A massive UnityPoint Health phishing attack has been reported, one in which the protected health information of 1.4 million patients has potentially been obtained by hackers.

This phishing incident is the largest healthcare data breach of 2018 by some distance, involving more than twice the number of healthcare records as the California Department of Developmental Services data breach reported in April and the LifeBridge Health breach reported in May.

This is also the largest phishing incident to be reported by a healthcare provider since the HHS’ Office for Civil Rights (OCR) started publishing data breaches in 2009 and the largest healthcare breach since the 3,466,120-record breach reported by Newkirk Products, Inc., in August 2016.

Email Impersonation Attack Fools Several Employees into Disclosing Login Credentials

The UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled by email impersonation scams.

Business email compromise scams involve hackers gaining access to the email account of a senior executive and using that email account to send internal emails to try to obtain sensitive data such as W-2 Forms or to convince employees top make fraudulent wire transfers. However, access to an executive’s email account is not always necessary. If the attackers spoof an executive’s email account, it may be sufficient to fool employees into responding.

That is what appears to have happened in the UnityPoint Health phishing attack. A trusted executive’s email account was spoofed and several employees responded to the messages and disclosed their email credentials.

UnityPoint Health investigated the breach with assistance provided by a third-party digital forensics firm. The investigation suggested the primary purpose of the attack was to divert vendor payments and payroll funds to accounts controlled by criminals.

An analysis of the compromised email accounts revealed they contained a wide range of protected health information in the body of messages and attachments. That information could have been accessed by the hackers and downloaded.

The types of information exposed varied patient to patient, but may have included names, addresses, birth dates, medical record numbers, diagnosis information, treatment information, lab test results, health insurance information, surgical information, provider names, dates of service, driver’s license numbers, Social Security numbers and, for a limited number of patients, financial information such as credit card numbers.

A year of credit monitoring services has been offered to affected patients whose social security number, driver’s license numbers, or financial information has been exposed. UnityPoint Health says it has not received any reports of PHI misuse to date.

Second Major UnityPoint Health Phishing Attack to Be Detected in 2018

This is not the first UnityPoint Health phishing attack to be reported in 2018. In April, UnityPoint Health announced it had discovered several email accounts had been compromised resulting in the exposure of 16,400 patients’ PHI. Unauthorized individuals gained access to employees’ email accounts between November 1, 2017 and February 7, 2018. In response to that attack, UnityPoint Health said it had strengthened security controls to prevent further attacks. Whatever additional controls had been implemented clearly were not effective at protecting against email impersonation attacks.

The latest breach has prompted UnityPoint Health to implement further security controls, which include the use of two-factor authentication on employee’s email accounts, additional technological controls to detect suspicious emails from external sources, and further training has been conducted to help employees recognize phishing attempts.

When multiple data breaches are reported by a healthcare provider, especially breaches that involve large numbers of patient records, the Department of Health and Human Services’ Office for Civil Rights takes a keen interest. An investigation into these phishing attacks is likely to be conducted, with the UnityPoint Health’s security controls and security awareness training programs likely to be carefully scrutinized for evidence of compliance failures.

Even without fines for non-compliance, data breaches on this scale can prove incredibly costly. Recently, the Ponemon Institute/IBM Security released the results of its 2018 Cost of a Data Breach Study. This year’s study showed the average cost of a data breach has risen to $3.86 million for a breach of up to 100,000 records. The healthcare industry has the highest breach costs at an average of $408 per record.

For the first time, the study investigated the cost of ‘mega’ data breaches – Those that involve the exposure of more than 1 million records. The cost of resolving these mega data breaches was estimated to be $40 million when more than 1 million records have been exposed.

The post 1.4 Million Patients Warned About UnityPoint Health Phishing Attack appeared first on HIPAA Journal.

There was a 13.8% month-over-month increase in healthcare data breaches reported in June 2018, although the data breaches were far less severe in June with 42.48% fewer healthcare records exposed or stolen than the previous month.

