<div dir="ltr"><a href="http://www.databreachtoday.com/bizmatics-cyberattack-assessing-fallout-a-9234">http://www.databreachtoday.com/bizmatics-cyberattack-assessing-fallout-a-9234</a><br><br><p>The total impact of a 2015 hacker attack against cloud-based <a href="http://www.healthcareinfosecurity.com/electronic-health-records-c-252">electronic health records</a>
vendor Bizmatics Inc. might not be known for months because it's still
unclear how many of the company's group practice clients were affected -
and how many records were compromised.</p>
<p>As a result, security experts are urging the company's clients to
reach out to the vendor to inquire whether their patients' protected
health information was potentially compromised by the hack.</p>
<p>Although San Jose, Calif.-based Bizmatics apparently has not publicly
commented about the incident, the disclosure of the cyberattack by
Bizmatics to certain customers has essentially put all its clients on
notice that their data, too, may have been compromised, says <a href="http://www.healthcareinfosecurity.com/privacy-c-151">privacy</a> and security attorney Stephen Wu of the law firm Silicon Valley Law Group.</p>
<p> "If you are a Bizmatics customer, you're under obligation to do due
diligence" to see if protected health information of your patients has
been compromised, requiring notification, he says.</p>
<p>Wu and other experts suggest the company's clients consider engaging
forensics specialists to help verify whether patients' data has been
exposed. They also suggest taking additional steps to help shore up
security related to all their business associates.</p>
<h3>What Happened?</h3>
<p>As of June 30, it appears that at least 17 Bizmatics clients - and a
total of about 264,000 patients - have been impacted by the cyberattack.
Those figures are based on the Department of Health and Human Services <a href="https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf" target="_blank">"wall of shame"</a>
tally of major health data breaches and the breach notification
statements issued by the various affected healthcare organizations that
specifically name the involvement of Bizmatics, as first tracked by <a href="https://www.databreaches.net/264000-and-counting-hack-of-ehremr-vendor-leaves-clients-scrambling/" target="_blank"><i>Databreaches.net</i></a>.
The HHS tally itself does not name Bizmatics in these listings, in part
because of how some covered entities fill out the breach reports they
submit to HHS, so entries tied to the vendor can only be identified
through the organizations' own notification statements.</p>
<h3>Bizmatics Clients Reporting Breaches</h3>
<table class="">
<tbody>
<tr>
<th width="60%">Clinic</th>
<th width="20%">State</th>
<th width="20%"># Patients Affected</th>
</tr>
<tr>
<td>Southeast Eye Institute (dba Eye Associates of Pinellas)</td>
<td>Florida</td>
<td>87,314</td>
</tr>
<tr>
<td>Stamford Podiatry Group</td>
<td>Connecticut</td>
<td>40,491</td>
</tr>
<tr>
<td>Illinois Valley Podiatry Group</td>
<td>Illinois</td>
<td>26,588</td>
</tr>
<tr>
<td>North Ottawa Community Health System</td>
<td>Michigan</td>
<td>20,000</td>
</tr>
<tr>
<td>Integrated Health Solutions</td>
<td>Pennsylvania</td>
<td>19,976</td>
</tr>
<tr>
<td>Pain Treatment Centers of America</td>
<td>Arkansas</td>
<td>19,397</td>
</tr>
<tr>
<td>ENT and Allergy Center</td>
<td>Arkansas</td>
<td>16,200</td>
</tr>
<tr>
<td>Lafayette Pain Care</td>
<td>Indiana</td>
<td>7,500</td>
</tr>
<tr>
<td>Grace Primary Care</td>
<td>Tennessee</td>
<td>6,853</td>
</tr>
<tr>
<td>Complete Family Foot Care</td>
<td>Nebraska</td>
<td>5,583</td>
</tr>
<tr>
<td>California Health and Longevity Institute</td>
<td>California</td>
<td>5,386</td>
</tr>
<tr>
<td>The Vein Doctor</td>
<td>Missouri</td>
<td>3,000</td>
</tr>
<tr>
<td>Allen Dell (law firm on behalf of client)</td>
<td>Florida</td>
<td>2,500</td>
</tr>
<tr>
<td>Vincent Vein Center Grand Junction</td>
<td>Colorado</td>
<td>2,250</td>
</tr>
<tr>
<td>Mark Anthony Quintero, M.D.</td>
<td>Florida</td>
<td>650</td>
</tr>
<tr>
<td>Family Medicine of Weston</td>
<td>Florida</td>
<td>500</td>
</tr>
<tr>
<td>HeartCare Consultants</td>
<td>Florida</td>
<td>NA</td>
</tr>
</tbody>
</table>
<i>Sources: Department of Health and Human Services, notification letters and Databreaches.net</i>
<p>The largest known Bizmatics-related incident listed on the federal
tally was reported May 5 by Florida-based Southeast Eye Institute, which
does business as <a href="http://www.eyeassociatesofpinellas.com/2-eye-conditions/56-patient-breach" target="_blank">Eye Associates of Pinellas</a>. That incident is listed as affecting 87,314 individuals.</p>
<p>Bizmatics claims on its website that its PrognoCIS EHR and practice
management software "serves over 15,000 medical professionals." How many
of those professionals' practices were affected by the breach remains to
be seen.</p>
<h3>Hard to Pinpoint</h3>
<p>Part of the difficulty in tallying the full number of affected
entities appears to be rooted in uncertainties turning up in the
post-breach forensics investigation of the Bizmatics cyberattack.</p>
<p>In a breach notification posted on its website, one of the covered entities known to be impacted, Florida-based <a href="http://www.srqheartcare.com/important-hippa-breach-notification/" target="_blank">HeartCare Consultants</a>,
notes that Bizmatics recently informed the provider that a malicious
hacker attacked the vendor's data servers, resulting in "unauthorized
access to Bizmatics customers' records across the U.S., including some
records belonging to us."</p>
<p>HeartCare Consultants also notes that after becoming aware of the
incident in late 2015, Bizmatics began an investigation with the help of
law enforcement and the security forensics firm CrowdStrike. "Bizmatics
believes the incident may have occurred in early 2015 ... [but]
