Partners HealthCare Breach: Why So Long to Confirm?
Malware Incident Took Months to Investigate
A malware incident at Partners HealthCare that was detected last spring but was only recently determined to have exposed patient data illustrates that confirming a data breach through a forensics investigation can be difficult and time-consuming.
In a statement released this week, Partners, a Boston-based integrated delivery system, says that it did not determine until December 2017 that a malware incident first detected in May 2017 actually exposed data on 2,600 patients.
"On May 8, 2017, Partners became aware that our computer network had been affected by a sophisticated, malicious computer program introduced by an unauthorized third party," the statement says. "Our monitoring systems identified suspicious activity, and we immediately blocked some of this malware and began an investigation working with third party forensic consultants to identify the problem and mitigate its impact."
Partners says it determined that the malware was not specifically targeted to impact its environment, operations or any information maintained by Partners. The organization says it also confirmed that there was no unauthorized access to its electronic medical record system.
"As we continued the investigation, however, we became aware that the malware may have resulted in unauthorized access to certain data resulting from user activity on affected computers from May 8, 2017 to May 17, 2017. As impacted computers were identified, Partners implemented aggressive containment measures to mitigate further impact."
Partners says that as part of its ongoing review, it became aware on July 11, 2017, that the exposed data appeared to possibly involve personal and health information. "The impacted data was not in any specific format, and it was mixed in together with computer code, dates, numbers and other data, making it very difficult to read or decipher," Partners says.
"After an extensive manual data analysis completed in December 2017, we are notifying individuals whose personal and health information may have been involved, in an abundance of caution."
Based on Partners' review, the information involved may have included certain types of protected health information, including names, dates of service, and certain limited amounts of clinical information, such as procedure type, diagnosis or medication. For some patients, Social Security numbers and financial account data may have been exposed.
Partners says it's not aware of any misuse of patients' health information. But it's offering free credit monitoring for individuals whose Social Security numbers were exposed.
The organization says it has taken several measures to prevent similar incidents, "including enhancing its security program, controls and procedures and continuing to actively monitor systems for unusual activity."
Some experts note that the seven-month lapse between Partners detecting the malware incident and determining a reportable breach involving PHI is not uncommon in forensic investigations.
"Forensics investigations take varying amounts of time depending upon the complexity of the breach; the numbers of devices, operating systems and files involved; even trying to determine which devices were involved, which sadly most organizations don't know because they don't keep an up-to-date inventory of all their data, systems, applications and devices," says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
Tom Walsh, president of tw-Security, offers a similar assessment. "Any investigation takes time to do it right. Log files are extensive. Even one minute of a single user activity can generate volumes of log data," he says.
Walsh says that before going public with a breach notification, organizations need to determine:
- How the breach occurred;
- All applications and systems involved;
- All data that may have been accessed or used in an unauthorized manner;
- What affected individuals need to do to protect themselves.
As for Partners noting that its investigation found patient information "mixed in together with computer code ... making [the data] very difficult to read or decipher," that is not unusual and should not necessarily have slowed the breach confirmation, Herold contends.
"Typically when you collect 'raw data' from memory or storage, it often looks like a lot of code mixed with the actual data itself," she says. "This sounds like what they may be describing. And this official statement seems to be a way of minimizing the impacts of a breach to keep the involved breach victims from becoming more concerned than what the Partners would like."
Meaningful data usually can be parsed from the computer code, Herold says. "And so trying to say it would be 'very difficult to read or decipher' is a way to minimize this breach that likely isn't representative of the hackers' actual capabilities to take the data meaningful to them," she says.
"You cannot assume what unknown hackers can, and cannot, decipher. This longtime way of organizations trying to dismiss breach impacts must stop. You cannot assume that unknown hackers, or groups of hackers, do not have the capability to determine the values, meaning, etc. of the data they took."
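Herold's point that raw captures usually parse into meaningful data, as an added example that is not from the article, from Partners or from the investigators: a breach-scoping scan over a constructed byte buffer in which PHI-like fragments sit between code, addresses and binary padding. It carves printable runs, as a strings-style pass over memory or disk does, then flags runs carrying dates of service or SSN-like values and counts distinct SSNs as a proxy for affected individuals; every name, date and number in the buffer is made up.

```python
from __future__ import annotations
import re
from collections import Counter

# Constructed sample of "raw data": PHI-like records interleaved with code,
# binary padding and addresses, modelled on the mixed data Partners described.
# All names, dates and numbers below are made up for this example.
RAW_CAPTURE = (
    b"\x00\x00MZ\x90\x00\x03\x00\x00\x00\x04\x00push ebp; mov ebp, esp\x00"
    b"Jane Doe|2017-05-09|MRI lumbar spine|SSN=123-45-6789\x00\x00"
    b"0x7fff1234 0x7fff1238 call 0x401000\x00"
    b"John Roe|05/12/2017|Dx: type 2 diabetes|metformin\x00\xff\xfe"
    b"function init(){return 0;}\x00"
    b"Jane Doe|2017-05-16|follow-up|SSN=123-45-6789\x00"
)

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DATE_RE = re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{2}/\d{2}/\d{4})\b")


def carve_strings(blob: bytes, min_len: int = 8) -> list[str]:
    """Return printable ASCII runs of at least min_len bytes, the same first
    step a strings(1)-style carve applies to a memory or storage capture."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def scope_exposure(blob: bytes) -> dict:
    """Scope what is readable: which carved runs carry a date of service or an
    SSN-like value, and how many distinct SSNs appear (a proxy for how many
    individuals a notification would have to cover)."""
    runs = carve_strings(blob)
    hits = []
    ssns: Counter[str] = Counter()
    for run in runs:
        dates = DATE_RE.findall(run)
        found_ssns = SSN_RE.findall(run)
        if not (dates or found_ssns):
            continue  # code fragments, addresses and the like fall through here
        ssns.update(found_ssns)
        hits.append({"text": run, "dates": dates, "ssns": found_ssns})
    return {"records": hits, "distinct_ssns": len(ssns), "runs_scanned": len(runs)}
```

On the constructed buffer the scan separates the three patient records from the three code fragments and attributes two of the records to a single SSN, which is the kind of count a covered entity needs before it can decide whom to notify.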
HIPAA Breach Reporting
Partners did not immediately respond to an Information Security Media Group request for additional information about the incident.
As of Feb. 7, the Partners incident was not listed on the Department of Health and Human Services' HIPAA Breach Reporting Tool website. Commonly referred to as the "wall of shame," the website lists health data breaches impacting 500 or more individuals.
In determining whether a security incident is a reportable breach under HIPAA, covered entities and business associates must assess incidents considering four factors:
- The nature and extent of the protected health information involved, including types of identifiers, and the likelihood of re-identification;
- The unauthorized party who used the PHI or to whom the disclosure was made;
- Whether PHI was actually acquired or viewed;
- The extent to which the risk to the PHI has been mitigated.
Partners has reported a couple of previous health data breaches. That includes a breach reported in 2014 that involved a 2013 phishing attack impacting 3,300 individuals (see Partners HealthCare Reports Breach).
Also, in 2011 Massachusetts General Hospital and its physicians organization - part of Partners - signed a $1 million settlement with HHS' Office for Civil Rights for a 2009 breach case involving the loss of scheduling documents for 192 patients in the hospital's General Infectious Disease Associates outpatient practice, including those with HIV/AIDS.