Privacy in the medical profession is rightfully serious. Since the enactment of the HIPAA rules (Health Insurance Portability and Accountability Act of 1996), healthcare providers have taken added measures to ensure client information privacy or faced consequences if they do not.
HIPAA doesn’t specifically have to do with computerized data and personal information, and some decidedly lower-tech breaches have occurred. The US Department of Health and Human Services (HHS) has an office, the Office for Civil Rights that investigates the loss of privacy. Breaches that affect 500 or more individuals are required to be publicly posted, which can be found on their site.
Data breaches in the healthcare arena vary greatly. Someone looking over your shoulder while you fill out forms at the doctor’s office could be considered an individual incident of breach of data. A medical researcher’s laptop getting stolen from their car would be reported to the HHS, in addition to the police, and if the device contained more than 500 records, it would be listed for public notification on their site.
Another low-tech breach example is under investigation regarding Aetna sending client notifications with a large window in the envelope. The window was wide enough to reveal that the mailing was for clients receiving HIV/AIDS treatment. ArsTechnica reported the incident, as well as the added irony that the notification was related to another mailing, the pending lawsuit against Aetna for requiring HIV/AIDS patient to order medication by mail.
But beyond these low-tech breaches (yes, the theft of the laptop really occurred), we’ll take a look at some of the biggest cyber security breaches in the medical world, just so far this year.
What are They After?
Low or high-tech, what value is there in the data at your doctor’s office? To an economic or cyber criminal, a treasure trove! Examples include:
- Personal information – Identity information like phone number, address and family member names, that can be used for fraud purposes.
- Social security numbers – SSN’s that can be used for the multi-billion dollar tax-fraud
- Health information – Personal health information might be valuable on the dark web for a variety of reasons, such as blackmail or spearphishing campaigns.
- Payment information – Your credit card or other payment methods can be stolen, just like at a retailer.
Much of this information gets sold in bulk on the cyber black market. Some of it might be used, in conjunction with other data obtained, to target specific individuals (which is what occurs in a spearphishing campaign). Other forms of attack, like ransomware, just assume that the hijacked data has enough value to you or to the procedures of the facility/hospital, that you would want to pay for it, in order to get your own data back.
Looking from the assailant’s perspective, hospitals, doctor’s offices, and other kinds of healthcare environments are a gold mine.
Some of the Big Ones
Some of the largest cyber attacks this year impacted health care merely as additional collateral damage. The National Healthcare Service (NHS) experienced such an attack. The Guardian reported that “Patient records, appointment schedules, internal phone lines and emails were rendered inaccessible and connections between computers and medical equipment were brought down. Staff were forced to turn to pen and paper and to use their own mobile phones.”
But even though that ransomware attack, the WannaCry virus, affected tens of thousands of organizations around the globe, it didn’t actually have as large of an impact on healthcare as some of the biggest medical cyber security breaches this year. For that data, we’ll have to stay in the US, where many of the largest-scale losses have occurred in 2017.
1. Banner Health – Records Affected: 3,620,000
Sometime around June 17th, the Phoenix, Arizona-based healthcare system, Banner Health, experienced a cyber attack. On July 7th, the data breach was discovered. At first report, it was thought to have been a point-of-sale (POS) specific attack, targeting food and beverage purchases in locations throughout their system (which includes Alaska, Arizona, California, Colorado, Nebraska, Nevada, and Wyoming, in addition to their home state of Arizona).
But by July 13th researchers identified a wider-scale attack of their network, with access to at least one server. Banner released a statement on August 3rd, informing the public that compromised data may have included:
- Credit card information – Cardholder name, card number, expiration date, and external verification numbers.
- Healthcare information – Physicians’ names, dates of service, health insurance information, beneficiary information, and health plan info.
- Personal information – Names, birthdates, addresses, and social security numbers.
As has become standard jargon for companies with data breaches, Banner included in their statement that no evidence of fraud had yet surfaced and cards can still be used — one should just “remain vigilant” to charges on card statements, explanations of benefits for services they did not receive, or any other signs of a specific fraud — not necessarily comforting words, but true.
2. Commonwealth Health Corporation – Records Affected: 697,000
Right at the beginning of this year, on January 4th, Med-Center Health, a Kentucky-based subsidiary of Commonwealth Health Corporation, reported a security breach to the HHS Office of Civil Rights. They had discovered that an employee had obtained unauthorized access to patient records in 2014 and 2015.
In a statement, Med Center Health said that the employee allegedly obtained the information, “without any work-related reason to do so.” The stolen data included:
- Billing information – names, addresses, social security numbers, and insurance information.
- Medical information – diagnoses, procedure codes, and charges for medical services
But here’s an interesting twist: the data was encrypted, and under HIPAA reporting regulations, encrypted data breaches do not necessarily need to be reported. The employee in question, according to their sleuthing, “intended to use these records to assist in the development of a computer-based tool for an outside business interest which had never been disclosed to Med Center Health officials.”
So this one is a data breach, a leak of personal medical information (that may or may not have ever turned up for other purposes), but more along the lines of outright theft than a cyber security incident.
3. Airway Oxygen – Records Affected: 500,000
Sometimes, in looking at data breaches, the numbers are so consistently huge, it’s difficult to have a sense of the scale. Compared to some of the biggest data breaches, like the Equifax leak of more than 140 million, half a million records breached doesn’t sound so bad. Well, here’s some perspective: 500,000 is about the number of people living in Sacramento, the capital city of California. It’s bigger than Miami, New Orleans or Pittsburg. It’s a lot of people.
