A public web server belonging to the Health Information Trust Alliance (HITRUST) was compromised by an SQL injection attack on Monday, exposing some test data.
Hacker group Team Berserk claimed responsibility for the attack, publishing 111 records, including some real names, companies, addresses, phone numbers and email addresses, as well as six encrypted passwords. The test database was populated with information from rosters previously made public from planning meetings held in 2008, HITRUST says.
HITRUST called the breach non-critical since the affected server didn’t store any personal health or other sensitive information, but any security compromise of an organization responsible for data security best practices for healthcare organizations should be regarded as serious. Security is so important to healthcare providers that it is usually the main consideration when deciding which hosting or cloud provider to go with.
“We sincerely regret any inconvenience this has created and take data security very seriously. It is our mission to protect information and do so in a manner that is appropriate and practical given the risks. We had not deemed this particular web server and test data to require higher assurances,” HITRUST said in a statement. “We have updated our policies both to non-critical, non-sensitive web servers and our test environments and will secure our test environments and public general information websites to a higher assurance level. The server in question has been addressed and test information deleted. None of our other servers or data centers were involved in this event.”
HITRUST says it maintains its operations in compliance with the Common Security Framework (CSF) and uses CSF Certified environments. Last year, FireHost announced that it had achieved CSF-certified status from HITRUST. FireHost said it secured this status based on its commitment to securing clients’ electronic personal health information from cyberattacks.