UF Health Central Florida: Cyberattack Leads to PHI Breach
Incident Bears Similarities to Recent Attack at Scripps Health
In the wake of a recent cyberattack that reportedly disrupted access to patients' electronic health records and other systems for about a month during recovery, UF Health Central Florida has now reported that the incident exposed patient information.
In a breach notification statement posted on its website, the organization says its investigation into the recent cyber incident determined that unauthorized access to its computer network occurred between May 29 and May 31.
"During this brief time period, some patient information may have been accessible, such as names, addresses, dates of birth, Social Security numbers, health insurance information, medical record numbers and patient account numbers, as well as limited treatment information used by UF Health for its business operations," the organization says.
The organization's electronic medical records were not accessed, the statement notes.
Breach Details
UF Health says it first detected unusual activity on computer systems May 31. "We took immediate action to contain the event, including reporting it to law enforcement and launching an investigation with independent experts."
The organization's UF Health Leesburg Hospital and UF Health The Villages Hospital were affected by the incident, but not UF Health Jacksonville Hospital or UF Health Shands Hospital in Gainesville, the statement notes.
"We have no reason to believe the information was further used or disclosed," the organization says. But it's offering affected individuals complimentary credit monitoring and identity protection services.
UF Health says it is taking steps to enhance the security of its electronic systems and the information it maintains.
Apparent Ransomware Incident
Some local news media outlets, including Villages News, have cited unnamed UF Health insiders and reported that the UF Health incident involved ransomware and the attackers demanded a $5 million ransom.
For weeks, UF Health clinicians reportedly had to rely on paper records for patient care, and some appointments were canceled or postponed as the organization shut down many of its IT systems, including electronic health records, while mitigating the incident.
As of Wednesday, the UF Health Central Florida incident was not posted on the Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
UF Health Central Florida did not immediately respond to Information Security Media Group's request for additional details about the incident.
Similar Incident
Some experts note that the Florida incident apparently is similar to a recent ransomware-related breach reported by San Diego-based Scripps Health.
The ransomware attack on Scripps Health resulted in network outages, causing disruptions to EHR access for clinicians and portal access for patients for weeks during the recovery. It also caused the cancellation and postponement of patient appointments.
Like UF Health Central Florida, Scripps Health said its EHR system was not compromised in the incident. Scripps Health also reported a data breach resulting from the incident, with 147,000 individuals’ data affected.
Several lawsuits have been filed against Scripps Health in recent weeks (see: Lawsuits: Patients 'Harmed' by Scripps Health Cyberattack).
"Challenges created by legacy systems, lack of documentation, backup restoration times, etc., can all contribute to the recovery process being much longer and more complicated than anticipated - and, in a healthcare environment, that can put lives at risk," notes Brett Callow, a threat analyst at security firm Emsisoft.
Taking Action
While advance planning for potential cyberattacks is key to minimizing downtime, it’s critical that those plans be periodically tested, Callow notes.
"Running tabletop exercises will enable providers to identify shortcomings and improve their strategies accordingly," he says. "You don’t want to wait until your plan has been put into action to discover it has big problems."
Crisis management and investigations attorney Bill Moran of the law firm Otterbourg P.C. notes: "UF Health’s long-haul tribulations in the wake of the cyberattack are, unfortunately, typical among the unprepared. This is especially so in the healthcare sector, which is a prime target right now."
Moran advises his clients to use a business continuity plan checklist "to identify the critical elements of the business so as to develop a framework of action in response to a disabling crisis event."
From this, he says, an organization can "establish a business continuity plan with the aim of both minimizing the likelihood in the first instance of a business disruption, such as a cybercrime encryption of systems, and setting forth the process by which the business will respond to such an event to maintain operation."