Healthcare Data Privacy

Vulnerabilities in Fax Machines Can Be Exploited to Gain Network Access and Exfiltrate Sensitive Data

Despite many alternative communication methods being available, healthcare organizations still extensively use faxes to communicate. Some estimates suggest as many as 75% of all communications occur via fax in the healthcare industry.

While fax machines would not rank highly on any list of possible attack vectors, new research shows that flaws in the fax protocol could be exploited to launch attacks on businesses and gain network access.

The flaws were detected by researchers at Check Point, who successfully exploited them to create a backdoor into a network that was then used to steal information through the fax. The researchers believe tens of millions of vulnerable fax machines are currently in use around the world.

To exploit the flaw, the researchers sent a specially crafted image file over the phone line to a target fax machine. The fax machine decoded the image and loaded it into memory, and the researchers’ script triggered a buffer overflow that allowed remote code execution. The researchers gained full control of the fax machine and, using the NSA exploits EternalBlue and DoublePulsar, spread malware to a vulnerable PC connected to the same network.

The malware was programmed to search for files of interest. When a file was located, it was sent back to Check Point via fax.

Check Point’s research was mainly focused on HP’s OfficeJet Pro all-in-one fax printers, although the same flaws exist in many other manufacturers’ fax machines, including those manufactured by Epson and Canon. Check Point alerted HP to the issue, which has now been patched, although other manufacturers’ devices remain vulnerable. In many cases, software on all-in-one printers cannot be updated, and correcting the flaw will only be possible by upgrading to newer devices.

Check Point suggests all businesses that still use fax machines, including healthcare organizations, should determine whether their fax machines are capable of being updated and ensure all software is kept up to date. If updates are not possible, upgrading the devices is recommended and the printer-fax machines should be located on secure networks separate from those on which protected health information is stored.

While the research was focused on all-in-one printers, the researchers note that attacks would not be limited to those devices. Potentially, stand-alone fax machines could also serve as an entry point into a business network as could fax-to-mail services.

At this stage there have been no reports of this method of attack being used in the wild, although the Check Point researchers note it will only be a matter of time before others determine how the attacks can be conducted.

The post Vulnerabilities in Fax Machines Can Be Exploited to Gain Network Access and Exfiltrate Sensitive Data appeared first on HIPAA Journal.

APWG Detects 46% Rise in Phishing Websites in Q1, 2018

The Anti-Phishing Working Group has released its Q1, 2018 Phishing Activity Trends Report which shows there was a substantial increase in unique phishing sites detected in the first few months of 2018 compared to the final quarter of 2017.

The report explores phishing attacks and methods used between January 1 and March 31, 2018.

In Q1, 263,538 unique phishing sites were identified – a 46% increase from the 180,577 unique sites identified in Q4, 2017 and a 38% increase from the 190,942 sites detected in Q3, 2017. There were 60,887 unique phishing sites detected in January 2018, on a par with December 2017, followed by a substantial increase in February (88,754) and a further major increase in March (113,897).

The number of unique phishing campaigns reported by APWG customers remained broadly the same in January (89,250) and February (89,010) with a slight fall in March (84,444). 235 brands were spoofed in January, rising to 273 in February, and falling to 238 in March.

APWG member MarkMonitor tracked the industry sectors that were most heavily targeted in phishing campaigns. Its figures show online payment services topped the list in Q1, 2018, accounting for 39% of all reported phishing attacks. Attacks involving SaaS and webmail providers accounted for 18.7% of the total, followed by financial institutions (14.2%) and file hosting and cloud storage services (11.3%).

As businesses have moved over to HTTPS sites, the phishers have followed. Each quarter has seen a substantial rise in the percentage of phishing sites that use HTTPS and secure the connection between the site and the browser. APWG member PhishLabs has been tracking the use of HTTPS on phishing sites and its figures show a third (33%) of all phishing sites were on HTTPS infrastructure in Q1, 2018 compared to just 10.5% in Q1, 2017.

Many consumers still believe that a website starting with HTTPS means the site is legitimate, when that is certainly not the case. It only means that the connection between the browser and the site is secured. If the site is owned by a phisher, or if a legitimate site has been hijacked, any information entered can be captured. Many phishers are registering their own domains and are taking advantage of the free SSL certificates that are offered to make their sites look more legitimate.

RiskIQ’s figures show that the TLDs of domains used by phishers closely match TLD market share, with .com the most widely used TLD among phishers. .com domains accounted for 6,608 of the 13,594 unique domains used in phishing attacks in Q1, 2018. Those domains were widely distributed among different domain registrars.

Brazilian cybersecurity firm Axur provided a breakdown of internet-based attacks on individuals and companies in Brazil. The firm’s data show scam websites were the leading threat and accounted for 9,061 of the 17,065 attacks in Q1, 2018. They were followed by social media scams (4,209), mobile app scams (1,840) and phishing scams (1,816). 350 redirection URLs were detected that sent visitors to exploit kits and phishing sites and 257 URLs were being used to deliver malware.

At Least 3.14 Million Healthcare Records Were Exposed in Q2, 2018

In total, there were 143 data breaches reported to the media or the Department of Health and Human Services’ Office for Civil Rights (OCR) in Q2, 2018 and the healthcare records of at least 3,143,642 patients were exposed, impermissibly disclosed, or stolen. Almost three times as many healthcare records were exposed or stolen in Q2, 2018 as Q1, 2018.

The figures come from the Q2 2018 Breach Barometer Report from Protenus. The data for the report came from OCR data breach reports, data collected and collated by, and proprietary data collected through the Protenus compliance and analytics platform, which monitors the tens of trillions of EHR access attempts by its healthcare clients.

Q2 2018 Healthcare Data Breaches

Month    Data Breaches    Records Exposed
April    45               919,395
May      50               1,870,699
June     47               353,548

Q2, 2018 saw five of the top six breaches of 2018 reported. The largest breach reported – and largest breach of 2018 to date – was the 582,174-record breach at the California Department of Developmental Services – a burglary.

It is unclear if any healthcare records were stolen in the breach although data theft could not be ruled out. Many physical records were damaged by a fire started by the burglars which activated the sprinkler system which caused water damage. Electronic equipment was taken although it was encrypted.

The second largest data breach of 2018 was reported by MSK Group in May. The orthopedic group detected unauthorized access of parts of its network that contained the protected health information of 566,236 patients.

The third largest breach of 2018 involved the exposure and potential theft of 538,127 records from LifeBridge Health. Malware had been installed on a server on which billing information and medical records were stored.

The fifth and sixth largest breaches of the year to date were reported in June. Oklahoma State University Center for Health Sciences experienced a 279,865-record breach when its computer network was hacked and Med Associates, Inc., discovered a desktop computer had been hacked resulting in the exposure of 276,057 patients’ PHI.

The Threat from Within

Protenus has drawn attention to the threat from insider breaches and the importance of detecting privacy breaches promptly. When medical records are accessed by employees without authorization, there is a 30% chance of an employee violating patient privacy again within 3 months and a 66% chance they will do so again within 6 months. One of the main problems for hospitals is the time taken to investigate and respond to insider threats. On average, one investigator monitors the ePHI access attempts of 4,000 employees across an average of 2.5 hospitals – a significant burden.

Out of every 1,000 healthcare employees, Protenus determined that 9 will breach patient privacy, most commonly by snooping on the medical records of family members. In Q2, 2018, 71.4% of insider breaches involved employees snooping on family members’ medical records.

30.99% of breaches (44) reported to the Office for Civil Rights in Q2 were insider breaches, and out of the 27 incidents for which details have been disclosed, the records of 421,180 patients were known to have been compromised. There were 25 incidents involving insider error and 18 incidents involving insider wrongdoing.
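The detection work described above (one investigator reviewing the ePHI access attempts of thousands of employees, with family-member snooping the most common violation) is usually automated with simple relationship checks. The following is an added example with constructed sample data, not Protenus’ code or data: it joins an access log against an employee roster, a patient roster and a care-team assignment list, flags every access without a documented treatment relationship, and tags each flag with the strongest family indicator it can find. The CSV columns, the household identifier and the thresholds are assumptions for the illustration.

```python
import csv
import io

# Constructed sample rosters and access log (not real records).
EMPLOYEES_CSV = """emp_id,surname,household_id,role
e100,Ortiz,h1,nurse
e200,Nguyen,h2,billing
"""

PATIENTS_CSV = """pid,surname,household_id
p1,Ortiz,h1
p2,Kim,h3
p3,Nguyen,h2
p4,Ortiz,h9
"""

# (employee, patient) pairs with a documented treatment relationship (assumed source: EHR care-team table).
CARE_TEAM = {("e100", "p2")}

ACCESS_LOG_CSV = """ts,emp_id,pid,action
2018-06-01T09:00:00,e100,p2,view
2018-06-01T09:05:00,e100,p1,view
2018-06-01T09:06:00,e100,p4,view
2018-06-02T14:20:00,e200,p3,view
2018-06-02T14:25:00,e200,p2,view
"""


def flag_suspect_access(employees_csv, patients_csv, care_team, log_csv):
    """Return one alert per access that has no documented treatment relationship,
    tagged with the strongest family indicator found for that employee/patient pair."""
    emps = {r["emp_id"]: r for r in csv.DictReader(io.StringIO(employees_csv))}
    pats = {r["pid"]: r for r in csv.DictReader(io.StringIO(patients_csv))}
    alerts = []
    for row in csv.DictReader(io.StringIO(log_csv)):
        emp, pat = emps[row["emp_id"]], pats[row["pid"]]
        if (row["emp_id"], row["pid"]) in care_team:
            continue                        # expected access: employee is on the patient's care team
        if emp["household_id"] == pat["household_id"]:
            reason = "same-household"       # strongest indicator that this is a family member's record
        elif emp["surname"] == pat["surname"]:
            reason = "same-surname"         # weaker indicator; common surnames collide, so review first
        else:
            reason = "no-treatment-relationship"
        alerts.append((row["ts"], row["emp_id"], row["pid"], reason))
    return alerts


def repeat_offenders(alerts, min_alerts=2):
    """Employees with min_alerts or more flagged accesses, since a first violation is a
    strong predictor of another within months and deserves priority in the review queue."""
    counts = {}
    for _, emp_id, _, _ in alerts:
        counts[emp_id] = counts.get(emp_id, 0) + 1
    return sorted(e for e, n in counts.items() if n >= min_alerts)


if __name__ == "__main__":
    found = flag_suspect_access(EMPLOYEES_CSV, PATIENTS_CSV, CARE_TEAM, ACCESS_LOG_CSV)
    for alert in found:
        print(alert)
    print("repeat offenders:", repeat_offenders(found))
```

The care-team table is what turns a raw access log into something an investigator can act on: without it every access by a clinician looks legitimate, and with it the household and surname matches become a short, ranked list rather than thousands of events.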

Healthcare Hacking Incidents Increased in Q2 2018

The biggest cause of healthcare data breaches in Q2, 2018 was hacking/IT incidents which accounted for 36.6% of all reported breaches in the quarter. There were 52 hacking/IT incidents reported in Q2, compared to 30 in Q1 – a 73% increase. Those breaches resulted in the exposure/theft of at least 2,065,813 healthcare records.

Details were available for 44 breaches: ten were phishing-related, seven involved ransomware or malware, and one involved another form of extortion.

There were 23 reported cases of theft of physical or electronic records and a further 23 breaches that did not include enough information for them to be categorized. Overall, 84% of breaches involved electronic records and 16% involved paper records.

Healthcare providers were the worst hit with 76.37% of reported breaches, followed by health plans on 10.91%, business associates on 5.45%, and other entities on 7.27%.

The average time to discover a breach was 204 days and the median time was 18 days. The detection times ranged from one day to 1,587 days. From the available data, the average time to disclose breaches to the Office for Civil Rights was 71 days and the median time was 59 days. The maximum time frame under HIPAA for disclosing breaches is 60 days. California was the worst hit state with 20 incidents followed by Texas on 13.

The Protenus Q2 2018 healthcare data breach report can be downloaded on this link (PDF).

More Than 20 Serious Vulnerabilities in OpenEMR Platform Patched

OpenEMR is an open-source electronic health record management system that is used by many thousands of healthcare providers around the world. It is the leading free-to-use electronic medical record platform and is extremely popular.

Around 5,000 physician offices and small healthcare providers in the United States are understood to be using OpenEMR and more than 15,000 healthcare facilities worldwide have installed the platform. Around 100 million patients have their health information stored in the database.

Recently, the London-based computer research organization Project Insecurity uncovered a slew of vulnerabilities in the source code which could potentially be exploited to gain access to highly sensitive patient information, and potentially lead to the theft of all patients’ health information.

The Project Insecurity team chose to investigate EMR and EHR systems due to the large number of healthcare data breaches that have been reported in recent years. OpenEMR was the natural place to start as it was the most widely used EMR system and with it being open-source, it was easy to test the code without running into legal problems. The findings of the investigation into OpenEMR v5.0.1.3 are detailed in Project Insecurity’s vulnerability report (PDF).

After identifying around 20 serious vulnerabilities, the vendor was contacted on July 7, 2018 and was given a month before public disclosure, allowing time for developers to correct the flaws.

One of the most serious vulnerabilities discovered allowed an attacker to bypass authentication on the Patient Portal Login. The bypass was simple, requiring next to no skill to pull off: an individual only needed to navigate to the registration page and modify the requested URL to access the desired page. By exploiting this flaw, it would be possible to view and alter patient records and potentially compromise all records in the database.

Project Insecurity also discovered nine SQL injection flaws that could be used to view data in a targeted database and perform other database functions; four flaws that would allow remote code execution and privilege escalation on the server; several cross-site request forgery vulnerabilities; three unauthenticated information disclosure vulnerabilities; an unrestricted file upload flaw; and flaws that permitted unauthenticated administrative actions and arbitrary file actions.
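The portal bypass and the SQL injection flaws described in the two paragraphs above are both instances of trusting client-controlled state. The following is an added example, not OpenEMR’s code and not the actual defective logic from the report: a toy portal handler in which the registration page’s session flag is accepted as proof of login and the record id and query are taken straight from the URL, shown beside a hardened handler that only honours a server-set patient id and binds it with a parameterised query. The table contents, handler names and session keys are constructed for the illustration.

```python
import sqlite3
from dataclasses import dataclass, field


def make_db():
    """Constructed in-memory table standing in for a portal database (sample rows only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (pid INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)",
                     [(1, "Alice Example", "sample-dx-1"), (2, "Bob Example", "sample-dx-2")])
    return conn


@dataclass
class Request:
    params: dict = field(default_factory=dict)   # query string: fully client-controlled
    session: dict = field(default_factory=dict)  # server-side session: written only by the server


def visit_registration(req):
    """The self-registration page marks the session as 'registering'; any visitor can reach it."""
    req.session["registering"] = True


def login(req, pid):
    """A real login discards pre-login state (including the registering flag) before binding the patient id."""
    req.session.clear()
    req.session["patient_id"] = pid


def record_page_vulnerable(req, conn):
    """Hypothetical weak handler: the registering flag counts as authentication, the record id
    comes from the URL, and the query is built by concatenation (the SQL injection pattern)."""
    if not (req.session.get("patient_id") or req.session.get("registering")):
        return 401, None
    pid = req.params.get("pid", "")
    row = conn.execute("SELECT name, diagnosis FROM patients WHERE pid = " + pid).fetchone()
    return (200, row) if row else (404, None)


def record_page_hardened(req, conn):
    """Only a server-set patient_id proves login, and the query is bound to that id through a
    placeholder, so neither the URL nor the registration flag can widen access."""
    pid = req.session.get("patient_id")
    if pid is None:
        return 401, None
    row = conn.execute("SELECT name, diagnosis FROM patients WHERE pid = ?", (pid,)).fetchone()
    return (200, row) if row else (404, None)


def demo():
    conn = make_db()
    visitor = Request(params={"pid": "2"})       # never logged in
    visit_registration(visitor)                  # opened the registration page, then edited the URL
    weak = record_page_vulnerable(visitor, conn)[0]
    strong = record_page_hardened(visitor, conn)[0]
    alice = Request(params={"pid": "2"})         # logged in as patient 1 but asks for record 2
    login(alice, 1)
    own = record_page_hardened(alice, conn)      # gets her own record, whatever the URL says
    return weak, strong, own


if __name__ == "__main__":
    print(demo())   # (200, 401, (200, ('Alice Example', 'sample-dx-1')))
```

Two points carry over to real portals: authorisation must key off a value the server wrote after a successful login, never off a flag that any page can set, and the record a query returns should be scoped to that authenticated identity rather than to whatever identifier appears in the request.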

The vulnerabilities were identified through a manual review of the code and by modifying requests. No source code analysis tools were used. If the flaws had been found by a hacker, huge numbers of medical records could have been accessed, altered, and stolen.

OpenEMR has now issued patches to correct all the flaws identified by the Project Insecurity team.

Vulnerabilities Discovered in Medtronic MyCareLink Patient Monitors and MiniMed Insulin Pumps

An advisory has been issued by ICS-CERT about vulnerabilities in Medtronic MyCareLink Patient Monitors and the MiniMed 508 Insulin Pump. This is the second advisory to be issued about MyCareLink Patient Monitors in the past six weeks. In June, ICS-CERT issued a warning about the use of a hard-coded password (CVE-2018-8870) and an exposed dangerous method or function vulnerability (CVE-2018-8868).

The latest vulnerabilities to be discovered are an insufficient verification of data authenticity flaw (CVE-2018-10626) and the storage of passwords in a recoverable format (CVE-2018-10622). The vulnerabilities are present in all versions of the Medtronic MyCareLink 24950 and 24952 Patient Monitors.

If an attacker were to obtain per-product credentials from the monitor and the paired implanted cardiac device, it would be possible for invalid data to be uploaded to the Medtronic Carelink network due to insufficient verification of the authenticity of uploaded data. The vulnerability has been assigned a CVSS v3 score of 4.4 (medium severity).

The way that passwords are stored could allow them to be recovered by an attacker and used for network authentication and encryption of local data at rest. This vulnerability has been assigned a CVSS v3 score of 4.9 (medium severity).

The vulnerabilities were identified by security researchers at Whitescope LLC, who reported them to the National Cybersecurity and Communications Integration Center (NCCIC).

Medtronic has already taken steps to address the vulnerabilities. Server-side updates have been made to correct the data authenticity verification issue and further mitigations will be implemented shortly to enhance data integrity and authenticity. To reduce the risk of exploitation, Medtronic recommends users maintain good physical control over their home monitors and only use monitors that have been obtained from healthcare providers.

Two vulnerabilities have also been identified in the Medtronic MiniMed 508 Insulin Pump by the Whitescope researchers. The first is the cleartext transmission of sensitive information (CVE-2018-40634) and the second is an authentication bypass flaw that could be exploited in a capture replay attack (CVE-2018-14781).

The researchers discovered that communications between the insulin pump and wireless accessories are sent in cleartext, which could allow sensitive information such as the device serial number to be captured by an attacker. The vulnerability has been assigned a CVSS v3 score of 4.8 (medium severity).

When the insulin pump is paired with a remote controller and the easy-bolus and remote bolus options are set, the device is vulnerable to a capture-replay attack which would allow the wireless transmissions to be captured and replayed resulting in an additional insulin (bolus) delivery. The vulnerability has been assigned a CVSS v3 score of 5.3 (medium severity).
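The capture-replay weakness described above exists because a captured command stays valid forever. The standard defence is to bind every command to a value that can only be used once and to authenticate that binding. The following is an added example, not Medtronic’s protocol, firmware or code: a toy controller/pump exchange in which each command is framed as counter || command || HMAC-SHA256 tag, and the receiving side rejects any frame whose tag fails or whose counter does not advance past the last accepted one. The shared key, frame layout and command text are constructed for the illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32        # bytes of HMAC-SHA256 output
COUNTER_LEN = 8     # unsigned 64-bit big-endian counter


class Controller:
    """Remote side: frames each command as counter || command || tag."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def frame(self, command: bytes) -> bytes:
        self.counter += 1                       # never reused, so a replayed frame carries an old value
        body = struct.pack(">Q", self.counter) + command
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + tag


class Pump:
    """Device side: acts on a frame only if the tag verifies and the counter advances."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0                   # must be kept in non-volatile storage on a real device
        self.deliveries = []                    # commands that were actually acted on

    def receive(self, frame: bytes) -> str:
        if len(frame) < COUNTER_LEN + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"          # tampered or forged frame
        counter = struct.unpack(">Q", body[:COUNTER_LEN])[0]
        if counter <= self.last_counter:
            return "rejected: replay"           # already seen: the capture-and-replay case
        self.last_counter = counter
        self.deliveries.append(body[COUNTER_LEN:])
        return "accepted"


def demo():
    key = b"constructed-shared-key-not-a-real-device-key"
    ctrl, pump = Controller(key), Pump(key)
    frame = ctrl.frame(b"BOLUS 2.0")
    first = pump.receive(frame)                 # genuine command
    replay = pump.receive(frame)                # identical bytes sent a second time
    tampered = bytearray(frame)
    tampered[COUNTER_LEN + 6] ^= 0x01           # flip one bit in the dose field
    forged = pump.receive(bytes(tampered))
    return first, replay, forged, len(pump.deliveries)


if __name__ == "__main__":
    print(demo())   # ('accepted', 'rejected: replay', 'rejected: bad tag', 1)
```

The counter only prevents replay if the pump remembers it across power cycles and the controller never resets it; a window that tolerates a few lost frames is fine, but accepting any counter lower than the last one reopens the attack. This scheme also does nothing for the cleartext transmission of identifiers such as the serial number mentioned above; confidentiality needs encryption on top of the authentication shown here.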

The vulnerabilities affect the following MiniMed insulin pumps and associated products: MMT-508 MiniMed insulin pump, MMT-522 / MMT-722 Paradigm REAL-TIME, MMT-523 / MMT-723 Paradigm Revel, MMT-523K / MMT-723K Paradigm Revel, and MMT-551 / MMT-751 MiniMed 530G.

Medtronic will not be issuing a fix to correct the flaws as devices are only vulnerable if the remote option is enabled; devices are not vulnerable in their default configuration. Users can disable the easy bolus and remote bolus options if they have been set. If users wish to continue to use the easy bolus option, they should be attentive to device alerts while it is enabled and should turn off the easy bolus option when they are not intending to use the remote bolus option.

OCR Reminds Healthcare Organizations of HIPAA Rules for Disposing of Electronic Devices and Media

In its July Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA covered entities about HIPAA Rules for disposing of electronic devices and media.

Prior to electronic equipment being scrapped, decommissioned, returned to a leasing company or resold, all electronic protected health information (ePHI) on the devices must be disposed of in a secure manner.

HIPAA Rules for disposing of electronic devices cover all electronic devices capable of storing PHI, including desktop computers, laptops, servers, tablets, mobile phones, portable hard drives, zip drives, and other electronic storage devices such as CDs, DVDs, and backup tapes.

Healthcare organizations also need to be careful when disposing of other electronic equipment such as fax machines, photocopiers, and printers, many of which store data on internal hard drives. These devices in particular carry a high risk of a data breach at the end of life as they are not generally thought of as devices capable of storing ePHI.

If electronic devices are not disposed of securely and a data breach occurs, the costs to a healthcare organization can be considerable. Patients must be notified, it may be appropriate to pay for credit monitoring and identity theft protection services, and third-party breach response consultants, forensic investigators, and public relations consultants may need to be hired. OCR and/or state attorneys general may conduct investigations and substantial financial penalties may be applied. Breach victims may also file lawsuits over the exposure of their financial information.

The costs all add up. The 2018 Cost of a Data Breach Study conducted by the Ponemon Institute/IBM Security highlighted the high cost of data breaches, in particular healthcare data breaches. The average cost of a breach of up to 100,000 records was determined to be $3.86 million. Healthcare data breaches cost an average of $408 per exposed record to mitigate, while the cost of data breaches of one million or more records was estimated to be between $40 million and $350 million.

It is not possible to ensure that all ePHI is disposed of securely if an organization does not know all systems and devices where PHI is stored. A full inventory of all equipment that stores ePHI must be created and maintained. When new equipment is purchased the list must be updated.

A full risk analysis should be conducted to determine the most appropriate ways to protect data stored on electronic devices and media when they reach the end of their lifespan.

Organizations must develop a data disposal plan that meets the requirements of 45 C.F.R. §164.310(d)(2)(i)-(ii). Paper, film, or other hard copy media should be shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed. OCR notes that “Redaction is specifically excluded as a means of data destruction.”

Electronic devices should be “cleared, purged, or destroyed consistent with NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization,” to ensure that ePHI cannot be retrieved. If reusable media are in use, it is important to ensure that all data on the devices are securely erased prior to the devices being reused. Before electronic devices are scrapped or disposed of, asset tags and corporate identifying marks should be removed.

Third party contractors can be used to dispose of electronic devices, although they would be considered business associates and a business associate agreement would need to be in place. All individuals required to handle the devices must be aware of their responsibilities with respect to ePHI and its safe handling and should be subjected to workforce clearance processes.

Organizations should also consider the chain of custody of electronic equipment prior to destruction. Physical security controls should be put in place to ensure the devices cannot be stolen or accessed by unauthorized individuals and security controls should cover the transport of those devices until all data has been destroyed and is no longer considered ePHI.

The OCR newsletter, together with further information on secure disposal of ePHI and PHI, can be found on this link (PDF).

NIST/NCCoE Release Guide for Securing Electronic Health Records on Mobile Devices

The HIPAA Security Rule requires HIPAA-covered entities to ensure the confidentiality, integrity, and availability of electronic protected health information at all times. Healthcare organizations must ensure patients’ health is not endangered, their privacy is protected, and their identities are not compromised.

A range of physical, technical, and administrative controls can be implemented to secure ePHI on servers and desktop computers, but ensuring the same level of security for mobile devices can be a major challenge.

Mobile devices offer many benefits for healthcare providers. They can improve access to protected health information, ensure that data can be accessed anywhere, and they help healthcare providers improve coordination of care.

However, when ePHI is stored on mobile devices such as laptops, tablets and mobile phones, or is transmitted using those devices, it is particularly vulnerable. Mobile devices are easy to lose, are often stolen, and data transmitted through mobile devices can also be vulnerable to interception. In healthcare, mobile device security is a major concern.

Despite security concerns, the majority of healthcare providers are either using mobile devices or plan to implement a mobile device initiative. Mobile device usage by healthcare providers is expected to increase significantly over the next two years.

To help healthcare organizations take advantage of mobile devices without violating the HIPAA Security Rule and patient privacy, the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) have produced a new guide, Securing Electronic Health Records on Mobile Devices.

The guide focuses on healthcare organizations that use mobile devices to review, update, and exchange electronic health records and addresses risks such as the loss or theft of devices, the hacking of devices, connecting to untrusted networks, and interaction between mobile devices and other systems.

The guide explains how ePHI can be secured on mobile devices without having a negative impact on delivering quality care and offers straightforward and detailed advice on securing electronic health records on mobile devices.

The guide explains how IT professionals can implement a security architecture to improve device security and better protect ePHI that is accessed, stored, or transmitted through mobile devices. The guide explains how commercially available and open-source technologies and tools can be deployed as part of a layered cybersecurity strategy to ensure ePHI can be accessed and shared securely.

The guide maps security characteristics to NIST standards and best practices and to the HIPAA Security Rule and includes a detailed architecture and capabilities that address security controls. The guide provides detailed information on automated configuration of security controls for ease of use and addresses both in-house and outsourced implementations.

The guide serves as a how-to guide to implement NIST’s security solution, or it can be taken as a starting point and customized to suit each individual organization. Since the guide is modular, healthcare providers can choose to implement the parts to suit their own needs.

“All healthcare organizations need to fully understand the potential risk posed to their information systems, the bottom-line implications of those risks, and the lengths that attackers will go to exploit them,” wrote NIST/NCCoE in the guide. “Assessing risks and making decisions about how to mitigate them should be continuous to account for the dynamic nature of business processes and technologies, the threat landscape, and the data itself. The guide describes [NIST’s] approach to risk assessment. We recommend that organizations implement a continuous risk management process as a starting point for adopting this or other approaches that will increase the security of EHRs. It is important for management to perform regular periodic risk review, as determined by the needs of the business.”

Consumers More Worried About Exposure of Financial Information Than Health Data

The privacy and security of health data is less of a concern for consumers than the privacy and security of financial information such as credit card numbers, according to a recent survey by the healthcare marketing agency SCOUT.

The Harris Poll survey was conducted on 2,033 adults from May 10-14, 2018 as part of a new research series called SCOUT Rare Insights. The survey revealed fewer than half of consumers (49%) were very concerned about the privacy and security of their health data, whereas more than two thirds of consumers (69%) were very concerned about the privacy and security of their financial data such as credit/debit card numbers and bank account information.

Consumers are often covered by insurance policies on their credit cards and can reclaim losses in many cases. A new credit card number can be issued in cases of theft and there are laws that limit personal liability. However, if health insurance information and Social Security numbers are stolen, breach victims can suffer severe losses that may not be recoverable.

Medical identity theft can also cause patients serious problems. When identities are stolen for the purpose of obtaining medications or medical services, medical records can be altered and patients may come to physical harm as a result. There is a booming market for medical identity theft and healthcare data breaches are occurring at an alarming rate.

Financial data breaches are usually detected rapidly and victims are alerted to the fraudulent use of their information promptly. In the case of health data breaches, it may take many months or even years before patients become aware that their health data has been misused. There are also few protections in place to limit liability and damages.

“We need to be much more aware and concerned about the safety of our health data,” said Raffi Siyahian, principal at SCOUT. “First, the risk of having your medical data exposed is pretty significant. And second, the consequences of someone gaining unauthorized access to your personal health information can be far more damaging than having someone illegally access your personal financial information.”

The survey also revealed that just over a third of patients (36%) are using online portals to access their personal health information. Only 28% of under 35s were using portals compared to 39% of over 35s. Checking health records regularly can ensure mistakes are promptly corrected and misuse of personal health information is detected rapidly.

The main reasons why online portals were not used were a preference for discussing health matters in person (47%) and concerns over the security of health data in online portals (39%).

When asked about the types of medical information patients were most concerned about being mishandled and shared, the area of most concern was diagnosed medical conditions and diseases, rated as a concern by 31% of respondents.

1.4 Million Patients Warned About UnityPoint Health Phishing Attack

A massive UnityPoint Health phishing attack has been reported, one in which the protected health information of 1.4 million patients has potentially been obtained by hackers.

This phishing incident is the largest healthcare data breach of 2018 by some distance, involving more than twice the number of healthcare records as the California Department of Developmental Services data breach reported in April and the LifeBridge Health breach reported in May.

This is also the largest phishing incident to be reported by a healthcare provider since the HHS’ Office for Civil Rights (OCR) started publishing data breaches in 2009 and the largest healthcare breach since the 3,466,120-record breach reported by Newkirk Products, Inc., in August 2016.

Email Impersonation Attack Fools Several Employees into Disclosing Login Credentials

The UnityPoint Health phishing attack was detected on May 31, 2018. The forensic investigation revealed multiple email accounts had been compromised between March 14 and April 3, 2018 as a result of employees being fooled by email impersonation scams.

Business email compromise scams involve hackers gaining access to the email account of a senior executive and using that account to send internal emails in an attempt to obtain sensitive data such as W-2 Forms or to convince employees to make fraudulent wire transfers. However, access to an executive’s email account is not always necessary. If the attackers spoof an executive’s email address, it may be sufficient to fool employees into responding.

That is what appears to have happened in the UnityPoint Health phishing attack. A trusted executive’s email account was spoofed and several employees responded to the messages and disclosed their email credentials.

UnityPoint Health investigated the breach with assistance provided by a third-party digital forensics firm. The investigation suggested the primary purpose of the attack was to divert vendor payments and payroll funds to accounts controlled by criminals.

An analysis of the compromised email accounts revealed they contained a wide range of protected health information in the body of messages and attachments. That information could have been accessed by the hackers and downloaded.

The types of information exposed varied patient to patient, but may have included names, addresses, birth dates, medical record numbers, diagnosis information, treatment information, lab test results, health insurance information, surgical information, provider names, dates of service, driver’s license numbers, Social Security numbers and, for a limited number of patients, financial information such as credit card numbers.

A year of credit monitoring services has been offered to affected patients whose Social Security numbers, driver’s license numbers, or financial information have been exposed. UnityPoint Health says it has not received any reports of PHI misuse to date.

Second Major UnityPoint Health Phishing Attack to Be Detected in 2018

This is not the first UnityPoint Health phishing attack to be reported in 2018. In April, UnityPoint Health announced it had discovered several email accounts had been compromised resulting in the exposure of 16,400 patients’ PHI. Unauthorized individuals gained access to employees’ email accounts between November 1, 2017 and February 7, 2018. In response to that attack, UnityPoint Health said it had strengthened security controls to prevent further attacks. Whatever additional controls had been implemented clearly were not effective at protecting against email impersonation attacks.

The latest breach has prompted UnityPoint Health to implement further security controls, including two-factor authentication on employees’ email accounts and additional technological controls to detect suspicious emails from external sources. Further training has also been conducted to help employees recognize phishing attempts.

When multiple data breaches are reported by a healthcare provider, especially breaches that involve large numbers of patient records, the Department of Health and Human Services’ Office for Civil Rights takes a keen interest. An investigation into these phishing attacks is likely to be conducted, with UnityPoint Health’s security controls and security awareness training programs likely to be carefully scrutinized for evidence of compliance failures.

Even without fines for non-compliance, data breaches on this scale can prove incredibly costly. Recently, the Ponemon Institute/IBM Security released the results of its 2018 Cost of a Data Breach Study. This year’s study showed the average cost of a data breach has risen to $3.86 million for a breach of up to 100,000 records. The healthcare industry has the highest breach costs at an average of $408 per record.

For the first time, the study investigated the cost of ‘mega’ data breaches – those that involve the exposure of more than 1 million records. The cost of resolving these mega data breaches was estimated to be $40 million when more than 1 million records have been exposed.
