Healthcare Data Privacy

Foreign Government-Backed Hacker Was Behind 2015 Anthem Breach

The massive 2015 data breach at Anthem Inc., which resulted in the theft of more than 78.8 million health plan members’ records, was likely the work of a foreign government-backed hacker, according to a recent report issued by the California Department of Insurance.

Anthem Inc., the second largest health insurer in the United States, announced the massive cyberattack in February 2015, almost a month after the breach was discovered. However, the cyberattack occurred almost a year earlier with Anthem’s database discovered to have been infiltrated on February 18, 2014.

Data stolen in the attack included members’ Social Security numbers, birth dates, employment details, addresses, email addresses, and medical identification numbers. The attackers were able to bypass multiple layers of cybersecurity defenses with a single phishing email sent to an employee of one of Anthem’s subsidiaries. The response to the email allowed the attacker to download malware onto Anthem’s network, which in turn allowed access to Anthem’s database of members. The attackers also managed to infiltrate 90 other information systems used by the insurer.

Anthem employed cybersecurity firm Mandiant to investigate the breach, although the independent investigation conducted by the California Department of Insurance, with assistance from cybersecurity firm CrowdStrike and Alvarez & Marsal Insurance and Risk Advisory Services, has taken considerably longer to conduct. While Mandiant’s investigation centered on how the breach occurred, the individuals affected, and the extent of the breach, the California Department of Insurance’s investigation probed deeper and attempted to determine who was responsible.

It was only recently that the California state agency discovered a credible link between the cyberattack and a foreign government-backed hacker. No announcement has been made as to which foreign government has been linked to the attack. The California Department of Insurance chose not to announce details of the government suspected to be linked to the attack as a federal investigation is still ongoing. However, a number of cybersecurity firms have linked the malware used in the attack to China.

The California Department of Insurance investigation was led by seven insurance commissioners and involved 40 other state and territorial insurance commissioners. One of those insurance commissioners, Dave Jones, said “our examination team concluded with a significant degree of confidence that the cyber attacker was acting on behalf of a foreign government.”

The investigators were able to identify the attacker with “a significant degree of confidence”, although they only had “a medium degree of confidence” that the attacker was backed by a foreign government. Previous cyberattacks linked to the foreign government suspected of assisting in the attack have not resulted in any stolen data being passed on to non-state actors, yet the data from the Anthem attack appears to have been passed on to non-state groups.

Preventing cyberattacks such as the one on Anthem is difficult. A coordinated effort between government agencies and private sector firms is required. Jones said “Insurers and regulators alone cannot stop foreign government-assisted cyberattacks.”

The California Department of Insurance investigation also looked at the cybersecurity defenses Anthem had put in place prior to the breach, the actions taken immediately after the breach was discovered, and the plans put in place to protect members from harm. The investigators determined that the defenses put in place to prevent cyberattacks were reasonable and that the plan implemented to resolve the breach was rapid and effective.

Vulnerabilities were discovered during the course of the investigation and were communicated to the insurer and incorporated into its remediation plan. After cybersecurity defenses were improved post-breach, the investigators arranged for Anthem’s new cybersecurity defenses to be penetration tested. The California Department of Insurance found the improvements to be reasonable.

Early estimates of the breach resolution costs suggested Anthem would have to pay in excess of $100 million. However, the cost to the insurer has been significantly higher. Anthem Inc. has spent $260 million just to shore up its cybersecurity defenses and improve its information systems to prevent further attacks. All individuals affected by the breach have been offered 2 years of credit monitoring/protection services free of charge, and the company is currently embroiled in numerous class-action lawsuits. There is also the possibility that the Department of Health and Human Services’ Office for Civil Rights may take action against the insurer. The final cost of the Anthem breach will not be known for many months to come.

The post Foreign Government-Backed Hacker Was Behind 2015 Anthem Breach appeared first on HIPAA Journal.

Fetal Tissue Firms Guilty of Systemic HIPAA Violations

The U.S. House of Representatives Select Investigative Panel has published the findings from its investigation into the sale of fetal tissue by abortion clinics, revealing systemic HIPAA violations by both abortion clinics and tissue procurement businesses.

An investigation was requested by the Energy and Commerce Subcommittee on Oversight and Investigations following revelations made by undercover journalist David Daleiden.

In 2015, Daleiden arranged a series of meetings with businesses involved in the fetal tissue procurement industry via the not-for-profit group Center for Medical Progress (CMP).

Daleiden secretly recorded abortion providers – and companies involved in the fetal tissue business – detailing the nature of the business of buying and selling tissues from aborted fetuses. Daleiden’s meetings uncovered some dark truths about the practices employed by abortion clinics to obtain fetal tissue, including how termination procedures were often changed in order to obtain more intact specimens, including the use of illegal abortion procedures. The investigation showed how abortion clinics were selling fetal tissue to improve their bottom lines with profit often placed above patient welfare.

The Select Investigative Panel’s 471-page report is the culmination of a yearlong investigation into the fetal procurement industry. The aim of the investigation was sixfold: To examine the medical procedures and business practices used by the industry; to investigate other relevant matters related to fetal procurement; to review federal funding and support for abortion service providers; to investigate the practice of second and third trimester abortions (including partial birth abortions); to assess medical procedures used to care for a child born alive; and to determine whether there was a need for law changes and/or further regulation of the industry.

The investigation centered on the tissue procurement company StemExpress and three Californian abortion clinics: Two operated by Planned Parenthood and one operated by Family Planning Specialists Medical Group.

Planned Parenthood and StemExpress Violated the HIPAA Privacy Rule

The investigation revealed that StemExpress and the Californian abortion clinics: Planned Parenthood Mar Monte (PPMM), Planned Parenthood Shasta Pacific (PPSP), and Family Planning Specialists Medical Group (FPS), routinely violated the Health Insurance Portability and Accountability Act’s Privacy Rule. The organizations’ HIPAA violations were found to be systemic and occurred over a 6-year period between 2010 and 2015.

While HIPAA Rules are in place to protect the privacy of healthcare patients and prevent unauthorized disclosures of individuals’ identifiable protected health information, the above abortion clinics were discovered to have impermissibly disclosed individuals’ PHI to facilitate the sale of human fetal tissue.

Further, some tissue procurement businesses misrepresented that the consent forms used, along with the methods employed to harvest fetal tissue, complied with federal regulations.

The Panel determined that tissue procurement businesses routinely violated the HIPAA privacy rights of women for the sole purpose of making money by selling fetal tissue, and were concerned with profit over patient welfare.

Impermissible Disclosures of PHI

The Panel determined that the fetal tissue trade “did not meet the exceptions for cadaveric organ, eye or tissue transplantation or for research,” and that the HIPAA Privacy Rule had been repeatedly violated. The abortion clinics were discovered to have allowed employees of StemExpress to enter their clinics, view patients’ PHI, interact with patients, and seek and obtain their consent to donate fetal tissues. However, consent to share PHI had not been obtained prior to sharing sensitive information with StemExpress. StemExpress was found to have violated HIPAA Rules by viewing the PHI of women without there being a medically valid reason for doing so.

No HIPAA Business Associate Agreements

The Panel also determined that the consent forms obtained by StemExpress “did not constitute sufficient authorizations for the disclosure of PHI,” and that the information disclosed to StemExpress was not “the minimum necessary information” as required by HIPAA. Abortion clinics are HIPAA-covered entities and their dealings with StemExpress made the company a HIPAA business associate, yet the clinics and StemExpress had not entered into a business associate agreement as required by HIPAA Rules.

While the clinics could have entered into a valid business associate agreement and provided PHI in accordance with HIPAA Rules, they did not, and instead impermissibly shared “the most intimate information about their patients,” and violated patients’ privacy.

The Select Investigative Panel determined that the disclosures were both deliberate and purposeful, with StemExpress employees being provided with full patient charts containing highly sensitive medical information.

While contractual agreements between the Planned Parenthood abortion clinics and StemExpress existed, the agreements were not compliant with HIPAA Rules. The report says the agreements with StemExpress instructed the company to “treat the information obtained from patients’ charts in order to preserve the confidentiality of the patients,” but said this “cannot trump a law prohibiting the Planned Parenthood abortion clinics from permitting these disclosures in the first place.”

The Select Investigative Panel’s report says “The Panel’s work has revealed that this corruption extends to the method of obtaining consent from the patient, which is both deceptive and unlawful.”

Recommendations for the Department of Health and Human Services

The panel has made numerous recommendations, including a request that Planned Parenthood be stripped of all federal funding, including reimbursements for Medicaid services. Instead, those funds should be made available to healthcare providers that “provide comprehensive preventive healthcare for their patients, and that do not perform abortions,” except in the case of rape or incest or when abortions are required to prevent women from being placed in danger of death.

The potential HIPAA violations have been referred to the Department of Health and Human Services, and the Select Investigative Panel has recommended that HHS conduct “greater oversight over misleading consent forms, IRBs, HIPAA violations, and abortion provider competence to care for infants born alive during abortion procedures.”

The sale of fetal tissue by abortion clinics has been condemned by many pro-life groups. Kristan Hawkins, president of Students for Life of America (SFLA), said “It is our deepest hope that Planned Parenthood, StemExpress, their business partners, and these late-term abortionists be brought to swift justice by the immediate investigation and prosecution of the U.S. Department of Justice and various state Attorneys General to whom charges were referred.”

The Select Investigative Panel report can be downloaded on this link.

The post Fetal Tissue Firms Guilty of Systemic HIPAA Violations appeared first on HIPAA Journal.

Patients Holding Back Health Information Over Fears of Data Privacy

A fully interoperable health system is becoming closer to reality. Barriers to health data sharing are being removed and the ONC and HHS’ Office for Civil Rights are stepping up their efforts to prevent information blocking by healthcare providers.

However, in order for information to be able to flow, it is essential that information is collected. If healthcare providers and other healthcare organizations only have access to partial medical histories, the usefulness of health data will be limited.

Unfortunately, many patients are reluctant to provide their full medical histories to their healthcare providers, and even when information is provided, many patients do not want that information shared with anyone other than their primary healthcare provider.

Privacy and security issues are a major concern, and the problem is growing. As healthcare data breaches continue to increase year on year, consumer confidence is decreasing. This has a direct impact on the willingness of patients to share their health data.

Important Medical Information is Being Withheld by Patients

The extent to which patients are withholding information has recently been highlighted by a Black Book survey. Between September and December 2016, Black Book conducted a national poll of 12,090 adult consumers to assess patients’ confidence in health IT and the extent to which they have been willing to share their health information.

The results of the survey clearly show that patients are extremely concerned about the privacy of their data and believe that sensitive health information is being shared without their knowledge. There are also serious concerns about healthcare organizations’ abilities to protect health information and ensure that it remains private.

For the Black Book survey, consumers were asked about the contact they had had with technology used by their physician, hospital, and other healthcare organizations over the past 12 months, including mobile apps, patient portals, and electronic health records.

57% of respondents who had experience of these health technologies said they were concerned about the privacy protections put in place and whether their data could be kept private.

87% of Patients Unwilling to Share their Full Medical Histories

Consumer confidence in the privacy and security measures put in place by healthcare providers appears to be at an all-time low. For the last quarter of 2016, Black Book reports that 87% of patients were unwilling to comprehensively share all of their health information with their providers. 89% of consumers who had visited a healthcare provider in 2016 said they had withheld some information during their visits.

While certain types of information are openly shared, healthcare patients are particularly concerned about sharing highly sensitive data. Many feel that those data are being shared without their knowledge.

90% of respondents said they were concerned about details of their pharmacy prescriptions being shared beyond their chosen provider and payer, and that information was being shared with the government, retailers, and employers. 81% were concerned that information about chronic conditions was being shared without their knowledge, and 99% were concerned about the sharing of mental health notes. 93% of respondents said they were concerned about their personal financial information being shared.

According to Black Book Managing Partner Doug Brown, “Incomplete medical histories and undisclosed conditions, treatment or medications raises obvious concerns on the reliability and usefulness of patient health data in application of risk based analytics, care plans, modeling, payment reforms, and population health programming.” In a statement issued about the findings of the survey he said, “This revelation should force cybersecurity solutions to the top of the technology priorities in 2017 to achieve tangible trust in big data dependability.”

Providers’ Expertise with Technology Inspires Trust

Providers can do more to improve patients’ confidence in technology by demonstrating that they know how to use it. Patients do not appear to have an issue with the technology itself. Only 5% of respondents said they mistrusted the technology. However, 69% of respondents said their current primary care physician did not display enough technology prowess for them to be able to trust that individual with all of their data. 84% of respondents said their level of trust in their provider was influenced by how that provider used technology.

Patients are also having trouble using technology. 96% of consumers said they had left physicians’ offices “with poorly communicated or miscommunicated instructions on patient portal use,” and 83% reported having difficulty using the portal at home. Only 40% of patients said they had tried to use the portal in their physician’s office.

The survey also revealed that patients believe the data they are collecting via personal wearable devices is important. 91% of consumers said their physician practice’s medical record system should store any health-related data they request. However, most physicians do not want access to so much information. 94% of physicians that responded to this section of the survey said much of the personally collected health information is redundant and would be unlikely to make a clinical difference. Furthermore, so much information is now being collected that they are becoming overwhelmed by data.

The post Patients Holding Back Health Information Over Fears of Data Privacy appeared first on HIPAA Journal.

11GB of Sensitive Data Left Unprotected by Department of Defense Subcontractor

A security researcher has discovered that the sensitive data of psychologists, doctors and other health workers employed by the United States Special Operations Command (SOCOM) have been exposed on the Internet by Woodbridge, VA-based Potomac Healthcare, a subcontractor for the Department of Defense. Potomac Healthcare supplies health workers to government organizations through Booz Allen Hamilton.

Chris Vickery of MacKeeper discovered 11GB of internal Potomac data were left unprotected and could be accessed over the Internet without a username or a password. The data included names, Social Security numbers, locations, assigned units, and salaries of psychologists, doctors, and other healthcare professionals. The files also included lists of websites and programs with their associated usernames and passwords. Vickery said that the details of at least two Special Forces data analysts who had “Top Secret government clearance” were also present in the data.

It is unclear for how long the data had been exposed and whether any other individuals had gained access to the information. Vickery reports on his blog that after he notified Potomac Healthcare of the issue, the data were still available online an hour later. Only when the issue was escalated and reported to ‘Potomac’s boss’ was the information secured and access prevented. That happened within 30 minutes of the phone call.

According to Vickery, he discovered an “unprotected remote synchronization service was active at an IP address tied to Potomac.” The data were allegedly made available to the public via the Internet as a result of a misconfigured data backup.

Potomac Healthcare issued a statement to Threatpost saying that after being notified of the breach by Vickery, “we immediately initiated an internal review and brought in an external forensic IT firm for additional support.”

Potomac Healthcare also confirmed that the investigation into the security breach is ongoing and that aside from Vickery, “we have no indication that any sensitive government information was compromised.”

The post 11GB of Sensitive Data Left Unprotected by Department of Defense Subcontractor appeared first on HIPAA Journal.

Massachusetts Data Breach Notification Archive Now Available Online

The Office of Consumer Affairs and Business Regulation of the state of Massachusetts has taken a major step toward improving transparency by making its data breach notification archive available to the public. Previously, members of the public were permitted to view the breach reports, but only by submitting a public records request. Now all breach notifications made to the state’s Office of Consumer Affairs and Business Regulation can be viewed online.

The Massachusetts Data Breach Notification Archive can be viewed and downloaded in PDF form, with the identity theft report detailing the date the incident was reported, the organization affected, breach type, number of residents impacted, types of sensitive data exposed (SSNs, Driver’s license numbers, financial information, credit/debit card numbers), and whether credit monitoring services have been offered to breach victims. The reports include breaches of both physical records and electronic personal information from 2007. The report for 2016 currently includes 1,865 breach summaries.

State law (Chapter 93H) requires all entities that maintain a record of any personal information of residents of the state of Massachusetts to issue breach notifications to individuals if their personal information is “acquired or used by an unauthorized person or for an unauthorized purpose.” Breaches of encrypted data are not reportable unless a key to unlock the data is also compromised. Breaches must also be reported to the state attorney general and the Office of Consumer Affairs and Business Regulation.

State law covers accidental and deliberate breaches including, but not limited to, loss and theft of electronic data or papers, hacking incidents, insider errors, and unintentional data leakage.

In the state of Massachusetts, personal information is classed as a state resident’s first and last name or initial and last name in combination with any of the following data elements:

  • Social Security number
  • Driver’s license number
  • State-issued ID number
  • Financial account number
  • Credit or debit card number (with or without a CVV/CVC code)
  • Personal ID number and/or password that would allow a financial account to be accessed

Breach notifications are not required if data elements are lawfully obtained from publicly available information or federal, state, or local records that are available to the general public.

Breaches of medical information are not included in the state’s definition of personal information as is the case in a number of other states, although such information is covered under HIPAA Rules and breach notification letters would need to be issued to affected individuals by HIPAA-covered entities.
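The reportability test described above, as an added example that is not part of the article or the state’s own material: a small Python triage helper that applies the Chapter 93H definition exactly as the article summarises it (name plus a listed data element, the encryption exception, the public-records exception, and the exclusion of medical information). The element tags, record layout and sample rows are constructed for illustration, not the statute’s own terms or real breach data.

```python
"""Breach-triage helper for the Massachusetts Chapter 93H definition of
"personal information" as summarised in the article above.

Constructed example: the element tags, record layout and sample records are
assumptions for illustration, not the statute's own terms or real breach data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Data elements that, combined with a resident's name, make a record
# "personal information" under the definition the article lists.
PERSONAL_DATA_ELEMENTS: Set[str] = {
    "ssn",                   # Social Security number
    "drivers_license",       # driver's license number
    "state_id",              # state-issued ID number
    "financial_account",     # financial account number
    "payment_card",          # credit or debit card number, with or without CVV/CVC
    "financial_credential",  # PIN and/or password giving access to a financial account
}
# Deliberately absent: medical information is not part of the state definition;
# a record holding only diagnoses or MRNs is handled under HIPAA, not Chapter 93H.


@dataclass
class ExposedRecord:
    """One resident's row in an exposed data set (constructed layout)."""
    record_id: str
    last_name: Optional[str]
    first_name: Optional[str] = None
    first_initial: Optional[str] = None
    fields: Set[str] = field(default_factory=set)   # element tags present in the row
    encrypted: bool = False                          # row was stored encrypted
    key_compromised: bool = False                    # decryption key was also exposed
    public_source_fields: Set[str] = field(default_factory=set)  # lawfully public elements


def has_qualifying_name(rec: ExposedRecord) -> bool:
    """Last name plus either a first name or a first initial."""
    return bool(rec.last_name) and bool(rec.first_name or rec.first_initial)


def qualifying_elements(rec: ExposedRecord) -> Set[str]:
    """Listed data elements present, minus any lawfully obtained from public records."""
    return (rec.fields & PERSONAL_DATA_ELEMENTS) - rec.public_source_fields


def is_reportable(rec: ExposedRecord) -> Tuple[bool, str]:
    """Apply the article's summary of the rule and return (decision, reason)."""
    if not has_qualifying_name(rec):
        return False, "no resident name (last name plus first name or initial)"
    elems = qualifying_elements(rec)
    if not elems:
        return False, "no listed data element alongside the name"
    if rec.encrypted and not rec.key_compromised:
        return False, "data encrypted and key not compromised"
    return True, "name combined with " + ", ".join(sorted(elems))


def triage(records: List[ExposedRecord]) -> Dict[str, object]:
    """Summarise a data set: which rows trigger notification and why."""
    decisions = {r.record_id: is_reportable(r) for r in records}
    reportable = sorted(rid for rid, (hit, _) in decisions.items() if hit)
    return {
        "residents_to_notify": len(reportable),
        "reportable": reportable,
        "reasons": {rid: why for rid, (_, why) in decisions.items()},
    }


# Constructed sample rows covering the edge cases the article calls out.
SAMPLE_RECORDS = [
    ExposedRecord("r1", "Doe", first_name="Jane", fields={"ssn", "email"}),
    ExposedRecord("r2", "Lee", first_initial="M", fields={"payment_card"},
                  encrypted=True),                        # encrypted, key safe
    ExposedRecord("r3", "Ng", first_name="Sam", fields={"payment_card"},
                  encrypted=True, key_compromised=True),  # encrypted, key leaked
    ExposedRecord("r4", "Cruz", first_name="Ana", fields={"diagnosis", "mrn"}),
    ExposedRecord("r5", "Park", fields={"ssn"}),          # last name only
    ExposedRecord("r6", "Ito", first_name="Ken", fields={"state_id"},
                  public_source_fields={"state_id"}),     # public-record exception
]

if __name__ == "__main__":
    summary = triage(SAMPLE_RECORDS)
    for rid, why in summary["reasons"].items():
        print(rid, why)
    print("residents to notify:", summary["residents_to_notify"])
```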

State public records law was updated in June last year, although the records have only just been made public. Consumer Affairs Undersecretary John Chapman issued a statement on January 3 explaining the move: “The Data Breach Notification Archive is a public record that the public and media have every right to view.” He went on to say, “Making it easily accessible by putting it online is not only in keeping with the guidelines suggested in the new Public Records law, but also with Governor Baker’s commitment to greater transparency throughout the Executive Office.”

The post Massachusetts Data Breach Notification Archive Now Available Online appeared first on HIPAA Journal.

Largest Healthcare Data Breaches of 2016

2016 was a particularly bad year for healthcare data breaches. While the number of records exposed was nowhere near the level of 2015 – 15,936,849 records compared to 113,267,174 in 2015 – more covered entities reported breaches than in any other year since OCR started publishing breach summaries on its ‘Wall of Shame’ in 2009. 2016 ranks as the second worst year in terms of the number of patient and health plan members’ records exposed in a single year.

As 2017 begins, there have been 313 reported breaches of more than 500 records that have been uploaded to the OCR breach portal.

2016 Healthcare Data Breaches of 500 or More Records

Year     Number of Breaches     Number of Records Exposed
2016     313                    15,936,849
2015     270                    113,267,174
2014     307                    12,737,973
2013     274                    6,950,118
2012     209                    2,808,042
2011     196                    13,150,298
2010     198                    5,534,276
2009     18                     134,773
Total    1,785                  170,519,503

While the above figures appear to suggest a significant reduction in large healthcare data breaches year on year, the figures are somewhat misleading.

In 2015 there were three massive data breaches reported by covered entities: Anthem Inc., Premera Blue Cross, and Excellus Health Plan. Those three cyberattacks resulted in the theft of 78.8 million, 11 million, and 10 million records respectively.

More records may have been exposed in 2015 as a result of those major cyberattacks, although in each size category, 2016 ranked worse than 2015. Many healthcare organizations will be happy to put 2016 behind them.

2016 Healthcare Data Breaches by Size of Breach

Year    500 to 1,000 Records    1,000 to 10,000 Records    10,000 to 100,000 Records    100,001+ Records
2016    13                      62                         151                          86
2015    12                      37                         142                          76

Aside from one major breach at a business associate, all of the largest healthcare data breaches of 2016 – those that resulted in the exposure or theft of more than 100,000 healthcare records – affected healthcare providers. The largest data breach experienced by a health plan was the 91,187-record breach reported by Washington State Health Care Authority in September.

Largest Healthcare Data Breaches of 2016

Rank    Covered Entity                                                  Entity Type            Cause of Breach                   Records Exposed
1       Banner Health                                                   Healthcare Provider    Hacking/IT Incident               3,620,000
2       Newkirk Products, Inc.                                          Business Associate     Hacking/IT Incident               3,466,120
3       21st Century Oncology                                           Healthcare Provider    Hacking/IT Incident               2,213,597
4       Valley Anesthesiology Consultants                               Healthcare Provider    Hacking/IT Incident               882,590
5       County of Los Angeles Departments of Health and Mental Health   Healthcare Provider    Hacking/IT Incident               749,017
6       Bon Secours Health System Incorporated                          Healthcare Provider    Unauthorized Access/Disclosure    651,971
7       Peachtree Orthopaedic Clinic                                    Healthcare Provider    Hacking/IT Incident               531,000
8       Radiology Regional Center, PA                                   Healthcare Provider    Loss                              483,063
9       California Correctional Health Care Services                    Healthcare Provider    Theft                             400,000
10      Central Ohio Urology Group, Inc.                                Healthcare Provider    Hacking/IT Incident               300,000
11      Premier Healthcare, LLC                                         Healthcare Provider    Theft                             205,748
12      Athens Orthopedic Clinic, P.A.                                  Healthcare Provider    Unauthorized Access/Disclosure    201,000
13      Community Mercy Health Partners                                 Healthcare Provider    Improper Disposal                 113,528

Main Causes of Healthcare Data Breaches in 2016

Insider breaches continue to plague the healthcare industry in the United States. As in 2015, the main cause of healthcare data breaches in 2016 was unauthorized access/disclosure. Hacking incidents on the scale of those at Anthem, Premera, and Excellus were not repeated in 2016, but 2016 saw a major increase in healthcare hacks.

The loss and theft of unencrypted devices used to store PHI fell considerably year on year, although the use of data encryption technology could have prevented all 76 of those data breaches and the exposure of 1,459,816 healthcare records.

Main Cause of Breach              2016    2015
Unauthorized Access/Disclosure    127     102
Hacking/IT Incident               102     57
Theft                             60      81
Loss                              16      23
Improper Disposal                 7       6

2016 Healthcare Data Breaches by Covered Entity

Healthcare data breaches in 2016 followed a similar pattern to 2015, with healthcare providers the main entities breached, although the percentage of breaches affecting health plans was significantly lower in 2015. Data breaches at business associates remained at the same level year on year.

Breached Entity        2016    2015
Healthcare Provider    247     196
Health Plan            46      62
Business Associate     19      19

Data Source: Department of Health and Human Services’ Office for Civil Rights

The post Largest Healthcare Data Breaches of 2016 appeared first on HIPAA Journal.

TigerText Announces Record-Breaking Year for Growth

TigerText, the nation’s leading secure healthcare messaging platform provider, has announced it has recorded another record-breaking year for growth, signing up over 300 healthcare organizations in 2016.

The company now boasts more than 3,000 healthcare customers in the United States, including five of the top ten largest health systems in the country. More than 10 million secure messages are now being sent via the TigerText platform every day and the platform is used in over 5,000 healthcare facilities in the United States.

TigerText was originally developed as a standalone messaging platform, yet over the course of the past 6 years it has evolved into a comprehensive clinical communications platform. The platform has been tailored to meet the exacting needs of healthcare organizations, including the strict privacy and security controls required by the Health Insurance Portability and Accountability Act (HIPAA).

This year has seen two major new developments. Earlier this year, the TigerText platform achieved the prestigious HITRUST certification, and in October the company launched a new healthcare workflow solution – TigerFlow.

TigerFlow incorporates a range of healthcare-specific features that allow healthcare organizations of all sizes to optimize and enhance communications workflows. As Brad Brooks, co-founder and CEO of TigerText, explained “TigerFlow is the first clinical communication platform built to be the central hub for care teams, thus truly enabling the last mile of care.” Brooks went on to explain that “Optimizing communication at the point of care frees physicians and nurses to do what they love – take care of patients.” The introduction of TigerFlow is seen as the biggest event in the company’s history since its 2010 launch.

The healthcare industry faces unique communications challenges and has historically struggled with integrating new technology. The pager has proved to be an invaluable and reliable tool for the healthcare industry for more than 60 years, yet many healthcare organizations have now accepted that the time has come for a modern replacement to be introduced. The launch of TigerFlow has spurred many healthcare organizations to finally make the transition to a new, and more efficient communication system.

The communications system incorporates a wide range of features to improve productivity, patient outcomes, provider satisfaction, and profitability. As Brooks explained, “The TigerFlow solution specifically improves collaboration and clinical communications by addressing and solving health systems’ concerns around integrating technology.” In addition to the messaging platform, healthcare providers benefit from enhanced data integration capabilities, end-to-end workflow consultation services, and on-demand data analytics.

The cost savings that can be generated are considerable. Brooks believes the potential savings could be in excess of $100 billion across the healthcare industry as a whole. One of the company’s large healthcare clients has generated over $6 million in cost savings in 2016 alone, while another reported savings of more than $200,000 in just 8 weeks after implementing the TigerText platform.

The past few months have also seen the company bring in new talent with a wealth of healthcare experience to further accelerate growth in the healthcare industry. Kirk Paul Kirkman has been recruited to serve as President of the TigerText Client Organization while Kelli Castellano has been appointed Chief Marketing Officer. Both new hires have extensive experience in the healthcare industry and are highly focused on improving physician and nurse satisfaction and helping providers improve patient outcomes.

The post TigerText Announces Record-Breaking Year for Growth appeared first on HIPAA Journal.

108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted

It has taken some time for the County of Los Angeles to announce it was the victim of a major phishing attack, especially considering the attack was discovered within 24 hours of the May 2016 breach. However, notification had to be delayed so as not to interfere with an “extensive” criminal investigation.

The investigation into the phishing attack was conducted by county district attorney Jackie Lacey’s cyber investigation response team. In many cases, cybercriminals are able to effectively mask their identities and it is relatively rare for the individuals responsible for phishing attacks to be identified. Bringing individuals to justice is harder still. All too often the perpetrators are based overseas.

In this case, the investigation has resulted in the identification of a suspect: Austin Kelvin Onaghinor, 37, of Nigeria. On December 15, 2016, a criminal arrest warrant for Onaghinor was issued. Onaghinor faces nine charges related to the phishing attack, including theft and misuse of L.A. County confidential information, unauthorized computer access, and identity theft.

At the time of writing, Onaghinor has yet to be arrested and his whereabouts are unknown. He is considered to be a fugitive from the law, and Lacey said “My office will work aggressively to bring this criminal hacker and others to Los Angeles County where they will be prosecuted to the fullest extent of the law.”

The phishing attack occurred on May 13, 2016. A large number of expertly crafted phishing emails were sent to Los Angeles County employees. The emails appeared to be legitimate; however, responding to the emails resulted in employees disclosing their usernames and passwords to the attacker. In total, 108 L.A. County employees responded, and by doing so, compromised their email accounts.

The email accounts contained a wide range of sensitive data including financial and health information. Investigators were required to individually check each email in the 108 compromised accounts to determine which individuals had been impacted and what information had been exposed.

The extensive investigation determined that 756,000 individuals had been impacted by the breach. Those individuals had previously had contact via email with the following Los Angeles County departments: Assessor, Chief Executive Office, Children and Family Services, Child Support Services, Health Services, Human Resources, Internal Services, Mental Health, Probation, Public Health, Public Library, Public Social Services and Public Works.

According to the breach notice recently uploaded to the Department of Health and Human Services’ Office for Civil Rights breach portal, 749,017 patients of the County of Los Angeles Departments of Health and Mental Health were impacted.

The information contained in the email accounts included full names, home addresses, phone numbers, birth dates, Social Security numbers, state ID numbers, driver’s license numbers, Medi-Cal and insurance carrier IDs, medical record numbers, payment card numbers, bank account information, and medical information, including diagnoses and treatment information.

While the information was potentially accessed 7 months previously, Los Angeles County has uncovered no evidence to suggest that any information has been misused. As a precaution against identity theft and fraud, all individuals impacted by the breach have been offered a year of credit monitoring, identity consultation, and identity restoration services without charge.

Phishing emails are regularly sent to government employees and many make it past spam filters to employees’ inboxes. However, for the emails to result in the disclosure of 108 email account credentials is concerning.

Preventing employees from responding to phishing emails is a challenge, but a successful attack of this scale suggests a spectacular failure of systems and training, although the attack was detected the following day and L.A. County “immediately implemented strict security measures” to reduce the impact of the breach.

Phishing emails are a difficult threat to mitigate, although there are proven technologies and tactics that can be employed to reduce risk and at least limit the harm caused. Anti-phishing training has been demonstrated to greatly improve employees’ phishing email identification skills, in particular when anti-phishing exercises are conducted.

A study of 40 million phishing simulation emails by PhishMe (between January 2015 and July 2016) showed that susceptibility to phishing attacks falls to around 20% after just one failed phishing email simulation, while the implementation of a reporting tool can dramatically reduce the time to detect phishing threats. The sooner the threat is detected, the easier it is to alert employees and mitigate risk.

Solutions such as advanced spam filters can reduce the volume of phishing emails that are delivered to end users, while web filtering gateways can block users’ attempts to respond to phishing emails. Preventing end users from visiting websites based in foreign countries can reduce risk, although foreign-based phishers often host their phishing sites in the United States.

Along with next generation firewalls and intrusion detection systems, it is possible to mount a reasonable defense against phishing attacks and reduce the damage caused when those attacks succeed.

The attack should serve as a reminder of how serious the threat of phishing is, and how important it is for organizations – government and private sector – to enhance the controls they have in place to mitigate the threat.

The post 108 L.A. County Employees Fall for Phishing Attack: 756,000 Impacted appeared first on HIPAA Journal.

Regular PHI Access Log Audits Can Prevent Major PHI Breaches

Infirmary Health has announced that an employee has been fired after being discovered to have accessed the health records of approximately 1,000 patients without authorization. The individual was required to access patients’ protected health information (PHI) for legitimate work reasons, yet data access rights were abused.

The employee worked in the Atmore Community Hospital, a 49-bed facility serving patients in Escambia and Monroe counties in Alabama. A routine audit of PHI access logs on November 18, 2016 revealed that the individual first started inappropriately accessing patient records on October 3, 2015. Records continued to be inappropriately accessed until November 11, 2016.

According to a press release issued by Infirmary Health, the information accessed was limited to patient names, admission dates and flowsheets. It is unclear why the information was accessed, although it is not believed that any data have been disclosed to any other individual nor copied and removed from the hospital. PHI appears to have been accessed purely out of curiosity.

In accordance with Health Insurance Portability and Accountability Act (HIPAA) Rules, the employee was authorized to view the minimum necessary information to conduct work duties and had received extensive training and specific instructions not to access the PHI of patients for non-work related reasons.

As a result of the discovery, the employee was placed on leave until the matter was investigated, and was later fired for breaching hospital policies and HIPAA Rules.

Infirmary Health has informed affected patients by mail and advised them to monitor their personal financial activity as a precaution, although the risk of any information being used inappropriately is believed to be very low.

Tackling the Problem of Unauthorized PHI Access by Employees

Training must be provided to healthcare employees on HIPAA Rules covering patient privacy, the circumstances under which PHI can be accessed, and the penalties for improper access.

Healthcare organizations should be aware that even with extensive training, unauthorized PHI access is likely to occur. In this case, patient privacy has been violated but no financial harm is believed to have been caused. However, as we have seen on numerous occasions this year, that is not always the case. All too often PHI is stolen and used for identity theft and fraud.

Hospitals and medical centers are required to conduct regular audits of PHI access logs, but all too often those audits occur far too infrequently. Annual checks could potentially allow rogue employees to view vast numbers of patient records before the privacy violations are discovered. During that time, hundreds of patients could suffer financial harm.

Only by regularly conducting audits of PHI access logs can healthcare organizations limit the harm caused to patients and nip the problem in the bud. Regular audits will also send a strong message to healthcare employees that inappropriate PHI access will be rapidly identified and swift action taken against the individuals concerned.
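To illustrate the audit argument above, here is a small Python access-log audit written for this page (it is not Infirmary Health's or any vendor's tooling). Over a constructed sample log it flags users who touch far more distinct patient records than the median user and reports how many days such access would go unnoticed under a given audit schedule; the log format, user names and the 3x-median threshold are assumptions.

```python
# Added example (not Infirmary Health's tooling): flag users who view far more
# distinct patient records than peers, and time detection against an audit schedule.
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample log, one CSV line per access: date,user,patient_id,action.
# Three clinicians each view a few patients; "clerk_x" opens a new chart every day.
_lines = [
    "2015-10-01,nurse_a,P1001,view_flowsheet",
    "2015-10-01,nurse_a,P1002,view_flowsheet",
    "2015-10-02,nurse_b,P1001,view_admission",
    "2015-10-03,doc_c,P1003,view_flowsheet",
    "2015-10-04,doc_c,P1004,view_flowsheet",
] + [f"2015-{10 + i // 30}-{i % 30 + 1:02d},clerk_x,P{2000 + i},view_flowsheet"
     for i in range(40)]
SAMPLE_LOG = "\n".join(_lines)

def parse_log(text):
    """Parse CSV log lines into (date, user, patient_id, action) tuples."""
    events = []
    for line in text.splitlines():
        day, user, patient, action = line.strip().split(",")
        events.append((date.fromisoformat(day), user, patient, action))
    return events

def distinct_patients(events):
    """Map each user to the number of distinct patient records they touched."""
    seen = defaultdict(set)
    for _, user, patient, _ in events:
        seen[user].add(patient)
    return {u: len(p) for u, p in seen.items()}

def flag_outliers(events, factor=3.0):
    """Users whose distinct-patient count exceeds `factor` times the median user's."""
    counts = distinct_patients(events)
    threshold = factor * median(counts.values()) if counts else 0
    return sorted(u for u, c in counts.items() if c > threshold)

def first_audit_detecting(log_text, user, audit_dates_iso, factor=3.0):
    """First scheduled audit (reviewing only events up to that date) that flags
    `user`, as (audit_date_iso, days_since_first_access); None if never flagged."""
    events = parse_log(log_text)
    firsts = [d for d, u, _, _ in events if u == user]
    if not firsts:
        return None
    for iso in sorted(audit_dates_iso):
        audit_day = date.fromisoformat(iso)
        visible = [e for e in events if e[0] <= audit_day]
        if user in flag_outliers(visible, factor):
            return iso, (audit_day - min(firsts)).days
    return None
```

With a single annual audit the sample rogue user is caught only after 414 days, whereas a monthly schedule catches the same pattern at the first month-end review.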

The post Regular PHI Access Log Audits Can Prevent Major PHI Breaches appeared first on HIPAA Journal.