[BreachExchange] How quick breach recovery hurt one provider

Destry Winant destry at riskbasedsecurity.com
Thu Aug 31 03:22:00 EDT 2017


https://www.healthdatamanagement.com/news/why-quick-breach-recovery-hurt-this-providers-efforts

Salina Family Healthcare Center in Kansas was the victim of a
ransomware attack in mid-June, but it was almost immediately able to
restore its computers and servers because it closely followed the
requirements of its backup policy.

At Salina Family, data backups are done each night. In addition, all
servers are backed up once a week, and a comprehensive system backup
is done once a month. All backups are encrypted and stored off-site.

But the backup policy had a flaw that wasn’t known until the attack,
says Rob Freelove, MD, CEO. “We were so intent on getting back online,
we didn’t think about preserving evidence.”

The evidence was not available because all the servers were scrubbed
of data and rebuilt from backup tapes. “Leaving one server uncleaned
would have helped in getting more forensics evidence,” Freelove adds.
“We had 33 end-user terminals deleted and rebuilt and should have
saved one or two hard drives for the forensic investigators.”

That is important because forensic experts determine how a breach
occurred and whether any information was accessed by an unauthorized
party.

Consequently, the organization could not rule out the possibility of
data being compromised, which necessitated notification letters being
mailed to about 70,000 patients. The letters contained the offer of
one year of credit monitoring and identity protection services from
AllClear ID.

Data at risk included patient names, addresses, Social Security
numbers, dates of birth, health insurance information and treatment
information. “To date, we are not aware of the misuse of anyone’s
information as a result of this incident,” the organization said in
the patient notification letter.

As Salina Family Healthcare Center worked through the breach, it
encountered another obstacle when mailing out patient notification
letters. There are a lot of rental properties in town, and while a
notification letter may have been sent to the right address, the
affected individual may no longer have been living at that address.

The city also has a large transient population that made patient
notification difficult. So, in an updated notification letter, the
healthcare center asked recipients who received a letter that was
incorrectly addressed to mark it “Return to Sender,” so returned
letters could be sent to the right address.

