[BreachExchange] Osteopathic Professional Group Reports Year-Old Breach

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Fri Oct 15 08:52:44 EDT 2021


https://www.inforisktoday.com/osteopathic-professional-group-reports-year-old-breach-a-17735

The American Osteopathic Association has just begun notifying nearly 28,000
individuals about a June 2020 data exfiltration incident involving their
personal information. The medical professional organization says workforce
challenges during the pandemic led to the delayed identification of people
affected by the data breach.

In a breach report submitted on Wednesday to the state of Maine's attorney
general office, AOA says the incident affected about 27,500 individuals,
including 209 Maine residents.

The Chicago-based non-profit professional association says it represents
151,000 osteopathic physicians and medical students across the U.S.

Breach Details
AOA, in a sample breach notification letter provided to Maine's attorney
general's office, says that on June 25, 2020, AOA became aware of
"suspicious activity" relating to certain systems. AOA worked with third
party forensic investigators to examine the nature and scope of the
activity, and the AOA systems of interest, the letter notes.

AOA determined that certain information within its systems was exfiltrated
by an unauthorized malicious actor. In response, AOA conducted "a
deliberate and thorough assessment of the information affected and to whom
that information pertained," the organization says.

"Like many businesses, the COVID-19 pandemic presented considerable
challenges to AOA's normal business operations," AOA says.

"As a result, it has taken an extended time for AOA to identify the names
and addresses of impacted individuals due to the pandemic's impact on our
staff's working conditions, and their inability to be on location to
identify all potentially impacted parties."

AOA says that on June 1, it confirmed the total population and contact
information for individuals affected by the incident.

Information that was subject to the compromise includes name, address,
Social Security number, date of birth, financial account information, and
email address/username and password.

AOA says it is unaware of any actual or attempted malicious use of the
affected information as a result of the incident, but is offering affected
individuals one year of complimentary credit and identity monitoring.

AOA did not immediately respond to Information Security Media Group's
request for additional details about the data breach.

Notification Duties
Many of AOA's members – such as osteopathic physicians – are required to
comply with the HIPAA rules in the handling of their patients' protected
health information, including the HIPAA breach notification rule.

However, AOA itself does not fit the definition of a covered entity - such
as a health plan, healthcare clearinghouse or healthcare provider that
falls under the HIPAA umbrella, says regulatory attorney Marti Arvin of the
privacy and security consultancy CynergisTek.

Also, AOA "would only be a business associate [under HIPAA] if it performs
services for or on behalf of its member providers. While some professional
associations do business associate-type of functions, not all do," she
notes.

Privacy attorney David Holtzman of the consulting firm HITprivacy LLC notes
that AOA, unlike some medical professional societies, also does not
maintain patient registries that collect data containing PHI from
healthcare providers.

Under the HIPAA breach notification rule, individual notifications must be
provided without unreasonable delay and in no case later than 60 days
following the discovery of a breach, according to the Department of Health
and Human Services. Additionally, for breaches affecting 500 or more
individuals, covered entities must notify HHS no later than 60 days
following a breach.

But aside from HIPAA, all 50 states, as well as Washington D.C., and Puerto
Rico, have breach notification laws with varying reporting deadlines that
could potentially pertain to AOA, Arvin notes.

The laws vary regarding the types of entities and data covered, and the
time periods within which to report a breach, she says.

"Many states don’t have a defined term but say something like 'without
unreasonable delay.' Without guidance from the state regulatory it would be
unclear what would be considered an unreasonable delay, even one year,"
Arvin says.

Some states require organizations to begin notifying affected consumers in
as few as 15 days after discovery of the breach while others have
"open-ended requirements" for communicating news about incidents, Holtzman
says.

Maine's breach notification law requires entities to report breaches "no
more than 30 days after becoming aware of the breach and identifying its
scope," Arvin notes.

"Identity theft and medical billing fraud is always a risk when the
personal information of providers is compromised and as with any data
compromise, the longer it takes to notify the more that risk can be
increased," she says.

Other Incidents
The AOA is not the only medical professional organization to recently
report a hacking incident affecting thousands of its members.

In April, the American College of Emergency Physicians reported that a
"malware" attack detected on Sept. 7, 2020, affected more than 70,000 of
the group's current and former members, as well as members of three other
emergency medical professional organizations (see: ER Physician Association
Hacked).

"The information compromised through the security incidents involving an
organization that serves the medical community is especially sensitive
because it can expose the individuals whose data was disclosed to
significant financial fraud or harm to their reputation," Holtzman says.

When collecting sensitive personally identifiable information,
organizations should carefully assess why the information is being
collected and minimize access to the data to only those with an appropriate
role in the entity, he advises.

"Do not create unnecessary or duplicative collections of sensitive PII,
including information stored on backup servers, network drives or
unencrypted drives or applications," he says.

"Securely delete electronic files containing sensitive PII that is no longer
needed, wherever it is stored."