In June there were 33 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights and those breaches saw 356,232 healthcare records exposed or stolen – the lowest number of records exposed in healthcare data breaches since March 2018.

Healthcare Data Breaches (January-June 2018)

Healthcare Records Exposed (January-June 2018)

Causes of Healthcare Data Breaches (June 2018)

Unauthorized access/disclosure incidents were the biggest problem area in June, followed by hacking IT incidents. As was the case in May, there were 15 unauthorized access/disclosure breaches and 12 hacking/IT incidents. The remaining six breaches involved the theft of electronic devices (4 incidents) and paper records (2 incidents). There were no reported losses of devices or paperwork and no improper disposal incidents.

Healthcare Records Exposed by Breach Type

While unauthorized access/disclosure incidents were more numerous than hacking/IT incidents, they resulted in the theft/exposure of far fewer records. Compared to May, 157.5% more records were obtained by unauthorized individuals in theft incidents. There was a 56% fall in the number of healthcare records exposed/stolen in hacking/IT incidents and almost 74% fewer healthcare records exposed or stolen in unauthorized access/disclosure incidents.

Largest Healthcare Data Breaches (June 2018)

Hacking and phishing incidents were behind most (8) of the largest healthcare data breaches reported in June.

The largest breach was reported by the Med Associates, a provider of claims services to healthcare organizations. A computer used by one of the company’s employees was hacked and accessed remotely by an unauthorized individual. The device contained the PHI of 276,057 individuals.

HealthEquity Inc., Black River Medical Center, and InfuSystem Inc., all experienced phishing attacks that resulted in unauthorized individuals gaining access to email accounts containing ePHI.  The New England Baptist Health breach involved a patient list that was accidentally emailed to an individual unauthorized to receive the information.

The Arkansas Children’s Hospital breach was a case of snooping by a former employee, and the breach at RISE Wisconsin was a ransomware attack.

Location of Breached PHI (June 2018)

Email continues to be the most common location of breached PHI. In June, there were 9 email-related breaches reported to OCR. Seven of the nine email-related breaches involved unauthorized individuals accessing the email accounts of healthcare employees as a result of phishing attacks. One email-related breach involved PHI being sent to an individual unauthorized to receive the data and the cause of the other email-related breach has not been confirmed.

The high number of successful phishing attacks on healthcare organizations highlights the importance of ongoing security awareness training for all healthcare employees with email accounts. Once a year training sessions are no longer sufficient. Training programs should be ongoing, with phishing simulation exercises routinely conducted to reinforce training and condition employees to be more security aware. OCR reminded HIPAA-covered entities that security awareness training was a requirement of HIPAA and offered suggestions to increase resilience to phishing attacks in its July 2017 Cybersecurity Newsletter.

Unauthorized accessing and theft of paper records was behind 6 breaches, highlighting the need for physical controls to be implemented to keep physical records secure.

Data Breaches by Covered Entity Type

Healthcare providers experienced the most data breaches in June with 23 data security incidents reported. There was a marked month-over-month increase in health plan data breaches with six incidents reported compared to just two in May. Business associates reported six breaches in June, although in total, 10 incidents had some business associate involvement – on a par with May when 9 breaches involved business associates to some extent.

Data Breaches by State

California was the state worst affected by healthcare data breaches in June 2018, with 5 data breaches reported by healthcare organizations in the state. Texas saw four breaches reported, with three security breaches reported by Michigan-based healthcare organizations and two breaches reported by healthcare organizations in Florida, Missouri, Utah, Wisconsin.

Arkansas, Arizona, Iowa, Illinois, Massachusetts, Minnesota, Montana, North Carolina, New Jersey, New Mexico, New York, Pennsylvania, Washington each had one breach reported.

Penalties for HIPAA Violations Issued in June 2018

OCR penalized one HIPAA-covered entity in June for HIPAA violations – The fourth largest HIPAA violation penalty issued to date.

