UnityPoint Health Notifies 1.4M Patients of Data Breach Caused by Phishing Attack | Healthcare Informatics Magazine | Health IT | Information Technology

UnityPoint Health Notifies 1.4M Patients of Data Breach Caused by Phishing Attack

July 31, 2018
by Rajiv Leventhal

UnityPoint Health, a health system based in Des Moines, Ia., has let about 1.4 million patients know that their personal and health information may have been compromised, according to a press release from the organization.

According to the release, on May 31, UnityPoint Health discovered that a phishing email attack had compromised its business email system and may have resulted in unauthorized access to protected health information and other personal information for some patients.

A forensics investigation revealed that UnityPoint Health received a series of fraudulent emails that were disguised to appear to have come from a trusted executive within the organization. The phishing emails tricked some employees into providing their confidential sign-in information, which gave attackers access to their internal email accounts between March 14 and April 3. Some of the compromised accounts included emails or attachments to emails, such as standard reports related to healthcare operations, containing protected health information and/or personal information for certain patients, according to UnityPoint Health officials.

"We take our responsibility to protect patient information very seriously and deeply regret this incident occurred," RaeAnn Isaacson, privacy officer, UnityPoint Health, said in a statement. "While we are not aware of any misuse of patient information related to this incident, we are notifying patients about what happened, what information was involved, what we have done to address the situation, and what patients can do to help protect their information."

Officials said that the phishing attack was more likely focused on diverting business funds like payroll or vendor payments, rather than on obtaining patient information.

Electronic medical record (EMR) and patient billing systems were not impacted by this attack, according to officials.  However, patient information that may have been in compromised email accounts included patient names and one or more of the following: addresses, dates of birth, medical record numbers, medical information, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and/or insurance information. For some individuals, information may have included a Social Security number and/or driver's license number. For a limited number of others, payment or bank information could have been breached.

The only unauthorized access to patient information may have occurred through compromised email accounts, where the information was contained in the body of an email or in attachments such as reports, officials asserted.


Twelve States File First Multistate Healthcare Data Breach Lawsuit

December 5, 2018
by Heather Landi, Associate Editor

State Attorneys General from a dozen states filed a lawsuit Monday against several health IT companies, and their subsidiaries, alleging that poor security practices led to theft of protected health information (PHI) of 3.9 million individuals during a data security incident in 2015.

The 66-page complaint, filed in the U.S. District Court for the Northern District of Indiana, names four companies or subsidiaries, including Fort Wayne, Ind.-based Medical Informatics Engineering and NoMoreClipboard LLC. In the lawsuit, the state AGs allege that the companies failed to take “adequate and reasonable measures” to ensure their computer systems were protected.

Over several weeks in May, hackers infiltrated and accessed the “inadequately protected computer systems” of the companies and were able to access and exfiltrate the electronic PHI of 3.9 million individuals, whose PHI was contained in an electronic medical record stored in the companies’ computer systems. The personal information obtained by the hackers included names, addresses and Social Security numbers, as well as health information such as lab results, health insurance policy information, diagnosis and medical conditions.

The lawsuit marks the first time state Attorneys General have joined together to pursue a HIPAA-related (Health Insurance Portability and Accountability Act) multistate data breach case in federal court, according to the Arizona Attorney General’s office. The lawsuit was filed by attorneys general from Arizona, Arkansas, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin.

According to a media report from azcentral.com, Arizonians were among those affected when hackers infiltrated WebChart, a web application operated by Indiana-based Medical Informatics Engineering Inc. and NoMoreClipboard (collectively known as MIE).

The 12 state AGs allege that the companies “failed to take reasonably available steps to prevent the breaches,” and “failed to disclose material facts regarding the inadequacy of their computer systems and security procedures to properly safeguard patients’ PHI, failed to honor their promises and representations that patients’ PHI would be protected, and failed to provide timely and adequate notice of the incident, which caused significant harm to consumers across the U.S.,” according to the complaint.

Further, the companies’ actions resulted in violations of state consumer protection, data breach and personal information protection laws, as well as federal Health Insurance Portability and Accountability Act (HIPAA) statutes, the lawsuit states.

In July 2015, MIE issued a statement acknowledging the data breach, classifying it as a “data security compromise that has affected the security of some personal and protected health information relating to certain clients and individuals who have used a Medical Informatics Engineering electronic health record.” The company also referred to it as a “sophisticated cyber attack.”

