As many as 35,086 Mainers may have lost personal information to computer hackers in a data breach reported Friday – and the incident was just one of hundreds that have struck the state in recent months.
PharMerica Corp., a Kentucky-based pharmacy services company, said the hackers stole names, Social Security numbers, insurance information and medication history from the records of 5.8 million people nationwide. In a May 12 letter, the company said it learned March 14 that an “unknown third party” had illicitly accessed the computerized data and that an investigation was underway.
The report came a day after revelations of another data breach, potentially affecting more than 11,000 Maine residents. Brightly Software, a North Carolina subsidiary of industrial conglomerate Siemens, said Thursday that hackers took the names, phone numbers and employer information of roughly 3 million people from a user database.
The theft occurred April 20, and Brightly discovered it April 28, according to the Office of the Maine Attorney General, which maintains a log of data breaches affecting Maine consumers.
Last month, 20,000 Mainers received a notice that hackers had accessed their Social Security numbers, Medicare member numbers and health plan subscriber numbers from the database of NationsBenefits, a health insurance administrator in Florida.
Sometime in early April, a data breach at California-based NextGen Healthcare exposed electronic health records of more than 1 million people, including 3,900 Mainers.
The data disasters affect what may appear to be unlikely targets.
In December, 785 Maine customers of carmaker Nissan were notified their information had been hacked. A ransomware attack and data breach in January hit almost 800 Maine employees and job applicants at Yum! Brands, which owns Taco Bell, KFC, Pizza Hut and other fast-food restaurants.
The list of such incidents gets longer each day: More than 300 data breaches affecting Maine residents have been recorded over the last six months by the attorney general’s office. During the same period in 2019-20, at the onset of the pandemic, there were 218 breaches.
Information security experts say cybercrime is not only on the rise, but it’s constantly changing, making it harder than ever to protect against.
Nick Knowlton, CEO of Dirigo Technology in Lewiston, said that in today’s technology-driven world, everyone is at risk.
“Unfortunately, we live in a world where the hackers and the bad actors are constantly finding new methods” to steal information, he said. “It’s an ongoing chess game between the bad actors and the security folks.”
HACKING UNDER THE RADAR
In a recent report on information security, IBM found that 83% of businesses it surveyed had experienced at least one data breach. And the damage is getting harder to measure.
Because personal information is stolen, sold and used so frequently and in so many ways, the data can be difficult to trace back and stop from being shared.
In a federal class-action lawsuit against Yum! Brands, plaintiff Christie Stinson said she has been inundated with spam calls, texts and emails since the Jan. 13 data breach. Even getting a new phone number did not solve the problem, according to her complaint.
There’s also been an emotional toll from simply not knowing if or when her Social Security number will be used fraudulently.
As after many such incidents, a lag time before consumers were warned of a data breach may have increased its danger.
Stinson was notified April 7 that her data may have been compromised and “reasonably believes that her Private Information may have already been sold by the cybercriminals,” her complaint says. “Had she been notified of Yum! Brands’ breach in a more timely manner, she could have attempted to mitigate her injuries.”
Over the last decade, large-scale cyberattacks have served as a reminder for businesses and consumers to be cautious about sharing electronic information.
There was the Target data breach in 2013 where 40 million credit and debit card numbers were stolen. A 2017 attack on Equifax compromised personal identifying information of 148 million Americans. Then in 2021, both Microsoft and Facebook fell victim to worldwide hacks.
But countless data breaches occur with little public awareness, and in Maine they’re happening every day.
Knowlton said there are thousands of small businesses being targeted, and they’re often more vulnerable because they lack adequate cybersecurity resources or employee training.
“They say there’s no such thing as a smart criminal, but I think in the cyber case you could argue that they’re pretty smart,” he said.
COSTLY CRIME
Cybercrime can be a lucrative field. Some estimates have cybercriminals earning anywhere from $45,000 to $2 million per year, with the illegal revenue totaling $1.5 trillion annually.
For the people and businesses who are hacked, the costs are substantial.
In the U.S., the average data breach costs $9.44 million – more than twice the global average of $4.35 million, according to the IBM report.
Studies suggest that breaches affecting the health care industry, such as the recent attacks on PharMerica, NationsBenefits and NextGen, are increasing in frequency, cost and profitability.
The average data breach costs the health care industry $10.1 million, up 42% since 2020. That’s the highest of any industry and is more than the national average. More than one-third of all cyberattacks in 2022 targeted the health care industry, according to a report from Black Kite, a cyber-risk intelligence company. Part of that heightened danger, the report said, was due to the pandemic.
“While everyone in the world concentrated on the health center, tremendous data began to pile up within the healthcare realm,” the company wrote. “Lack of budget, remotely shared personal data between patients and hospital systems and outdated software all point to avenues for hackers to infiltrate and gain access to health-related sensitive data.”
That data is valuable – more valuable than even credit card information, according to a November report from the U.S. Senate Intelligence Committee. Hackers can sell stolen medical records for anywhere from $10 to $1,000 per record. The report estimated that 45 million people were affected by cybersecurity incidents in 2021, a 32% increase from the year before. Data for 2022 was not immediately available.
“When it comes to cyberattacks affecting patient care, the question is no longer a matter of if or when, but how often and how catastrophic the consequences,” the committee wrote.
The impact of the pandemic has also increased risk far beyond the health care industry.
With more people conducting business online than ever, and more technology evolving quickly to help remote workers, there are richer opportunities for cybercriminals.
In smaller breaches affecting between 2,200 and 102,000 records, a single record can net $164, according to the IBM report, up from $146 in 2020. The study does not include per-record calculations for larger data breaches.
Knowlton, at Dirigo, said the “way in” for hackers is usually created by an end user, and stressed that businesses should educate employees on what to look for as cybercrime continues to increase. The problem, he stressed, will continue for the foreseeable future.
“It’s not going anywhere,” he said.
Send questions/comments to the editors.