Pair of 2021 Health Data Hacks Affect 670,000 Individuals
Software and Billing Firm, Urgent Care Provider Report Incidents
More than 670,000 individuals have been affected by two 2021 hacking breaches that were only recently reported to federal regulators. The incidents involve a healthcare software and billing services firm and an urgent care provider.
The larger of the two breaches was a hacking/IT incident reported on April 13 by Williston, North Dakota-based Adaptive Health Integrations involving a network server and affecting nearly 510,600 individuals, according to the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website.
The HHS Office for Civil Rights' breach reporting website, commonly called the "wall of shame," lists health data breaches affecting 500 or more individuals.
As of Wednesday, the AHI incident is the third-largest HIPAA breach posted on the HHS OCR website so far in 2022.
Also reporting a major breach to HHS OCR in recent weeks is Nashville, Tennessee-based Urgent Team Holdings, which operates urgent care and walk-in clinics in five states.
The HHS OCR website shows that Urgent Team on March 31 reported a hacking/IT incident involving a network server and affecting more than 166,600 individuals.
AHI Breach Details
A sample breach notification letter provided by AHI to Montana's attorney general's office says that the healthcare software and billing services vendor "recently learned that on or about Oct. 17, 2021, an unauthorized individual may have accessed a limited amount of data stored" on its systems.
A breach report filed by AHI to Montana's attorney general indicates the incident affected 813 individuals in that state. The company's report to HHS OCR says the incident affected a total of 510,574 individuals.
Under the HIPAA Breach Notification Rule, covered entities must notify HHS and affected individuals no later than 60 days following discovery of a major health data breach.
In the sample notification letter, AHI says that upon learning of the incident, it contained the threat "by disabling unauthorized access to our network and immediately commenced a prompt and thorough investigation."
Through an extensive investigation involving external forensics experts and an internal review concluded on Feb. 23, AHI says it determined that "certain" personal information potentially had been accessed in the incident.
The sample notification letter does not specify the type of personal information affected in the incident.
AHI says in its letter that it is offering affected individuals one year of complimentary credit and identity monitoring.
AHI did not immediately respond to Information Security Media Group's request for additional details about the breach.
Urgent Team Incident
In a notice posted on its website, Urgent Team says it recently discovered unauthorized access to its network that occurred between Nov. 12 and Nov. 18, 2021.
Based on a "comprehensive investigation and document review" that concluded on Jan. 31, 2022, Urgent Team discovered some patient information may have been "removed" from its network. That includes full names and potentially dates of birth and/or medical record numbers, Urgent Team says, adding that it has "no evidence that this information was actually viewed or removed."
To date, Urgent Team also says it is not aware of any reports of identity fraud or improper use of any information as a direct result of the incident.
In the aftermath of the incident, Urgent Team says it has implemented multifactor authentication as well as a "robust" anti-malware solution to notify the organization when it detects an attempt to gain unauthorized access to its systems.
Urgent Team did not immediately respond to ISMG's request for additional details about its hacking incident.
Breach Notification Delay Risks
Some experts say that although HIPAA requires major breaches to be reported within 60 days of discovery, there are a variety of possible reasons why the HHS OCR breach reporting website shows AHI reporting its breach several months after it learned of the incident.
Regulatory attorney Rachel Rose says that it is possible that AHI was advised by law enforcement officials to delay reporting. It is also possible that AHI placed a call to HHS OCR earlier to alert the agency of a potential breach without yet having ascertained all details, such as the number of patients affected, or AHI may have "ignored" the 60-day reporting requirement, she says.
"If law enforcement determines that the risk to individuals is greater if they are alerted within the 60 days rather than delaying the notification, it is a fact and circumstance determination," Rose says.
But, she adds, other delays in breach reporting can present additional risks to those affected.
"If a delay is made just because an entity chooses to ignore the 60-day time frame, which may be shorter for state law reporting, individuals delay taking measures such as blocking access to their credit and reporting to the major credit reporting agencies," Rose says.
For the breached entities, reporting and notification delays also carry risks, she adds.
"In my experience, HHS takes the 60-day deadline seriously - both for alerting OCR, the patients and the media," she says. "It could increase the monetary penalty and is fact and circumstance-specific. There is a lot to do when a breach occurs, and OCR investigations are intensive."
Rose suggests that organizations regularly assess the adequacy of their policies and procedures involving breach notification, ransomware attacks, business continuity and disaster recovery, and update them annually.
"Past compliance items - such as risk analysis, policies and procedures, training evidence, etc. - should be kept because HHS OCR will consider this information when assessing penalties," she says.