Texas Specialty Practice Suffers Ransomware AttackUrology Austin Says it Mitigated Attack, But Reports Large Breach
A ransomware attack on a Texas urology practice that potentially could affect nearly 280,000 patients ranks as one of the largest health data breaches reported to federal regulators this year.
"Within minutes, we were alerted to the attack, our computer network was shut down, and we began an investigation," the practice says in its statement. "We also began to take steps to restore the impacted data and our operations."
Urology Austin says an internal investigation determined that patient names, addresses, dates of birth, Social Security numbers and medical information were "impacted" by the ransomware.
Affected individuals are being offered 12 months of free credit and identity monitoring.
Attorney Lindsay Nickle of the law firm Wilson Elser Moskowitz Edelman & Dicker, which represents Urology Austin, says the attack occurred on a Sunday, and the healthcare provider's internal and external IT teams, once alerted of the incident, immediately began addressing the issue to limit the impact on delivering patient care.
That mitigation effort included restoring data from backups and wiping the servers clean. During the mitigation process, patient care services were limited for only about a day as the practice restored operations. Urology Austin did not pay a ransom, she says.
Although the attack did not have an impact on practice's electronic health records, Nickle says other applications, including legacy data, were potentially affected.
She says law enforcement was not notified of the ransomware attack, and because servers were "wiped clean" as part of the mitigation effort to restore operations quickly, Urology Austin does not know what type of ransomware was involved in the attack.
Because the Urology Austin ransomware incident potentially affected legacy applications, some of those receiving notifications include individuals who may have been Urology Austin patients many years ago.
The Urology Austin breach is listed on the Department of Health and Human Services' Office for Civil Rights "wall of shame" website as a hacking incident affecting 279,663 individuals.
As of March 27, the Urology Austin incident is the second largest breach added to the wall of shame so far for 2017.
The largest breach in 2017 is a "theft" reported on March 1 by Kentucky-based Commonwealth Health Corp., which operates Med Center Health. While that CHC breach is listed on the wall of shame as impacting nearly 698,000 individuals, a CHC spokeswoman says that the incident potentially had an impact on only about 160,000 individuals, and that the higher figure represents how many patient encounters were reflected in the insider incident involving the theft of encrypted storage devices.
Protecting Patient Data
Healthcare entities holding on to data many years after caring for individuals who are no longer patients is a common problem. "This is a big issue in healthcare as many entities do not destroy anything related to patients," says Mac McMillan, president and chief strategy officer at security consulting firm CynergisTek. "That means that its not only possible but highly probable that there is patient information in systems and data bases that they have not care for in quite some time. Data management and data retention are linked and represent a real shortcoming in most environments. There are technologies like data loss prevention solutions that can search for [and] discover old patient information so that it could be removed from active or production systems and archived properly."
Kate Borten, president of security and privacy consulting firm The Marblehead Group notes that healthcare faces some additional challenges compared with other sectors in protecting older data. Healthcare "is not like an insurance contract with effective and termination dates, or a bank account that has opened and closed dates. In healthcare, an 'old' patient can show up again at any time. Our Master Patient Indexes need to keep track of all our patients, not just currently active ones."
Still, all protected health information, including older legacy data of former patients, must be properly safeguarded, "regardless of how long the entity has had the data," says Rebecca Herold president of Simbus, a privacy and security cloud services firm, and CEO of The Privacy Professor, a consultancy. "Every provider does need to have a data retention policy and supporting procedures in place, which include how to irreversibly destroy/delete data when it is no longer needed to support legal requirement and patient care needs," she says. "This should become a provider mantra: When you don't need data, eliminate the data and you will also lower your risks because you will then have less data to protect.
'De-Identify' Data for Research
"Keep the data as long as the patient is still receiving care, but then irreversibly destroy it. If you want it for research, then de-identify the data so you can still get the research benefits, but you will then significantly reduce the risks to the associated patients."
To prevent back-up data from being impacted by ransomware and other attacks, back-up data needs to be stored offline. "Too many organizations still do not do this, and as a result, because the backups are attached to their network, the ransomware then encrypts the backups also," she says.
McMillan says that there are various guidelines for data retention and retention periods under regulations related to HIPAA, federally treated substance abuse and mental health patients and also children. "Categories of information can be identified and retention periods established that could be enforced. Archival does not mean 'gone', so I think its safe to say after some reasonable period of time if you haven't seen a patient you should be able to archive their file," he says.
Signs of Progress?
As for Urology Austin incident, Herold says it was encouraging that the practice did not pay the ransom and had a current backup plan to restore data quickly.
"Ransomware is profitable to the cybercrooks ... and there is low chance of being caught if the crooks are careful," she says. "As long as these factors exist, cybercrooks will continue," she says.
McMillan points out that when it comes to ransomware assaults on the healthcare sector lately, "we're seeing as many attempts [as last year], but fewer successful attacks, which is good news all around."