CrowdStrike could not find a sufficient log of evidence to determine all
of the information accessed or viewed by the hackers," HeartCare
Consultants notes.</p>
<p>Records compromised may include health visit information, patient
names, addresses, health insurance numbers, and in some cases, Social
Security numbers, HeartCare Consultants reports.</p>
<p>Bizmatics did not immediately respond to an Information Security Media Group request for comment on the incident.</p>
<p>CrowdStrike in a statement to ISMG says, "as a matter of policy,
CrowdStrike does not comment on customer engagements and issues
pertaining to customers, so we can neither confirm nor deny involvement
in this case."</p>
<h3>Being Proactive</h3>
<p>Because Bizmatics claims to have thousands of customers and appears
to have insufficient log evidence to help sort out the incident, there
could be many more organizations potentially impacted by the
cyberattack, experts say.</p>
<p>Although Bizmatics, like other business associates under <a href="http://www.healthcareinfosecurity.com/hipaa-hitech-c-282">HIPAA</a>,
is required to notify an affected covered entity of a breach of unsecured
PHI without unreasonable delay, and no later than 60 days after
discovering it, Wu advises clients of Bizmatics to contact the vendor
directly about the incident if they have not yet been notified of the
cyberattack.</p>
<p>Rebecca Herold, CEO of The Privacy Professor and co-founder of
SIMBUS360 Security and Privacy Services, says there's another possible
reason why more Bizmatics clients haven't been notified by the vendor
about the breach - or haven't themselves reported the incident to HHS.</p>
<p>"A large portion of those clients <i>may</i> have had less than 500
PHI records within the Bizmatics data warehouse, which would mean they
wouldn't need to legally report them to HHS right away, but could wait
and include that information at the end of the year," Herold says. "Of
course Bizmatics should have reported to those smaller CEs already.
Looking at the known types of providers listed so far, it seems
Bizmatics may have had a lot of small clinics that they were doing work
for. So after the end of 2016, you will likely see the number of CEs
whose PHI was involved jump up dramatically." That's because breaches
affecting fewer than 500 individuals are reported to HHS annually, within
60 days after the end of the calendar year in which they were discovered.</p>
<p>Nevertheless, Herold anticipates that more clinics will report data
compromises tied to the Bizmatics breach in the weeks ahead, given the
steady additions to the HHS tally in past weeks.</p>
<h3>Quick Response</h3>
<p>Regardless of HIPAA's breach reporting requirements, it's critical
that vendors notify covered entities of breaches as soon as possible,
says Dodi Glenn, vice president of cybersecurity at security services
firm PC Pitstop.</p>
<p> "Breach notifications should happen just as soon as the breach has
been detected," he stresses. "This allows the healthcare organization to
tighten their own security and be on the lookout for suspicious
activities related to their own network. The longer the vendor waits on
disclosing the breach, the more damage it can do to the organizations
who are associated with them."</p>
<p>Herold says that business associates should contact covered entities
within 24 hours of discovering a breach impacting the client's PHI. "The
BA should provide regular reports to their CEs as they mitigate the
breach and answer any questions they have," she says. "Following
mitigation, the BA should have an objective third party do a risk
assessment covering the scope of the breach to ensure all
vulnerabilities have been addressed appropriately."</p>
<p>Wu suggests that Bizmatics clients engage a third-party security firm
to assess whether their patients' PHI has been compromised, especially
because it appears that Bizmatics might be having trouble sorting that
out.</p>
<h3>Vendor Lessons</h3>
<p>The Bizmatics cyberattack offers lessons to any organization that relies on a cloud-based vendor.</p>
<p>"Don't assume that your data is secure in the <a href="http://www.healthcareinfosecurity.com/cloud-computing-c-232">cloud</a>,
regardless of who you are partnering with," Glenn says. "As we've seen
from this breach, and several others in the healthcare industry, hackers
are actively targeting these types of organizations. Make sure that the
company you are doing business with has an incident response plan in
place and ask to view the plan."</p>
<p>Herold suggests healthcare organizations reassess their business
associate management practices "and determine how they are going to
provide some type of ongoing oversight for BAs."</p>
<p>Meanwhile, she says business associates need to implement stronger and more comprehensive <a href="http://www.healthcareinfosecurity.com/governance-c-93">information security programs</a>.</p>
<h3>Analyzing Logs</h3>
<p>In light of Bizmatics reportedly having insufficient log information
to determine the extent of the cyberattack's impact, Herold recommends
that covered entities and business associates fortify their log-related
practices. That includes:</p>
<ul>
<li>Documenting policies and procedures for logging, network security activity and accounting of disclosures;</li>
<li>Assigning responsibility for oversight of those policies and procedures, including logging access to PHI and logging security events that occur within the network and around PHI data repositories;</li>
<li>Providing training to those with audit and log review responsibilities;</li>
<li>Periodically testing that such access logging and procedures are adequate and accurate;</li>
<li>Establishing breach identification and response policies and procedures that make use of those log access tools and procedures.</li>
</ul><br></div>