[BreachExchange] Cybersecurity Attacks Leading Large Health Data Breach Cause

Audrey McNeil audrey at riskbasedsecurity.com
Fri Sep 2 15:31:23 EDT 2016


http://healthitsecurity.com/news/cybersecurity-attacks-leading-large-health-data-breach-cause

While the summer of 2016 is quickly coming to an end, covered entities and
their business associates cannot ease up on their data security measures.
If the past three months have been any indication, large health data
breaches are not about to cease anytime soon.

Between June 1, 2016 and August 31, 2016, Office for Civil Rights (OCR) data
show that the majority of reported incidents were classified as
unauthorized access or disclosure, with 28 cases being listed as such.
Hacking incidents were a close second, with 25 reported incidents in the
same time frame.

The five largest reported cases of a potential healthcare data breach also
hold true to those classifications. Those incidents were either listed as
stemming from cybersecurity attacks, which would include hacking, or as
cases of unauthorized access or disclosure.

Banner Health

The largest reported health data breach in the past few months was at
Banner Health, an Arizona-based facility. In August 2016, Banner announced
that it had been the victim of a cybersecurity attack, affecting
approximately 3.6 million patients, members and beneficiaries, providers,
and food and beverage outlet customers.

The incident affected “a limited number of Banner Health computer servers
as well as the computer systems that process payment card data at certain
Banner Health food and beverage outlets.”

In the case of patients specifically, names, dates of birth, addresses,
physicians’ names, dates of service, clinical information, and possibly
health insurance information were accessed. If Social Security numbers were
provided, then those may also have been exposed.

The food and beverage outlet breach was discovered on July 7, 2016, while
payment cards used at 27 different Banner Health locations from June 23,
2016 to July 7, 2016 may have been affected. The possibly affected
locations on Banner’s list are in Arkansas, Arizona, Colorado, and Wyoming.

“The attackers targeted payment card data, including cardholder name, card
number, expiration date and internal verification code, as the data was
being routed through affected payment processing systems,” Banner said.

Newkirk Products, Inc.

Newkirk, which issues healthcare ID cards for health insurance plans,
announced in August 2016 that it experienced a data breach potentially
compromising the information of approximately 3.4 million plan members.

When the incident was reported, Newkirk maintained that no health plan
systems were accessed or affected in any way. Even so, the Department of
Health and Human Services (HHS) was notified.

“On July 6, 2016, Newkirk discovered that a server containing member
information was accessed without authorization,” Newkirk said in its
statement. “Newkirk shut down the server, started an investigation into the
incident and hired a third party forensic investigator to determine the
extent of the unauthorized access and whether the personal information of
its clients’ members may have been accessed. Newkirk also notified federal
law enforcement.”

Data that may have been accessed included some combination of member names,
mailing addresses, type of plan, member and group ID numbers, names of
dependents enrolled in the plan, primary care providers, and in some cases,
dates of birth, premium invoice information and Medicaid ID numbers.

Valley Anesthesiology and Pain Consultants

Valley Anesthesiology and Pain Consultants (VAPC) reported last month that
unauthorized access to one of its computer systems may have exposed the
information of 882,590 patients.

The unauthorized access may have occurred on March 30, 2016, but VAPC
learned about the incident on June 13, 2016.

“VAPC recognizes the importance of protecting the privacy and security of
personal information, and regrets any inconvenience or concern this
incident may cause,” VAPC said in a statement. “In addition to security
safeguards already in place, VAPC is taking steps to enhance the security
of its computer systems in order to prevent this type of incident from
occurring again in the future. These steps include reviewing its security
processes, strengthening its network firewalls, and continuing to
incorporate best practices in IT security.”

For patient information, names, providers' names, dates of service, places
of treatment, names of health insurers, insurance identification numbers,
diagnosis and treatment codes, and Social Security numbers in a few cases,
may have been exposed.

Bon Secours Health System Incorporated

Bon Secours Health System, Inc. announced in August that one of its vendors
inadvertently made patient files available online as it attempted to adjust
its computer network settings from April 18, 2016 to April 21, 2016.

This may have exposed the information of 651,971 individuals, according to
the OCR breach reporting tool.

The incident was discovered on June 14, 2016, and Bon Secours explained
that it immediately notified R-C Healthcare so that the patient information
would no longer be available.

“We deeply regret any concern this may cause our patients,” Bon Secours
said on its website. “To help prevent something like this from happening in
the future, we are reinforcing standards with our vendors to ensure our
patients’ information is securely maintained.”

While medical records were not made available, patients’ names, health
insurers’ names, health insurance identification numbers, limited clinical
information, Social Security numbers, and in some instances, bank account
information were included in the visible files.

Athens Orthopedic Clinic, P.A.

Georgia-based Athens Orthopedic Clinic reported in July 2016 that an
external entity had launched a cyberattack on its EHR system using a
third-party vendor’s credentials the month prior.

Both current and former patients may have had names, addresses, Social
Security numbers, dates of birth, telephone numbers, and, in some cases,
diagnoses and partial medical histories exposed.

The OCR data breach reporting tool states that 201,000 individuals were
affected by the incident.

“Rest assured that we are taking all necessary measures to ensure that any
resulting damage is limited to the extent possible and working to retain
your trust in our practice,” Athens CEO Kayo Elliott told OnlineAthens.com
at the time. “We advise that our patients contact credit reporting agencies
to create a fraud alert as soon as possible; we have posted a statement on
our website that includes credit reporting agency contact information.”

Athens surgeon Chip Ogburn explained in an opinion piece for the Athens
Banner-Herald that once Athens learned of the potential breach, it notified
federal authorities. However, it was frustrating for the clinic to not be
able to notify patients as soon as the breach happened.

“We have always taken patient privacy very seriously,” Ogburn wrote. “We
are human. And we are committed. Please understand that we put top priority
on protecting your privacy long before this crime occurred. We will
continue to do so, as well as to focus on high-quality patient care.”