Medical Records from Prospect Ransomware Attack Appear on Dark Web

Posted by Steve Alder

Medical records extracted during the recent Prospect Medical Holdings ransomware attack are being allegedly offered for sale on the dark web according to social media sources. The notification of the sale has been interpreted as a signal to Prospect Medical Holdings to quickly respond to the hackers’ ransom demands.

On August 3, the Prospect Medical Holdings health system was hit by a ransomware attack that crippled operations at the health system’s 17 hospitals and 166 outpatient clinics. At the time, the perpetrators of the attack were unknown. However, last week, a notice appeared on the Rhysida dark leak site, claiming responsibility for the attack.

The notice also announced an auction of data hacked in the attack – the data consisting of more than 500,000 Social Security Numbers, passports of clients and employees, drivers’ licenses, patient files (profiles and medical histories), financial and legal documents. In all, it is claimed, the sale consists of 1TB of unique files and a 1.3TB SQL database.

The notice was accompanied by several snapshots of the stolen data – some of which has been independently verified as genuine by comparing the snapshots to publicly available records – and a price tag of 50 Bitcoin ($1,298,340). The addition of the price tag has led some sources to comment that the notice is intended to accelerate a ransom payment.

It is not known at this time whether the sale will proceed or whether Prospect Medical Holdings will give in to the ransom demands. As of this past weekend, some services continue to be suspended and staff in some medical units are still having to rely on paper records. A spokesperson for Prospect Medical Holdings also issued the following statement:

“We have become aware that Prospect Medical data was taken by unauthorized actors, the nature of which is being actively examined. If the investigation determines that any protected health or personal information is involved, we will provide the appropriate notifications in accordance with applicable laws. Because our investigation is ongoing, we do not have additional information to share at this time. We are taking all appropriate measures to address this incident.”

The post Medical Records from Prospect Ransomware Attack Appear on Dark Web appeared first on HIPAA Journal.

Judge Questions Whether Website Metadata is Regulated by HIPAA

Posted by Steve Alder

The HHS’ Office for Civil Rights released guidance in 2022 on HIPAA and website tracking technologies and confirmed disclosures of protected health information to third parties via website tracking technologies is a HIPAA violation unless authorization has been received from patients or if there is a valid business associate agreement in place. OCR and the Federal Trade Commission also wrote to 130 healthcare and telehealth providers to warn them about tracking technologies on their websites and OCR has made HIPAA violations related to website tracking tools an enforcement priority.

However, OCR’s interpretation that metadata is regulated under the Health Insurance Portability and Accountability Act has been questioned by an Illinois court in a ruling on a class action lawsuit that was filed against a healthcare provider over the disclosure of patient data via website tracking technologies.

The lawsuit – Marguerite Kurowski and Brenda McClendon v. Rush System for Health d/b/a Rush University System for Health – was filed in District Court for the Northern District of Illinois, Eastern Division and alleged that third-party tracking code had been placed on the defendant’s website and MyChart patient portal which resulted in the plaintiffs’ individually identifiable health information (IIHI) being disclosed to Facebook, Google, and Bidtellect for advertising purposes.

The lawsuit was initially dismissed for the failure to state a claim aside from the request for injunctive relief, then an amended complaint was filed that asserted the same 5 claims plus a further 6. The lawsuit alleged violations of the federal Wiretap Act as amended by the Electronic Communications Privacy Act of 1986, breach of an implied duty of confidentiality, violations of the Illinois Consumer Fraud and Deceptive Business Practices Act, violations of the Illinois Uniform Deceptive Trade Practices Act, intrusion upon seclusion, publication of private facts, trespass to chattels, breach of contract, breach of the duty of good faith and fair dealing, unjust enrichment, and violations of the Illinois Eavesdropping Act.

Rush moved to have the amended lawsuit dismissed and the court granted the motion for all counts aside from the breach of contract and Illinois Eavesdropping Act claims. The lawsuit claimed that per OCR guidance, the disclosure of IIHI to Meta, Google, and Bidtellect was a HIPAA violation; however, in the ruling dismissing the wiretapping claim, the court rejected using the HHS bulletin as a basis for assessing liability under federal wiretapping laws and also questioned whether website metadata actually qualified as IIHI.

