Notification of Breach Affecting 219,000 Delayed
Nebraska Medicine/UNMC Now Contacting Patients Affected by September 2020 Breach
Nebraska Medicine and the University of Nebraska Medical Center have just begun notifying 219,000 individuals of a hacking incident that was discovered last September. The lag between breach discovery and notification illustrates the difficulties organizations often face in incident response, some security experts say.
Nebraska Medicine/UNMC says in a statement posted earlier this month that on Sept. 20, 2020, it identified unusual network activity that affected some of its IT systems.
Nebraska Medicine/UNMC then initiated incident response protocols to minimize any disruption to patients and "isolated potentially impacted devices and shut off select systems as a precaution," the statement says. "We also initiated an investigation, computer forensic experts were engaged to assist our ongoing investigation and we notified law enforcement."
The organization eventually determined that an unauthorized person had gained access to some systems on its network between Aug. 27 and Sept. 20, 2020. "During that time, the unauthorized person deployed malware and acquired copies of some patient and employee information held on those systems," the statement notes.
In addition to exposing information about patients treated at Nebraska Medicine/UNMC, the incident exposed data on "a limited number of patients" treated at three other Nebraska healthcare organizations - Faith Regional Health Services, Great Plains Health and Mary Lanning Healthcare - whose information was in the Nebraska Medicine/UNMC network, the statement notes.
Data exposed varied by patient, but included name, address, date of birth, health insurance information, medical record number and clinical information, the statement says.
"For a limited number of patients, Social Security numbers were also impacted. Importantly, this incident did not result in unauthorized access to Nebraska Medicine and UNMC’s electronic medical records," the statement says.
Nebraska Medicine/UNMC says there is no evidence that any affected data has been used to commit fraud. But those whose Social Security numbers or driver’s license numbers were compromised are being offered prepaid credit and identity theft monitoring services.
Nebraska Medicine/UNMC declined Information Security Media Group's request for additional details about the incident, including the nature of the hack and the delay in notification.
Under HIPAA, healthcare entities must notify affected individuals of a breach of unsecured protected health information within 60 days of discovery. Breaches affecting 500 or more individuals must also be reported to the Department of Health and Human Services within the same time frame.
"Notification was long past the HIPAA-required 60 days, and the organization does not provide an explanation," notes Kate Borten, president of privacy and security consulting firm The Marblehead Group.
"Notification delay raises the risk of harm to patients," she adds. "If patients are unaware that their information has been compromised, they cannot take protective steps."
The data compromised in this breach appears to be highly sensitive, she points out. "The organization attempts to reassure patients by stating that the electronic medical record system was not breached. This is disingenuous since the crucial point is what data was affected, not which system."
She says the organization's notification "downplays the risk and could mislead patients so they do not take the breach seriously."
A Common Problem
In recent years, many other healthcare organizations have delayed breach notifications.
For instance, Choice Health Management Services, an operator of senior care facilities in North Carolina and South Carolina, last June began notifying nearly 12,000 individuals of an email hacking incident that was discovered in "late 2019." The organization said in a June 2020 statement that it took months for it to determine whose personal information was contained in emails or attachments within the accounts that were accessed without authorization.
"Far too many organizations have weak incident response plans leading to delay in containing risks and lag in patient notification," Borten says. "Delays over 60 days, without exceptional circumstances, should be treated as the HIPAA violations they are. Even an incomplete notification, with more detailed follow-up later, is preferable in terms of alerting patients to their risks."
But some experts note that the larger the data breach, the more difficult it can be for organizations to determine the extent of the impact so they can offer swift notification.
In the case of Nebraska Medicine/UNMC, "it might have taken some time to identify all of the impacted systems and devices or get good contact information for the individuals involved," says regulatory attorney Marti Arvin of privacy and security consultancy CynergisTek.
So what steps can entities take to help ensure prompt notification of breach victims?
"Having better detection mechanisms that alert the organization that a bad actor is in the system could help identify the incident," Arvin says. "But to investigate, gather needed information to provide notice and get the notice out may take significant time."