June has been a busy month across healthcare, and not always for the best reasons. The number of data breaches at hospitals, health systems, health plans and elsewhere has been significant – even in comparison to the risk-fraught cybersecurity landscape we’ve all become accustomed to.
Here’s a partial list, including some high-profile names.
On June 3, Kaiser Permanente informed members of its Kaiser Foundation Health Plan of Washington of an unauthorized access incident that occurred on April 5, 2022.
Kaiser security officials “discovered that an unauthorized party gained access to an employee’s emails. We terminated the unauthorized access within hours after it began and promptly commenced an investigation to determine the scope of the incident. We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorized party, we are unable to completely rule out the possibility.”
PHI potentially exposed included names, medical record numbers, dates of service and lab results, officials said, but Social Security and credit card numbers were not included.
“We do not have any evidence of identity theft or misuse of protected health information as a result of this incident,” said Kaiser Permanente officials.
At Atrium Health, officials served notice this month that an unauthorized third party “gained access to a home health employee’s business email and messaging account” via a phishing exploit.
After that incident, which occurred in April, Atrium Health at Home secured the affected account, confirmed the unauthorized party had no further access, notified law enforcement and engaged an outside security firm.
“The behavior of the unauthorized party indicates they were likely focused on sending other phishing emails and not targeting medical or health information,” said Atrium officials. “Unfortunately, despite a thorough investigation, we could not conclusively determine whether personal information was actually accessed by the unauthorized party.”
Personal information in the affected account may have included names, home addresses, dates of birth, health insurance information and medical information, including dates of service, the provider and facility, and/or diagnosis and treatment information.
“For a limited subset of individuals, Social Security numbers, driver’s license/state ID numbers and/or financial account information also may have been involved,” officials said. “Our electronic medical record systems are separate from email accounts and were not affected by this incident.”
Also this month, UNC Lenoir Health Care disclosed an incident involving a breach of patient information by MCG Health, one of its third-party business partners.
MCG provides clinical support services, including patient care guidelines. UNC officials said that in December of 2021 and January of this year, MCG “was contacted by an unknown third-party who claimed to have improperly obtained patient data from MCG.”
This person “made a demand for money in exchange for the return of the patient data to MCG. MCG opened an investigation and contacted the FBI.”
MCG informed UNC Lenoir of the incident in April, the health system said, and its forensic investigators confirmed that health records for 10 patients were listed for sale on the dark web.
“These records are believed to have come from MCG,” said UNC officials. “Lenoir patient records were not found on the dark web, but MCG has determined that the unauthorized third-party may be in possession of Lenoir information which could include: patient name, Social Security number, medical codes, street address, telephone number, email address, date of birth and gender.”
At Quincy, Massachusetts-based Shields Health Care Group, which provides management and imaging services, healthcare customers were informed in June about some suspicious activity on its network.
“With the assistance of third-party forensic specialists, we took immediate steps to contain the incident and to investigate the nature and scope of the incident,” which occurred in March, officials said.
“An unknown actor gained access to certain Shields systems from March 7, 2022 to March 21, 2022,” according to Shields. “To date, we have no evidence to indicate that any information from this incident was used to commit identity theft or fraud. However, the type of information that was or may have been impacted could include one or more of the following: Full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information.”
Data breaches are nothing new in healthcare, of course, but in recent years the variety, frequency and, sometimes, severity of cybersecurity exploits have increased.
The U.S. Department of Health and Human Services has offered help. Most recently, its Health Sector Cybersecurity Coordination Center, or HC3, published new guidance on Strengthening Cyber Posture in the Health Sector on June 16. Among the steps it suggests:
Conduct regular security posture assessments.
Consistently monitor networks and software for vulnerabilities.
Define which department owns what risks, and assign managers to specific risks.
Regularly analyze gaps in your security controls.
Define a few key security metrics.
Create an incident response plan and a disaster recovery plan.
But some hospitals and health systems still think the feds should be doing more to help manage the increasingly challenging burden as healthcare cyberattacks intensify.
As Politico reported this past week, “from January through June, the Office of Civil Rights tallied 256 hacks and information breaches, up from 149 for the same period a year ago.”
As those attacks increase – posing serious risks to patient safety – healthcare leaders are asking the government to do more to help protect the critical IT systems of U.S. providers.
“It blows my mind that ultimately, it’s on the individual hospital systems to attempt to – essentially in isolation – figure it out,” Politico quotes Lee Milligan, chief information officer at Oregon-based Asante Health System. “If a nation state has bombed bridges that connect over the Mississippi River and connect state A and B, would we be looking at it in the same way? And yet the same risk to life happens when they shut down a health system.”