OCR investigated MD Anderson after three data breaches were reported in 2012 and 2013 – The theft of a laptop computer from the vehicle of a physician and the theft of two unencrypted thumb drives. 34,883 healthcare records were impermissibly disclosed as a result of the breaches.

OCR determined a financial penalty was appropriate for the failure to encrypt ePHI and the resultant impermissible disclosures of patient health information. University of Texas MD Anderson Cancer Center (MD Anderson) contested the penalty, with the case going before and administrative law judge. The ALJ ruled in favor of OCR.

University of Texas MD Anderson Cancer Center was ordered to pay $4,348,000 to resolve the HIPPA violations that led to the breaches.

The post June 2018 Healthcare Breach Report appeared first on HIPAA Journal.

LabCorp, one of the largest clinical laboratories in the United States, has experienced a cyberattack that has potentially resulted in hackers gaining access to patients’ sensitive information.

The Burlington, NC-based company runs 36 primary testing laboratories throughout the United States and the Los Angeles National Genetics Institute. The company performs standard blood and urine tests, HIV tests and specialty diagnostic testing services and holds vast quantities of highly sensitive data.

The cyberattack occurred over the weekend of July 14, 2018 when suspicious system activity was identified by LabCorp’s intrusion detection system. Prompt action was taken to terminate access to its servers and systems were taken offline to contain the attack.

With its systems offline, this naturally affected test processing and customers have been prevented from accessing their test results online. LabCorp expects some of its systems to remain offline for several days while efforts continue to restore system functionality and those systems are fully tested. Delays in processing lab test results are expected to continue to be experienced until its systems are fully restored and patients may continue to experience delays receiving their test results.

The investigation into the breach is still in the early stages and it has yet to be confirmed whether the hackers behind the attack managed to gain access to patients’ medical information. So far, no evidence has been uncovered to suggest any patient information was transferred outside its system.

LabCorp is involved in several drug development programs, although the attack is believed to be limited to LabCorp’s Diagnostics systems. The systems used by Covance Drug Development are not believed to have been affected.

The cyberattack has been reported to the Securities and Exchange Commission (SEC) and other relevant authorities have also been notified.

Once the nature of the breach has been established and the likelihood of unauthorized access to patient data has been determined, patient will be notified if appropriate.

LabCorp has followed standard breach protocol to contain the attack and prevent data exfiltration and limit harm, and the shutting down of its systems is no indication that patient data has been accessed. However, the UL’s the Daily Mail newspaper claims to have contacted a company insider who said the hackers potentially had access to the medical records of millions of patients.

The post LabCorp Cyberattack Forces Shutdown of Systems: Investigators Currently Determining Scale of Breach appeared first on HIPAA Journal.

A recent study conducted by the Ponemon Institute on behalf of IBM Security has revealed the hidden cost of data breaches, and for the first time, the cost of mitigating 1 million-record+ data breaches.

The study provides insights into the costs of resolving data breaches and the full financial impact on organizations’ bottom lines. For the global study, 477 organizations were recruited and more than 2,200 individuals were interviewed and asked about the data breaches experienced at their organizations and the associated costs. The breach costs were calculated using the activity-based costing (ABC) methodology. The average number of records exposed or stolen in the breaches assessed in the study was 24,615 and 31,465 in the United States.

Last year, the Annual Cost of a Data Breach Study by the Ponemon Institute/IBM Security revealed the cost of breaches had fallen year over year to $3.62 million. The 2018 study, conducted between February 2017 and April 2018, showed data breach costs have risen once again.

The average cost of a data breach is now $3.86 million – An annual increase of 6.4%. The per capita cost of a data breach has risen by 4.8%, from $141 per record in 2017 to $148 per record in 2018.

Data breaches are costlier to resolve in the United States, where the average cost was $7.91 million. The cost of a data breach also varies considerably between industry sectors. The highest data breach resolution costs are for healthcare data breaches, which typically cost an average of $408 per record. This is considerably higher than financial services data breaches in second place, which cost an average of $206 per record. The lowest costs were in the public sector, with costs of $75 per record.

