Jun 15, 2021 | Blog

Practice Hub Data Breach

Howard Freeman

A story from last month: Practice Hub, an online service for chiropractors and other practices, was breached.

Details emerged in May about a serious incident involving the Practice Hub data breach. We have been working to find out exactly what happened and what is actually known. The information below is what Practice Hub has told us.

Practice Hub said

They said, “Thank you for your ongoing patience with this ongoing incident – we know this is causing disruption to your business and we are working as hard as we can. I just wanted to make you aware of disrupted support times, as we are currently receiving a huge number of support requests quicker than we can respond. I expect this to slow down, but it’s likely support times will be disrupted moving into next week. My team and I will get back to each and every request as soon as we can and really appreciate your support and understanding whilst we deal with this situation. To make things as clear and easy as possible, we’ve put together a list of questions that we have been getting asked which will help you craft your own personal response to this situation.”

What is going on?

We have asked about the personal data lost or stolen. Initially Practice Hub claimed that attachments had only been deleted, not copied. Later correspondence stated that the data may have been copied or stolen. A confused picture has emerged. There had been no press release on their web site as of 23:21 1st May 2021 UK time. The alarming part of this is that they claim the ICO has told them to inform the data controllers for whom they process data of the breach. This they have done, including the governing body, the GCC.

However, there are a great many chiropractors out there who have entrusted Practice Hub with their data. The chiropractors and other practices now have the unpleasant task of informing their clients that data has been lost. Why should they have to? The chiropractors have done nothing wrong, yet they face the reputational damage. Therefore, we are being asked whether the GDPR is failing the people it is supposed to protect.

We built our business on guidance and on helping businesses keep data safe. So, what is the lesson here?

They said

Practice Hub said this to their clients:

Notify any patients affected as soon as possible and make them aware they may need to be vigilant for phishing scams etc due to the nature of the breach
Turn on IP address restriction for your accounts – https://learn.practicehub.io/article/13-ip-restriction-an-overview
Reset account passwords
Turn on 2 Factor Authentication – https://learn.practicehub.io/article/142-setting-up-2-factor-authentication
Maintain independent data backups
Take the opportunity to review your own internal security procedures

Really?

The section above offers chiropractors the opportunity to review their own internal security procedures. Perhaps the suggestion should instead be that chiropractors review their choice of data processors, if indeed that is what Practice Hub actually is.

Where does the blame lie?

They also state that the ICO is aware of the breach and has said:

We have made the ICO aware of the data breach, and are in direct communication with the ICO team to help them with their investigations. This is an ongoing process. There does seem to be some confusion as to whether we are required to report a data breach incident – as a data processor. The ICO has notified us that we are not required to report a data breach incident as this is the responsibility of the data controller (you as a client). As such, we do not currently have an ICO reference but continue to help them with their queries. The ICO has confirmed it is aware of the breach.

So the problem belongs to the innocent party…

Is there a real problem here?

According to PracticeHub, the data within RDS was encrypted in transit and at rest as part of their AWS set-up. Their web site lists AWS as a sub-processor. Further details on RDS were not available at the time of this report, and they have not explained what exactly their AWS set-up is. The practices now have to tell their clients that the trust they placed in PracticeHub was misplaced.

So, are you sick of the techno-legal gabble and want a straight answer to a simple question? Why not call us? We are human, we don’t have a contact centre, and we are in the UK on 03333 22 1011. Alternatively, you can contact us here.

When selecting a processor of this type it is vital you carry out checks to ensure that they are compliant. It is important you check that measures are in place to keep your data safe. PracticeHub has been unfortunate, of that there is no doubt. However, the problem of telling clients the bad news stays with the chiropractors and other practices using the service.

Howard Freeman