Eye Care Practice: Vendor Paid Ransom for Return of DataHackers Stole Patient and Employee Data of 2 Healthcare Organizations
A California-based eye care provider – which also handles billing and other administrative services for a separate local surgery practice – says its online storage vendor was recently hit by hackers and paid a ransom for the return of patient data stolen from both entities.
In a statement, Harvard Eye Associates says its unnamed storage vendor – "after consulting with cybersecurity experts and the FBI" – decided to pay the hackers in exchange for returning the data pertaining to both its practice and Alicia Surgery Center, both based in Laguna Hills, California.
Harvard Eye Associates provides billing and other administrative services for Alicia Surgery Center, both entities note in their breach notification statements. "Harvard Eye uses some of our patient information in order to provide services," Alicia Surgery Centers says.
The statements do not specify whether the vendor incident involved ransomware.
Neither Harvard Eye Associates nor Alicia Surgery Center immediately responded to Information Security Media Group's request for additional details, such as the name of the vendor involved.
The FBI has repeatedly made statements advising organizations to never pay hackers a ransom, saying such payments don't guarantee data decryption or the return of stolen data and also help encourage more cybercrime.
Hackers Stole Data
Harvard Eye Associates says in its statement that on Jan. 15, its online storage vendor notified the practice that hackers had accessed its computer system and stolen some of the eye practice's data.
"The vendor informed us that the hackers had demanded money to return the data they had taken," Harvard Eye Associates says.
"After consulting with cybersecurity experts and the FBI, the vendor made the payment. The hackers then returned the data and told the vendor that they had not disclosed the data or kept any copies," according to the statement.
The vendor determined, through its investigation, that the hackers might have been able to access Harvard Eye’s data as early as Oct. 24, 2020. "The vendor’s cybersecurity experts have been monitoring the internet and have not found any evidence that the hackers used or disclosed any of the data," Harvard Eye Associates says.
Data stolen by the hackers included patients’ names, addresses, phone numbers, email addresses, dates of birth, medical history, health insurance information, medications and information about treatment, Harvard Eye says in its statement.
"For some patients who have had eye surgery at Alicia Surgery Center, the data might also include medical information related to their surgeries," Harvard Eye says.
The data accessed by the attackers also included certain personal information about current and former employees of Harvard Eye Associates and Alicia Surgery Center, and, in some cases, their family members and beneficiaries, the two organizations note.
The Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals shows that on Feb. 8, Harvard Eye Associates reported a hacking incident affecting nearly 30,000.
As of Friday, the HHS website did not show any health data breaches reported by Alicia Surgery Center.
Some security experts question whether the breach of the storage vendor affected other clients.
"Without knowing the intricacies of the breach, it’s easy to say that it’s possible that there could have been a larger breach," says Tony Cook, head of threat intelligence at GuidePoint Security.
"What we find more often than not is that the security controls on individual storage vendors … were not properly configured," he says. "These types of improper security controls can quickly lead to unauthorized access to the data stored."
To mitigate the risks of such vendor breaches, "we suggest a focus on identity/access management with a strong multifactor authentication solution as a starting point," Cook says. "Next, ensure that there are granular access controls with proper logging and additional security controls based on a chosen security framework for defense in depth."
To Pay, or Not to Pay
Although the FBI advises against paying ransoms to hackers, "paying a ransom is always a risk-based decision," Cook says. "However, in certain circumstances it may be the only decision that can get the business back up and running. In this case, it was most likely a business decision made with the advice of their incident response firm laying out the possibilities and the business making the decision to pay."
Law enforcement agencies "are very proactive in gaining more insights into the actors' activity during the breaches," he says. "One piece of evidence which they always try to ascertain is the bitcoin address, which may be of great assistance in attempting to track these actors down."
Former healthcare CIO Drex DeFord, strategic healthcare executive for security vendor CI Security, notes that when the victim of a cyberattack is a “critical infrastructure” organization - or a vendor who supports those type of customers - there’s little tolerance for downtime.
"The pressure from business operators is often such that paying the ransom is 'the best of the bad options available,'” DeFord notes. "Law enforcement is clear-eyed as to all the pressures a critical infrastructure organization faces, and they do their best to help victims sort through the options, bringing tons of experience to the discussion."
Nonetheless, paying attackers a ransom does not provide a guarantee against further data compromises, DeFord says. "These are proven cybercriminals. They’ve taken your data, held it hostage and collected ransom. How much would you trust what they say?"
In the last six months of 2020, nearly 75% of all breaches reported to the HHS were tied to business associates/third-party vendors, DeFord says.
"Now’s the time to dig in on those contracts and business associate agreements, to make sure you’ve done your best to protect your organization, and your patients," he says. "The time to renegotiate those agreements is now - not during or after the breach."