Utah Imaging Associates Notify Nearly 584,000 of PHI Hack
What Serious ID Theft and Other Risks Do Affected Patients Face?
A recent hack of a Utah medical radiology group's network server has compromised sensitive health information of more than a half-million patients, ranking the incident among the 20 largest health data breaches posted on the federal tally so far this year.
In a Thursday breach notification statement, Farmington, Utah-based Utah Imaging Associates says that on Sept. 4 it detected a network security incident. Upon discovery, UIA says it promptly secured and began remediating its network.
The Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals, shows that UIA reported the incident on Nov. 3 as affecting nearly 584,000 individuals.
As of Monday, the UIA breach ranks as the 19th-largest health data breach posted to the federal tally so far in 2021.
A breach report filed by UIA to the Maine attorney general's office indicates the breach began Aug. 29, and unauthorized data access continued for about a week until Sept. 4, when the incident was detected and stopped.
"Based on the available evidence, the forensic investigation determined that some UIA files containing sensitive data were available to the unauthorized actor during the incident," UIA says in its breach notification statement.
Protected health information potentially exposed to the unauthorized actor includes patients' first and last names, mailing address, date of birth, Social Security number, health insurance policy number, and medical information. That includes, but is not limited to, medical treatment, diagnosis and prescription information. "We maintained this information for patient care and administrative purposes," UIA says.
According to UIA, it has no evidence of the misuse of any of the compromised information, but it is offering affected individuals 12 months of complimentary identity theft monitoring.
Restructuring IT
In a statement provided to Information Security Media Group, UIA did not disclose the type of network security incident it experienced, but it said the incident did not disrupt its medical imaging services.
"Since the discovery of the incident, we have taken and will continue to take steps to mitigate the risk of future issues. Notably, upon discovery of the incident, we moved quickly to initiate our incident response plan, which included conducting an investigation with the assistance of the third-party forensic specialists to contain and safely restore our systems," UIA says.
Its statement to ISMG says that it is also revamping its IT department in the wake of the incident "to better meet the needs of today’s evolving cybersecurity landscape."
"We are also enhancing our security measures for our systems and servers and have installed endpoint monitoring tools to continuously monitor our system."
UIA did not elaborate on the steps it is taking to revamp its IT department.
Patient ID Concerns
Some experts say the type of medical information compromised and the vast number of individuals affected by the UIA incident is particularly alarming.
"The UIA breach is extremely serious because the breached information may expose patients to grave health safety risks caused by medical identity theft in addition to bothersome financial headaches," says regulatory attorney Paul Hales of Hales Law Group.
"Medical identity theft is the fastest-growing form of identity theft in the U.S. and rewards criminals with premium prices on the black market," he says.
Hales also notes that medical identity information such as what was potentially compromised in the UIA incident is often used by criminals to commit health insurance fraud, unlawfully obtain prescription drugs and for other illicit activities, and it can potentially put patients in danger of physical harm.
"Patient safety is compromised when someone uses another’s health insurance to get medical care and the thief’s medical information, like a different blood type, becomes part of a patient record. Transfusion of the wrong blood type can be life-threatening," he says.
The identity theft advice UIA provides to affected patients in its breach notification statement "focuses exclusively on awareness of financial fraud with no warning or guidance about checking the accuracy of their medical records," Hales says.
The HIPAA Breach Notification Rule requires covered entities to notify individuals of steps they should take to protect themselves from potential harm resulting from the breach, he notes.
"Arguably the Breach Notification Rule requires covered entities to inform individuals of steps to protect themselves of reasonably foreseeable potential harm including medical identity theft when appropriate.
"The fallout from this major breach will affect UIA and its patients for years to come."
Other Incidents
Of the top 20 largest health data breaches posted to the HHS OCR website so far in 2021, all but one was reported as a hacking/IT incident involving a network server.
That one exception was a hacking/IT incident involving email phishing reported in January by New York-based American Anesthesiology Inc. as affecting nearly 1.3 million individuals.