[BreachExchange] Tech Vendor Email Breach Affects Dozens of Health Entities

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Thu Jan 6 10:29:17 EST 2022


https://www.inforisktoday.com/tech-vendor-email-breach-affects-dozens-health-entities-a-18244

A healthcare technology vendor is notifying dozens of its healthcare
provider clients of an email security breach affecting their patients'
protected health information. Experts say the incident serves as the latest
reminder of the risks business associates pose to sensitive healthcare data.

In a notice posted on its website, Ciox Health, an Alpharetta,
Georgia-based healthcare information management vendor, says that between
Nov. 23 and Dec. 30, 2021, it began the process of notifying healthcare
provider customers of an email compromise last summer affecting some of
their patients' PHI.

Ciox in the notice also included a list of about 32 healthcare providers
affected by the incident.

The affected entities include a wide range of different types of healthcare
providers, including medical specialty practices such as Alabama
Orthopaedic Specialists; community hospitals, such as Cameron Memorial
Community Hospital; regional medical centers including Niagara Falls
Memorial Medical Center; and large university-affiliated health delivery
networks, including Ohio State University Health System.

Business associates and other vendors have been at the center of many major
recent health data breaches.

The Department of Health and Human Services' HIPAA Breach Reporting Tool
website on Wednesday showed that of the 698 major health data breaches
affecting 45.1 million individuals posted to the site in 2021, 245
incidents affecting more than 21.1 million involved business associates.

That means business associates were involved in about 35% of all major
health data breaches posted so far on the HHS site in 2021, but those
vendor incidents were responsible for nearly 47% of the individuals
affected.

Breach Details
In its notice, Ciox says an unauthorized person accessed one Ciox
employee’s email account between June 24 and July 2, 2021, potentially
downloading emails and attachments contained in the account.

Ciox Health says that on Sept. 24, it learned that some emails and
attachments in the compromised employee’s email account contained "limited"
patient information related to Ciox billing inquiries and other customer
service requests. The review was completed on Nov. 2, Ciox says.

"Since then, we have worked with the providers to notify the affected
individuals whose information was identified by the review," Ciox says.

Information contained in the compromised email account included patient
names, provider names, dates of birth, and/or dates of service, Ciox says.
In addition, in some limited instances, information affected also included
Social Security numbers or driver’s license numbers, health insurance
information, and/or clinical or treatment information, the statement says.

"It is important to note that the Ciox employee whose email account was
involved did not have direct access to any healthcare provider’s or
facility’s electronic medical record system," Ciox says.

"Ciox believes that the account access occurred for purposes of sending
phishing emails to individuals unrelated to Ciox, not to access patient
information," the notice adds.

More Entities Affected?
Beyond the list of affected healthcare providers named on Ciox's website,
some additional entities have also separately begun notifying their
patients that they too were affected by the Ciox incident.

For instance, UVA Health, in a Dec. 3 public notice, said 429 patients of
its UVA Medical Center in Charlottesville, Virginia, and UVA Culpeper
Medical Center in Culpeper, Virginia, were affected by the Ciox Health
incident.

Ciox did not immediately respond to Information Security Media Group's
request for additional details about the incident, including the total
number of clients and individuals affected.

Taking Action
So, what steps can covered entities take to help better prevent their
patients' PHI falling victim to vendor breaches, including those involving
email compromises?

"One of the fundamental steps is to know who your business associates and
vendors are. Once a covered entity has developed a comprehensive inventory,
it can begin to understand the type, movement, and access to its data,"
says Dawn Morgenstern, who leads vendor risk management services at privacy
and security consultancy Clearwater.

Another step is to assess vendors to understand where there are gaps and
risks to their security posture, she suggests. "Assessments can provide
valuable information regarding the business associate's training program,
compliance, and security controls implemented," she advises.

Also among the most critical measures that healthcare providers can take
are having a comprehensive business associate agreement and "obtaining
reasonable assurances by creating a one-page attestation," says regulatory
attorney Rachel Rose.

That attestation should accompany the business associate agreement, and
include several critical questions and components, she suggests.

Rose recommends that attestations include a statement about "truthfulness"
and a signature line, plus these questions:

- Does your organization require annual training for workforce members?
- Do you undergo an annual risk analysis to evaluate the requisite technical,
  administrative, and physical safeguards?
- Do you have business associate agreements in place with all required
  persons?
- Is your data encrypted both at rest and in transit?

"This way, a healthcare provider not only has reasonable assurances
obtained to hand over to the HHS Office for Civil Rights or another
government agency, but in the event of a business associate breach, if the
business associate was untruthful, it could provide the healthcare provider
with additional legal recourse," Rose says.

“In addition to ongoing awareness training and deploying software, choosing
the right IT and other business partners is crucial, as well as staying
abreast of new types of attacks," she says.

Stay Vigilant
Morgenstern urges organizations to stay vigilant. "Too often, covered
entities and business associates think that once they address an incident
or breach, they are done. Wrong. Bad actors are always looking for ways to
exploit vulnerabilities and they continually change their methods and
levels of sophistication," she says.

Covered entities should continually monitor industry trends,
assess/reassess their business associate/vendor relationships, and keep
leadership and their board informed about any potential risks, she says.

"Cybersecurity is an ongoing process that requires adequate resources to
combat the threats and vulnerabilities."

For its part, Ciox in its statement says that to help prevent future
similar incidents, it is evaluating implementing additional procedures to
strengthen its email security, including providing "enhanced cybersecurity
training" to employees.