*Details have been removed from this account to protect personal and corporate identities.
It was one of those messages that you know is bad news: “Important information about your personal health information.”
The letter used my formal name and wasted no time in outlining the point of the communication. “We recently became aware of a security incident… ransomware cyberattack on systems… investigation has revealed that some of your information was removed from our servers…”
I had become the victim of a data breach at a chain of private clinics. And while the access sounded minimal – just five per cent of clients – that amounted to 60,000 patient records. And mine was one of them.
Like everyone else, I’ve heard about the growing threats of cybersecurity. But it always seemed like something that someone else would be affected by. Or that someone else should be preparing for. In this case, I had assumed that my clinic would have been fully aware of the risks and taken all necessary precautions.
The letter outlined the facts and the next steps that they were planning to undertake. Their response to this very serious situation included paying ransom, notifying the authorities, and providing affected patients with five years of cybersecurity protection.
Within minutes of reading those words, I felt incredibly shaken and vulnerable. Personal health information, private details that were confidential to myself and my doctor, were now in the hands of someone I didn’t know, who didn’t care about me, and who certainly didn’t have the best of intentions. I was concerned about the possibility of future repercussions to the security of my identity. And the message had come a full month after the incident had taken place – I was the last to know.
I did believe that the clinic had followed expert advice to manage the situation and was truly sorry for the breach. But offering cybersecurity protection to help alleviate future risk didn’t do anything to calm my nerves about what had already happened. My confidence in the clinic was shaken and my feelings of security, in general, suffered for a long while.
I can imagine that the clinic sustained a significant negative impact financially and reputationally. The cost of cybersecurity protection for 60,000 clients was probably hundreds of thousands of dollars. And that’s before considering that the clinic would have incurred a great deal of cost to manage their response to the breach, the ransom they paid, the cyber expert and legal fees, and the long-term business impact. All of these costs resulted in a situation that may have cost the clinic well over a million dollars, perhaps into the millions…
While the circumstances of how the breach occurred were not revealed, as a patient and a victim, I am left wondering if appropriate cybersecurity training could have prevented the entire scenario.