Homewood Health Data Breach

Blog / Homewood Health Data Breach

How NOT to handle a data breach.

The other day I received an article about a data breach impacting a number of Albertans. Homewood Health had a large amount of its data stolen and sold on an internet marketplace. It took some digging but I eventually found a bit more information about the situation, but there doesn’t seem to be a lot out there so I’ll try to summarize what’s known about the situation so far.

1) Homewood Health runs clinics across Canada and the US.

Homewood Health operates a number of private clinics across North America treating mental health problems, with a specific focus on addiction and PTSD treatments.

2) They serve multiple companies in Alberta.

Although Homewood Health’s website does not specify clients by name, various news articles about this breach indicate their clients include Fortis Alberta, WCB of Alberta, City of Spruce Grove, and many others both in and outside of Alberta.

3) The data appears to contain Personally Identifiable Information (PII).

Several articles from different news sources include redacted samples that show the data includes contact and identification data as well as medical information. This wasn’t a database dump and includes work documents of patient records. This means someone would need to manually go through the files and pull out information on each person, like their name, phone number, address and other details that can be found.

4) There’s a lot of data.

183GB worth of data, if the criminals are to be believed.

That’s about it. There’s not a lot to go on, sadly. There might be an official public acknowledgement of the breach on the Homewood website but their page has multiple loading issues and couldn’t not be confirmed at the time of publication. Google doesn’t seem to have indexed a statement, but that’s not definitive. Articles about the situation don’t help a whole lot either, as it seems that Homewood Health is being tight lipped with news outlets, other than to say they have involved law enforcement and IT security experts.

As a side note, I also wonder if Homewood Health took down their website intentionally. There are no connection errors or timeout issues; many of the pages just fail to load or are blank. That’s not generally normal behavior even when there’s an error. However, without some kind of internal information about the situation, that’s just speculation.

Also, it may seem like an obvious idea for Homewood Health to contact any patient records they believe were tampered with, but they may not even know how this attack occurred. There’s been so little information provided that very few know anything for sure. There’s also been no talk of services being impacted so it seems unlikely to be ransomware, but regardless, without more information, there’s little else to comment on except to say their response has been dismal.

No matter how good or bad the situation there’s always the takeaway of something that can be learned from it. But at this point, nobody can really learn anything except that an addiction treatment chain with clinics across the country suffered a data breach. That makes this a great example of how NOT to handle a situation. Be open and communicate information quickly. If you recall what happened recently with Kaseya, communication is something I feel they did very well. Their handling of an otherwise grave situation likely generated a great deal of customer goodwill despite the situation.

Breaches happen all the time, and I know since it’s my job to find them (and I find them all the time). But this breach annoys me to no end because it showcases a very closed mentality. Their approach seems to be avoidance, possibly because they don’t want to potentially admit to some additional liability, but regardless of the reason t’s a terrible stance to take; it demonstrates that the only people the organization really cares about protecting is themselves and their bottom line, not the people that come to them for help.

Being open about this breach could help everyone, not just those who were impacted. Releasing information about how the attackers got inside (and got the information out) would allow other organizations to compare their setup and improve their security. Keeping all of this secret is only beneficial to hackers who can try to pull the same tricks on others.

For today’s slice of Shakespeare I’ll pull a bit from Hamlet in Act 3 scene 1 where the titular character remarks “God has given you one face, and you make yourself another.”

If you have any questions about managing a data breach, please reach out to your TRINUS Account Manager for some stress-free IT.

 

By Kind, Courtesy of Your Friendly Neighbourhood Cyber-Man.

/Partners /Systems /Certifications

TRINUS is proud to partner with industry leaders for both hardware and software who reflect our values of reliability, professionalism and client-focused service.