Northwoods Inc. hacked through unauthorized email access

Exploit: Unauthorized email account access
Northwood, Inc.: Provider of medical equipment, prosthetics, and supplies

Risk to Small Business: 1.555 = Severe: On May 6th, hackers gained access to an employee’s email account that contained patients’ personally identifiable information. A forensics investigation determined that hackers accessed company data for three days, and it’s unclear why Northwood waited more than two months to notify the public. In response, all employee passwords were reset, and Northwood encouraged employees to be vigilant about identifying suspicious emails. In addition, the company is upgrading its email security to try and prevent suspicious emails from reaching employees’ inboxes.

Risk to Small Business: 2 = Severe: The hacked email account contained sensitive client data and personally identifiable information. This includes names, dates of birth, dates of service, provider names, medical record numbers, patient identification numbers, and other health-related information. In addition, some clients had their Social Security numbers, driver’s license numbers, and health insurance information exposed. Northwood cannot confirm if this information was viewed or accessed by hackers, so those impacted by the breach need to be especially vigilant about monitoring their accounts for suspicious activity. Moreover, they should acquire identity and credit monitoring services to ensure the long-term integrity of their data.

Customers Impacted: Unknown
How it Could Affect Your Customers’ Business: In today’s interconnected digital environment, small mistakes can have catastrophic consequences. In this case, a single email gave bad actors expansive access to people’s sensitive data. While Northwood is taking all the right steps to recover from the breach, companies that truly prioritize data security will take these actions before a breach occurs, which will not only help protect critical information, but it will save companies the incredible expense and reputational cost associated with a data breach.