[BreachExchange] 4 Healthcare Providers, Vendors Report Data Breaches From 2020

Destry Winant destry at riskbasedsecurity.com
Mon Apr 26 10:20:40 EDT 2021


https://healthitsecurity.com/news/4-healthcare-providers-vendors-report-data-breaches-from-2020

In recent weeks, a number of HIPAA-required notifications from covered
entities and business associates have reported patient data breaches that
occurred in 2020: Beacon Health Solutions, Planned Parenthood of
Metropolitan Washington, DC, VEP Healthcare, and Administrative Advantage.

However, under HIPAA, covered entities and relevant business associates are
required to report data breaches impacting more than 500 patients within 60
days of discovery—not at the close of an investigation.

As exhaustively reported by HealthITSecurity.com, HIPAA explains in great
detail that a breach is determined “discovered” by the entity through
reasonable diligence: “the ‘business care and prudence expected from a
person to satisfy a legal requirement under similar circumstances.’”

That means that even when an investigation is ongoing, the Office for Civil
Rights does not make an exception to the timeline. In fact, the only
exception to the rule is when it’s requested by law enforcement.

“Timing begins on when it is known, not when the investigation is complete
— even if it is initially unclear whether the incident constitutes a breach
as defined in the rule,” renowned healthcare attorney with Clark Hill
Strasburger, Corinne Smith, previously explained. “The 60 days are an outer
limit and in some cases it may be an unreasonable delay to wait 60 days.”

“It’s not a good idea to wait until your forensics investigation is
complete before thinking about providing notice,” she continued. “It’s best
to run parallel tracks – one preparing to notify patients and the other
running the investigation.”

BEACON HEALTH REPORTS DATA BREACH FROM OCTOBER 2020

An undisclosed number of patients are being notified that their health
information and personal data were compromised and acquired in October 2020,
after a security incident at Beacon Health Solutions.

Florida-based Beacon Health is a third-party administrator for managed
healthcare plans.

On October 5, the business associate “experienced a data security incident”
that prevented access to its data and systems. An investigation conducted
with assistance from an outside digital forensics firm concluded on January
29, 2021.

The review determined both personal and protected health information was
acquired during the incident. The impacted data varied by patient but could
include patient names, contact details, Social Security numbers, driver’s
licenses, and health insurance information.

Medical data was also compromised or stolen during the incident and could
include Member or Medicaid ID numbers, treatments, diagnoses, dates of
service, provider names, patient account numbers and medical record numbers.

The notice does not provide further information on just what occurred, nor
why Beacon Health waited more than five months to notify patients that
their data had been stolen by hackers.

PLANNED PARENTHOOD OF WASHINGTON, DC REPORTS SEPTEMBER 2020 BREACH

An undisclosed number of patients of Planned Parenthood of Metropolitan
Washington, DC (PPMW) were recently notified that their data was acquired
during a security incident nearly six months ago in September 2020.

Unusual network activity was discovered on September 3, 2020, and PPMW took
steps to secure the system. An investigation was launched with assistance
from a third-party cybersecurity team, which concluded on October 21, 2020.

The team found that a hacker first gained access to the network on August
27, 2020, and that the access ended more than a month later, on October 8,
2020. During that time, the attacker stole copies of patient-related
documents.

The stolen data varied by individual and could include names, dates of
birth, contact information, medical record numbers, provider names, dates
of service, diagnoses, treatments, and/or prescription information.

For some patients, health insurance details, financial account information,
and SSNs were also part of the acquired data. These patients will receive
complimentary credit monitoring and identity theft protection services.

PPMW did not explain the reason for the months-long gap between the
breach’s discovery and the patient notifications. The health clinic is
continuing to work with law enforcement.

VEP HEALTHCARE REPORTS PHISHING INCIDENT FROM 2020

A phishing attack on California-based VEP Healthcare led to the compromise
of several employee email accounts in 2020 and resulted in the compromise
of some patient data.

