The target: Premier Patient Healthcare, a Texas based accountable care organization.
The take: Exposure of 38,000 records of Personally Identifiable Information including: name, age, sex, race, county, state of residence, zip code, and Medicare beneficiary information.
The attack vector: The data was illegally accessed by a former terminated employee of the firm, who used their still active access to view, download and steal the files from a third-party vendor that had a contract with Premier Patient.
This breach highlights two important lessons for firms. Access control around terminated employees is paramount to maintaining a secure environment for sensitive data. Furthermore, while Patient Data may have followed these steps for their own systems, the attack took place on a third-party vendor, showing that access control must also be applied across all platforms to be fully effective.