Latest HIPAA News

Alaska Department of Health and Social Services Revises 2018 Breach Victim Total from 501 to 500K-700K

A laptop computer malware infection discovered by the Alaska Department of Health and Social Services (ADHSS) in April 2018 was initially thought to have potentially allowed hackers to gain access to the electronic protected health information (ePHI) of 501 individuals; however, the breach has been determined to be far more extensive than was initially thought.

On January 22, 2019, state officials said the malware potentially allowed the attackers to access and obtain the ePHI of between 500,000 and 700,000 individuals and that notification letters had started to be sent to the additional breach victims. So far, letters have been sent to 87,000 individuals.

The malware used in the attack was a variant of the Zeus/Zbot Trojan, an information stealer. The individuals whose ePHI was potentially obtained by the hackers had interacted at some point with the Department of Public Assistance (DPA) through the DPA Northern regional offices.

Last year, ADHSS said the laptop had accessed sites in Russia, had unauthorized software installed, and showed other suspicious behavior that strongly indicated a malware infection. ADHSS was able to identify the virus and remove it, although the malware gave the attackers access to the laptop between April 26 and April 30, 2018.

The malware was determined to have been inadvertently installed by an employee as a result of opening an email attachment. According to Shawnda O’Brien, director of the state’s Division of Public Assistance, the email appeared to be legitimate and sent from an applicant requesting assistance.

O’Brien explained that by the time the Trojan was identified and removed, it had gotten through several layers of security and the attackers had gained full access to the laptop’s hard drive. The malware was not initially detected by anti-virus software because it was a day-one attack, conducted before the AV software had been updated with the Trojan’s signature.

The attack was investigated by ADHSS and the breach was reported to the Department of Health and Human Services’ Office for Civil Rights on June 28, 2018, although the investigation into the breach continued.

Due to the volume of data involved, assistance was sought from the FBI. The FBI’s analysis was extensive and took several months to complete. ADHSS has only recently received a list of the individuals whose PHI was stored on the laptop. The FBI investigation is continuing.

The laptop contained documents that included first and last names, dates of birth, phone numbers, Medicaid/Medicare billing codes, criminal justice information, health billing information, Social Security numbers, driver’s license numbers, pregnancy status, incarceration status, and other confidential information.

O’Brien said to KTVA, “We don’t have any reason to believe their information was compromised, but because their information could have been compromised, we had to let them know.”

While the virus made contact with sites in Russia, it could not be established whether the hackers were based in Russia or who was behind the attack.

Malicious emails can be highly convincing and can easily fool employees; however, this is not the only malware attack to have been experienced by ADHSS. Malware was discovered on two desktop computers in 2017. That breach was also reported to have affected 501 individuals. In 2009, a laptop computer containing ePHI was stolen. That breach was also reported to have affected 501 individuals.

The 2009 breach was investigated by OCR, which uncovered multiple HIPAA violations. The case was settled in 2012 and a financial penalty of $1.7 million was paid to OCR. The HIPAA violations included the failure to conduct a comprehensive risk analysis to identify vulnerabilities that could be exploited to gain access to PHI, insufficient device and media controls, and a lack of staff training on data security.

The post Alaska Department of Health and Social Services Revises 2018 Breach Victim Total from 501 to 500K-700K appeared first on HIPAA Journal.

New Report Reveals Spiraling Cost of Cyberattacks

A new report from Radware has provided insights into the threat landscape in 2018 and the spiraling cost of cyberattacks. The report shows there was a 52% increase in the cost of cyberattacks on businesses since 2017.

For the report, Radware surveyed 790 managers, network engineers, security engineers, CIOs, CISOs, and other professionals in organizations around the globe. Respondents to the survey were asked about the issues they have faced preparing for and mitigating cyberattacks and the estimated cost of those attacks.

The 2018 Threat Landscape

93% of surveyed firms said they had experienced a cyberattack in the past 12 months. The biggest threat globally was ransomware and other extortion-based attacks, which accounted for 51% of all attacks. In 2017, 60% of cyberattacks involved ransoms. The reduction has been attributed to cybercriminals switching from ransomware to cryptocurrency mining malware.