The type of breach has a bearing on the cost. Cyberattacks by malicious insiders and criminals cost an average of $157 per record, system glitches cost an average of $131 per record to resolve, while breaches caused by human error cost an average of $128 to resolve.

The mean time to identify a breach was 197 days and the mean time to contain a breach was 69 days. The time taken to identify and contain breaches both increased in the past year, which has been attributed to an increase in the severity of cyberattacks in this year’s sample.

Suffering one breach is bad enough, although many companies experience multiple breaches. IBM determined that companies that experience a data breach have a 27.9% chance of experiencing a second material breach within two years.

The Cost of Mega Data Breaches

For the first time, Ponemon/IBM analyzed the costs of mega data breaches, which are data breaches that have resulted in the theft or exposure of more than 1 million records. The number of mega data breaches experienced has nearly doubled in the past five years from 9 in 2013 to 16 in 2017.

The average time to detect and contain these mega data breaches was 365 days – almost 100 days longer than smaller data breaches which took an average of 266 days to detect and contain.

These mega data breaches can prove to be incredibly costly to resolve. The average cost of a mega data breach involving 1 million records is $40 million. That figure rises to an average of $350 million for a breach involving the exposure/theft of 50 million records. The biggest cost of these mega data breaches is loss of customers, typically costing $118 million for a 50-million record breach.

For the study, the costs of breach mitigation were divide into four areas; Detection and escalation, notification, post data breach response, and lost business cost. The costs for mega data breaches are detailed in the table below:

Source: IBM Security

Factors that Affect the Cost of a Data Breach

As with previous studies, Ponemon/IBM identified several factors that can have an impact on the cost of data breaches.

“Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake,” said Wendi Whitmore, Global Lead for IBM X-Force Incident Response and Intelligence Services (IRIS).

The time taken to identify and contain a breach has a significant bearing on cost. When companies can contain a breach within 30 days they typically save around $1 million in breach resolution costs.  Companies that identified and contained a breach within 100 days spent around $1 million less than those that took longer than 100 days.

The most important factor affecting the cost of a data breach is having an incident response team in place, which reduces the breach cost by an average of $14 per compromised record. In second place is the widespread use of encryption, which reduces the cost of a data breach by $13 per record.

Business continuity management reduced the per capita cost by $9.3 as did employee training. Participation in threat sharing reduced the per capita cost by $8.7 and use of an artificial intelligence cybersecurity platform reduced the cost by $8.2.

One of the biggest costs following a data breach is loss of customers. All businesses experience churn following a breach, although steps can be taken to reduce churn. Organizations that implement programs to preserve trust and loyalty before a breach experience lower churn rates, as do companies that have a chief Privacy Office (CPO) or Chief Information Security Officer (CISO) to direct initiatives to improve customer trust in the guardianship of personal information. When businesses offer identify theft protection and credit monitoring services to breach victims, churn rate is reduced.

Companies that lost 1% of their customers as a result of a breach had an average total cost of $2.8 million, whereas a loss of 4% or more customers saw breach costs rise to an average of $6 million – a difference of $3.2 million.

When companies employ security automation the cost of data breaches falls to $2.88 million per breach, although without any security automation the average breach cost is $4.43 million – a difference of $1.55 million per breach.

The main factors that increase the cost of a data breach are third-party involvement, which increases the cost by $13.4 per record. If a company is experiencing a major cloud migration at the time of the breach the cost increases by $11.9 per record. Compliance failures also increase the breach cost by $11.9 per record.

Extensive use of mobile platforms increases the breach cost by $10 per record while companies that extensively use IoT devices add $5.4 per record to data breach costs.

While breach victims need to be notified as soon as possible, rushing to issue breach notifications before all the facts have been obtained increases the cost of the data breach by $4.9 per record.

The 2018 Cost of a Data Breach Study can be viewed on this link.

The post Healthcare Data Breach Costs Highest of Any Industry at $408 Per Record appeared first on HIPAA Journal.