The Garrahan Front, one of the most important pediatric hospitals in the region.
Cybercriminals claim they did patient data, treatments, medical staff files and even the login credentials of the Garrahan Pediatric Hospital in the city of Buenos Aires. The information appeared in the middle of last week in a specialized forum, where leakers buy and sell packets of sensitive information that can be used for multiple purposes. criminal.
“These are several critical databases that add up to a total of 5 and a half gigabytes of information and some 12 million records. The incident is not in response to a ransomware attack, but simply to a leaked news published for marketing and currently evaluated $ 1,500”, He explained to Clarione Mauro Eldritch, IT security architect. It is what is known among cyber attacks as data breach.
The test uploaded to the forum contains sensitive information: “According to the samples published by the seller, the 12 million records are distributed in information of patients and their legal guardians (DNI, employment status, personal and work addresses and telephone numbers, medical conditions, health coverage affiliations), technical information on medical treatments and its follow-up and medical staff files, ”he detailed.
The names that appear in the sample are consistent with the health care personnel who worked or work in the hospital. There are also credentials for access to IT systems, that is users and passwords.
Clarione contacted Garrahan Hospital, but the institution did not deny or confirm the incident.
The lot with proof of the information for sale. Photo Mauro Eldritch
Unlike cyber attacks that have occurred with large companies like Mercado Libre, Globant, or Osde, where cybercriminals steal information, they encrypt it and ask for a ransom in exchange, data leaks are crimes in which there is no request for money from the victim: the stolen information is sold online to the highest bidder.
This is what happened with the Renaper case in October last year, in which, through unauthorized access, a user uploaded a database with identity documents of 60,000 Argentines.
In the case of Garrahan, the information would compromise the data of minors: “We remember that being a pediatric hospital many of the patients are minors. Not only is information about children and their families on display for sale treated, but also about their medical conditions and treatments, information that must be treated according to standards of confidentiality, “warned Eldritch.
As for how these leaks are produced, there are more entrance doors. “There can be many situations that facilitate filtration, but it all can be summed up in this someone had too many privileges that I shouldn’t have, nor necessary, ”he explains.
“Someone who has been able from the outside, as a ‘visiting user’, to consult the system from a vulnerable interface, or that from the inside he had access to read all the system logs, or even someone who leaked them internally. The possibilities in this case are many, but they can be reduced to something avoidable by managing a simple principle such as giving the minimum access necessary for their task to those who work with data, “he says.
Garrahan Hospital: how serious is the escape and who is responsible
Patients, doctors, care: the sample has sensitive information. Photo Enrique Garcia Medina
When there are data leaks and cyber attacks, those tasked with protecting people’s privacy must answer for incidents.
“The exfiltration of personal data that occurs in a data breach it has an absolute, expansive and insurmountable detrimental effect on the security, privacy and trust that must be preserved in the processing of personal data “, explains Clarín Johanna Caterina Faliero, Doctor of Law in Personal Data Protection.
“When the physical protection of personal data is lost, especially when it comes to sensitive data such as health data from patient medical records, the criticality is even greater. because they are the most intimate and very personal data that a person owns, ”adds the specialist, who is Director of the UBA Law School’s Postgraduate Update Program in Cybersecurity.
“Data breaches are becoming more serious in recent years. The health area is one of the most affected areashave the highest escape cost from the industry and the highest average time to identify and contain a data breach, so for this industry information is its greatest strategic asset and it must invest in cybersecurity to contain these contingencies “.
As to who should be responsible for this type of leak, Article 9 of the data protection law (25,326) defines “that the manager or user of the archive must adopt the technical and organizational measures necessary to guarantee the security and confidentiality of personal data, in order to avoid alteration, loss, consultation or unauthorized treatment“remembers Daniel Monastersky, a lawyer specializing in cybercrime.
It is also recalled that according to Resolution 47/2018 of the Agency for Access to Public Information (AAIP), the entity concerned must report the incident: “One of these recommendations involves reporting security incidents to the AAIP along with sending a report containingat a minimum, the nature of the information, the category of personal data concerned, the identification of the users concerned and the measures taken to mitigate the incident “.
Which, it is worth remembering, is almost never done, since institutions not only do not communicate them habitually but deny them or do not make statements.
Personal data in Argentina, at risk
Garrahan Hospital is a historic medical institution, located in Parque Patricios. Photo: Luciano Thieberger
The case of Garrahan Hospital adds to the long list of state institutions that suffer cyber attacks.
This is not the first time that a state agency has been the victim of a cyber attack. In 2020, the National Directorate of Migration suffered a cyber attack that published thousands of personal data of Argentine citizens.
Last year, unauthorized access managed to extract data from the Renaper and sold it to a forum for buying and selling personal data. And in January of this year, the Nation’s Senate suffered a ransomware attack that released sensitive data on Upper House workers, bills, and even fingerprints of senior officials.
“Argentina is positioned at a level 2 of 5 of the Cybersecurity Capability Maturity Model for Nations (CMM) and is not having a good time in terms of cybersecurity, privacy or personal data protection. In this soft scenario in critical technical areas, a systemic state of inaction and inoperability in the face of the threats and advances we are experiencing, such as the data breach that concerns us that hit the Garrahan ”, Faliero closes.
In June of this year, the Organization of American States initiated a program with Argentina to review cyber security practices.
Garrahan will be another case to consider in this challenge that the country faces in terms of how personal data is processed and, moreover, how to communicate this type of error when it comes to protecting the sensitive information of Argentine citizens.