County 911 Service Alerts 180,000 People About July Data Breach

The Muskogee City County Enhanced 911 Trust Authority in Oklahoma is in the process of notifying approximately 180,000 individuals about a data breach involving health information, which may have originated from a ransomware attack. This incident reportedly impacts patients who received emergency medical services as far back as 2011.

As part of its obligations, the agency reported the breach to the U.S. Department of Health and Human Services on September 20, confirming that a network server was compromised. The organization discovered the ransomware attack on July 25, while an investigation revealed unauthorized access potentially spanning from April 4 through July 31, affecting a wide range of emergency medical service recipients in Muskogee County dating from January 2011 to April 2023.

The prolonged exposure of sensitive data raises concerns about the potential vulnerabilities in the 911 service provider’s backup systems or records management framework, as noted by cybersecurity experts. Mike Hamilton, founder and CISO of Critical Insight, observed that it is likely that cybercriminals gained access to the record management system rather than exploiting backup vulnerabilities, given the record retention practices typically employed.

Information potentially exposed in the breach includes names, addresses, dates of birth, Social Security numbers, medical diagnoses, treatment history, and health insurance details. Following the discovery of the breach, MCC911 undertook immediate remedial actions, such as taking certain systems offline, resetting passwords, alerting federal authorities, and enlisting cybersecurity professionals to assist in containment and mitigation efforts.

In the wake of this incident, the 911 Authority has implemented significant improvements to its cybersecurity posture, including enhancing endpoint security, upgrading firewalls, introducing geolocation restrictions, and reallocating resources to bolster system defenses. However, as of this writing, further details regarding the compromised systems remain unaddressed.

This incident is part of a broader trend in which emergency medical services (EMS) are increasingly targeted by cybercriminals. The Acadian Ambulance Service breach earlier this year, which affected nearly 3 million patients, highlights the rising profile of EMS organizations as prime targets for data theft. Ransomware groups, such as Daixin, have claimed responsibility for many significant breaches and actively publish stolen data on dark web forums.

Cybersecurity experts emphasize that EMS organizations often serve as critical infrastructure and handle sensitive health records, making them attractive targets. The threat posed by disruptions in EMS capabilities can have dire public safety implications. Although such entities may struggle with adequate cybersecurity funding, experts recommend that they implement effective controls to bolster their defenses, particularly against common attack vectors like social engineering and phishing.

In view of this incident and others within the sector, it is vital for EMS providers to adopt comprehensive cybersecurity measures, including user training, robust credential management systems, and proactive vulnerability management, following the guidelines set forth in the MITRE ATT&CK framework. This approach can help significantly mitigate the risks of falling victim to similar attacks in the future.