Eye Clinic Notifies Thousands About 2018 Breach
Patient Portal Incident Involved Third-Party Vendor
A Utah eye clinic began notifying about 20,000 patients last week about a June 2018 breach involving a third-party appointment reminder portal vendor. Many of the affected individuals had been previous targets of an email scam last year tied to the breach.
The incident offers lessons about what kinds of breaches must be promptly reported under the HIPAA Breach Notification Rule. And it also points to the need for better management of third-party risks.
"It's vital today for healthcare organizations to have a strong vendor risk management program that continually identifies, mitigates and manages the risk the organizations face from sharing data with vendors," says Matthew Sadler, senior manager at the consultancy LBMC Information Security.
In an Oct. 31 statement, the Utah Valley Eye Center, a Provo-based clinic, says that its portal used to send out appointment reminders to patients was hacked last June. A third-party vendor, DemandForce, runs the portal.
"On June 18, 2018, our scheduling reminder portal was hacked, resulting in an email being sent out to many of our patients disguised as a notification from PayPal that they had received a payment," the statement notes.
"Although we believe that only emails were accessed, information including name, address, date of birth and phone number could have been accessed. However, there is absolutely no evidence that any of your personal health or financial information was taken or accessed," Utah Valley Eye Center's breach notification statement says.
The clinic learned of the hacking incident last year after it started to get inquiries from some patients who had received bogus emails about PayPal payments, Michael Clayton, the clinic's office administrator, tells Information Security Media Group. About 5,700 patients received that suspicious email, he says.
"When we were informed of this incident, we immediately sent an email to those recipients notifying them to discard the erroneous email," the clinic's notification statement notes.
The clinic recently learned that one of those patients filed a complaint to the Department of Health and Human Services' Office for Civil Rights about the incident. Until then, the clinic hadn't reported the incident to HHS OCR, Clayton says, noting that "there was no healthcare or financial information hacked."
The incident should have been reported to federal regulators much earlier, some security experts say.
"A reportable breach under HIPAA does not always have to include 'health information.' The association of demographic information - for example, name, address, phone number - to a covered entity, such as an eye clinic, is enough to consider it electronic protected health information," says compliance attorney Michelle Caswell, a principal of healthcare assurance services at security risk consultancy Coalfire.
Under HIPAA, breaches affecting 500 or more individuals must be reported within 60 days. "The clock starts ticking on when 'you should have discovered it,'" Caswell says.
During last month's annual HIPAA conference co-sponsored by OCR and the National Institute of Standards and Technology, OCR leaders emphasized the importance of timely breach notification.
"The regs say notification must be made no later than 60 days, but without unreasonable delay," Serena Mosley-Day, an OCR senior adviser for HIPAA compliance and enforcement, said at the conference. "That means if you can notify without unreasonable delay on day five, then you should notify on day five, not day 60, and certainly not on day 65 or day 147," she told the audience.
An investigation into the incident determined hackers got into the portal through a "backdoor," says Clayton, the clinic's office administrator.
Since the breach, the clinic has strengthened the scheduling reminder portal's security, including access controls, he says.
The clinic is not providing free credit monitoring services to affected individuals. "Because of the nature of the information breach, as a precaution we suggest [affected individuals] place a fraud alert on your credit files to protect yourself from the possibility of identity theft," Clayton says.
The Utah Valley Eye Center breach was posted on HHS OCR's HIPAA Breach Reporting Tool website as being reported on Nov. 1 as a hacking/IT incident involving a desktop computer and impacting more than 20,400 individuals. The HHS website lists health data breaches impacting 500 or more individuals.
DemandForce, the vendor providing Utah Valley Eye Center's scheduling reminder portal, did not immediately respond to an ISMG inquiry about whether any of the company's other clients were impacted by the 2018 hacking incident that affected the eye clinic's patients.
Managing Vendor Risk
The eye clinic incident spotlights challenges involving vendor security risk management.
Assessing a vendor's cyber risk posture "is not a once and done activity," Sadler stresses.
A defined process for the identification of new vendors and the ongoing periodic review of existing vendors is critical, he says. "This is not only because of the evolving threat landscape, but because your clients are becoming more educated and want to be assured you have a robust vendor risk management program to protect their data."
Caswell of Coalfire offers a similar perspective. "Too often, the individuals procuring the service or product do so without regard for whether the vendor is safeguarding their [patients'] protected health information," she says. "They like the functionality and efficiency gains and put any security concerns on the backburner until a breach or security incident occurs."
BA Best Practices
Organizations responsible for patient care should ensure that their business associates have implemented security safeguards to protect the patient information being shared, Caswell adds.
"HIPAA does not require that you monitor the actions of your business associates. However, it is a best practice to validate the security of your vendors by requiring them to conduct a formal security risk analysis and obtaining supporting evidence," she says. "Alternately, a SOC report or HITRUST [Common Security Framework] certification could serve as evidence of a strong security program and reasonable and appropriate safeguards."
Smaller healthcare organizations often outsource most of their information technology needs, Caswell adds. "They should involve a risk management professional either in an advisory capacity to assist existing personnel or to perform a vendor risk assessment to help identify any high-risk vendors who may not have the appropriate security built into their software, platform, product, or service."