Health Data Breach Tally Shows Mistakes That Lead to Trouble
Organizations Need to Avoid Mishaps That Can Make Matters Worse
Recent additions to the federal health data breach tally shine a light on some of the mistakes that contribute to breaches - and in some cases, make situations worse.
Breaches added to the Department of Health and Human Services' HIPAA Breach Reporting Tool website - commonly called the "wall of shame" - in recent weeks range from a ransomware attack, in which paying the ransom to unlock encrypted data led to a further mishap, to a mismailing of medical information by a health plan and a file containing protected health information that was accidentally uploaded to the internet.
A Sept. 25 snapshot of the wall of shame website, which lists reported health data breaches impacting 500 or more individuals, shows a total of 263 breaches affecting nearly 7.3 million individuals have been added to the tally so far in 2018.
Since 2009, a total of 2,445 breaches have been posted to the wall of shame impacting more than 184.4 million individuals.
Ransomware Recovery Mistake
Among the largest breaches recently added to the list was a ransomware attack reported on Aug. 23 by Jupiter, Florida-based Health Management Concepts, also known as HMC Healthworks.
The breach, reported as impacting more than 502,400 individuals, is among the largest hacking/IT incidents reported so far this year.
As of Sept. 25, 107 hacking/IT incidents impacting a total of 5.4 million individuals have been posted to the federal tally in 2018.
When HMC learned about the incident on July 16, the company says it took immediate steps to decrypt data, including promptly paying the ransom to obtain decryption keys from the attackers.
HMC discovered, however, that during the process, the attackers were inadvertently provided a file that contained personal information of some members, including Social Security numbers, according to a notification letter sent to the New Hampshire state attorney general's office.
In another recent incident involving blunders, health plan Blue Cross & Blue Shield of Rhode Island on Sept. 13 reported an unauthorized access/disclosure breach impacting 1,567 individuals stemming from a vendor mistake.
In that case, explanation of benefits summaries were inadvertently mailed to other members residing in the same household or covered by the same family plan, according to the Providence Journal.
Similar mailing mishaps by health plans and other organizations have also resulted in breaches. One example is an incident last year in which letters mailed to about 12,000 Aetna health plan members exposed information about HIV medications through the envelopes' address windows. That incident resulted in a costly enforcement action by regulators as well as class action litigation.
To avoid mistakes that can lead to breaches, "double-checking work is always a good idea," says Keith Fricke, principal consultant at tw-Security.
"Some vendors that have been through these unintentional disclosure errors put additional check points in place to ensure that the right information is being sent to the right recipients, especially when automated electronic data feeds are involved," he notes.
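The kind of check point Fricke describes can be automated where an EOB print run is driven by an electronic data feed. The following is an added example (not code from the article or from any health plan or vendor it names) of a pre-mailing reconciliation pass: before an envelope is released, the recipient printed on it must be on the member roster, the address in the feed must match the roster address, the member whose claims the enclosed EOB describes must be the recipient, and one envelope must not mix documents about different members. A same-household mismatch, the pattern in the Rhode Island incident above, is reported separately but still held. The member IDs, household IDs, addresses and record layout are constructed for illustration.

```python
"""Pre-mailing reconciliation for an automated EOB print/mail feed.

Added example, not the article's or any named organization's code.
Member IDs, household IDs, addresses and the record layout below are
constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Member:
    member_id: str
    household_id: str   # members on the same family plan share a household id
    address: str        # address of record on the roster


@dataclass(frozen=True)
class MailItem:
    envelope_id: str    # one physical envelope in the print run
    recipient_id: str   # member whose name and address are printed on it
    subject_id: str     # member whose claims the enclosed EOB describes
    address: str        # address as it appears in the print feed


def _norm(addr: str) -> str:
    """Normalize case, punctuation and whitespace so a cosmetic difference
    in the feed neither hides a real mismatch nor creates a false one."""
    cleaned = re.sub(r"[^A-Z0-9 ]", "", addr.upper())
    return re.sub(r"\s+", " ", cleaned).strip()


Finding = Tuple[str, str, str]  # (envelope_id, code, detail)


def validate_batch(items: List[MailItem], roster: Dict[str, Member]) -> List[Finding]:
    """Return every finding for the batch.  An envelope with any finding
    is held for review rather than mailed."""
    findings: List[Finding] = []
    subjects_by_envelope = defaultdict(set)
    for it in items:
        subjects_by_envelope[it.envelope_id].add(it.subject_id)
        recipient = roster.get(it.recipient_id)
        if recipient is None:
            findings.append((it.envelope_id, "UNKNOWN_RECIPIENT", it.recipient_id))
            continue
        if it.subject_id != it.recipient_id:
            subject = roster.get(it.subject_id)
            same_household = subject is not None and subject.household_id == recipient.household_id
            # Same household is still a disclosure to the wrong person; it
            # gets its own code only so reviewers can see the pattern.
            code = "SUBJECT_MISMATCH_SAME_HOUSEHOLD" if same_household else "SUBJECT_MISMATCH"
            findings.append((it.envelope_id, code, f"{it.subject_id} -> {it.recipient_id}"))
        if _norm(it.address) != _norm(recipient.address):
            findings.append((it.envelope_id, "ADDRESS_MISMATCH", it.address))
    for env, subjects in subjects_by_envelope.items():
        if len(subjects) > 1:
            findings.append((env, "MIXED_ENVELOPE", ",".join(sorted(subjects))))
    return findings


def envelopes_to_hold(findings: List[Finding]) -> List[str]:
    """Distinct envelopes that must be pulled from the run."""
    return sorted({env for env, _, _ in findings})


# Constructed sample roster and print batch (not real members).
ROSTER = {m.member_id: m for m in [
    Member("M001", "H100", "12 Elm St, Providence RI 02903"),
    Member("M002", "H100", "12 Elm St, Providence RI 02903"),   # same family plan as M001
    Member("M003", "H200", "9 Oak Ave, Warwick RI 02886"),
]}
BATCH = [
    MailItem("E1", "M001", "M001", "12 Elm St, Providence RI 02903"),   # clean
    MailItem("E2", "M002", "M001", "12 elm st  providence ri 02903"),   # M001's EOB in M002's envelope
    MailItem("E3", "M003", "M003", "9 Oak Ave, Cranston RI 02910"),     # stale address in the feed
    MailItem("E4", "M999", "M999", "1 Nowhere Rd"),                     # recipient not on roster
    MailItem("E5", "M003", "M003", "9 Oak Ave, Warwick RI 02886"),
    MailItem("E5", "M003", "M001", "9 Oak Ave, Warwick RI 02886"),      # two members' EOBs, one envelope
]

if __name__ == "__main__":
    results = validate_batch(BATCH, ROSTER)
    for env, code, detail in results:
        print(f"{env}: {code} ({detail})")
    print("hold:", envelopes_to_hold(results))
```

The check deliberately compares the feed against the roster of record rather than against itself: if the feed is the only source, an upstream join error that swaps two household members' records passes every internal consistency test. In practice the roster lookup would be a call into the membership system and the hold list would feed the print vendor's exception queue.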
But other kinds of errors also continue to result in breaches. Recently, a mistake at another health plan - Independence Blue Cross of Pennsylvania - resulted in a breach impacting more than 16,700 individuals.
In a notification statement, the insurer says the breach occurred when an Independence employee uploaded a file containing "limited member information" to a public-facing website, where it was publicly accessible between April 23 and July 20, 2018.
"After thorough investigation, we are unable to determine if PHI was accessed, and are unaware of any actual or attempted misuse of this information," the statement adds.
Other Hacking Incidents
Phishing is at the center of many hacking incidents, and most phishing schemes depend on users making mistakes, such as opening infected attachments.
For instance, on Sept. 1, Massachusetts-based healthcare provider Reliable Respiratory reported a phishing attack that occurred in July and resulted in a breach impacting more than 21,300 individuals.
"Through the investigation, Reliable determined that, as a result of the phishing event, an unauthorized actor gained access to the employee email account between June 28 and July 2, 2018," the notification letter says.
The investigation determined that the emails affected by this incident contained a range of healthcare and financial information, including Social Security numbers.
Also among other hacking/IT incidents posted on the federal tally in recent weeks was a ransomware attack affecting 40,800 individuals reported by the Fetal Diagnostic Institute of the Pacific, which occurred on June 30.
The Hawaii-based healthcare provider says in a notification statement that it engaged a cybersecurity firm and was able to remove the malware and restore data from backup files maintained for such a contingency.
Ransomware attacks - including those involving phishing and other social engineering schemes - will continue to be a leading cyber threat to healthcare, some experts predict.
"Ransomware makes cybercrooks a lot of easy money. Most healthcare organizations pay the ransoms because they don't have procedures and processes in place to quickly restore a network or system that has been locked by ransomware," says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"Humans are gullible to the social engineering tactics that ransomware crooks use. As long as humans can be exploited, cybercrooks will use them as pathways to plant ransomware."
No Good Quick Fixes
As for other mistakes, organizations need to ensure their employees and vendors are mindful of actions that can not only lead to privacy and security incidents but also make breaches worse.
"IT people tend to have a 'fix it quick' mindset, and in their hurry to restore systems, missteps often happen," says Tom Walsh, president of tw-Security.
"A breach has legal ramifications. Therefore, there needs to be a well thought out, systematic response process. Often this is written down in the form of a 'playbook' - a way to describe work process flows and steps to take in the moments and days following a breach."
Conducting a combined cybersecurity and breach response tabletop exercise can help reinforce the systematic response process, Walsh says. "Practice makes perfect."