Victim List in EHR Vendor Hack Grows as New Details Emerge
More Than 348,000 Patients at Multiple Eye Care Practices Affected So Far
The list of ophthalmology practices and the number of individuals affected by a December hacking incident at cloud-based electronic health records vendor Eye Care Leaders are growing as more details about the attack slowly emerge.
As of Wednesday, nearly a dozen vision care practices around the U.S. are known to have reported to regulators data breaches involving the ECL incident, which has affected a total of more than 348,000 individuals, so far.
One of the latest eye care practices reporting a breach linked to the ECL incident also disclosed in its notification statement that the ECL medical record databases deleted by attackers had been hosted on the back end by Amazon Web Services.
Victim Count Soars
Over the past week, the Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool website shows the addition of several more breach reports filed by vision practices affected by the ECL hacking incident.
The latest practices reporting breaches to HHS involving the ECL hack include:
- Kansas-based Frank Eye Center PA - 26,333 individuals affected;
- Nebraska-based Arkfeld, Parson & Goldstein PC, which does business as ilumin - nearly 15,000 individuals affected;
- Michigan-based Northern Eye Care Associates PC - 8,000 affected;
- Kansas-based Ad Astra Eye LLC - nearly 3,700 individuals affected.
Also added to the HHS OCR website is a hacking/IT incident involving electronic medical records reported by Regional Eye Associates Inc. & Surgical Eye Center of Morgantown, West Virginia, as affecting 194,035 individuals.
Like the other eye care practices affected by the ECL incident, Regional Eye Associates Inc. in its notification statement on its website says the breach involved a data security incident detected on Dec. 4, 2021, at its third-party electronic medical records vendor, in which an individual deleted several databases before being detected and locked out of the system.
Unlike the other affected eye care practices so far, Regional Eye Associates did not identify the EMR vendor in its breach notification statement. But Regional Eye Associates is featured in a customer case study on the ECL website.
Regional Eye Associates did not immediately respond to Information Security Media Group's request for comment.
Earlier Reports
Ophthalmology practices previously reporting to HHS and state regulators breaches involving the ECL incident include Tennessee-based Summit Eye Associates, Washington state-based King County Public Hospital District No. 2 - doing business as Evergreen Health, and Ohio-based Allied Eye Physicians & Surgeons Inc.
ECL did not immediately respond to ISMG's request for additional details about the incident, including the total number of practices and individuals affected. On its website, ECL says that its electronic medical record software and practice management systems are used by 9,000 ophthalmologists.
Incident Details
In a notification statement posted on its website, Northern Eye Care Associates, or NECA, says that on March 1, it became aware of a potential protected health information breach at its EHR contractor and business associate ECL involving the vendor's databases hosted on Amazon Web Services that occurred on Dec. 4, 2021.
"Attackers accessed the ECL myCare Integrity cloud-based back-end hosted on AWS and deleted databases and system configuration files," NECA says. "The activity was detected in less than 24 hours and ECL's incident response team contained and began investigating the incident immediately upon discovering it."
Shortly after stopping the attack, ECL also began efforts to restore deleted files and databases from backups to limit the impact on the availability of PHI, NECA says. "ECL identified and restored available backups for many of the deleted databases. However, there remain some databases that have not been restored."
Work is ongoing to determine whether these remaining unrestored databases can or need to be restored, NECA says, adding that its "complete" electronic health records for all patients were hosted with ECL.
"While the electronic container in which PHI databases are stored by ECL is encrypted, the database tables themselves are not encrypted at rest," NECA says.
To date, ECL's forensics team has not found any evidence that PHI was acquired or exfiltrated but cannot definitively rule out that possibility as the investigation continues, NECA says.
Questions Remain
Kate Borten, president of privacy and security consulting firm The Marblehead Group, says many questions about factors contributing to the ECL incident, including why not all client EHR-related data was encrypted at rest, remain unanswered.
"I'd love to see it all encrypted, but what does that do to record retrieval time?" she says. "On the other hand, if only the container or platform is encrypted, and many people have access to the platform, that's probably not good enough.
"For example, I may encrypt my laptop hard drive. But if I share my login credentials with my family or my team, and I have some patient records on there, then that likely won't meet HIPAA or other reasonable expectations of security and privacy," she says.
Critical Risks
Some experts say the incident is another stark reminder of serious security risks involving vendors handling critical healthcare IT systems and patient PHI.
"The cyberattacks that target vendors providing data management services for patient records and practice management operations are the scariest of incidents because of the breadth and sheer volume of the data they could be handling," says privacy attorney David Holtzman of the consulting firm HITprivacy.
Any vendor that produces software, manufactures hardware or provides managed services for other organizations is a prime target, he adds.
"The growing threats highlight the failure to uphold the chain of trust to safeguard an information ecosystem that relies on industry self-regulation, contractual agreements and limited enforcement of government regulatory standards.
"While this will not be a quick solution, the threat will not diminish until there is a comprehensive, mandatory framework of standards that apply to all," Holtzman says.
Messy Breach
Regulatory attorney Paul Hales of the Hales Law Group says hacking incidents involving EHRs "always leave a digital trail, so the cause of the Eye Care Leaders breach likely will be discovered quickly and may already be known."
But sorting out legal liability in the incident will take much longer, he says, as "it depends on a web of contracts and business associate agreements connecting all parties.
"Unfortunately, the biggest losers, besides affected patients, may be the eye care practices. Each affected practice will be subject to scrutiny by HHS OCR and may face private legal action rooted in state law. They are covered entities, responsible to patients for HIPAA compliance, including vetting business associate EHR vendors."
Optometrists and ophthalmologists generally practice in small groups, Hales says. "Typically, small practices do limited due diligence regarding a vendor's HIPAA compliance. And they execute contracts prepared by the vendor's lawyer to protect the vendor."
For example, he says, those contracts may include limitations of liability, mandatory mediation, choice of venue and other damage-limiting provisions, and "the way this hack will play out is murky, but it most certainly will be lengthy and expensive."