Political attacks and hacktivism accounted for 31% of attacks, down from 34% in 2017. The motive behind 31% of attacks was unknown, which demonstrates that attackers are now more purposeful about hiding their motives. 27% of attacks were insider threats, 26% were attacks by competitors, 19% were attributed to cyberwar, and 18% were conducted by angry users. The primary aim of the attacks was service disruption (45%), data theft (35%), and espionage (3%). 16% of attacks had another aim or the purpose had not been established.

One in five businesses reported being attacked daily, a 62% increase year over year. 13% reported weekly attacks, 13% monthly attacks, and 27% experienced one or two attacks in the past year. 19% were unsure how many times they had been attacked.

Healthcare was the second most attacked industry behind the government sector. 39% of healthcare organizations reported having to fend off daily or weekly cyberattacks by hackers. Only 6% of healthcare organizations claimed they had not been attacked in the past year.

The biggest threats were malware and bots (reported by 76% of organizations), social engineering attacks such as phishing (65%), DDoS attacks (53%), web application attacks (42%), ransom threats (38%), and cryptocurrency miners (20%).

Respondents from healthcare organizations felt they were best prepared for phishing and other social engineering attacks (58%), malware, bots and DDoS attacks (55%), and web application attacks (52%). Only 39% felt they were well prepared to deal with ransomware attacks and advanced persistent threats.

The Rising Cost of Cyberattacks

The Radware study asked respondents about the business cost of a successful cyberattack. According to the report, the cost more than doubled compared to last year and is now $1.1 million. Respondents that had a formalized calculation to determine the financial impact of a cyberattack reported the cost to be $1.7 million, compared to $880,000 for those with no formal calculation.

For SMBs with fewer than 1,000 employees, the average cost of a cyberattack was estimated to be $450,000. That rose to $1.1 million for enterprises with between 1,000 and 10,000 employees, and $2.1 million for large corporations with more than 10,000 employees.

The average cost of a successful cyberattack on a healthcare organization was determined to be $1.43 million. Fortunately, most healthcare organizations (82%) had a breach response plan in place, which can limit the cost of a cyberattack.

The True Cost of a Cyberattack

The cost of a cyberattack is likely to be significantly higher than the estimates. Radware notes that the estimates do not factor in direct costs such as extended labor, investigations, and the development of software patches, indirect costs such as the hiring of technical consultants, legal expenses, and stock price drops, and costs associated with the prevention of future cyberattacks.

Other costs that are difficult to calculate are lost revenue, brand reputation damage, and loss of customers, all real possibilities after a data breach. Radware notes that following a successful cyberattack, 43% of respondents said there had been a negative customer experience, 37% suffered brand reputation damage, and 23% reported a loss of customers.

“The cost of cyberattacks is simply too great to not succeed in mitigating every threat, every time,” explained Radware. “Customer trust is obliterated in moments, and the impact is significant on brand reputation and costs to win back business.”


December 2018 Healthcare Data Breach Report

November was a particularly bad month for healthcare data breaches, so it is no surprise that there was an improvement in December. November was the worst month of the year in terms of the number of healthcare records exposed (3,230,063) and the second worst for breaches (34). December was the second-best month for healthcare data breaches with 23 incidents reported, only one more than January.

2018 Healthcare Data Breaches

In total, 516,370 records were exposed, impermissibly disclosed, or stolen in breaches reported in December, a considerable improvement on November. Were it not for the late reporting of the Adams County breach, December would have been the best month of the year to date in terms of the records exposed. The Adams County breach occurred in March 2018 and was confirmed on June 29, yet the report to OCR was delayed until December 11.

