Cyber Incident Victim: City of Portland
Date:
May 2022
Location:
United States of America
Summary
A cyber incident occurred at Aesto Health, a company that provides solutions for healthcare enterprises. An unauthorized actor accessed the company's internal IT systems, copying files from a backup storage device, including radiology reports from Osceola Medical Center (OMC). The breach impacted 17,400 OMC patients, exposing their names, dates of birth, radiology report findings, and physician names. The incident did not affect OMC's data systems or medical records, which remained secure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
A cyber incident occurred at Aesto Health, a company that provides solutions for healthcare enterprises, enabling them to exchange, organize, and protect patient information. The incident involved unauthorized access to Aesto Health's internal IT systems, resulting in the compromise of sensitive patient data. The breach impacted approximately 17,400 patients of Osceola Medical Center (OMC), a healthcare organization that utilizes Aesto Health's services.
According to reports, the unauthorized actor accessed Aesto Health's systems and copied files from a backup storage device. The compromised data included radiology reports, which contained sensitive patient information such as names, dates of birth, radiology report findings, and physician names. The breach did not affect OMC's data systems or medical records, which remained secure. Aesto Health stated that the incident did not occur at OMC, and the data systems and medical records maintained at OMC were not affected by the incident.
Aesto Health discovered the incident when they noticed disruptions in their IT operations. Further investigation revealed that the unauthorized actor had accessed their systems between December 25 and March 8. The company began mailing letters to the affected OMC patients on May 20, notifying them of the incident. Aesto Health assured the patients that they did not need to take further action in response to the incident.
The incident highlights the importance of robust cybersecurity measures in the healthcare industry. Healthcare organizations handle sensitive patient data, making them attractive targets for cyber attackers. Aesto Health's incident demonstrates the potential consequences of a data breach, including the compromise of patient confidentiality and the potential for identity theft. The incident also underscores the need for healthcare organizations to have incident response plans in place to quickly respond to and contain data breaches.
Aesto Health's response to the incident appears to have been prompt, with the company notifying affected patients and providing them with information about the breach. However, the incident raises questions about the company's cybersecurity controls and their ability to prevent similar incidents in the future. The fact that the unauthorized actor was able to access Aesto Health's systems and copy sensitive data without being detected for several months is concerning.
The incident also highlights the potential risks associated with third-party vendors in the healthcare industry. Aesto Health provides services to healthcare organizations, including OMC, and the breach at Aesto Health had a direct impact on OMC's patients. This incident demonstrates the need for healthcare organizations to carefully vet their third-party vendors and ensure that they have robust cybersecurity controls in place to protect sensitive patient data.
The breach at Aesto Health is not an isolated incident in the healthcare industry. There have been numerous high-profile data breaches in recent years, including the Anthem breach, which affected over 78 million patients, and the Premera Blue Cross breach, which affected over 11 million patients. These incidents demonstrate the ongoing threat of cyber attacks in the healthcare industry and the need for organizations to prioritize cybersecurity.
The Aesto Health incident serves as a reminder of the importance of robust cybersecurity controls in the healthcare industry. Healthcare organizations must prioritize the protection of sensitive patient data and ensure that they have incident response plans in place to quickly respond to and contain data breaches. The incident also highlights the need for third-party vendors to have robust cybersecurity controls in place to protect sensitive patient data.
The incident at Aesto Health is a significant concern for the patients who were affected by the breach. The compromise of their sensitive patient data has the potential to lead to identity theft and other malicious activities. The incident also raises questions about the company's ability to protect sensitive patient data and the potential consequences of future data breaches.
The Aesto Health incident demonstrates the ongoing threat of cyber attacks in the healthcare industry. Healthcare organizations must prioritize cybersecurity and ensure that they have robust controls in place to protect sensitive patient data. The incident also highlights the need for third-party vendors to prioritize cybersecurity and ensure that they have robust controls in place to protect sensitive patient data.