VEP Healthcare is a business associate that provides emergency and hospital
staffing management services and staffing for urban trauma centers and
community hospitals.

The notice does not detail when the incident was first detected. But upon
discovering the email-related incident, VEP launched an investigation with
support from outside cybersecurity professionals that concluded on March
21, 2021.

A manual review determined that an attacker gained access to the accounts
for about two months, between November 15, 2019 and January 20, 2020. The
notification does not outline the impacted data, just that the accounts
contained “personal information.”

VEP has since bolstered its email security, updated security policies and
procedures, and provided employees with further security training.
Officials said they’re also in the process of implementing two-factor
authentication.

THIRD-PARTY VENDOR INCIDENT IMPACTS REMEDY MEDICAL GROUP

Some patient data belonging to Remedy Medical Group in California was
compromised last year, after an email hack against its billing support
services vendor, Administrative Advantage (AA).

Unusual activity was discovered on an AA employee email account in July
2020. Working with third-party computer specialists, AA determined the
impacted email account was accessed by a hacker for several weeks between
June 23, 2020 and July 9, 2020.

The account contained certain information received from its client
providers, but AA could not conclusively determine whether the attacker
accessed the information.

The affected data varied by individual but could include names, SSNs,
financial accounts, driver’s licenses, state IDs, credit cards with
expiration dates and CVVs, passports, electronic signatures, credentials,
medical record numbers, Medicare or Medicaid numbers, treatment locations,
diagnoses, health insurance information, lab results, and other treatment
data.

Impacted patients will receive identity theft protection services. AA is
currently reviewing its existing security policies and procedures and
conducting further employee training to reduce risk to the enterprise.

MALWARE ATTACK ON AMERICAN COLLEGE OF EMERGENCY PHYSICIANS

About 70,349 former and current members of the American College of
Emergency Physicians are being notified that their data was compromised
during a months-long malware attack in 2020.

ACEP provides professional organization services to members and healthcare
organizations, including the Emergency Medicine Foundation, Emergency
Medicine Residents’ Association, and the Society for Emergency Medicine
Physician Assistants.

On September 7, 2020, the security team first detected unusual activity on
its systems. A forensics review of the incident found that an attacker
compromised credentials by hacking a separate server that stored SQL
database credentials.

The credentials allowed for unauthorized access to the members’ data for
more than five months, between April 8, 2020 and September 21, 2020. The
investigation could not rule out access to the data stored on the servers.

The affected information includes member, customer, or donor details,
including contact details, SSNs, and/or usernames or email addresses and
hashed passwords. No patient or health information was involved in the
incident.

ACEP has since rebuilt the impacted server and issued a password reset, in
addition to implementing further security measures.

ACCELLION BREACH TALLY INCLUDES MEMORIAL SLOAN KETTERING CANCER CENTER

Memorial Sloan Kettering Cancer Center (MSK) recently notified 1,893
patients that their data was included in the massive compromise of
third-party service vendor Accellion.

First reported in February, threat actors exploited several unpatched
vulnerabilities in Accellion’s File Transfer Appliance (FTA) and stole a
trove of sensitive information in a widespread extortion campaign.

A wide range of companies were impacted by the incident, including those in
the medical, financial, legal, energy, and telecommunications sectors.
Centene, Trillium Community Health Plan, the Southern Illinois University
School of Medicine, and Kroger were also among the healthcare victims.

Accellion informed MSK on January 23 that its document-sharing systems were
included in the incident, which allowed the attackers to access and copy a
subset of electronic documents stored on the system.

The investigation determined the access occurred January 20 to January 22,
resulting in the unauthorized access of documents that contained the
personal health information of some MSK patients.

The affected information varied by patient and could include names, dates
of birth, contact information, test results, and treatments. For just three
patients, SSNs or financial information was also compromised.

MSK continues to have access to all documents stored on the impacted system
but will not be putting the Accellion FTA back into service.