2018 Healthcare Data Breaches - Records Exposed

Largest Healthcare Data Breaches in December 2018

| Rank | Name of Covered Entity | Covered Entity Type | Individuals Affected | Type of Breach |
|---|---|---|---|---|
| 1 | Adams County | Healthcare Provider | 258,120 | Unauthorized Access/Disclosure |
| 2 | JAND Inc. d/b/a Warby Parker | Healthcare Provider | 177,890 | Hacking/IT Incident |
| 3 | University of Vermont Health Network – Elizabethtown Community Hospital | Healthcare Provider | 32,470 | Hacking/IT Incident |
| 4 | The Podiatric Offices of Bobby Yee | Healthcare Provider | 24,000 | Hacking/IT Incident |
| 5 | Choice Rehabilitation | Business Associate | 4,309 | Hacking/IT Incident |
| 6 | Virtual Radiologic Professionals, LLC | Healthcare Provider | 2,568 | Hacking/IT Incident |
| 7 | Kent County Community Mental Health Authority | Healthcare Provider | 2,284 | Hacking/IT Incident |
| 8 | Butler County Board of County Commissioners | Health Plan | 1,912 | Unauthorized Access/Disclosure |
| 9 | Barnes-Jewish Hospital | Healthcare Provider | 1,643 | Hacking/IT Incident |
| 10 | Tift Regional Medical Center | Healthcare Provider | 1,045 | Hacking/IT Incident |

Causes of December 2018 Healthcare Data Breaches

The healthcare industry experiences more insider breaches than other industry sectors, although in December, hacking/IT incidents outnumbered unauthorized access/disclosure incidents by almost two to one. Eight of the top ten data breaches for the month were hacks, ransomware attacks, and other IT incidents.

While unauthorized access/disclosure incidents usually impact fewer individuals than hacking breaches, that was not the case in December. The largest breach of the month was the unauthorized accessing of a network server by a former employee of Adams County, WI.

In total, 264,049 healthcare records were exposed in the 7 unauthorized access/disclosure incidents reported in December. The mean breach size was 37,721 records and the median breach size was 911 records.

250,404 healthcare records were exposed in the 13 hacking/IT incidents. The mean breach size was 19,261 records and the median breach size was 1,643 records.

There were two theft incidents reported in December and one case of improper disposal of paper records. No lost devices were reported.


Location of Breached Protected Health Information

Phishing attacks continue to plague healthcare organizations and December was no exception. The largest phishing incident reported in December affected 32,470 patients of Elizabethtown Community Hospital. The PHI was contained in a single email account.

Three email accounts were compromised at Kent County Community Mental Health Authority, although they only contained the PHI of 2,200 individuals.

The most common location of breached PHI in December was email, although network server breaches were more severe. The two largest December 2018 healthcare data breaches were network server incidents which impacted 436,010 individuals – 84.43% of the total number of breached records in December.


Data Breaches by Covered-Entity Type

Health plans made it through November without reporting any data breaches, although they didn’t fare so well in December. 6 health plan data breaches were announced in December; however, all were relatively small, with only the breach at Butler County Board of County Commissioners impacting more than 1,000 plan members (1,912).

One data breach was reported by a business associate of a HIPAA-covered entity, although a further three breaches had some business associate involvement. The remaining 16 breaches were reported by healthcare providers.


Healthcare Data Breaches by State

In December 2018, healthcare organizations in 13 states reported PHI breaches. Minnesota was the worst affected state with a total of four breaches followed by Arizona with three. There were two breaches reported by healthcare organizations based in each of California, Missouri, New York, Ohio, and Wisconsin, and a single breach was experienced in each of Georgia, Illinois, Kentucky, Massachusetts, Michigan, and Pennsylvania.

HIPAA Fines and Settlements in December 2018

The Department of Health and Human Services’ Office for Civil Rights (OCR) agreed to two settlements with HIPAA-covered entities in December to resolve violations of HIPAA Rules. OCR finished the year on ten fines and settlements, the same number as in 2017.

Advanced Care Hospitalists, a Florida contractor physicians’ group, was investigated by OCR following the submission of a breach report in April 2014. The report stated the PHI of 400 patients had been subject to unauthorized access, although the number of individuals affected was subsequently increased to 8,855 patients.

