Victim Tallies Climb as Breach Investigations Continue
Ongoing investigations of two apparently unrelated phishing-related breaches that both affected members of Albuquerque, New Mexico-based Presbyterian Health Plan have revealed that the incidents had an even bigger and broader impact than originally thought. The investigations underscore the challenges organizations often face when assessing the true impact of breaches.
Back in August, Albuquerque, New Mexico-based Presbyterian Healthcare Services, parent organization of the health plan, issued a notification statement about a phishing incident involving employee email accounts that was discovered in June. The organization reported to federal regulators that it affected more than 183,000 individuals.
But now a spokeswoman says that on Nov. 25, Presbyterian Health Plan notified 276,000 individuals about being impacted by the phishing incident.
“As the investigation has continued, we learned of additional individuals affected by this incident and mailed notification on Nov. 25. Approximately 276,000 individuals received this additional notification,” she says.
“While our investigation is ongoing, we want to stress that we have no evidence indicating that any patient or member data has been used in any way and there was no access to our electronic health record or billing systems,” Dale Maxwell, president and chief executive officer, Presbyterian Healthcare Services – the parent organization of the health plan – says in a statement provided to Information Security Media Group.
Presbyterian Health Plan did not immediately respond to an ISMG inquiry Wednesday to clarify whether any of the original 183,000 individuals notified in August about the phishing incident are included among those who received the 276,000 letters recently mailed.
The company’s updated notification statement about the incident says that among those being notified are “some individual providers in the Presbyterian Health Plan network, including Presbyterian-employed providers.”
Another Growing Phishing Breach
Meanwhile, another investigation of a separate phishing-related breach originally thought to have affected only Presbyterian Health Plan members has determined that members of three more health plans were also impacted.
Back in mid-September, Scottsdale, Arizona-based Magellan Health issued a statement saying two of its subsidiaries – National Imaging Associates and Magellan Healthcare – “discovered a potential data breach related to protected health information belonging to members of Presbyterian Health Plan.”
Magellan Healthcare reported nearly 56,000 individuals were affected, and NIA reported about 600 individuals were affected, according to the Department of Health and Human Services’ HIPAA Breach Reporting Tool website listing major health data breaches affecting 500 or more individuals.
In an updated notification statement, NIA says it determined in November that members of Jacksonville, Fla.-based Florida Blue Health Plan; Buffalo, N.Y.-based Independent Health, and Honolulu, Hawaii-based HMSA were also impacted by the incident.
Magellan did not immediately respond to an ISMG inquiry about the number of individuals impacted at each of the three additional health plans.
“Magellan is not at liberty to share such plan-specific information without the approval of the impacted health plan,” a spokeswoman told ISMG in a statement. “The number of health plans impacted in the security incident represents a very small percentage of Magellan’s total business.”
In its new notification statement, NIA says that it found “an anonymous, unauthorized third party accessed the email accounts of two employees who handle member data for PHP. The unauthorized access occurred on May 28 and June 6, 2019.”
As a result of the hacking incident, PHI belonging to members of those health plans may have been accessed, the company says.
The affected email accounts included health care claims information and/or benefit authorization information, which may have included health plan member name, date of birth, member ID, provider name, authorization determination and/or number, claim number, dates of service, and billing codes or benefit descriptions such as diagnosis or procedure, the statement says.
“A third-party expert assisted in our investigation, which found no evidence that PHI has actually been accessed as a result of this incident. We also found no compromise or unauthorized intrusion into any of our other systems used to handle member or provider personal information.”
Some experts note that the growing victim tallies in the Magellan and Presbyterian Health Plan incidents reflect the challenges that organizations often face in assessing the damage in the wake of a breach, as well as fulfilling regulatory breach reporting requirements.
For instance, under the HIPAA Breach Notification Rule, covered entities must report health data breaches affecting 500 or more individuals to HHS’ Office for Civil Rights without unreasonable delay and no later than 60 days after discovery of the breach; affected individuals must be notified within the same time frame.
“A breach investigation, like any investigation, takes time and expertise,” says Jon Moore, chief risk officer at privacy and security consulting firm Clearwater.
“The larger the breach and the more complex the circumstances, the longer the investigation is likely to take. Also, organizations are sometimes slow in getting the forensic experts engaged to begin with. In both cases, if the organization knows there are more than 500 individuals impacted and the 60-day clock is expiring, they need to report even though the investigation is incomplete.”
If an organization does not have breach response processes in place and has not practiced its response, it will face challenges, Moore adds.
“As a result, they will often submit a report and make notifications based on limited or inaccurate information. In addition, most organizations do not have the required forensic expertise on staff and must look to third parties to provide it,” he says. That’s why it’s important to identify in advance a firm to perform a breach forensics investigation, if needed.
“Also, if they are not careful, the evidence associated with the breach may be corrupted before the forensic experts arrive, further impeding the investigation,” he says.
The impact of phishing attacks can be much more expansive than initially determined, security experts warn.
“Phishing attacks typically will go after multiple targets – as opposed to spear phishing or whaling attacks that are more focused – and it is not unusual for more than one person to fall for the attack,” Moore says.
“There are also multiphase attacks where the attacker first gains access to an email account through phishing then uses the compromised email account to go after others in the organization with targeted emails from that account,” he notes.
“In addition, a phishing email might contain malware that gives the attacker broader access to the organization, allowing them to go laterally and impact additional accounts.”
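As an added illustration of the multiphase pattern Moore describes (a phished mailbox reused to send the same lure to colleagues, which is how one compromised account turns into several), the following Python is example code written for this edit; it is not from the article or from any of the organizations named in it. The log format, the account names, the IP addresses, the internal address range, the internal domain and the thresholds are all constructed assumptions chosen to make the script run offline.

```python
"""Flag a mailbox that starts fanning out identical mail to colleagues
shortly after a login from outside the organization's networks.

Added example. Everything below (log format, addresses, thresholds) is
constructed for illustration; adapt the parser to your own mail and
authentication logs.
"""
import ipaddress
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: the organization's own address space and mail domain.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
INTERNAL_DOMAIN = "example.org"

# Constructed sample log. Two record types:
#   <ISO time> login <user> <source_ip>
#   <ISO time> send  <from> <to> "<subject>"
SAMPLE_LOG = """\
2019-06-06T08:02:11 login alice@example.org 10.0.4.17
2019-06-06T08:10:45 send alice@example.org bob@example.org "Q2 budget"
2019-06-06T13:41:02 login alice@example.org 203.0.113.55
2019-06-06T13:43:10 send alice@example.org bob@example.org "Shared document for review"
2019-06-06T13:43:12 send alice@example.org carol@example.org "Shared document for review"
2019-06-06T13:43:15 send alice@example.org dave@example.org "Shared document for review"
2019-06-06T13:43:19 send alice@example.org erin@example.org "Shared document for review"
2019-06-06T13:43:22 send alice@example.org frank@partner.test "Shared document for review"
2019-06-06T14:00:00 login bob@example.org 10.0.4.22
2019-06-06T14:05:00 send bob@example.org alice@example.org "Re: Q2 budget"
"""


def parse_log(text):
    """Turn the constructed log text into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = shlex.split(line)  # keeps the quoted subject as one field
        ts = datetime.fromisoformat(parts[0])
        if parts[1] == "login":
            events.append({"ts": ts, "kind": "login", "user": parts[2], "ip": parts[3]})
        elif parts[1] == "send":
            events.append({"ts": ts, "kind": "send", "user": parts[2],
                           "to": parts[3], "subject": parts[4]})
    events.sort(key=lambda e: e["ts"])
    return events


def is_external(ip):
    """True when the source address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def find_internal_fanout(events, window=timedelta(minutes=30), min_recipients=3):
    """Report accounts that, within `window` of an external login, send the
    same subject to at least `min_recipients` distinct internal addresses.

    Returns a list of findings; each lists the colleagues who received the
    lure, i.e. the accounts that now also need to be checked.
    """
    last_external = {}            # user -> (login time, source ip)
    fanout = defaultdict(set)     # (user, subject) -> internal recipients
    source_ip = {}                # (user, subject) -> the external login ip
    for e in events:
        if e["kind"] == "login":
            if is_external(e["ip"]):
                last_external[e["user"]] = (e["ts"], e["ip"])
            continue
        login = last_external.get(e["user"])
        if login is None or e["ts"] - login[0] > window:
            continue                      # no recent external login: ignore
        if not e["to"].endswith("@" + INTERNAL_DOMAIN):
            continue                      # only count internal targets
        key = (e["user"], e["subject"])
        fanout[key].add(e["to"])
        source_ip[key] = login[1]
    findings = []
    for (user, subject), rcpts in fanout.items():
        if len(rcpts) >= min_recipients:
            findings.append({"account": user, "login_ip": source_ip[(user, subject)],
                             "subject": subject, "recipients": sorted(rcpts)})
    return findings


if __name__ == "__main__":
    for f in find_internal_fanout(parse_log(SAMPLE_LOG)):
        print(f"{f['account']} (login from {f['login_ip']}) sent "
              f"{f['subject']!r} to {len(f['recipients'])} colleagues: "
              f"{', '.join(f['recipients'])}")
```

On the constructed log the script flags only alice's afternoon burst: the morning message went out before any external login, the copy to the partner domain is not counted, and bob's reply has no external login behind it. The recipient list is the practical output; each of those mailboxes is a candidate second-stage victim and belongs in the scope of the investigation before the first notification tally is treated as final.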