Did members of the royal family go under the knife at an upscale London plastic surgery clinic? A recent hack at London Bridge Plastic Surgery may reveal the answer to that—and many other questions you never thought to ask.
Setting aside the obvious follow-up questions (Do you care? Is it any of your business?) and regardless of your curiosity about seeing the picture proof of royal rearrangements, you should be paying attention. The hack speaks to our collective vulnerability when it comes to protected health information (PHI).
The hacker collective known as The Dark Overlord took responsibility for the royal family’s data grab. The group’s responsibility was confirmed by The Daily Beast after a reporter at the site reviewed both in-progress and before-and-after photographs of family members’ physical enhancements.
You may remember The Dark Overlord: it was behind an October hack that featured threatening texts sent to parents of school-age children in several states and voicemails left by victims being dumped online. The group was also behind a notorious Netflix-related hack. It memorably stole the fifth season of Orange Is the New Black from Larson Studios and released the first episode even after having received about $50,000 in Bitcoin to not do so.
As reported by Variety, The Dark Overlord had decided that its victims were in breach of contract. Specifically, “Larson Studios was in great delinquency of the agreement after sources confirmed law enforcement cooperation,” the group claimed. “Our agreement provides us the right to execute harmful action against any client who defrauds our agreement.”
Why It Matters
Did you notice how The Dark Overlord called the studio its “client”? I have long said that while we have day jobs, all of us collectively are hackers’ day job. Their sole objective in life is to seep their way into the assets of our identity. Always remember that your personal information is an asset with real, assignable value.
The Dark Overlord is not alone in viewing its victims in this transactional way. Hackers are in it for the money. Bigger operations offer customer service–style communication to make the ransom/payoff part of the process a high-touch consumer experience.
You may think, “This can’t happen to me.” But how do you know? Consider how your medical provider stores your PHI. Have you ever seen a physical file? Do you know where it’s stored and who has access to it? That sort of physical information is vulnerable. It could easily be stolen or duplicated. What about electronic data? Everyone knows that storing information digitally doesn’t make it secure from compromise.
5 Steps for Keeping Your PHI Safe
Security is complex and requires constant maintenance. Here are five steps you should take to keep your personal health information safe from hackers and other no-do-gooders.
- Ask if your medical provider implements a data security solution. While it may seem like a simple question, many providers don’t have a clue about data security. The only way to find out if yours does is to ask.
- Find out if your medical provider uses a vendor. If your medical provider uses a vendor, get the name and check out its reputation online.
- Ensure that your medical provider double encrypts your PHI. Your doctor may not know whether your PHI is double encrypted—especially if they use a vendor as their data security solution. Either way, push the point. The only way we all become more secure is if we all demand a high data-security IQ from our peers and service providers.
- Inquire about who has access to your PHI. By asking this question you may be pointing your provider to safer records. Only your doctor and other medically trained staff with a reason to be looking should have access to your PHI.
- Locate where your PHI is stored and how it moves around. Does your medical provider use a cloud server or onsite hardware to store your PHI? How are the servers connected to the network? Is there a secure network used solely for PHI and another for less sensitive traffic or smart devices used in the office?
We All Have Something to Lose
Granted, you may not have had any work done at a fancy plastic surgery clinic, but you’ve probably been to a doctor—and most likely at least once for an ailment that you’d rather not have broadcast to others. The victims of the data breach at London Bridge Plastic Surgery are just like you and me for that reason, even if they are royal. We all have something to lose: our privacy.
The sensitive data theft lottery definitely discriminates—high-end targets pay upper-class ransoms—but you can’t rely on your relative obscurity to protect your PHI.
As far as plastic surgeons getting compromised goes, this isn’t the first time a high-profile doc has gotten rolled for photographs and other PHI. And it probably won’t be the last, which should be reason enough to get you to call your doctor and ask how your information is protected.
Adam Levin is chairman and founder of CyberScout and co-founder of Credit.com, where this article originally appeared.