The Target: Huntington Hospital, a New York based medical center.
The Take: Exposure of 13,000 records of Personally Identifiable Information including: name, date-of-birth, phone number, addresses, internal account number, medical record number, diagnoses, and other treatment information.
The Vector: An employee improperly accessed this information without clearance and was not prevented from viewing this data based upon their level of access and role within the firm, exposing the data.
This breach highlights the important concept of Least-Privilege when it comes to system access and authorization. Employees should only have access to the minimum amount of information and privileges they need to do their role. Ensuring this process is applied at all levels of access across a firm is a key component to maintaining a robust Cybersecurity posture.