The company said that on May 26, 2015 it discovered suspicious activity in one of its servers. “We immediately began an investigation to identify and remediate any identified security vulnerability. Our first priority was to safeguard the security of personal and protected health information, and we have been working with a team of third-party experts to investigate the attack and enhance data security and protection. This investigation is ongoing. On May 26, 2015, we also reported this incident to law enforcement including the FBI Cyber Squad. Law enforcement is actively investigating this matter, and we are cooperating fully with law enforcement's investigation. The investigation indicates this is a sophisticated cyber attack. Our forensic investigation indicates the unauthorized access to our network began on May 7, 2015. Our monitoring systems helped us detect this unauthorized access, and we were able to shut down the attackers as they attempted to access client data,” the company said in a statement three years ago.

At the time, the company said it was continuing to take steps to remediate and enhance the security of its systems. “Remedial efforts include removing the capabilities used by the intruder to gain unauthorized access to the affected systems, enhancing and strengthening password rules and storage mechanisms, increased active monitoring of the affected systems, and intelligence exchange with law enforcement. We have also instituted a universal password reset,” the company said.

In a statement, Arizona Attorney General Mark Brnovich said the 12 AGs allege MIE is liable because, among other things, “it failed to implement basic industry-accepted data-security measures to protect ePHI from unauthorized access; did not have appropriate security safeguards or controls in place to prevent exploitation of vulnerabilities within its system; had an inadequate and ineffective response to the breach; and failed to encrypt the sensitive personal information and ePHI within its computer systems, despite representations to the contrary in its privacy policy.”

Minnesota Attorney General Lori Swanson said in a news release, “Patients expect health companies to protect the privacy of their electronic health records. This company did not do so.”

The lawsuit says the states are seeking unspecified statutory damages and civil penalties.


Top Three 2019 Healthcare Cybersecurity Trends

December 3, 2018
by Christian Aboujaoude, Industry Voice, Senior Director Enterprise Architecture, Scripps Health
There are non-complex strategies that can be easily implemented that can help keep data secure

In recent months, the healthcare industry has been the number one target of cyberattacks, exposing tens of millions of customers’ identities around the world, costing more than $1 billion USD in losses.

Executives from the National Association of County and City Health Officials say that healthcare breaches can cost up to $400 a patient, and yet, only 33 percent of the industry has taken the preventative measure of protecting themselves properly.  With billions of people across the world entrusting healthcare organizations to protect their identities, and these same organizations relying on their critical infrastructure to secure it all, it becomes crucial to not just have the right cybersecurity solution in place to stop an attack before it has a catastrophic impact, but to ensure they are able to prevent future ones from ever happening.

My provider organization—the San Diego-based Scripps Health—takes cybersecurity seriously, and has for many years. In 2013, we determined to take an identity-first approach to protect both internal and external data, and engaged with firms such as SecureAuth to pioneer an identity solution that would protect both internal and external data according to our unique needs. Today, we continue to evolve our solution to keep up with emerging threats, and to stay ahead of threat trends and attackers.

Below are some of the biggest cybersecurity threat trends facing the healthcare industry for 2019, and some recommendations to combat them.

The growing trend of blurring lines between personal and business activities online

We are starting to see a kind of “blurring-of-the-lines” between personal activity on the Internet, and the activities that are done from a business perspective. For example, people often use their work email address for personal things, and/or they don’t know how to disable certain device tracking settings, such as cookies, that track their every move. Unfortunately, they don’t believe that it’s actually a problem, when indeed, it is. It’s like leaving the door open for people with malintent to send phishing emails so targeted that it’s often hard to decipher what’s real.  

Even more sophisticated, very targeted phishing attacks

According to one 2018 study, mobile device phishing attacks are up 85 percent, year-over-year, since 2011, and the reason has to do with the increasing amount of data collected by every site and app visited on your mobile device.

The easiest thing to do is go on your phone, do a search on the Internet, and within a couple of hours, you go onto Facebook or Instagram, for example, and you’ll notice that all of a sudden, you have targeted marketing in your feed based on your previous search. That data from your search is also sent to other organizations, which means many things people do online are no longer private, leaving you open for a very targeted phishing attack.

To try to prevent these emails from getting through, we're constantly improving the environment by adding triggers that identify whether our users should trust them or not.

The continual rapid rise of identity theft

2017 saw an unprecedented number of identities stolen, to the tune of 158 million Social Security numbers and 16.5 million credit card numbers—and 27 percent of those thefts belonged to the healthcare industry, according to Experian’s latest identity theft statistics. It’s the continual rise of these thefts that has prompted us to think outside of the box, and into the future, on how to protect patients and employees.