So when cyber attackers gained access to the network server at Michigan-based medical supply company, Airway Oxygen, Inc. in April, compromising half a million records, it was like hacking the entire state of Wyoming.
Airway’s ransomware attack may have breached:
- Patient information – Names, physical addresses, and birthdates.
- Insurance information – Including policy information and medical diagnoses.
- Employee information – Approximately 1,200 employee records, from past and current employees, may have also been compromised.
At this time it does not appear that social security numbers were connected with the breach or any payment information such as credit card numbers. Though the FBI-led investigation has not yet confirmed details, it seems that a weakness in the firewall may have permitted the installation of the ransomware. Fortunately, compartmentalization of data (which experts constantly encourage) may have protected some information, such as payment data.
4. Women’s Healthcare Group of PA – Records Affected: 300,000
Women’s Healthcare Group of PA has 45 offices throughout the state, and this particular data breach affected only one. External actors used a known security vulnerability to access a server, which the WHG office took offline as soon as the breach was noted. Though the attack blocked certain records, a ransomware tactic, and was discovered on May 16th of this year, investigators discovered that the breach may have gone back as far as January.
In a security notice to the public, WHG stated that “Although this security vulnerability allowed access to limited patient information and the virus encrypted certain files, we have been unable to determine if any specific information was actually acquired or viewed in connection with the incident.”
The information that may have been accessed included:
- Patient information – Such as name, physical address, phone number, date of birth, and social security number.
- Personal medical and demographic information – Including blood type, race, and pregnancy status.
- Medical information – Lab tests ordered and lab results, physician’s name, diagnosis, and insurance information.
Three hundred thousand patients, mostly women, were potentially impacted by this breach in cyber security. As in so many of these types of attacks, patients get notified, apologies get issued, security gets improved, but so many mysteries remain. Why and how were these offices, specifically, targeted? Since they appear to have been targeted (not randomly affected by a more widespread virus), one can only presume that the culprits do intend to sell or act on the data acquired. Will they use the information to build a profile and target phishing campaigns at patients, or commit insurance fraud in their names, or tax fraud, or, or, or…? The possibilities are nearly endless.
5. Patient Home Monitoring Company – Records Affected: 150,000
This next one affected 150,000 people, or more than 300,000 records, depending on how you count them (since patients often had more than one record). Louisiana-based Patient Home Monitoring (PHM) Company had an insecure server repository that held 47.5 gigabytes of medical records.
Ordinarily, a server would have limited access, enforced through IP whitelists and authentication requirements. However, security researchers at Kromtech Security discovered on September 29th that the files were openly accessible. They reported the incident to PHM Co, who secured the repository on October 6th. The breach was not publicly disclosed until October 10th, to ensure that the data was secure before the breach became more widely known.
Since the data was accessed by security researchers and not discovered as a result of any known attack, it’s unlikely that it will get reported to the Office for Civil Rights. Although, as previously mentioned, breaches of more than 500 accounts are required to be reported, under certain circumstances, a healthcare company may qualify for an exemption.
In this case, the data that was publicly accessible included:
- Patient information – name, physical address, and telephone number.
- Medical information – lab test results, such as blood work, doctor’s names, case management notes, and possibly additional client information (contained in the notes).
Given the simple misconfiguration of a server that made this data breach possible, it’s likely that someone without adequate IT experience set up the Amazon AWS S3 repository in the first place. Experts are calling it a “wakeup call” for healthcare facilities–with the increased connectivity and accessibility of doctor’s offices, comes an increased need to operate with cyber security in mind.
6. Bonus: Anthem Inc – Records Affected: 79,000,000
Anthem’s massive data breach goes on the 2017 record for another reason: they’ve just settled their 2015 cybersecurity data breach that potentially affected 79 million customers. With such a record-breaking breach comes an equally shattering payout–$115 million, the largest settlement ever for a data breach.
The money will go to pay for two years of credit monitoring, beyond the two years already offered to customers when the breach occurred in 2015 (for a possible total of four years of monitoring). But for those customers already enrolled in a credit-monitoring service, a cash payout of up to $50 per person would also be available.
The settlement was a consolidation of over 100 lawsuits brought against the Indianapolis-based company after an external threat actor accessed a database that may have included:
- Personal information – Names, birthdays, physical addresses, email addresses, and social security numbers.
- Employment information – Including employer and income information.
The breach did not contain medical information. The settlement sheds light on some of the costs of a data breach: the breach and notifications, the legal costs over a period of as much as several years, increased technology infrastructure and research costs, public relations expenses, and so much more. All told the Anthem cost now tallies $260 million.
A proactive plan, such as a thorough cyber security threat mitigation plan in the first place, is so much more cost-effective.
Protecting Health Care
Given the costs of the biggest cyber security breaches of 2017, medical facilities would do well to invest in their own digital health. File protection involves some low-tech measures, such as timely file purges, and more high tech methods, such as setting up analytics that may detect inappropriate internal access.
The biggest data breach threats in 2017 against the medical field have come from two primary categories: either external cyber attack or internal leak. Hospitals, doctor’s offices, insurance companies, and any office storing patient information and medical data would do well to protect themselves from liability and mitigate risks with an assessment of current infrastructure and a plan for rapid improvement.
Medical facilities often cite two barriers to system upgrades: trained personnel and money. Yet, in the event of an attack, the human and financial resources for a response have to be procured. In cyber security, as in medicine, the old proverb holds true: an ounce of prevention is worth of pound of cure.