Phishing Attack Last Year Exposed Health Data on 417,000
Why Did It Take 10 Months to Determine a PHI Breach Occurred?
Augusta University Health in Georgia says it just recently determined that a phishing attack that occurred - and was detected - 10 months ago resulted in a breach potentially exposing information on 417,000 individuals. Security experts are questioning why the breach determination took so long.
In addition to determining on July 31 that a massive data breach resulted from the cyberattack occurring on Sept. 10-11, 2017, Augusta University says it was also the victim of a smaller scale phishing attack on July 11. The university is still assessing the number of individuals impacted by that smaller incident, a university spokeswoman tells Information Security Media Group.
Augusta University Health includes a medical center, cancer care center, children's hospital as well as several clinics and other facilities.
In a statement issued Thursday, Augusta University says it was "targeted by a series of fraudulent emails" on Sept. 10 and 11, 2017.
"These sophisticated phishing emails solicited usernames and passwords, giving attackers access to a small number of internal email accounts," the statement notes. "Upon recognizing the nature of the attack, we acted immediately to stop the intrusion, disabling the impacted email accounts, requiring password changes for the compromised accounts and maintaining heightened monitoring of the accounts to ensure that no other suspicious activity was taking place."
An external investigation is nearly complete but remains ongoing, the university says. "Investigators reported on July 31 that the email accounts in question contained some individuals' protected health information and/or other personal information. The computer forensic firm could not definitively conclude if patient information was actually accessed, viewed, downloaded or otherwise acquired by the unauthorized user."
The university attributed the 10-month lag between the discovery of the September 2017 attack and the determination that a breach had occurred to the time-consuming investigation that's still not finished.
"The attackers gained access to 24 employee email accounts, which were immediately identified and secured," the university says.
Some of the email accounts contained spreadsheets of information. Investigators had to manually review more than 364,000 emails and attachments and 3.5 million lines of text, the university notes. "Unfortunately, this complex review took a long time," the statement says.
Investigators reported on July 31, 2018, that the email accounts in question contained approximately 417,000 individuals' PHI and/or other personal information, a university spokeswoman tells ISMG. "So, while we discovered the attack in September, it wasn't until July that we could confirm the incident as a data breach," she says.
Patient information that may have been viewed in the compromised email accounts included patient names and one or more of the following: addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, dates of service and insurance information, the university says.
"For a small percentage, information that may have been viewed included a Social Security number and/or driver's license number," the university says.
Individuals whose Social Security numbers may have been exposed in the incidents will be offered free credit protection, according to the statement.
Some security experts say that it appears to have taken the university an unusually long time to conclude that a breach had occurred as a result of a cyberattack nearly a year ago.
"For most security incidents, taking 10 months from discovery of an incident to determination of a breach of personal data is quite excessive," says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"With proper procedures in place and being followed, and with appropriate access and activity logs being consistently generated and analyzed, there generally should not be much time necessary to determine a breach, except possibly under the most rare of circumstances."
Kate Borten, president of the privacy and security consulting firm The Marblehead Group, suggests that to help speed up the breach determination, "the compromised email accounts should have been scrutinized at the message-content level promptly after discovery."
In a statement, Brooks A. Keel, university president and CEO of Augusta University Health, says the organization is taking steps to improve data security in the wake of the incidents. Among the actions being taken are:
- Making changes in key leadership and accelerated implementation of some security initiatives that were already underway. That includes creating a new position of vice president for audit, compliance, ethics and risk management "to bring fresh leadership and direction" to the organization's compliance functions.
- Implementing multifactor authentication for off-campus email and system access.
- Reviewing and adopting solutions to limit email retention.
- Implementing a policy banning PHI in email communications and reviewing and adopting technology solutions to automatically screen emails for PHI and/or prevent them from being sent.
- Providing additional training this fall to employees "on their critical role in preventing security breaches."
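The two tasks the article describes, scoping a breach by reviewing compromised mailboxes for PHI at the message-content level and automatically screening outbound email for PHI, share the same core: a content scanner for the identifier types the university lists (SSNs, driver's license numbers, medical record numbers, dates of birth, insurance information alongside clinical terms). The script below is an added example written for this article; it is not Augusta University's tooling or any vendor's product. The identifier formats, field labels, internal domain and the sample messages are all constructed assumptions, and regular expressions only catch structured identifiers, which is one reason a real review of 364,000 messages still needs human reading of unstructured notes.

```python
"""Added example: PHI content screener for mailbox review and outbound email DLP.

Not the university's or a vendor's code. Identifier formats, labels,
domain and sample messages are assumptions constructed for the example.
"""
import hashlib
import re
from dataclasses import dataclass

# Assumed formats for how identifiers appear in free text and attachments.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*(\d{6,8})\b", re.I),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*(\d{2}/\d{2}/\d{4})\b", re.I),
    "driver_license": re.compile(r"\b(?:DL|driver'?s? licen[cs]e)[:#\s]*([A-Z]\d{7,8})\b", re.I),
    "insurance_id": re.compile(r"\b(?:member|policy) (?:id|no\.?)[:#\s]*([A-Z]{2,3}\d{8,10})\b", re.I),
}
# Clinical vocabulary that, next to an identifier, makes the content PHI.
CLINICAL_TERMS = ("diagnosis", "lab result", "medication", "surgery", "treatment", "date of service")


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    recipients: tuple
    subject: str
    body: str
    attachment_text: str = ""  # text extracted from attachments (e.g. a spreadsheet)


@dataclass(frozen=True)
class Finding:
    msg_id: str
    category: str
    digest: str   # stable key for de-duplication without storing the raw value
    masked: str   # what a report may show


def mask(value: str) -> str:
    """Keep only the last 4 characters so reports do not re-expose the identifier."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_message(msg: Message) -> list:
    """Scan subject, body and attachment text; tag clinical context when present."""
    text = "\n".join((msg.subject, msg.body, msg.attachment_text))
    findings = []
    for category, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            digest = hashlib.sha256(value.encode()).hexdigest()[:12]
            findings.append(Finding(msg.msg_id, category, digest, mask(value)))
    if findings and any(term in text.lower() for term in CLINICAL_TERMS):
        findings.append(Finding(msg.msg_id, "clinical_context", "-", "-"))
    return findings


def review_mailbox(messages) -> dict:
    """Breach-scoping view: which messages carry identifiers and how many distinct ones.

    The largest per-category count is only a lower bound on affected individuals,
    because one person may appear under several identifier types.
    """
    distinct = {category: set() for category in PATTERNS}
    hits = []
    for msg in messages:
        findings = scan_message(msg)
        if any(f.category in PATTERNS for f in findings):
            hits.append(msg.msg_id)
        for f in findings:
            if f.category in distinct:
                distinct[f.category].add(f.digest)
    counts = {category: len(keys) for category, keys in distinct.items()}
    return {
        "messages_with_phi": hits,
        "distinct_counts": counts,
        "individuals_lower_bound": max(counts.values()),
    }


def should_block_outbound(msg: Message, internal_domain: str) -> bool:
    """DLP rule: hold a message that leaves the organization and carries any identifier."""
    leaves = any(not r.lower().endswith("@" + internal_domain) for r in msg.recipients)
    has_phi = any(f.category in PATTERNS for f in scan_message(msg))
    return leaves and has_phi


# Constructed sample mailbox: one spreadsheet export, one benign note, one outbound message.
SAMPLE_MESSAGES = (
    Message("m1", "clerk@hospital.example", ("billing@hospital.example",),
            "Q3 claims spreadsheet", "Attached is the export we discussed.",
            "name,MRN,SSN,diagnosis\n"
            "A. Patient,MRN 00123456,123-45-6789,hypertension\n"
            "B. Patient,MRN 00123457,456-78-9012,diabetes\n"),
    Message("m2", "clerk@hospital.example", ("it@hospital.example",),
            "Password reset", "Please reset my account, thanks."),
    Message("m3", "nurse@hospital.example", ("friend@mail.example",),
            "Re: scheduling",
            "Patient DOB: 04/12/1960 is due for surgery Monday. Member ID: AB123456789."),
)

if __name__ == "__main__":
    print(review_mailbox(SAMPLE_MESSAGES))
    for m in SAMPLE_MESSAGES:
        print(m.msg_id, "block outbound:", should_block_outbound(m, "hospital.example"))
```

Run against the constructed mailbox, `review_mailbox` flags m1 and m3 and reports two distinct SSNs, two MRNs, one date of birth and one insurance ID, so at least two individuals are involved; `should_block_outbound` holds only m3, whose recipient is outside the assumed internal domain. Findings are keyed by a hash and reported masked so the review output itself does not become a second copy of the PHI.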
Borten says that when it comes to training, the organization should be providing its full workforce with education about phishing attacks, including how to recognize and report them.
"Further, IT should be testing training effectiveness through periodic simulated phishing attacks, and those who fall for the attack should be required to attend further training," she says. "Individuals who fail multiple times should be subject to stronger action."
As for preventing PHI from being sent via email, "many healthcare providers have long required PHI - and other confidential information - in email to be encrypted, at least when messages leave the organization's local network," Borten notes.
"This is a more feasible policy to follow since normal workflow sometimes relies on email for fast and trackable communication," she says. "Security should never hinder patient care, so the organization must ensure that there are secure, easy to use alternatives."
The university has reported the September 2017 phishing incident to the U.S. Department of Health and Human Services' Office for Civil Rights, as well as other regulatory authorities and law enforcement, the spokeswoman tells ISMG.
Once OCR confirms details, the September 2017 phishing attack could be the fourth largest health data breach reported to HHS this year, according to an Aug. 17 snapshot of the HHS HIPAA Breach Reporting Tool Website.
Commonly called the "wall of shame," the federal website lists health data breaches impacting 500 or more individuals.