[BreachExchange] Elekta Health Data Breach Victim Count Grows

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Jul 21 11:46:09 EDT 2021


https://www.healthcareinfosecurity.com/elekta-health-data-breach-victim-count-grows-a-17112

The number of U.S. healthcare entities affected by a recent cyber incident
targeting a Sweden-based provider of oncology radiation systems and related
services is growing.

Some security experts say this points to the additional risks offshore
business associates can pose to their clients.

"HIPAA does not require any special terms for contracting with BAs outside
of the U.S.," says privacy attorney Adam Greene of the law firm Davis
Wright Tremaine. "The Department of Health and Human Services' Office for
Civil Rights guidance suggests that your risk analysis consider whether
there are increased risks related to the BA being overseas, such as whether
the BA operates in a country with a known higher prevalence of hacking or
malware attacks."

In recent weeks, several U.S.-based healthcare organizations have reported
that some of their patients' protected health information was potentially
compromised by a data security incident first disclosed in April by their
business associate Elekta, which provides cloud-based oncology related data
services.

Among the latest Elekta clients notifying patients of breaches are
Utah-based Intermountain Healthcare, New Jersey-based Saint Peter's
University Hospital, Alaska-based Fairbanks Cancer Center, Oklahoma-based
Cancer Centers of Southwest Oklahoma, and Illinois-based Northwestern
Memorial HealthCare.

Northwestern Memorial's data breach was among the largest Elekta-related
incidents reported so far to U.S. federal regulators. The Chicago-based
healthcare provider reported the incident to HHS OCR on June 25 as
affecting more than 200,000 individuals.

Recent Notifications

As of Tuesday, Intermountain Healthcare's breach involving the Elekta
incident was not yet posted on HHS OCR's HIPAA Breach Reporting Tool
website listing health data breaches affecting 500 or more individuals.

But a July 16 breach notification report Intermountain Healthcare provided
to Maine's attorney general indicates the Elekta incident affected nearly
29,000 Intermountain patients, including two Maine residents.

In a breach notification statement, Intermountain says that on April 6, it
received notice from Elekta that the vendor experienced a data security
incident.

"On May 17, Elekta reported that a server with some data relating to
Intermountain Healthcare patients was affected. … Elekta’s investigation
determined that the data present on their impacted systems at the time of
the incident included your name and scanned image files. The scanned image
files could have included medical images, and information on medical intake
forms," Intermountain's notification says.

An Intermountain spokesman tells Information Security Media Group that as a
result of the Elekta incident, some patient appointments needed to be
rescheduled at four specialty clinics in Nevada. "Intermountain assured
that any patient who was identified as high-risk had appointments
rescheduled with one of our treatment partners," the spokesman says.

Other Affected Entities

Meanwhile, in its July 9 breach notification statement, Saint Peter's
Hospital says that on May 13, it was informed by Elekta about a PHI breach
affecting 585 patients, involving the Elekta electronic prescription
platform, eRx, used by physicians in the hospital's radiation oncology
department.

Other Elekta clients in the U.S. that were earlier identified as being
affected by the vendor's incident included Yale New Haven Health in
Connecticut, Southcoast Health in Massachusetts and cancer care facilities
of Lifespan Cancer Institute in Rhode Island (see: Attack on Radiation
Systems Vendor Affects Cancer Treatment).

Those entities also reportedly had to postpone some patients' scheduled
cancer treatment because of the Elekta security incident.

Elekta Statement

Elekta, in a statement provided to Information Security Media Group on
Tuesday, says its recent data security incident "was limited to a subset of
Elekta’s customers in North America" and involved the company's
first-generation cloud-based storage system.

"As soon as we became aware of the event, Elekta partnered with leading
cybersecurity experts and law enforcement, including the FBI, to
investigate what had happened and mitigate any possible harm," the
statement says.

"We have migrated our cloud-based applications to Elekta’s Axis Cloud,
which was not impacted by the incident and operates on the Microsoft Azure
environment, which employs the latest and most stringent cloud and security
technologies. Elekta also implemented additional security enhancements to
prevent future incidents."

All affected customers have been notified, Elekta says, noting that it's
not disclosing details of the incident "for the safety and security of our
customers and their patients."

Elekta did not respond to ISMG's inquiries about the total number of Elekta
clients and their patients affected by the incident or whether the incident
involved ransomware.

Off-Shore PHI Risk Considerations

"U.S. organizations also should be aware that U.S. regulators may not have
jurisdiction to directly enforce HIPAA against overseas BAs with respect to
noncompliance occurring overseas, with foreign regulators instead having
jurisdiction with respect to any applicable foreign privacy and security
laws," says Greene, the attorney.

"Accordingly, you may have a business associate agreement, but not the same
level of HIPAA protection as with respect to a U.S. BA."

Regulatory attorney Paul Hales of Hales Law Group says: "It's a huge
mistake to try to address offshore business associate issues in a business
associate agreement."

The correct way to address offshore BA issues, he says, "is by due
diligence and a well-written service-level agreement. Due diligence must
confirm that the BA complies with all HIPAA BA requirements, has a legal
presence in the U.S. that makes it subject to U.S. law … and has assets or
insurance that are accessible and sufficient to pay damages arising from
its negligence or breach of contract."

The service-level agreement "should specify jurisdiction and venue in the
event of a breach and include customary protective clauses, like
indemnification and minimum insurance requirements," Hales says.

Commenting on the Elekta incident, privacy attorney Kirk Nahra of the law
firm WilmerHale says: "I view this as a supply chain issue more than an
offshore issue."

U.S. law "does not distinguish between in-country business associates and
out-of-country ones - at least HIPAA does not," he says. "There certainly
can be a perception difference with some customers and others - and many
hospitals actually preclude their vendors from storing or accessing
information from offshore."

A business associate agreement with an offshore vendor "obligates them to
follow the contract and informs them of their obligations directly under
HIPAA," Nahra notes. "A company that is offshore could try to say to HHS if
they were investigated that they are not subject to HIPAA, but that
position would mean … that no U.S. business would work with them," he says.

"Offshore vendors usually lead to somewhat additional front-end diligence,
but in general, I am just as worried about a breach in Seattle as I am
about a breach in Sweden."