McKinney hospital, surgical centers targeted by group of Russian hackers
McKINNEY, Texas (CBSDFW.COM) - Local hospitals are dealing with a potential cyber security nightmare for an unknown number of North Texans, who apparently have had a lot of their personal information stolen by hackers.
McKinney Methodist Hospital and two nearby surgical centers were targets of the attack last month by a notorious group of Russian hackers.
The hospital sent CBS 11 the following statement:
"Methodist Health System can confirm that Methodist McKinney Hospital (MMH) is currently investigating a cybersecurity issue. Methodist McKinney is still assessing the full nature and scope of this event. While the hospital carries the Methodist name, Methodist McKinney is a jointly-owned hospital with physicians that is managed by a third-party hospital and ASC management company that oversees all day-to-day management functions at the McKinney facility. It is Methodist Health System's understanding that a preliminary notice, containing additional information regarding the potential data event and providing contact information for a call center - is available on MMH's website."
Cyber security experts said that with the right protections in place, this should not have happened.
Russian hackers known as the Karakurt gang have already boasted on the dark web about acquiring 367 gigabytes of data from Methodist McKinney Hospital, Methodist Allen Surgical Center and Methodist Craig Ranch Surgical Center.
The hospital posted about the data breach last month, confirming that those files included names, addresses, social security numbers, birth dates, medical history information, diagnosis information and health insurance information.
"That's a serious privacy security risk for the patients, so this is a pretty large breach," said cyber security expert Andrew Sternke.
He is a cyber security expert who says the hackers have multiple ways to harm patients with the info.
"To mess with your finances, to potentially blackmailing individuals regarding very private healthcare information...there's a lot of potential," he said.
McKinney Methodist is urging patients to monitor their credit for fraud and said it has notified law enforcement.
A new law requires notification to the state as well or face a fine up to $250,000.
The attack currently is not on the attorney general's data breach list.
The hospital has not said how the hackers gained access, but experts say it's almost always the result of human error.
"It's the human element that often get social engineered by one of these hackers to give up information, which will then eventually be used for unauthorized access to the system," Sternke said.
He said this should serve as a wake up call to corporations to take cyber security much more seriously.
There are nearly 500 businesses, city governments, school districts, charities and political action groups on the list.
