Three US-based small business security breaches were reported last week: Graeter's Ice Cream, Valley Hope Association and Lebanon, Pennsylvania's VA Medical Center.
Graeter's Ice Cream was hit with malware: malicious code inserted into the checkout page of the company's website. The malware can copy any data entered during the checkout process, including personal and financial data. With this data in hand, hackers can conduct payment fraud or build data profiles that can be sold on the Dark Web.
The company had to notify over 12,000 customers that their information may have been compromised.
Valley Hope Association, a Kansas-based group of 16 addiction treatment centers, suffered a data breach resulting from a phishing attack. The organization hired forensic specialists to determine the nature and scope of the incident, and on November 23rd, the investigation confirmed that a data breach occurred on either October 9th or 10th, after an intruder gained unauthorized access to an employee's email account.
The email messages and file attachments stored in that employee's account contained personal information of approximately 70,000 patients.
Valley Hope Association is notifying patients about the compromise, which may have included patient names, addresses, medication/prescription information, Social Security numbers, financial account information, driver’s license or state identification card numbers, patient claim/billing information, dates of birth, health insurance information, medical record numbers, and doctors’ names.
Aside from dealing with disgruntled patients, the association must implement new security measures and offer free credit monitoring and identity protection services.
The third security incident was the result of an employee error at Lebanon VA Medical Center in Pennsylvania. A staff member had intended to send a patient's family member a document that listed all nursing homes that work with the U.S. Department of Veterans Affairs. Instead, the medical center employee inadvertently emailed the individual a historical list of nursing home residents, constituting a violation of HIPAA. The document included protected health information (PHI) of over 1,000 elderly patients, such as patient names, abbreviated Social Security numbers, nursing homes where they had been admitted, diagnoses and service-connection disability rating percentages.
Although this was an isolated incident with limited risk, the center will be encrypting files that contain historical information and notifying all patients who may have been affected.
These events demonstrate the ease with which a breach, however innocent, can occur. By implementing encryption and other additional layers of protection, organizations can showcase their commitment to data security for their patients or consumers, which also serves as a reflection of their services and care.
It's only February and small businesses are already being targeted in 2019. We anticipate this trend will continue. The cost of a breach is far higher than the cost of protecting your business. Don’t wait until it’s too late.
If you’d like to discuss the security of your business and how IT Solutions can help keep you protected, contact us today.