We need to create an external identity and an internal identity, and what I mean by that is, we need the external world to see us one way (our presence on the Internet), and then the internal systems need to have a mask of sorts, like a VPN, to prevent attackers from being able to monitor activity.  From a cloud perspective, it’s imperative to use a service proxy from an identity provider to authenticate back and forth.

We use biometrics to ensure that the right user is supposed to be taking the action they are trying to take. We also lock down access to certain websites to be from an internal IP range, versus having the open Internet all the time.  Taking these measures reduces the amount of exposure that attackers have from an outside perspective.

What’s more, here are some things that are easily implemented that can help keep data secure:

Continuous education

At Scripps Health, we implemented a mandatory, continuous education program for employees that helps them to understand how their personal actions on business devices, emails, and so forth, can have a detrimental effect on the organization.

It all starts with humans, and whether intentional or unintentional, we all make mistakes.  Thus, we are working to reduce these behaviors while avoiding the creation of a negative and overly complex experience for our employees.  From a user perspective, security is attached to everything we do. We aren’t always aware of that, and we need to be.  From an IT perspective, it’s around understanding business process in order to build the right cybersecurity framework.

Continuous evolution

While education is a significant preventative measure, the evolution of the environment to account for future new kinds of attacks is even greater.

Most people have not spent a lot of time thinking about how they change their environment, how they change their actions, and leverage a Security Operations Center (SOC), and in my opinion, that needs to change significantly.  I really like to implement processes that we can leverage and expand on. It’s vital to the health of our infrastructure.

Having the right tools in place

To continue to protect the environment, we have made a significant investment in the tools we use to keep our infrastructure safe.

We believe that having the right tools in place reduces negativity and complexity in our environment.  In fact, I don’t subscribe to the opinion of needing to have complexity to have security. The more complex your infrastructure is, the more exposed you are.



Atrium Health’s Billing Vendor Hacked, 2.65M Patients Affected

November 28, 2018
by Rajiv Leventhal, Managing Editor

The personal health data of more than 2 million Atrium Health patients has been compromised following a hack on the organization’s third-party billing vendor, AccuDoc.

According to a joint news release from Atrium Health, formerly Carolinas HealthCare System headquartered in Charlotte, and the billing vendor AccuDoc, an unauthorized third party gained access to AccuDoc’s databases sometime between September 22 and September 29. Importantly, noted officials, forensic investigations indicated that the information was not removed from AccuDoc’s systems.

According to officials, the databases accessed by the unauthorized third party contained information provided in connection with payment for healthcare services at an Atrium Health location, and at locations managed by Atrium Health, including Blue Ridge HealthCare System, Columbus Regional Health Network, NHRMC (New Hanover Regional Medical Center) Physician Group, Scotland Physicians Network and St. Luke’s Physician Network.

Information that may have been accessed includes certain personal information about patients and guarantors, such as first and last name, home address, date of birth, insurance policy information, medical record number, invoice number, account balance, dates of service and, in some instances, Social Security numbers.

Officials did note that since Atrium Health’s core systems and those of its managed locations are separate from AccuDoc’s systems and were not involved in this incident, personal clinical and medical records were not involved, nor was financial account information, such as bank account numbers or credit card or debit card information.

According to an Atrium Health spokesperson, “The exact number [of affected records] is hard to pinpoint, but based on our investigation it looks like the unauthorized user gained access to databases that had about 2.65 million records. Of the 2.65 million, it appears around 700,000 included Social Security numbers. It is very important to understand that the data was accessed but not downloaded in this incident. Our forensics reports indicate they were not able to actually download or remove the files.”

However, according to a report in the Charlotte Observer, AccuDoc general counsel Kenneth Perkins did not rule out that more patients might be affected than the number disclosed, adding that “it’s highly unlikely the number will grow. That’s because the current figures are based on entire databases of patients out of an abundance of caution,” he said, according to that report. The story also noted that one other AccuDoc client, Baylor Medical Center at Frisco in Texas, was affected by the hack. Data for about 40,000 people were impacted at that hospital.

Atrium Health operates 44 hospitals across North Carolina, South Carolina and Georgia, and is the largest healthcare provider and employer in Charlotte. AccuDoc is a Morrisville, N.C.-based company that provides billing and other services for healthcare providers.

Currently, AccuDoc and Atrium Health are contacting patients and guarantors whose information was in the affected databases “out of an abundance of caution,” officials said.
