[BreachExchange] Delayed Data Breach Detection: Facing the Consequences

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Jul 9 10:44:23 EDT 2021


https://www.healthcareinfosecurity.com/delayed-data-breach-detection-facing-consequences-a-17012

Two health data breaches that each took about a decade to discover
illustrate just how tough it can be to detect a security incident. One of
those breaches has led to a recent lawsuit settlement.

Arlington, Virginia-based dental and vision health plan administrator
Dominion National has agreed to pay $2 million to settle a federal class
action lawsuit filed in the wake of a data security incident that affected
nearly 3 million individuals and went undetected for nine years before
being discovered in 2019.

Meanwhile, the Canton, Ohio-based healthcare organization Aultman Health
Foundation last week began notifying 7,300 individuals affected by a breach
involving an employee who inappropriately accessed patient records for
nearly 12 years.

Dominion Settlement

Under a settlement approved by a Virginia federal court on May 18, Dominion
National has agreed to compensate class members up to $2 million for
certain losses arising from its security incident and spend nearly $2.7
million to improve its security.

Class members can receive cash payments up to $100 for lost time spent
responding to the security incident, cash payments up to $300 per person
for ordinary losses tied to the incident and cash payments for
extraordinary losses incurred responding to the security incident, up to
$7,500 per person.

Dominion National revealed on June 21, 2019, that it had discovered the
breach on April 24 of that year.

An investigation found that the organization's computer network system was
the target of a cyberattack that began about Aug. 25, 2010, court documents
note.

The compromised servers contained personal information pertaining to plan
producers and participating healthcare providers. In its breach
notification statement, Dominion National noted that the affected
information may have included names, addresses, email addresses, dates of
birth, Social Security numbers, taxpayer identification numbers, bank
account and routing numbers, member ID numbers, group numbers and
subscriber numbers.

Dominion National did not immediately respond to an Information Security
Media Group request for comment on the settlement.

"When considering the defense of a lawsuit, the organization is likely to
consider multiple factors, including the facts of the case," notes
regulatory attorney Marti Arvin of the security and privacy consultancy
CynergisTek, who was not involved in the case.

"Even if an organization has what it might consider a valid reason the
compromise went undetected, it might consider that a 'bad fact' to try to
explain. It also might consider it more economical to settle the case than
to continue the cost of defending it even if there is a reasonable chance
of an outcome in their favor."

Aultman Incident

In a recent notification statement, Aultman Health Foundation says that on
April 26, it learned that an employee accessed patient information outside
of the worker's "normal job duties" between September 2009 and April 2021.

"Upon discovering this, the employee’s access to our electronic health
record system was suspended and an investigation was conducted to determine
the nature and scope of the incident," the foundation says.

Further investigation determined that the employee accessed information for
some patients that included names, addresses, dates of birth, Social
Security numbers, insurance information and diagnosis and treatment
information, Aultman says.


The worker has since been terminated and no longer has access to any
Aultman patient information, the statement notes. Aultman says it has no
indication that any information was misused or further disclosed.

A foundation spokesman tells ISMG that the former employee is not facing
criminal charges.

"The employee had access to patient information as part of their job of
coordinating care for our patients. … Our employees are trained to only
access information related to their job. This employee went beyond that."

In the aftermath of the incident, Aultman has provided additional training
to its system users and is implementing additional measures to protect the
information of its patients, the spokesman says.

As of Thursday, the Aultman incident had not yet been posted on the
Department of Health and Human Services' HIPAA Breach Reporting Tool
website listing health data breaches affecting 500 or more individuals.

Facing Consequences

Federal regulators do not look favorably on delayed health data breach
detection and reporting.

For instance, last year, the HHS' Office for Civil Rights slapped health
insurer Premera Blue Cross with a $6.85 million financial penalty, citing a
nine-month delay in detecting the breach as a major consideration. The case
stemmed from a 2014 hacking incident that exposed the information of 10.4
million individuals.

“If large health insurance entities don’t invest the time and effort to
identify their security vulnerabilities, be they technical or human,
hackers surely will,” said Roger Severino, who was HHS OCR director at the
time of the settlement with Premera.

In another case involving delayed breach detection, HHS OCR signed a $5.5
million settlement with Hollywood, Florida-based Memorial Healthcare System
in 2017 for a breach in which the login credentials of a former employee of
an affiliated physician’s office were used to access electronic health
information on a daily basis, without detection, from April 2011 to April
2012, affecting 80,000 individuals.

"The fact and circumstances of the accesses and the method of discovery are
what the regulators and courts are more likely to rely on regarding the
egregiousness of a breach," Arvin of CynergisTek says.

"For example, if an employee is inappropriately accessing records in a way
that should be easily detectable with reasonable security measures, that
will be viewed differently than if the employee is doing something in a
manner that seems consistent with their job duties and more difficult to
detect - even with reasonable security measures."

Under HIPAA, covered entities must notify HHS of breaches affecting 500 or
more individuals "without unreasonable delay and in no case later than 60
days following a breach."