por
John R. Fischer, Senior Reporter | March 17, 2023
A breach of Zoll Medical's network has put data for over one million cardiac defibrillator patients at risk.
A breach in early February compromised information belonging to one million patients using or in line to receive a Zoll Medical wearable defibrillator.
The size of a paperback book, the lightweight fabric vest for the device is worn under clothes around the patient’s waist or from a shoulder strap. The monitor’s electrodes pick up the person’s electrocardiogram.
The company discovered “unusual activity” on its internal network on January 28, and consulted with a third-party cybersecurity firm and the authorities to mitigate the incident,
reported SC Media.
An investigation tied the breach to current and former patients using the company’s LifeVest device, a wearable cardioverter defibrillator, and found that patient names, dates of birth, contact details, and social security numbers were compromised on or about February 2, though there is no indication that the data has been misused in any way, says the company. No other defibrillators or monitors designed by Zoll Medical were affected by the breach.
“Nothing about this cybersecurity incident affects the safety or operation of ZOLL’s medical devices or related software,” Zoll told HCB News. “We are in the process of notifying individuals whose information may have been affected by the incident, in accordance with all applicable data breach notification laws and regulations.”
Zoll previously encountered a breach in 2019, when an error made by third-party service provider Barracuda Networks during a server migration exposed archived emails, leading to the personal and medical data of 277,319 patients being compromised.
An investigation into the matter showed the exposure was not detected for two months. Zoll filed a lawsuit against Barracuda Networks, tasking it with record retention and maintenance requirements.
In 2021, multiple remote code execution vulnerabilities were found in ZOLL Defibrillator Dashboard, making it possible for a hacker to take control of the system, which streamlines management of defibrillators and allows administrators to monitor devices in real time in their enterprise environment and across multiple sites,
according to SC Media.