[BreachExchange] Breach Involving Encrypted Devices Raises Questions

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 23 20:06:41 EDT 2017


http://www.databreachtoday.com/breach-involving-encrypted-devices-raises-questions-a-9789

Under the HIPAA Breach Notification Rule, the theft or loss of encrypted
computing or storage devices is not considered a reportable data breach.
But a recent incident at a Kentucky-based healthcare organization
demonstrates that making a determination on whether an incident is a
reportable breach isn't always clear-cut.

On March 21, Bowling Green, Kentucky-based Med Center Health, which
includes several hospitals, issued a public notification saying that on
Jan. 4, 2017, "during the course of an internal investigation, we
determined that [a] former Med Center Health employee had, on two past
occasions during their employment, obtained certain billing information by
creating the appearance that they needed the information to carry out their
job duties for Med Center Health."

Med Center Health says that its investigation indicates that in August 2014
and February 2015, the employee allegedly obtained patient information on
an encrypted CD and encrypted USB drive, "without any work-related reason
to do so."

The billing information involved in the incident included patients' names,
addresses, Social Security numbers, health insurance information, diagnoses
and procedure codes and charges for medical services, the healthcare
provider says. "Patients' medical records were not included in the
information inappropriately obtained. Clinical medical records were not
accessed and remain fully intact. Medical history and treatment have not
and will not be affected by this incident."

Evidence about the incident that Med Center Health has gathered suggests
that the former employee "intended to use these records to assist in the
development of a computer-based tool for an outside business interest which
had never been disclosed to Med Center Health officials," the notification
statement says.

The matter, which was reported to law enforcement, "is under investigation
by the FBI and other federal agencies," a Med Center Health spokeswoman
tells Information Security Media Group.

Citing the investigation, she declined to disclose details of the incident,
including specifics regarding the job that the former employee held at the
organization, and whether the individual would have had access to a
decryption key or other means of accessing the encrypted data - or whether
the data was accessed by the individual before it was encrypted on the
storage devices.

Breach Victim Tally

Commonwealth Health Corp., the parent company of Med Center Health, on
March 1 reported to the U.S. Department of Health and Human Services that
the breach affected 697,800 individuals and involved an unspecified
"theft."

That figure represents the number of patient encounters reflected in the
data incident, says Ramona Hieneman, Commonwealth's chief privacy officer,
in response to an ISMG inquiry about the breach report appearing on the HHS
Office for Civil Rights' "wall of shame" website listing breaches affecting
500 or more individuals.

The Med Center Health spokeswoman tells ISMG that the organization is
sending out notifications to about 160,000 patients who have been impacted.
"In addition, information for those patients' insurance subscribers and
guarantors may also have been contained in the records," she notes.

Whether the incident affected 697,800 individuals - as listed on the wall
of shame - or only 160,000 individuals, as the Med Center Health
spokeswoman states, the breach as of March 23 still ranks as the largest
incident added to the HHS tally so far in 2017.

Encryption Safe Harbor

It's somewhat unclear why Med Center Health reported the incident as a
breach, since, under HIPAA, the theft or loss of encrypted devices is not
considered a reportable breach.

Privacy attorney Kirk Nahra of the law firm Wiley Rein says the description
Med Center Health has provided so far about the incident is unclear.

"If the data was encrypted and the person couldn't access it, then I don't
know how that person could do any of the things that the person [allegedly]
seemed to be doing," he says. "So I have to assume that the person had some
way to get through the encryption. If that is the case, then it isn't
really encrypted data and [breach] notice would be appropriate - or at
least you don't get the benefit of the safe harbor."

Similarly, in a theoretical incident involving an encrypted laptop
computer, "if the laptop is open and working when it is stolen, then the
encryption isn't activated and wouldn't be sufficient" for avoiding the
need to report a breach, Nahra notes.

"All - or most - [breach notification] laws would work that way - if the
data is potentially encrypted but not actually in context, it isn't
considered encrypted," he says. "Companies always need to think about
whether the data really was encrypted, in context."

Under Kentucky law, notification is required for computer security breaches
involving "unencrypted and unredacted computerized data that compromises
the security, confidentiality, or integrity of personally identifiable
information" and could cause identity theft or fraud.

But some states, including California and Illinois, have recently tweaked
their encryption safe harbors for breach notification. For instance, both
states now require notification if decryption keys were acquired by
unauthorized persons in the security incident. In addition, California also
requires notification if security credentials were stolen along with the
encrypted data.

HIPAA guidance from the HHS' Office for Civil Rights notes that in order
for incidents to fall under the encryption safe harbor for breach
notification, "electronic PHI must have been encrypted as specified in the
HIPAA Security Rule by 'the use of an algorithmic process to transform data
into a form in which there is a low probability of assigning meaning
without use of a confidential process or key' ... and such confidential
process or key that might enable decryption has not been breached. To avoid
a breach of the confidential process or key, these decryption tools should
be stored on a device or at a location separate from the data they are used
to encrypt or decrypt."

More Insider Incidents

The Med Center Health breach is just the latest of several recent security
incidents involving insiders at healthcare organizations.

For instance, on March 16, St. Charles Health System in Bend, Oregon, began
notifying nearly 2,500 patients that a caregiver - over a period of about
27 months - was found to have accessed individuals' electronic medical
records without authorization (see Why Insider Breach Prevention Needs to
Stay Top-of-Mind).

Also, last week, an Alabama federal judge granted class-action status to a
lawsuit filed against Flowers Hospital, where a former lab technician was
sentenced in 2014 to two years in prison for identity theft that led to
federal tax refund fraud.