OCR confirmed there had been a preventable impermissible disclosure of PHI, and found that a business associate had been engaged without first entering into a business associate agreement. Additionally, insufficient security measures had been implemented and there had been no effort to comply with HIPAA Rules prior to April 1, 2014. Advanced Care Hospitalists and OCR settled the HIPAA violation case for $500,000.

On June 7, 2013, OCR received a complaint about Pagosa Springs Medical Center, a critical access hospital in Colorado, which had failed to terminate access to a web-based scheduling calendar after an employee’s contract had been terminated. The OCR investigation confirmed the former employee accessed the calendar on two occasions after leaving employment.

The failure to terminate employee access and the lack of a business associate agreement with Google covering Google Calendar resulted in a financial penalty of $111,400 for Pagosa Springs Medical Center.

There were two financial penalties issued by state Attorneys General in December to resolve violations of HIPAA Rules.

The Massachusetts Attorney General fined McLean Hospital $75,000 over a breach of 1,500 patients’ PHI. The information was stored on backup tapes that had been taken offsite by an employee. When the employee was terminated, McLean Hospital was unable to recover two of the backup tapes.

The New Jersey Attorney General issued a financial penalty of $100,000 to EmblemHealth over an impermissible disclosure of PHI. In 2016, an EmblemHealth mailing had Social Security numbers printed on the outside of envelopes. This was the second fine for EmblemHealth in relation to the breach. The New York Attorney General had previously settled its case with EmblemHealth for $575,000 earlier in the year.



Revised Common Rule Now Effective

The updated Federal Policy for the Protection of Human Subjects (45 CFR part 46), otherwise known as the Common Rule, is now in effect. The compliance date of the revised Common Rule was January 21, 2019.

The Common Rule governs federally funded research on human subjects and was introduced in 1991. The Common Rule was amended in 2015 and underwent a major revision in 2017 to improve protections for research subjects while easing the administrative burden on researchers, especially for low-risk research.

The compliance date of the revised Common Rule was initially January 19, 2018; however, two days before the compliance date, an interim final rule was published which delayed the compliance date initially for six months, and subsequently for another six months.

Regulated entities were required to comply with the pre-2018 version of the Common Rule until January 20, 2019, with the exception of three provisions of the revised Common Rule which aimed to reduce the administrative burden on researchers.

Those three provisions, which could be adopted between July 2019 and January 20, 2019, were:

  • A change to the definition of research, which exempted certain research activities such as public surveillance activities to monitor the spread of disease, journalistic activities, and criminal investigations.
  • Eliminating the requirement for continuing reviews of certain categories of research that are considered low-risk.
  • Eliminating the requirement that institutional review boards (IRBs) review grant applications or other funding proposals related to the research.

Now that the compliance date has arrived, regulated entities that receive federal funding for research need to work quickly to implement all of the changes to the Common Rule, including the above three provisions if they have not already been adopted.

Notable changes in the revised Common Rule are detailed below:

Consent Forms

Consent forms can be long and complex, but the changes to the Common Rule will make it easier for voluntary research subjects to find the information they need.

Consent forms need to include a concise explanation at the start of the document in which all of the key information about the study is clearly explained, including the purpose of the study, the risks and benefits, and appropriate alternative treatments that may be beneficial to the research subject.

Future uses of research data must also be specified and a statement must also be included on the consent form which explains if and when the results of the study will be made available to the research subject.

A statement will need to be included, if applicable, explaining that biospecimens may be used for commercial profit and whether the research subject will receive a share of that profit.

IRBs do not need to obtain informed consent in cases of obtaining information or biospecimens for screening, recruiting, or determining eligibility of prospective subjects, under certain circumstances.

Clinical trials that are conducted or supported by a Federal department or agency require an approved consent form, which must be posted online or made available on a federal website that serves as a depository for consent forms.

Broad Consent

The final rule allows for the optional use of broad consent for the storage and secondary use of identifiable private information and biospecimens in lieu of obtaining study-specific informed consent.

Study Reviews by Single IRB

One notable change for federally funded studies that require IRB approval is the requirement to have a single IRB oversee research studies that are conducted at multiple sites. Compliance with this aspect of the revised Common Rule is not mandatory until January 21, 2020.


