McKINNEY, Texas (CBSDFW.COM) – Local hospitals are facing a potential cybersecurity nightmare affecting an unknown number of North Texans, who have apparently had a lot of their personal information stolen by hackers.
McKinney Methodist Hospital and two nearby surgical centers were the target of last month’s attack by a notorious group of Russian hackers.
The hospital sent CBS 11 the following statement:
“Methodist Health System can confirm that Methodist McKinney Hospital (MMH) is currently investigating a cybersecurity issue. Methodist McKinney is still assessing the full nature and scope of this event. Although the hospital bears the Methodist name, McKinney Methodist is a co-owned hospital with physicians that is managed by a third-party hospital and ASC management company that oversees all day-to-day management functions of the McKinney facility. It is understood by Methodist Health System that a preliminary notice, containing additional information regarding the potential data event and providing contact details for a call center, is available on MMH’s website.”
Cybersecurity experts have said that with the right protections in place, this shouldn’t have happened.
Russian hackers known as the Karakurt gang have previously boasted on the dark web of having acquired 367 gigabytes of data from McKinney Methodist Hospital, Allen Methodist Surgical Center and Craig Ranch Methodist Surgical Center.
The hospital released information about the data breach last month, confirming that these files included names, addresses, social security numbers, dates of birth, medical history information, diagnosis information and health insurance information.
“This is a serious security risk to patient privacy, so it’s a pretty significant breach,” said cybersecurity expert Andrew Sternke.
Sternke says hackers have several ways to harm patients with the stolen information.
“To play with your finances, to blackmail individuals about very private health information… there’s a lot of potential,” he said.
McKinney Methodist is urging patients to watch their credit for fraud and said it has notified law enforcement.
A new law also requires that the state be notified, with a fine of up to $250,000 for failing to do so.
The attack is not currently on the Attorney General’s list of data breaches.
The hospital hasn’t said how the hackers gained access, but experts say it’s almost always the result of human error.
“It’s the human element that is often manipulated by one of these hackers to give information, which will then be used for unauthorized access to the system,” Sternke said.
He said it should serve as a reminder for companies to take cybersecurity much more seriously.
There are nearly 500 businesses, city governments, school districts, charities and political action groups on the Attorney General’s list.