UPS (NYSE: UPS) and Norfolk Southern (NYSE: NSC) said they are looking into whether employee health data was compromised after hackers posted medical records of truck drivers and rail workers to a leak site following an apparent ransomware attack and data breach at a Virginia-based occupational health-care provider.
It was not immediately clear how many UPS and Norfolk Southern personnel were affected by the leak of over 3,000 files from occupational health provider Taylor Made Diagnostics on Jan. 8. But FreightWaves found multiple health records for employees from both firms, in addition to multiple smaller trucking companies, U.S. government agencies and defense contractors from as recently as December 2020.
“The security of our employees’ data is a priority for Norfolk Southern and a requirement for our vendors,” Norfolk Southern spokesperson Jeff DeGraff told FreightWaves in an email Friday. “Norfolk Southern is looking into the issue but has no further comment at this time.”
The railway, which employs nearly 25,000 people and operates in 22 states, would not say if it had been informed about the data breach.
UPS also told FreightWaves it was looking into the breach, but would not discuss how many of its drivers may have been affected.
“The security of employees’ personal information is of the utmost importance,” said UPS spokesperson Matthew O’Connor.
Taylor Made Diagnostics CEO Caroline Taylor did not respond to requests for comment.
The Conti ransomware gang, which appears to be behind the attack, recently leaked data from short-line rail operator OmniTRAX after targeting parent company Broe Group. The gang has also leaked data from multiple health-care providers since the start of the ye
Taylor Made Diagnostics has two clinics in the Hampton Roads region of Virginia, where Norfolk Southern is headquartered.
According to an informational sheet on its website, Taylor Made’s customers include the U.S. Secret Service and Naval Special Warfare Development Group — better known as SEAL Team Six, the special forces unit responsible for killing Osama Bin Laden.
DOT medical exam, drug and alcohol test reports among leaked data
The leaked data included completed U.S. Department of Transportation (DOT)-mandated medical exams, as well as drug and alcohol testing reports for truckers and rail workers at multiple companies. Many documents contained detailed personal information such as full names, addresses, Social Security numbers and scans of driver’s licenses.
Ransomware gangs have aggressively targeted the health-care sector in the past year, perhaps more so than transportation and logistics. Increasingly the hackers use double-extortion attacks, which leverage the threat of posting stolen data to pressure victims into paying.
In December alone, 37 U.S. health-care providers reported hacking or unspecified information technology incidents that compromised nearly 1.5 million patients, according to the U.S. Department of Health and Human Services.
The data leak from Taylor Made highlights the cybersecurity risks transportation and logistics companies face beyond their own systems, through the vendors they rely on, and the potential fallout when employee data is leaked.
Carriers’ obligations to secure truckers’ medical records extend to health providers
The random drug and alcohol testing required of commercial truck drivers also means carriers regularly entrust sensitive employee medical records to outside providers for safekeeping.
Dave Osiecki, president and CEO of Scopelitis Transportation Consulting and an expert on DOT regulations, said that trucking companies still have to take reasonable steps to ensure that those providers are keeping those records secure.
“If you’re an employer of a CDL driver, you have an obligation to maintain records in a location that’s secure, and that requirement sort of trickles down to third-party agencies,” Osiecki said.
The federal Health Insurance Portability and Accountability Act (HIPAA) provides a baseline standard for how most health providers have to secure patient records. The U.S. Department of Health and Human Services also provides compliance guidelines specifically for ransomware attacks.
But it’s an open question whether HIPAA compliance is sufficient to safeguard against sophisticated ransomware gangs such as Conti, which regularly targets health-care providers.
Brett Callow, a threat analyst with cybersecurity software firm Emsisoft, said these higher-level attacks can make traditional security measures — such as encrypting sensitive data — meaningless.
“In most cases, attackers effectively are in your systems,” Callow said. “They are your new admins. If you can access data, they can access it.”