Ohio Living, The Newest Victim of Cyber Attack

SME’s, also known as Small Medium Enterprises are the most exposed companies when it comes to cyber attacks, virus infection and other forms of cybercrime. Very recently, Ohio Living, a property management group originating from Columbus has been a victim of data breach. Its employee’s email accounts have been penetrated by 3rd parties, which cost patient records to be stolen.

Ohio Living has admitted that the following information from its customers is stolen:

1. Fullname
2. Social Security Number
3. Birthdate
4. Financial Information
5. Contact details
6. Medical record number
7. Patient identification number
8. Medical Diagnosis and therapy information
9. Health Insurance details

Ohio Living has not disclosed how many patient records were actually involved in the data breach, but the company claims to be a non-profit giant in the sector of life plan services. From the data taken from their own claims, the company supports 73,000 senior citizens per year. This includes healthcare services and home, outpatient support. “We take this incident very seriously, and we have been working diligently, with the assistance of third-party forensic investigators, to determine the full nature and scope of this incident. We are taking additional actions to strengthen the security of our email systems moving forward,” said Ohio Living’s representative.

It took the company until July 10 to discover the data breach, a full nine days late. Data logs show that someone outside accessed the patients’ data; the corporate email accounts are disabled pending further investigation. “Is it possible they were using a private device and maybe hooked it into the system, was it a compromise on a mobile device? So many different factors. It’s incumbent on organizations to have strict protocols about device access, two-factor authentication, and others. Email is definitely a way in. Our email is rapidly becoming the equivalent of our Social Security numbers; our address is everywhere and can be a user ID number, and passwords are simple. Companies should be very vigorous when it comes to monitoring their systems.” explained Adam Levin of CyberScout, a cybersecurity company.

The company has emphasized that a sophisticated retraining of all its employees will be conducted at the soonest possible time. This will help prevent a future data breach, as employees become more circumspect. Phishing messages are very easy to be treated as legitimate email, with just one wrong click on a malicious web link are enough for a cybercriminal to take over a user’s machine. Other 3rd party security professionals have recommended Ohio Living to use VPN, this is to create a secure tunnel when connecting with the internal LAN of the company instead of an unencrypted connection. Patients affected by the issue have been contacted by the company on a case-to-case basis to address their individual requirements. Focus on cybersecurity defense is not a cost for the company, but rather an investment to prevent cyber attacks.