypting patient data and demanding a ransom for its decryption. Centric Health ultimately paid the ransom but discovered that crucial data had been permanently deleted before it could be decrypted, affecting around 2,500 patients directly.

How Much Was Centric Health Fined?

As a result of the breach, the Data Protection Commission (DPC) conducted an inquiry and found that Centric Health had failed to implement appropriate technical and organizational measures to protect the data, as required by the General Data Protection Regulation (GDPR). The DPC imposed an administrative fine of €460,000 on Centric Health for violations of Articles 5(1)(f) and 32(1) of the GDPR. These articles pertain to the security of personal data and the obligations of data controllers to implement appropriate measures to safeguard data from unauthorized access and accidental loss.

How It Could Have Been Prevented

The inquiry revealed several deficiencies in Centric Health's cybersecurity practices; addressing them could have prevented the breach or limited its impact:

  1. Implementation of Multi-Factor Authentication (MFA): The lack of MFA made it easier for the attackers to gain access to the system. Enforcing MFA could have provided an additional layer of security.
  2. Regular Security Audits and Patching: The investigation showed that Centric Health had not applied any security patches throughout 2018, leaving their systems vulnerable to attack. Regular security audits and timely patch management could have closed these security gaps.
  3. Proper Configuration of Firewalls: The DPC found that the network firewall was not properly configured, allowing all inbound and outbound traffic. A well-configured firewall and intrusion detection systems (IDS) could have prevented unauthorized access.
  4. Data Encryption: The data at rest was not encrypted, so anyone who reached the server could read it directly. Encrypting sensitive data would have minimized the impact of the breach, even if access were gained.
  5. Offsite Backups: The breach also highlighted issues with Centric Health’s backup processes, as backups were stored on the local server and were also compromised during the attack. Storing backups offsite and regularly testing restore processes could have ensured data recovery without relying on paying a ransom.
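The firewall finding above (all inbound and outbound traffic allowed) is easy to detect mechanically. The following check is an added example and not code from the original post or from Centric Health: it parses two constructed rulesets in `iptables-save` format, one representing the permissive state the DPC described and one a restrictive baseline, and flags default-ACCEPT chains and ACCEPT rules with no match criteria. The subnet and port in the hardened sample are assumed values.

```python
"""Audit an iptables-save style ruleset for the 'allow everything' state."""
import re

# Constructed sample of a permissive ruleset: every chain defaults to ACCEPT
# and a catch-all rule accepts any traffic in each direction.
WEAK_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
"""

# Constructed sample of a restrictive ruleset: default DROP everywhere, and
# only one application port is reachable from one internal subnet. The
# subnet (10.20.0.0/24) and port (1433) are assumed values, not from the case.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp --dport 1433 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:(\w+)\s+(ACCEPT|DROP|REJECT)\b")
RULE_RE = re.compile(r"^-A\s+(\w+)\s*(.*?)\s*-j\s+(\w+)\s*$")
CHAINS = ("INPUT", "FORWARD", "OUTPUT")

def audit_ruleset(text):
    """Return a list of findings; an empty list means nothing permissive found."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        policy = POLICY_RE.match(line)
        if policy and policy.group(1) in CHAINS and policy.group(2) == "ACCEPT":
            findings.append(f"chain {policy.group(1)} defaults to ACCEPT")
            continue
        rule = RULE_RE.match(line)
        # An ACCEPT rule with no match criteria passes every packet on its chain.
        if rule and rule.group(3) == "ACCEPT" and not rule.group(2):
            findings.append(f"rule '{line}' accepts all traffic on {rule.group(1)}")
    return findings
```

Running `audit_ruleset` on a host's actual `iptables-save` output turns the DPC's finding into a check that can be scheduled, with any non-empty result treated as an alert.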

Conclusion

The Centric Health data breach serves as a crucial reminder for Irish businesses about the importance of robust cybersecurity measures. Implementing stronger security protocols, conducting regular audits, and ensuring comprehensive data protection strategies are essential to safeguarding sensitive information.

Concerned about your company’s cybersecurity? Eggers Cybersecurity Consultancy can conduct a thorough audit of your systems to identify and address vulnerabilities before they become a problem. Contact us today to protect your business from cyber threats.