State AG Proposes Tougher Data Breach Notification Laws in North Carolina

Following an increase in data breaches affecting North Carolina residents in 2017, state Attorney General Josh Stein and state representative Jason Saine introduced a bill to update data breach notification laws in North Carolina and increase protections for state residents.

The bill, Act to Strengthen Identity Theft Protections, was introduced in January 2018 and proposed changes to state laws that would have made North Carolina breach notification laws some of the toughest in the country. The January 2018 version of the bill proposed an expansion of the definition of a breach, changes to the definition of personal information, and a maximum of 15 days from the discovery of a breach to issue notifications to breach victims.

Attorney General Stein and Rep. Saine unveiled a revised version of the bill on January 17, 2019. While some of the proposed updates have been scaled back, new requirements have also been introduced to increase protections for state residents.

The updated bill coincides with the release of the state’s annual security breach report for 2018. The report shows there were 1,057 data breaches affecting state residents in 2018. Those breaches impacted 1.9 million state residents. While there was a 63% decrease in individuals affected by data breaches from 2017, the number of breaches increased 3.4% year over year.

The proposed update to the definition of a data breach remains unchanged from the 2018 version of the bill and defines a breach as “Any incident of unauthorized access to or acquisition of someone’s personal information that may harm the person.” As such, the new definition broadens the definition to include ransomware attacks.

Ransomware is typically used only to extort money from victims. However, in recent months there has been a growing trend of combining ransomware with other malware variants such as information stealers, making data theft more likely. Regardless of the nature of the ransomware attack, the bill requires notifications to be issued to allow state residents to make an informed decision about the actions that need to be taken to reduce the risk of harm.

The bill also requires businesses that own or license personal information to implement and maintain reasonable security procedures and practices, which must be appropriate to the nature of information collected and maintained. Of note to HIPAA-covered entities, the definition of personal information has been expanded to include medical information, genetic information, and insurance account numbers.

The 2018 version of the bill called for breach notifications to be issued within 15 days of the discovery of a breach. The latest incarnation has seen the timescale for issuing notifications changed to within 30 days of discovery of a breach.

Any business that experiences a data breach that is found to have failed to implement appropriate security measures or fails to issue notifications within the 30-day deadline will be in violation of the Unfair and Deceptive Trade Practices Act, and could be issued with a civil monetary penalty.

If the legislation is passed, state residents will be allowed to place a credit freeze on their credit reports free of charge. Credit agencies will be required to put in place “A simple, one-stop shop for freezing and unfreezing credit reports across all major consumer reporting agencies, without the person having to take any additional action.”

Companies doing business in the state of North Carolina will be required to provide breach victims with two years of free credit monitoring services in the event of a breach of Social Security numbers, and four years of free credit monitoring services for breaches at credit agencies.

Any business that wants to access or use a person’s credit report or credit score will be required to obtain consent from the person in advance and must explain why access to the information is required. State residents will also be given the right to submit a request to a consumer reporting agency for a list of all information the agency maintains, including credit and non-credit related information, and a list of all entities to which that information has been disclosed.


Physician Receives Probation for Criminal HIPAA Violation

A physician who pleaded guilty to a criminal violation of HIPAA Rules has received 6 months’ probation rather than a jail term and fine for the wrongful disclosure of patients’ PHI to a pharmaceutical firm.

The case was prosecuted by the Department of Justice in Massachusetts in conjunction with a case against Massachusetts-based pharma firm Aegerion.

In September 2017, the Novelion Therapeutics subsidiary Aegerion agreed to plead guilty to misbranding the prescription drug Juxtapid. The case also included deferred prosecution related to criminal liability under HIPAA for causing false claims to be submitted to federal healthcare programs for the drug.

Aegerion admitted to conspiring to obtain the individually identifiable health information of patients without authorization for financial gain, in violation of 42 U.S.C. §§ 1320d-6(a) and 1320d-6(b)(3) and HIPAA Rules. Aegerion agreed to pay more than $35 million in fines to resolve criminal and civil liability.

