SAN ANTONIO — Hospitals and clinics across 20 states, including Texas, have suffered a “major hack” according to CBS News. Up to 11 million patients could be affected, and the list of compromised hospitals includes Methodist Hospital Texsan in San Antonio.
At the same time, three San Antonio banks and a local university have also been hacked in just the last four months. According to the Texas Office of the Attorney General, USAA, Generations Federal Credit Union, Texas Partners Bank, and Our Lady of the Lake University have reported data breaches since April of this year.
Experian Global Data Breach Resolution VP Michael Bruemmer told KENS 5 it’s a consistent problem that is only getting worse.
“In terms of the total number of breaches from 2022 to 2023 we are up about 20 percent in terms of the number of breaches. That trend is very recent.”
Bruemmer told KENS 5 hackers can get good money for personal healthcare information on the web and healthcare companies are a common target.
“Your name, your social, your insurance information … the full health care identity on the dark web is about a thousand dollars.”
Bruemmer also said 85 percent of data breaches are still caused by a combination of social engineering and human error. This means the “hacker” focuses on targeting individuals inside major companies with emails or text messages designed to trick them into disclosing personal information and passwords, or clicking on malicious links, in order to gain access to data.
“It’s clicking on a link that they shouldn’t, putting a nonproduction server into production, answering a suspicious phone call and compromising a voice print, or not having two factor authentication,” Bruemmer said.
In some cases, hackers will stalk suspected IT administrators, or someone else with special access, on social media, email, and text to try to get access to data and use it to access secure information.
Hackers will also attempt to compromise third-party software to access data. Bruemmer said Russian operators recently hacked MOVEit Transfer, which was designed to provide secure file transfers. He said there were 2500 customers using that software at the time and some customer data has already surfaced on the dark web. He did not believe any of those companies were local to San Antonio, though some companies operating in Texas have been affected.
“Ransomware has been asked to be paid and companies have been notified. They are fulfilling their legal requirements to notify consumers,” Bruemmer said. “One of the trends that is happening in the industry right now is that hackers are looking for third party software that they can compromise.”
It's also possible for third-party companies to simply make mistakes. USAA told KENS 5 Wednesday the breach listed on the Attorney General website was actually the result of improperly shared credentials. USAA provided the following statement:
"A limited number of employees at a third party service supplier of USAA improperly shared their access credentials with unauthorized individuals. This gave the unauthorized individuals access to the personal information of a small number of USAA members. Those members have been notified and offered two years of complimentary credit monitoring out of an abundance of caution. The other 99.85 percent of our members were not affected in any way.
USAA systems were not compromised at any time, and in all cases, we have seen no evidence of any misuse of information resulting from this third party incident. The security of our members’ personal information is our top priority."
Bruemmer also said hackers are just as willing to go after individuals and will often pose as contacts for charities or common companies to get your information. He said simply clicking on a bad link can end up exposing you to malware or a virus that steals your information.
“You get a phone call from a number you don’t recognize, someone sends you a link to click on that you are not suspecting, or someone asks you to sign up for a charity you don’t recognize. You need to be suspicious or just say no to that,” Bruemmer said. “Let’s say you are busy, and not paying attention, you might click on a link or sign up for something.”