
Attack On Health Firm Speaks To Real Threat For Everyone

By Chris Forte | April 10, 2017 (updated March 1st, 2023) | Cybersecurity

On March 22, Urology Austin became the second medical company to suffer a major breach. It was a particularly nasty one, combining data theft with a ransomware attack that affected more than a quarter million patients.

To its credit, the company took immediate, decisive action. It ensured that no one’s care was disrupted and notified affected patients, offering them a year of free credit and identity monitoring. Unfortunately, the breach also underscored a weakness that often goes unnoticed.

When the company announced the breach, it indicated that the attackers had gotten hold of a large amount of legacy data: records of patients who had not received care from the practice in years, but whose information was still stored on company servers. This raises a delicate and troubling question.

Once a company has completed a given course of treatment for a patient, how long should it keep the digital records? A year? Seven years? Forever?

There is no single retention standard for this kind of data. State medical-records laws (and, for some documentation, HIPAA) set minimum retention periods, but nothing requires deletion once those minimums have passed, and given how cheap bulk storage has become, companies have simply defaulted to keeping every scrap of data forever. As this latest breach demonstrates, that default has a cost: every record still sitting on the server is a record an attacker can take.

Some security experts have suggested that companies inclined to keep data for extended periods could “de-identify” it: strip out any data that could tie a record to a specific individual (HIPAA’s Safe Harbor method spells out the identifiers to remove, from names and contact details down to any date more specific than a year), while keeping the treatment data itself for research purposes. A de-identified record is worth far less to a thief and does far less harm to the patient if it is stolen.

This is not widely done anywhere at this point, but it’s an idea that makes sense, if companies insist on keeping data long term.
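The two ideas above, a defined retention period and de-identification of whatever is kept past it, are easy to describe and worth seeing in working form. The script below is an added example written for this post; it is not code from the author or from any company mentioned. The record layout, the field names, the fictitious sample records and the seven-year default are all constructed for illustration (the retention period is a policy choice, not a legal citation), and the de-identification follows the HIPAA Safe Harbor rules as they apply to the fields present: direct identifiers are dropped, dates are reduced to the year, ages over 89 are collapsed to “90+”, and ZIP codes are cut to three digits or suppressed entirely for sparsely populated prefixes.

```python
"""Retention sweep with HIPAA Safe Harbor style de-identification.

Added example for this post; not code from the author or from any company
mentioned. Record layout, field names and sample records are constructed
for illustration, and the seven-year default is a policy choice.
"""
from datetime import date

# Direct identifiers that Safe Harbor requires removing outright. Only the
# ones that occur in the constructed sample records are listed here.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "phone", "email", "ssn", "mrn", "ip_address",
}

# Three-digit ZIP prefixes that HHS guidance (based on the 2000 census) said
# cover fewer than 20,000 people and must be reported as "000". Verify this
# list against current guidance before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}


def is_past_retention(record, today, retention_years=7):
    """True when the patient's last visit is more than retention_years ago."""
    last_visit = date.fromisoformat(record["last_visit"])
    try:
        cutoff = last_visit.replace(year=last_visit.year + retention_years)
    except ValueError:
        # A 29 February last visit has no anniversary in a non-leap year.
        cutoff = last_visit.replace(year=last_visit.year + retention_years, day=28)
    return today > cutoff


def deidentify(record):
    """Strip direct identifiers, generalize quasi-identifiers, keep treatment data."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            # Safe Harbor allows only the first three digits, and not even
            # those for sparsely populated areas.
            prefix = str(value)[:3]
            out["zip3"] = "000" if prefix in RESTRICTED_ZIP3 else prefix
        elif field in ("last_visit", "birth_date"):
            # Every element of a date except the year must go.
            out[field + "_year"] = int(str(value)[:4])
        elif field == "age":
            # Ages over 89 are rare enough to identify someone; collapse them.
            out["age"] = "90+" if int(value) > 89 else int(value)
        else:
            out[field] = value  # state, diagnosis, procedure, outcome, ...
    return out


def apply_retention(records, today, retention_years=7):
    """Return (records kept verbatim, de-identified copies of the rest).

    Records past the retention period are replaced by de-identified copies,
    so the treatment data stays available for research while the identifying
    data that makes a breach harmful is no longer on the server.
    """
    retained, research = [], []
    for record in records:
        if is_past_retention(record, today, retention_years):
            research.append(deidentify(record))
        else:
            retained.append(record)
    return retained, research


# Constructed sample records: fictitious people, not real patient data.
SAMPLE_RECORDS = [
    {"name": "Jane Roe", "street": "1 Main St", "city": "Austin", "state": "TX",
     "zip": "78701", "phone": "512-555-0100", "email": "jane@example.com",
     "ssn": "000-00-0000", "mrn": "MRN-0001", "birth_date": "1925-02-14",
     "age": 92, "last_visit": "2005-06-01", "diagnosis_code": "N40.1",
     "procedure_code": "52000", "outcome": "resolved"},
    {"name": "John Doe", "street": "9 Elm St", "city": "Round Rock", "state": "TX",
     "zip": "78664", "phone": "512-555-0199", "email": "john@example.com",
     "ssn": "000-00-0001", "mrn": "MRN-0002", "birth_date": "1970-09-30",
     "age": 46, "last_visit": "2016-11-15", "diagnosis_code": "N20.0",
     "procedure_code": "50590", "outcome": "follow-up"},
    {"name": "Pat Lee", "street": "4 Oak Rd", "city": "Montpelier", "state": "VT",
     "zip": "05602", "phone": "802-555-0123", "email": "pat@example.com",
     "ssn": "000-00-0002", "mrn": "MRN-0003", "birth_date": "1960-02-29",
     "age": 57, "last_visit": "2008-02-29", "diagnosis_code": "N39.0",
     "procedure_code": "51798", "outcome": "resolved"},
]

if __name__ == "__main__":
    kept, research = apply_retention(SAMPLE_RECORDS, date(2017, 3, 22))
    print(f"kept {len(kept)} active record(s), de-identified {len(research)}")
    for row in research:
        print(row)
```

Run against the sample set on the breach date, the sweep keeps the one patient seen within the last seven years untouched and replaces the two stale records with copies that carry no name, address, contact details or record numbers, only the state, a three-digit ZIP, the year of each date, a capped age and the treatment codes. Note that Safe Harbor also requires that the organization has no actual knowledge the remaining data could identify the person; the code cannot check that for you, and a real sweep should also cover backups and exports, which are exactly where legacy data tends to linger.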

There are no easy solutions here. On one hand, the day will surely come when a company deletes some information only to find that it has a pressing need for it and no way to recover it. On the other hand, a company that keeps everything will eventually suffer a catastrophic breach that exposes years, or even decades, of data, with ruinous financial consequences.

How long do you keep client data, and do you have a well-defined policy that covers the subject? If you don’t, now is the time to change that.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP space for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He is a past member of the Entrepreneurs’ Organization and a current member of the New Jersey Power Partners and the Executive Association of New Jersey, where he has previously served on the board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and an avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.