Elekta Health Data Breach Victim Count Grows

Swedish Vendor's Recent Cyber Incident Leads to More Notifications
The number of U.S. healthcare entities affected by a recent cyber incident targeting a Sweden-based provider of oncology radiation systems and related services is growing.

Some security experts say this points to the additional risks offshore business associates can pose to their clients.

"HIPAA does not require any special terms for contracting with BAs outside of the U.S.," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "The Department of Health and Human Services' Office for Civil Rights guidance suggests that your risk analysis consider whether there are increased risks related to the BA being overseas, such as whether the BA operates in a country with a known higher prevalence of hacking or malware attacks."

In recent weeks, several U.S.-based healthcare organizations have reported that some of their patients' protected health information was potentially compromised by a data security incident first disclosed in April by their business associate Elekta, which provides cloud-based oncology related data services.

Among the latest Elekta clients notifying patients of breaches are Utah-based Intermountain Healthcare, New Jersey-based Saint Peter's University Hospital, Alaska-based Fairbanks Cancer Center, Oklahoma-based Cancer Centers of Southwest Oklahoma, and Illinois-based Northwestern Memorial HealthCare.

Northwestern Memorial's data breach was among the largest Elekta-related incidents reported so far to U.S. federal regulators. The Chicago-based healthcare provider reported the incident to HHS OCR on June 25 as affecting more than 200,000 individuals.

Recent Notifications

As of Tuesday, Intermountain Healthcare's breach involving the Elekta incident was not yet posted on HHS OCR's HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.

But a July 16 breach notification report Intermountain Healthcare provided to Maine's attorney general indicates the Elekta incident affected nearly 29,000 Intermountain patients, including two Maine residents.

In a breach notification statement, Intermountain says that on April 6, it received notice from Elekta that the vendor experienced a data security incident.

"On May 17, Elekta reported that a server with some data relating to Intermountain Healthcare patients was affected. … Elekta’s investigation determined that the data present on their impacted systems at the time of the incident included your name and scanned image files. The scanned image files could have included medical images, and information on medical intake forms," Intermountain's notification says.

An Intermountain spokesman tells Information Security Media Group that as a result of the Elekta incident, some patient appointments needed to be rescheduled at four specialty clinics in Nevada. "Intermountain assured that any patient who was identified as high-risk had appointments rescheduled with one of our treatment partners," the spokesman says.

Other Affected Entities

Meanwhile, in its July 9 breach notification statement, Saint Peter's Hospital says that on May 13, it was informed by Elekta about a PHI breach affecting 585 patients, involving the Elekta electronic prescription platform, eRx, used by physicians in the hospital's radiation oncology department.

Other Elekta clients in the U.S. that were earlier identified as being affected by the vendor's incident included Yale New Haven Health in Connecticut, Southcoast Health in Massachusetts and cancer care facilities of Lifespan Cancer Institute in Rhode Island (see: Attack on Radiation Systems Vendor Affects Cancer Treatment).

Those entities also reportedly had to postpone some patients' scheduled cancer treatment because of the Elekta security incident.

Elekta Statement

Elekta, in a statement provided to Information Security Media Group on Tuesday, says its recent data security incident "was limited to a subset of Elekta’s customers in North America" and involved the company's first-generation cloud-based storage system.

"As soon as we became aware of the event, Elekta partnered with leading cybersecurity experts and law enforcement, including the FBI, to investigate what had happened and mitigate any possible harm," the statement says.

"We have migrated our cloud-based applications to Elekta’s Axis Cloud, which was not impacted by the incident and operates on the Microsoft Azure environment, which employs the latest and most stringent cloud and security technologies. Elekta also implemented additional security enhancements to prevent future incidents."

All affected customers have been notified, Elekta says, noting that it's not disclosing details of the incident "for the safety and security of our customers and their patients."

Elekta did not respond to ISMG's inquiries about the total number of Elekta clients and their patients affected by the incident or whether the incident involved ransomware.

Off-Shore PHI Risk Considerations

"U.S. organizations also should be aware that U.S. regulators may not have jurisdiction to directly enforce HIPAA against overseas BAs with respect to noncompliance occurring overseas, with foreign regulators instead having jurisdiction with respect to any applicable foreign privacy and security laws," says Greene, the attorney.

"Accordingly, you may have a business associate agreement, but not the same level of HIPAA protection as with respect to a U.S. BA."

Regulatory attorney Paul Hales of Hales Law Group says: "It's a huge mistake to try to address offshore business associate issues in a business associate agreement."

The correct way to address offshore BA issues, he says, "is by due diligence and a well-written service-level agreement. Due diligence must confirm that the BA complies with all HIPAA BA requirements, has a legal presence in the U.S. that makes it subject to U.S. law … and has assets or insurance that are accessible and sufficient to pay damages arising from its negligence or breach of contract."

The service-level agreement "should specify jurisdiction and venue in the event of a breach and include customary protective clauses, like indemnification and minimum insurance requirements," Hales says.

Commenting on the Elekta incident, privacy attorney Kirk Nahra of the law firm WilmerHale says: "I view this as a supply chain issue more than an offshore issue."

U.S. law "does not distinguish between in-country business associates and out-of-country ones - at least HIPAA does not," he says. "There certainly can be a perception difference with some customers and others - and many hospitals actually preclude their vendors from storing or accessing information from offshore."

A business associate agreement with an offshore vendor "obligates them to follow the contract and informs them of their obligations directly under HIPAA," Nahra notes. "A company that is offshore could try to say to HHS if they were investigated that they are not subject to HIPAA, but that position would mean … that no U.S. business would work with them," he says.

"Offshore vendors usually lead to somewhat additional front-end diligence, but in general, I am just as worried about a breach in Seattle as I am about a breach in Sweden."
About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.