Monday, September 10, 2018

In phishing attack on prospective IPO company, another worry for biotech


Hackers obtained personal information for some 1,100 people through an email account of an employee of a growing Peninsula biotech company.
The phishing incident in July was revealed Thursday by Guardant Health Inc. in its filing for a $100 million initial public offering, and it showcases the vulnerability of health care companies, including biotech companies, hospitals and others that hold personal and precious health and financial data on millions of people.
In the attack on Redwood City-based Guardant, which builds so-called “liquid biopsy” tests that can detect cancer from a simple blood draw, hackers over a five-day period in July got access to data, including “protected health information,” for about 1,100 people. The stolen information included patients’ names, contact information, birth dates, medical diagnosis codes and — in “a very limited number of cases,” the company said in its IPO filing — Social Security numbers.
A company spokesman said in an email Monday morning to the San Francisco Business Times that the incident remains under investigation and “we can’t comment further at this time.”
Guardant plans to provide “timely notices” of the attack to the U.S. Department of Health and Human Services, certain state regulators and patients. But the company did not say in its filing when it will tell cancer patients that their personal information was compromised.
Guardant said it hired an unidentified cybersecurity firm to conduct an investigation.
“We continue to analyze the information that was accessed and intend to take additional steps to prevent future unauthorized access to our system and the data we maintain,” the company said in its IPO filing, “but we cannot guarantee that additional incidents will be avoided.”
Phishing typically occurs when an electronic communication tries to trick someone into opening an infected file or link that installs malware, which in turn opens a door into the employer’s computer system.
Guardant’s breach could have financial implications at a critical time when various companies are staking out space in the liquid biopsy field. Those companies are developing tests to identify cancer so doctors can adjust the treatment regimen of current cancer patients and working on tests that, eventually, could detect cancer even before symptoms appear.
Besides Guardant, those companies include Roche-owned Foundation Medicine Inc., Menlo Park-based Grail Inc., San Carlos’ Natera Inc. (NASDAQ: NTRA) and giant Illumina Inc. (NASDAQ: ILMN).
Investors have pumped billions of dollars into a liquid biopsy quest that faces all the same risks of drug and medical device development: cash, scientific, clinical trial, regulatory and data security.
To be sure, Guardant isn’t alone when it comes to phishing attacks. Cybersecurity experts and others in the biotech industry say that virtually all health care providers, including those that compile clinical trial data, face such attacks.
The breadth and depth of the information those companies collect makes them targets. Guardant, for example, collects health data as well as credit card and other financial information. It stores it in a combination of on-site systems and cloud-based data centers.
The company, led by CEO Helmy Eltoukhy and President AmirAli Talasaz, uses external security and infrastructure vendors to manage parts of its data centers, the company said in its SEC filing.
A report earlier this year by Verizon found 750 data breaches, including 536 where data disclosure was confirmed. Most of those breaches were internal and the result of miscellaneous errors, crimeware and misuse of privileged access to data, the study found, with financial gain as the largest motive. In 79 percent of cases, medical data was compromised, personal data in 37 percent and payment data in 4 percent.
The prevalence of such attacks, however, doesn’t make them any less costly.
Violations of the federal Health Insurance Portability and Accountability Act, or HIPAA, for example, can lead to civil fines of up to $55,910 per violation, not exceeding $1.68 million per calendar year, and criminal penalties of up to $250,000 per violation and/or imprisonment.
California’s patient privacy laws outline penalties for violations of up to $250,000 and could open the company to individual lawsuits.
Guardant, which has raised $550 million in its six years and has nearly 350 employees, has introduced two liquid biopsy tests for advanced stage cancer. Its four-year-old Guardant360 test, with a list price of $7,800, has been ordered 70,000 times and used by more than 5,000 oncologists, sold to more than 40 biopharmaceutical companies and all 27 National Comprehensive Cancer Network centers.