[author: Doug Austin, Editor of eDiscovery Today]
Are the moles winning? A few months ago, I wrote about how the job of protecting protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act (HIPAA) is becoming more like a game of “Whac-a-Mole” because there are more places than ever where PHI can appear. As we can see from the latest batch of cyber attacks on healthcare organizations, those organizations may be losing the game.
Recent Healthcare Organization Cyber Attacks
It doesn’t take more than a few web searches to find several recent cyber attacks on healthcare organizations. Here are eight that were reported in just the past few weeks:
- Newman Regional Health: They identified suspicious activity within an e-mail account and determined there was unauthorized access to a limited number of e-mail accounts between January 26, 2021, and November 23, 2021 – almost 10 months of exposed information that “may have included individuals’ names; dates of birth; medical record or other identification numbers; addresses, phone numbers, or e-mail addresses; limited health, treatment or insurance information”. They also said: “a limited group of individuals may have social security number or financial information affected.”
- Wellstar Health System: They also suffered a data breach through their email system over approximately one month. The exposed information included names, medical record numbers, unique Wellstar account numbers, and laboratory information.
- Ballad Health: They determined that an employee’s email account was accessed without authorization “for a limited amount of time”. The types of personal information that may have been accessible to the unauthorized actor include name, address, date of birth, medical history, medical condition or treatment information, medical record number, diagnosis code, and patient account number.
- Taylor Regional Hospital: On March 21, 2022, they notified the US Department of Health and Human Services (‘HHS’) Office for Civil Rights (‘OCR’) of a data security incident affecting 190,209 individuals, stating that on January 20, 2021, they identified unauthorized activity on their computer systems. That’s 14 months after they first identified the activity!
- Valley View Hospital: A phishing scam granted outside users access to four email accounts, potentially impacting the personal data of about 21,000 people, including hospital employees and patients.
- LA County Department of Mental Health: On April 21, they disclosed that they had suffered a data breach in a phishing incident. The type of information that may have been affected included “name, address, date of birth, driver’s license, Social Security number, medical and/or health information, health insurance information, SSID student identifier, and/or financial account number.”
- Tague Family Practice: They fell victim to a LockBit ransomware attack. On March 17, the threat actors added TFP to their leak site and subsequently dumped data that appears to be from the practice.
- Partnership Health Plan of California: A ransomware group called Hive claimed to have stolen private data for 850,000 members. A screenshot of the claim states that the “stolen data includes…850,000 unique records of name, SSN, date of birth, address, contact, etc.” It also states that 400 gigabytes of data were stolen from the Partnership’s file server.
Those weren’t the only reported cyber attacks on healthcare organizations over the past few weeks, but they give you a sense of how frequently such attacks are occurring.
Lack of a Common Thread
What’s the common thread between these attacks? There isn’t one. Some involve phishing attacks, others involve ransomware. Points of entry vary – sometimes it’s one or more email accounts; other times, it’s direct access into their systems. Sometimes the access is limited and reported quickly; other times, notification doesn’t happen until months later.
With so many attacks, so many potential entry points, and so many patient records compromised – at least 1 million in the examples reported above – identifying where personally identifiable information (PII) and PHI exist in your organization is more important than ever. That takes a combination of Information Governance best practices and technology designed to detect and (where appropriate) remediate that personal data.
As the examples above illustrate, healthcare organizations continue to be under (cyber) attack! It’s time to strengthen defenses against that attack.