[BreachExchange] Email-Related Breaches: Why Are There So Many?

[Destry Winant]

https://www.databreachtoday.com/email-related-breaches-are-there-so-many-a-11876

Several recent health data breaches point to the need to better
mitigate the risks posed by email.

Security gaps and user mishaps are the culprits in many of these
breaches. But implementing the right technologies and best practices
can help reduce the risks, security experts advise.

Phishing email attacks often lead to incidents involving ransomware
and other malware infections - as well as other intrusions involving
unauthorized access to patient and other sensitive data.

But mistakes by users sending email also are persistent culprits in
major health data breaches.

Here's a recent example: A breach impacting 6,450 individuals reported
by family medical practice Prairie Fields Family Medicine of Fremont,
Nebraska, involved an email that exposed patient information. In a
notification statement, Prairie Fields notes that an email from its
office containing an unencrypted spreadsheet with patient information
was inadvertently sent to an incorrect email address. The incident was
discovered the same day.

"Prairie Fields has made several attempts to contact the recipient, by
email, but has not received any response. Prairie Fields suspects, but
cannot be certain, that the email address has been abandoned or is no
longer in use," the statement says.

"Simple, transparent email encryption between different users and
systems should be a global priority to achieve."
—Kate Borten, The Marblehead Group

The medical practice says it has not received any indication that any
patient's personal information has been accessed or used by the
unintended recipient. The information contained in the spreadsheet
included patient name, date of birth, age, sex, race, first language,
telephone number and certain health insurance information, including
provider's name and policy numbers.

The practice's statement notes that it's putting into place
"additional safeguards" to prevent future incidents.

Unauthorized Access

In another recent email-related incident, University of Vermont Health
Network - Elizabethtown Community Hospital reported a breach that
affected 32,000 and exposed the Social Security numbers of 1,200.

A notification statement says the incident involved one employee's
email account which "for a brief period of time" was remotely accessed
by an unauthorized user. "We completed an initial 60-day investigation
of the incident and have no evidence of any fraud or identity theftto
any individual as a result of this incident," according to the
notification.

"Upon learning of the incident ... we immediately took action,
including changing passwords, implementing enhanced security features
and engaging a leading forensic security firm to assist with the
investigation."

Other potentially compromised information included names, dates of
birth, addresses and limited medical information, such as medical
record numbers, dates of service and a brief summary of services
provided, the organization reports.

Ransomware and More

Hacker intrusions, including those that involve email-fueled
ransomware attacks, can also result in the installation of other
malicious programs.

Take the case of Mind and Motion Developmental Centers of Suwanee,
Georgia, a multidisciplinary treatment center offering mental health,
physical therapy and other health services, which recently reported a
hacking incident impacting 16,000 individuals.

In its notification statement, the treatment center says it discovered
that the company's server had been corrupted by ransomware. A forensic
investigation by a third-party consulting firm found that "an inactive
keylogger and spam emailer" also had been installed on the compromised
server.

"These programs and the associated accounts were removed," Mind and
Motion says. "Other minor malware was found and removed. It did not
appear that any of the malware found had access to any of our
scheduling, electronic billing or patient financial accounts."

Mind and Motion says it implemented several measures, including
changing passwords for all accounts used in the office. "Passwords
were required to be higher in complexity. A policy was put in place to
force password changes on a more regular basis as well as when
business events warrant them," the statement says.

In addition, all email accounts associated with the business domain
will have "the latest spam protection to prevent common methods of
phishing," the statement notes.

Protected health information potentially compromised by the incident
includes name, address, birthday, medical history, Social Security
number, medical diagnosis, insurance information and medical records,
Mind and Motion says in its statement.

A Common Problem

Email-related breaches are far too common in healthcare. A Dec. 19
snapshot of the Department of Health and Human Services' HIPAA Breach
Reporting Tool website shows a total of 344 major health data breaches
impacting 12.7 million individuals have been added to the tally so far
in 2018. Of those, 111 breaches impacting 3.4 million individuals were
reported as involving email.

Commonly called the "wall of shame," the federal website lists
reported HIPAA breaches impacting 500 or more individuals.

The largest email-related breach on the tally was a July hacking
incident reported by Iowa Health System, which does business under the
name UnityPoint Health.

That incident, which impacted 1.4 million individuals, involved a
phishing campaign that exposed an assortment of personal and medical
data stored in UnityPoint Health's email systems. But the information
exposure appears to have been an unintentional byproduct of an attempt
to divert corporate payments via what's known as business email
compromise, the organization said.

Ongoing Challenge

Incidents involving email - whether instigated by hackers or caused by
user mistakes - are an ongoing challenge for many healthcare sector
organizations.

"We can wrap technical protections around our systems and networks,
but ultimately people are the weak link, as we see with successful
phishing attacks," says Kate Borten, president of security and privacy
consultancy The Marblehead Group.

"Organizations should be giving their employees examples of successful
phishing attacks to demonstrate and remind them of how easily we can
fall for those emails. And organizations should routinely test their
employees with simulated attacks."

But other email-related breaches, such as those involving unsecured
patient information being sent via email, can be tricky to stop,
Borten says.

"Unfortunately, email encryption is not simple. The recipient needs to
go through several steps to open encrypted messages, and some
solutions are awkward to use and limited," she notes. "This fact
deters use of secure email between unrelated parties except in highly
regulated industries, such as finance. Simple, transparent email
encryption between different users and systems should be a global
priority to achieve."

In healthcare provider organizations, encryption is often voluntary,
relying on the sender to decide whether to encrypt and take extra
steps to encrypt the message, Borten says. "This is a flawed approach
and leads to mistakes," she adds.

Taking Action

Rebecca Herold, president of Simbus, a privacy and cloud security
services, says healthcare organizations should consider implementing
various technologies that can help to reduce the risk of email-related
breaches.

Besides encryption, those include logging and message blocking that
can be "automatically and transparently apply these controls to all
the email accounts, or at a minimum, the email accounts that deal with
personal and sensitive data," she notes.

"Using encryption plug-ins for the corporate email addresses the
organization users' side issues, but not the outside recipients'
risks," she says. "But it is still a good option to implement. "

To address internal and external exchanges, "using email encryption
cloud services that keep the emails encrypted so that the cloud
service itself never can get access to the messages is a great way to
exchange such confidential communications," she adds.

Training, followed up with frequent security and privacy reminders,
can help cut down on mistakes by staff members, Herold notes.