The DOJ also charged a Georgia-based pediatric cardiologist with criminal violations of HIPAA Rules for allowing a sales representative of Aegerion to access the confidential health information of patients without first obtaining patient consent. The sales rep was allowed to view the information of patients who had not been diagnosed with a medical condition that could be treated with Juxtapid (lomitapide) in order to identify new potential candidates for the drug.

This is the second such criminal HIPAA violation case in Massachusetts in the past four months to result in probation rather than a jail term or fine. In September, Massachusetts gynecologist Rita Luthra was given 1 year of probation over payments received from a pharmaceutical firm (Warner Chilcott) for providing sales reps with access to the individually identifiable health information of patients for financial gain. While prosecutors were pushing for a fine and a jail term to act as a deterrent, Judge Mastroianni explained in his ruling, “Her loss of license and ability to practice is a substantial deterrent.”

While probation was received in both of these cases, a substantial fine, jail term, and loss of license are real possibilities for physicians found to have criminally violated HIPAA Rules. Both physicians could have received a fine of up to $50,000 for the violations and up to one year in jail.


New Massachusetts Data Breach Notification Law Enacted

A new Massachusetts data breach notification law has been enacted. The new legislation was signed into law by Massachusetts governor Charlie Baker on January 10, 2019 and will come into effect on April 11, 2019.

The new legislation updates existing Massachusetts data breach notification law and introduces new requirements for notifications.

Under Massachusetts law, a breach is defined as the unauthorized acquisition or use of sensitive personal information that carries a substantial risk of identity theft or fraud. Notifications must be issued if one or more of the following data elements are obtained by an unauthorized individual along with an individual’s first name and last name, or first initial and last name:

  • Social Security number
  • Driver’s license number
  • State-issued ID card number
  • Financial account number, or credit/debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account.

As with the previous law, there is no set timescale for issuing breach notifications. They must be issued “as soon as is practicable and without unreasonable delay,” after it has been established that a breach of personal information has occurred.

That said, one change to the timescale for issuing breach notifications is that individuals and companies that have experienced a data breach can no longer wait until the total number of individuals impacted by the breach has been determined. The legislation states “In such case, and where otherwise necessary to update or correct the information required, a person or agency shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.”

One notable update to Massachusetts data breach notification law is the requirement to offer breach victims complimentary credit monitoring services, as is the case in Connecticut and Delaware. The minimum term for complimentary credit monitoring services is 18 months or, in the case of a consumer reporting agency, a minimum of 42 months.

Notifications are required to be issued to all individuals impacted by the breach, the Office of Consumer Affairs and Business Regulation, and the Massachusetts Attorney General’s Office.

The Office of Consumer Affairs and Business Regulation and the Attorney General’s Office must be provided with a detailed description of the nature and circumstances of the breach, the number of Massachusetts residents affected, the steps that have been taken relative to the security breach, steps that will be taken in the future in response to the breach, and whether law enforcement is investigating the breach. If the breach has been experienced by a parent company or affiliated organization, the name of that company must be detailed in the notification.


OCR Seeks Permanent Deputy Director for Health Information Privacy

The U.S. Department of Health and Human Services’ Office for Civil Rights has advertised for a permanent Deputy Director for Health Information Privacy. The position was posted on USAJOBS on January 14, 2019.

The last permanent Deputy Director was Deven McGraw, who left OCR in October 2017 for the private sector. Iliana Peters, OCR’s Senior Advisor for Compliance and Enforcement, took on the role of acting Deputy Director for Health Information Privacy but also left the post for the private sector in February 2018. Timothy Noonan, the former regional manager for the HHS Office for Civil Rights in Atlanta, replaced Peters in February 2018.

The role involves leading OCR’s day-to-day HIPAA privacy and security program operations, development of privacy and security policies, administrative rulemaking, interpretation of current regulations, providing technical assistance to the department’s regional offices, and coordinating HIPAA Privacy and Security Rule compliance activities to ensure consistent application of policies across all regional offices.

