Actually, it is more of a technicality.
The real question is: does it matter?
There is a hacker group based in London that claims to have access to over 250 million iCloud accounts.
This group is trying to hold Apple ransom – they want to be paid in bitcoin – over these accounts.
They are threatening to reset passwords or wipe accounts entirely.
Apple is stating they haven’t been hacked.
This isn’t really the point.
When one study’s this hack data, it is abundantly clear that people are still using painfully simple passwords, or simply re-using passwords.
So, let’s see: hacker A buys a database of user data from a website.
That data only needs to contain an email and a password.
Now, hacker A tries to log into iCloud using these credentials.
Oh, and be confident hacker A has automated this process, so they can still be gaming or eating cheezy poofs and watching tv while this is done.
If they are a small player, once they confirm access to said iCloud account, they can then pull a ransomware attack on you.
This group, being a bigger player, is threatening a ransomware attach on all the users they have, and is trying to get Apple to pay.
Could this be a HIPAA violation?
Do you let your staff put their personal devices on the office network?
Do you put your personal iPad on the office network?
Well, then, a PHI data breach is a real possibility.
What can you do?
Don’t re-use some password you’ve used elsewhere.
Go on, go change it now.
Also, your office computer HIPAA policy should not allow any non-business device on the business network. Period.
Oh, and it wouldn’t hurt to turn on two-factor authentication.