“The interpretation of IIHI offered by HHS in its guidance goes well beyond the meaning of what the statute can bear. As just described, IIHI under section 1320d(6) must, in addition to other requirements, “relate to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual,” wrote District Judge, Matthew F. Kennelly. “The type of metadata that Kurowski alleges was transmitted via third-party source code does not in the least bit fit into that category.”

While it is possible that information disclosed in private communications between the plaintiff and the defendant via the website may have been transmitted to third parties and the transmitted information may qualify as IIHI, the plaintiff contended that it was unreasonable to expect her to disclose that type of intimate information she transmitted to the defendant in her complaint. “Kurowski could have requested to file the complaint under seal,” wrote Kennelly. “Kurowski cannot reasonably expect to bring a lawsuit related to the invasion of her medical privacy and completely evade revealing what it is that she alleges Rush disclosed to third parties.”

The post Judge Questions Whether Website Metadata is Regulated by HIPAA appeared first on HIPAA Journal.

Joint Commission Issues Guidance on Ensuring Patient Safety After a Cyberattack

Posted by Steve Alder

The Joint Commission has issued a Sentinel Event Alert offering guidance on preserving patient safety following a cyberattack. Healthcare cyberattacks have been increasing in number and sophistication and it is no longer a case of if a healthcare organization will be attacked but when.

Cyberattacks can cause considerable disruption to healthcare operations and put patient care at risk so it is critical that healthcare organizations do all they can to prevent cyberattacks, such as decreasing the attack surface, updating software and patching promptly, providing phishing awareness training, and implementing a range of cybersecurity solutions. Healthcare organizations must also plan for the worst case scenario and must assume that their defenses will be breached. They must therefore have a tried and tested incident response plan that can be activated immediately in the event of a cyberattack.

When defenses are breached and unauthorized individuals have established a foothold in internal networks, a great deal of the recovery process will be handled by the IT department; however, all hospital staff members must be prepared to operate during such an emergency and must be included in the incident response planning process. A good starting point is the hazards vulnerability analysis (HVA), which is required by the Joint Commission. The HVA must cover human-related hazards, which include cyberattacks. The HVA helps hospitals identify and implement mitigation and preparedness actions to reduce the disruption of services and functions and ensure patient safety in the event of an attack. The Joint Commission also requires a continuity of operations plan, disaster recovery plan, emergency management education and training program, and these must be evaluated annually.

The Sentinel Event Alert provides recommendations on these processes specific to cyberattacks:

  • Evaluate HVA findings and prioritize hospital services that must remain operational and safe during extended downtime.
  • Form a downtime planning committee to develop preparedness actions and mitigations. The planning committee should include representation from all stakeholders.
  • Develop downtime plans, procedures, and resources and ensure they are regularly updated.
  • Designate response teams – An interdisciplinary team should be created that can be mobilized following a cyberattack.
  • Train team leaders, teams, and all staff on operating procedures during downtimes. Develop drills and exercises to ensure staff members are familiar with downtime resources.
  • Establish situational awareness with effective communication throughout the organization and with patients and families.
  • Following a cyberattack, regroup, evaluate, and make necessary improvements to the incident response plan and improve protections for systems to address the specific failures that allowed the attack to succeed.

“Cyberattacks cause a variety of care disruptions – leading to patient harm and severe financial repercussions,” said David W. Baker, MD, MPH, FACP, the Joint Commission’s executive vice president for healthcare quality evaluation and improvement. “Taking action now can help prepare healthcare organizations to deliver safe patient care in the event of future cyberattacks. The recommendations in the Sentinel Event Alert, as well as The Joint Commission’s related requirements on establishing and following a continuity of operations plan, disaster recovery plan and more, can help healthcare organizations successfully respond to a cyber emergency.”

The post Joint Commission Issues Guidance on Ensuring Patient Safety After a Cyberattack appeared first on HIPAA Journal.