Family offices have recently been caught up in at least two major data breaches — involving Corewell Health, a major health care provider in Michigan, and the Real Estate Wealth Network — potentially exposing some of their most private information to hackers and criminals. Since the breaches involve a third party, family offices are left with few options except to harden their cybersecurity procedures and keep an eye out for suspicious activity, security experts say.
At the end of last year, cybersecurity breaches at both a health management platform and a software company contracted by Corewell affected more than 2 million residents of Michigan in total. The data revealed included name, address, date of birth, medical information such as diagnosis and mental/physical condition, prescription information, as well as insurance and billing information.
And in late December, it was revealed that 1.5 billion records containing information on property owners, sellers, investors and internal logging data were leaked in a data breach of the Real Estate Wealth Network. Among those affected were a slew of wealthy investors such as Elon Musk and celebrities such as Kylie Jenner and Dave Chappelle.
Family offices affected by the Corewell breach have reached out to security experts to assess the extent of the damage, sources tell Crain Currency. The average cost of a data breach is nearly $4 million globally, and individual family offices are at risk of losing up to $500,000 in ransom.
Yet not many family offices are prepared to manage such cyber risks — less than half (44%) of them have specialist cybersecurity controls.
Not that there’s much to do in the case of a third-party breach such as that involving Corewell, said Mykolas Rambus, the CEO and co-founder of Hush, an AI cybersecurity and privacy company. “At this point, the medical records are out there,” he noted, adding that “the issue is to be prepared for what’s next.”
Leaks of health records can be particularly risky for wealthy families because they involve such sensitive information — such as a cancer diagnosis or a terminated pregnancy — and can be used for extortion. “These groups will then take that information and combine that with other things they’ll find and then try to extort the family,” Rambus said. “There are lots of reasons why someone would rather pay $50,000 than have a medical diagnosis of their child’s condition in the public domain.”
Other potential risks include fraud, said Chris Pierson, the CEO of BlackCloak, a cybersecurity company. Pierson gave the hypothetical of Larry, the head of a family office in the Detroit area, whose records on a recent thyroid problem are leaked to a cybercriminal in a data breach of a hospital.
“They could reach out to Larry at [email protected] and tell him: ‘Your payment to the hospital for the thyroid thing did not go through. We’ve tried contacting you 10 times. Your collection amount is now up to $22,000. Remit payment now.’ And so now you’re able to perpetrate scams because you have the relevant information.”
Unlike other types of data, where family offices can exercise some control over what vendors they use, medical records present a challenge because even wealthy people depend on health care services and providers in their area, and it’s difficult to assess their vulnerability to a cyberattack, Pierson said. Even for a family office that has a concierge physician, the clinic they’re associated with will likely have fewer controls than a large hospital system.
Here’s what you can do if you’re the victim of a data breach:
- Put a credit freeze on your account so that nobody can use your name or information to commit identity theft.
- Make sure your information is off data websites and monitor the dark web so that it’s harder for cybercriminals to track you down.
- Protect all your personal devices, and make sure that your social media accounts are not public.
- Put a PIN on your IRS account so that no one can file tax returns in your name.
As for a family office’s own data, the most effective ways to minimize the costs of data breaches are through cybersecurity operations and employee training, investments in security artificial intelligence and the establishment of robust incident response protocols, wrote Alex Ivanov, the CEO of FundCount, an accounting and investment analysis firm that works with family offices.
Basically, it comes down to controlling what you can and taking away from the threat actor what you can out there in the public or on public databases, Rambus said. “The less chance they have of being successful, then they have more incentive to look somewhere else and move on.”