FBI Alerts Hospital to Malware Incident
Breach Affected Nearly 85,000 Patients at Kentucky Provider
A security incident involving keystroke logging malware that apparently started at a Kentucky hospital three years ago - but was only recently discovered after a tip from the FBI - offers a reminder of the urgency of keeping anti-malware protection and mitigation efforts current.
After being notified by the FBI on Sept. 16 of "suspicious network activity involving third parties," Owensboro Health, a not-for-profit healthcare system also known as OH Muhlenberg LLC that earlier this year acquired the former Muhlenberg Community Hospital, says it launched an investigation and discovered the breach.
The Department of Health and Human Services' "wall of shame" website listing major health data breaches describes the breach as an "IT/hacking incident" affecting almost 85,000 patients.
In a statement, Owensboro Health says that after it received notification from the FBI, "we took immediate action, including initiating an internal investigation, and we also engaged a leading forensic IT firm to investigate this matter."
Based upon the review, Owensboro confirmed that "a limited number of computers" were infected with keystroke logger malware designed to capture and transmit data as it was entered onto the affected computers. The infection may have started as early as January 2012, according to the statement, which notes the breach potentially compromised data of patients as well as employee-related information.
The affected computers were used to enter patient financial data and health information; information about who is responsible for a patient's bill; employee/contractor data; and provider information, including patient names, addresses, telephone numbers, birthdate, Social Security number, driver's license/state identification number, medical and health plan information. Health plan information includes health insurance number, medical record number, diagnoses and treatment information. Also potentially exposed was patients' payment information, such as financial account number, payment card information, employment-related information and credentialing information.
"We also believe that the malware could have captured username and password information for accounts or websites that were accessed by employees, contractors or providers using the affected terminals," Owensboro Health says in its statement. That affected data includes Drug Enforcement Administration number, National Provider Identifier and state licensure numbers.
On July 1, OH Muhlenberg LLC acquired the hospital operations of Muhlenberg Community Hospital, which is now operated under the name Owensboro Health Muhlenberg Community Hospital. As part of the acquisition, OH Muhlenberg, LLC acquired substantially all of the assets of Muhlenberg Community Hospital, including its computer systems, patient records and other records.
The statement continues: "Regrettably, we are providing notice of a security incident involving some of that information. As a result, we are providing this notice whether or not you were a patient, employee or provider prior to July 1, 2015, and whether or not particular data was transmitted prior to that date."
Owensboro Health says that while there is no indication that any of the data compromised by the incident has been used inappropriately, it is offering one-year membership in identity theft protection services to those affected by the breach.
In a statement to Information Security Media Group, Owensboro Health said, "the privacy and safety of our providers', patients' and employees' information is a top priority, and we are continuing to enhance the security of our systems moving forward." The FBI declined to comment.
Security expert Mac McMillan, CEO of the consulting firm CynergisTek, says breaches caused by keystroke logging malware are usually preventable.
"Up-to-date anti-malware solutions can usually detect the malicious software so that mitigation efforts can be implemented before a data breach starts or escalates," he says. "With proper anti-malware protection, most keystroke logging software can be stopped before it's installed or quarantined and eliminated quickly."
Owensboro Health's finding that the malware infection may have started more than three years ago is a potential sign that proper anti-malware software wasn't applied at the community hospital acquired by OH Muhlenberg LLC, McMillan says.
"This is troubling because most keystroke logging software isn't very sophisticated, especially three years ago. This software going undetected since 2012 speaks volumes potentially about [the hospital's] attitude toward security practices," he says.
Also, the keystroke logging breach potentially could have gone on even longer had the FBI not tipped off Owensboro Health about the sophisticated activity the agency noticed, likely while investigating other recent cyberattacks in the healthcare sector, McMillan says.
"It's becoming more common for the FBI to notify organizations if the agency comes across something like this. If you get notified by FBI or law enforcement of a cyber issue like this, it's generally because they've come across the same thing during another investigation."
On Regulators' Radar
HHS' Office for Civil Rights appears to be taking seriously the importance of covered entities and business associates implementing malware protection and updating software patches in the effort to prevent health data breaches.
In December 2014, OCR signed a resolution agreement, which included a $150,000 financial penalty, with Anchorage Community Mental Health Services in Alaska for a HIPAA investigation involving a malware-related breach.
OCR said it opened an investigation after receiving notification in June 2012 from ACMHS regarding a March 2012 incident involving malware compromising the security of the mental health provider's information technology resources.
The agreement settled "potential" HIPAA violations related to a breach case involving failure by the non-profit mental health services provider to update its IT resources with available patches and running outdated, unsupported software, OCR said. The data breach at the center of the OCR investigation affected more than 2,700 individuals.
In a statement at the time the resolution agreement was announced, OCR Director Jocelyn Samuels said, "Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks."
The resolution agreement included a corrective action plan in which ACMHS was to "correct deficiencies in its HIPAA compliance program," by, among other things, conducting an annual, thorough risk assessment, documenting the security measures it implements to address the issues identified and requiring the organization's workforce to attend HIPAA security training.