Hospital Cyberattack Compromises Data From Decades Ago
Ontario Entity Says Patient, Employee Information Affected
A cyberattack detected in December at a Canadian healthcare entity has compromised a wide range of data, including some patient information dating back to 1996, as well as employee vaccination records from last year. Some of the affected data belonged to a nonprofit group of affiliated clinicians.
Arnprior Regional Health, which includes a hospital, long-term health facility and other healthcare services in Arnprior, Ontario, Canada, says in a statement posted recently on its website that on Dec. 21, 2021, it learned of unauthorized access to its IT system in which data was "taken."
"This was a sophisticated attack, similar to countless incidents that are happening across North America," ARH says in a frequently asked questions document about the incident.
An investigation determined that data connected with ARH, including personal information of some current and former employees and patients, had been taken in the incident, the statement says.
ARH says 13 different - but some overlapping - categories of data were affected in the incident, including various groups of information pertaining to colonoscopies, COVID-19 and flu vaccinations, emergency room and in-patient satisfaction surveys, and patients on waiting lists.
Data compromised ranged from records dating back to 1996 through early 2022. Depending upon the category of data affected, individuals' personal and health information that was potentially compromised included name, date of birth, health card number, time of visit, procedure and diagnosis, and demographics.
Some of the data compromised in the incident was information pertaining to patients and doctors of Arnprior and District Family Health Team, an affiliated nonprofit organization of physicians and other clinicians that is governed by a volunteer board.
In a May 19 statement about the ARH incident, ADFHT says it purchases IT services from ARH and "houses" its files on ARH's network.
Arnprior and District Family Health Team says that it was initially told by ARH that its data had not been affected by the incident. But the ongoing review of the ARH incident determined on April 1 that some of the nonprofit's data had been compromised, ADFHT says.
EHR System Not Compromised
In its statement, ARH says its electronic health record system was not compromised and that the organization did not experience any disruption to the delivery of healthcare or other services in the incident.
"The records impacted by this incident were used for administrative purposes, such as reporting and patient satisfaction surveying, and are not part of the EHR database," ARH says.
Its statement does not indicate whether the incident involved ransomware and does not say how many individuals were affected.
"There is no evidence of further misuse of the data, and we have received assurance that the data has been deleted," the statement says.
Neither ARH nor ADFHT immediately responded to Information Security Media Group's request for comment and additional details about the incident.
Protecting Legacy Data
Of the 13 categories of data ARH says were affected in the incident, the oldest group was information pertaining to patients treated between April 1996 and January 2010.
Some experts say the range of legacy and more recent data affected in the ARH breach is troubling.
"The volume and age of data in this incident certainly have 'shock value,'" says Cathie Brown, vice president of consulting services at Clearwater, a privacy and security consultancy.
"Until healthcare entities look beyond current production systems and understand all locations [where patient data] is stored, maintained, processed or transmitted within their organizations - and apply appropriate security controls across the board - it is not surprising breaches of this magnitude happen," she says.
Healthcare entities should implement robust protection for patient data regardless of where it resides, including in administrative systems, says Eric Wedin, senior incident response consultant at security firm Pondurance.
"If that 'administrative' data includes information that falls under privacy requirements, like personally identifying information or protected health information, it should be protected in the exact same manner as the health record data is," he says.
Also, Wedin says, older data needs to be effectively safeguarded. "Many businesses, including the medical industry, are victims of data breaches on a regular basis. As a result of this trend, businesses should not hoard data for the sake of 'we may need it one day.'
"Nonrelevant data should be examined and removed when it no longer has validity. Another consideration would be: Does personal or health data need to be preserved with a satisfaction survey?"
Brown offers a similar assessment, saying, "All [patient] data must be protected and legacy is not an exception. That means applying controls across the organization without exception."
The controls include limiting user access, providing network segmentation where appropriate, monitoring legacy systems the same as production EHR systems, and adhering to other basic security principles, she says.
"Overall, it is preferable to migrate data from legacy systems into newer systems that have strong security controls, if at all possible. Once that's done, the legacy system can be retired and removed from the network, thus reducing the risk of a breach.
"This incident should be an alert for healthcare entities to identify where patient data lives within the enterprise and ensure proper security controls are in place," Brown says.