[BreachExchange] How quick breach recovery hurt one provider

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 29 19:11:46 EDT 2017


https://www.healthdatamanagement.com/news/why-quick-breach-recovery-hurt-this-providers-efforts


Salina Family Healthcare Center in Kansas in mid-June was the victim of a
ransomware attack, but it was almost immediately able to restore its
computers and servers because it closely followed requirements of its
backup policy.

At Salina Family, data backups are done each night. In addition, all
servers are backed up once a week, and a comprehensive system backup is
done once a month. All backups are encrypted and stored off-site.

But the backup policy had a flaw that wasn’t known until the attack, says
Rob Freelove, MD, CEO. “We were so intent on getting back online, we didn’t
think about preserving evidence.”

The evidence was not available because all the servers were scrubbed of
data and rebuilt from backup tapes. “Leaving one server uncleaned would
have helped in getting more forensics evidence,” Freelove adds. “We had 33
end-user terminals deleted and rebuilt and should have saved one or two
hard drives for the forensic investigators.”

That is important because forensic experts determine how a breach occurred
and whether any information was accessed by an unauthorized party.

Consequently, the organization could not rule out the possibility of data
being compromised, which necessitated notification letters being mailed to
about 70,000 patients. The letters contained the offer of one year of
credit monitoring and identity protection services from AllClear ID.

Data at risk included patient names, addresses, Social Security numbers,
dates of birth, health insurance information and treatment information. “To
date, we are not aware of the misuse of anyone’s information as a result of
this incident,” the organization said in the patient notification letter.

As Salina Family Healthcare Center worked through the breach, it
encountered another obstacle when mailing out patient notification letters.
There are a lot of rental properties in town, and while a notification
letter may have been sent to the right address, the affected individual may
not have still been living at that address.

The city also has a large transient population that made patient
notification difficult. So, in an updated notification letter, the
healthcare center asked recipients who received a letter that was
incorrectly addressed to mark it “Return to Sender,” so returned letters
could be sent to the right address.