The Social Security numbers and personal information of thousands of individuals, including lawmakers, were compromised in a healthcare data breach
No industry has been left untouched by cybersecurity incidents. Preventing data breaches, phishing scams, and ransomware has become the gloomy routine of our vibrant cybersecurity ecosystem. Many affected entities can quickly recover from cyber incidents and continue working. Yet there are sectors whose incapacitation or destruction may be detrimental both to them and to the national welfare. These are the 16 Critical Infrastructure Sectors, whose assets, systems, and networks are especially vital for national security.
At the beginning of March 2023, the U.S. Congress, which belongs to one of the 16 Critical Infrastructure Sectors (the Government Facilities Sector), suffered a healthcare data breach. Specifically, a shocking data breach at one of the DC health insurance vendors serving the U.S. Congress exposed the personal data of hundreds of lawmakers and staffers.
Read more about the data breach below and learn why it matters in the context of national cybersecurity.
The healthcare breach at Congress affected around 56,000 individuals, including top officials and lawmakers. The data stolen included names, Social Security numbers, dates of birth, the names of spouses and dependents, health plan information, home addresses, phone numbers, email addresses, ethnicity, and citizenship status. The stolen data was then put online and made available for sale on the dark web. The hackers also published a sample of data from eleven affected individuals as proof that the data was in their hands.
The FBI was investigating the incident and paid an undisclosed amount to the criminals to have the data removed from the dark web. The criminals have since updated the post to indicate the data has been sold. It was not clear, though, whether and how the FBI could guarantee that copies of the stolen data would not be circulating in the cybercrime underworld. According to some security researchers, it is possible that the dark web site operators deactivated the threat actor’s account because they didn’t want undue attention from media and governmental bodies.
The FBI estimated that the data breach was carried out by IntelBroker, very possibly a Russia-linked criminal group. They claimed responsibility for a breach of multiple US government agencies and advertised the sale of over 2 GB of stolen files on underground hacking forums.
Furthermore, the healthcare data breach at Congress is not the only recent incident of such a scale. On February 17, 2023, hackers broke into a computer system of the U.S. Marshals Service, a federal law enforcement agency within the Department of Justice, and activated ransomware. The breach compromised sensitive law enforcement information, including returns from legal processes, administrative data, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees.
Threat actors can use the data obtained from the healthcare data breach at Congress in a variety of ways:
It’s important to note that the more information a threat actor has, the easier it is for them to carry out malicious activities against systems and networks of national significance. So it is crucial for critical infrastructure to monitor sensitive data and be vigilant for any suspicious activity.
The attacks on U.S. critical infrastructure show the need to enhance the nation’s cybersecurity. US government agencies are well aware of the threat cybercriminals pose to critical infrastructure, so they take measures to stay at least one step ahead of the attackers. The debates on enhancing cybersecurity intensified after the SolarWinds supply chain attack occurred in 2022, triggering an executive order to improve the nation’s cybersecurity.
The order was followed by a series of governmental initiatives to ensure the nation’s cybersecurity. These include the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. CIRCIA’s rulemaking process is still ongoing. We are now waiting for the director of CISA to publish proposed rules implementing the reporting requirements. Final rules must be published no later than September 2025.
The next initiative is the American Data Privacy Protection Act (ADPPA) of June 2022, a draft bill that aims to become comprehensive data privacy legislation by unifying the national data privacy framework and a robust set of consumer privacy rights under one umbrella. The law is expected to be passed soon and enforced by the Federal Trade Commission (FTC).
Another is the M-22-09 Federal Zero Trust Strategy of January 2022, which sets a new baseline for access controls, prioritizes defense against sophisticated phishing, and directs agencies to consolidate identity systems so that protections and monitoring can be consistently applied.
Not long ago, we reviewed the 2023 National Cybersecurity Strategy. The document mainly targets critical infrastructure owners, vendors, and software developers, providing them with guidelines regarding how companies in the US allocate roles, responsibilities, and resources in cyberspace.
The recent cybersecurity events showed that strengthening national cybersecurity and making it more resilient is both reasonable and timely. Thus, government and private information security experts should keep their eyes on rising cyber threats to national security in order to respond to them in time.