The Deputy Director for Health Information Privacy is a key player in the development of departmental policies, legislative, and regulatory proposals, and special OCR initiatives to ensure health information is protected and remains private.

The role involves advising OCR Director Roger Severino and senior OCR officials on HIPAA policies and application of those policies. The successful applicant will be required to work closely with the OCR Director and assist with the planning, organization, and formulation of policies and procedures for OCR and health privacy and security policies across the HHS.

According to the posting, the Deputy Director represents the Director and OCR on health information privacy and security matters and coordinates work where problems and issues involve more than one component of the HHS. The Deputy Director is also required to maintain relationships concerning health information privacy and security issues at a number of senior management levels.

Applications are being accepted until February 5, 2019.

The post OCR Seeks Permanent Deputy Director for Health Information Privacy appeared first on HIPAA Journal.

10 Year Jail Term for Boston Children’s Hospital Hacker

The hacker behind a Distributed Denial of Service (DDoS) attack on Boston Children’s Hospital in 2014 has been handed a jail term of 10 years and must pay $443,000 in restitution.

Martin Gottesfeld, 34, of Somerville, MA, launched attacks on the Wayside Youth and Family Support Network in Framingham, MA, and on Boston Children’s Hospital in 2014 as a protest over the handling of a case of suspected child abuse.

In 2013, teenager Justina Pelletier was admitted to Boston Children’s Hospital after a physician at Tufts Medical Center recommended that she be transferred there so that she could see her longtime gastroenterologist. Justina had been treated for mitochondrial disease; however, Boston Children’s Hospital believed her condition was psychological rather than physical.

Justina’s parents tried to have their daughter transferred back to Tufts Medical Center, but the hospital believed that the parents’ actions and their interference in her care amounted to medical abuse. In the subsequent custody case, the parents lost custody of their daughter to the state of Massachusetts, and Justina spent the following 16 months in state custody.

Gottesfeld took issue with Justina’s treatment. Operating under the banner of the hacktivist collective Anonymous, he launched DDoS attacks on both facilities. The first, in March 2014, targeted the Wayside Youth and Family Support Network, where Justina was a resident after her discharge from hospital. In April 2014, Gottesfeld attacked Boston Children’s Hospital; that attack caused significant disruption to the hospital’s day-to-day operations over a period of two weeks.

According to the Department of Justice, “[Gottesfeld] unleashed a DDoS attack that directed so much hostile traffic at the Children’s Hospital computer network that he not only knocked Boston Children’s Hospital off the internet, but knocked several other hospitals in the Longwood Medical Area off the internet as well.”

Prosecutors said the attacks not only disrupted patient care at Boston Children’s Hospital but also hampered its research, disrupted communications with other healthcare facilities, and cost the hospital around $300,000 in lost donations while its fundraising portal was offline. The Wayside Youth and Family Support Network spent around $18,000 mitigating and responding to the attacks.

Gottesfeld was suspected of being behind the DDoS attacks, and in October 2014 the FBI executed a search warrant and seized his computer and hard drives. He was not charged at the time but, with charges pending, fled the country with his wife in February 2016. The pair got into trouble in a small boat off the coast of Cuba and sent out a distress signal. They were picked up by a passing Disney cruise ship, and Gottesfeld was arrested by the FBI when the ship made port in Miami.

In August 2018, a federal jury in Boston convicted Gottesfeld of conspiracy and of causing damage to protected computers, and he was recently sentenced there. Gottesfeld said he had no regrets over the attacks: “I wish I could have done more.”

Assistant U.S. Attorney David D’Addio argued that the attacks had put children’s lives at risk and that Gottesfeld was likely to carry out further attacks once released from prison. “It is terrifying to contemplate what he will do with the next cause he adopts,” said D’Addio.

U.S. District Judge Nathaniel Gorton said Gottesfeld’s crimes were “contemptible, invidious and loathsome,” and warranted a long custodial sentence.

Gottesfeld, who has been in custody since February 2016, is planning to appeal.

The post 10 Year Jail Term for Boston Children’s Hospital Hacker appeared first on HIPAA Journal.