Hacking Incidents Involving Email Are Common
The HHS OCR HIPAA Breach Reporting Tool website lists health data breaches affecting 500 or more individuals.
Three weeks into the new year, several hacking incidents involving email have already been added to the federal tally of major health data breaches.
A snapshot Tuesday of the Department of Health and Human Services’ HIPAA Breach Reporting Tool website shows seven data breaches have been added so far in 2020, affecting a total of nearly 131,000 individuals.
All but one of those were reported as hacking/IT incidents involving email.
Commonly called the “wall of shame,” the federal website lists health data breaches impacting 500 or more individuals.
The wall of shame on Tuesday listed 3,065 reported health data breaches affecting a total of 232.4 million individuals since 2009.
The largest of the breaches added to the federal tally so far in 2020 is an incident affecting more than 49,000 individuals reported on Jan. 3 by Minnesota-based Douglas County Hospital, which is operated by Alomere Health.
In a Jan. 3 statement, Alomere says that on Nov. 6, 2019, it learned that an unauthorized person gained access to an Alomere Health employee’s email account between Oct. 31 and Nov. 1. “We immediately secured the account and began an investigation with a leading computer forensic firm hired to assist. During the investigation, on Nov. 10, 2019, we discovered unauthorized access to a second employee email account occurring on Nov. 6, 2019,” the statement notes.
“We determined that portions of some patients’ information were contained in the email accounts. This information may have included patients’ names, addresses, dates of birth, medical record numbers, health insurance information, treatment information, and/or diagnosis information. For a limited number of patients, Social Security number and/or driver’s license numbers were also found in the accounts.”
Alomere Health says it has no confirmation that patient information was actually viewed by the unauthorized person, or that it has been misused.
Another email-related incident recently added to the federal tally, which was reported on Jan. 3 by Portland, Oregon-based Native American Rehabilitation Association of the Northwest, affected more than 25,000 individuals.
In a statement posted on the organization’s website last week – which has since been removed – NARA said the attack, which took place on Nov. 4, 2019, and involved Emotet Trojan malware, “a credential stealer that can also obtain emails and files in email attachments.”
The Oregon organization said in the statement that “it is possible that the hackers obtained emails and attachments in the impacted accounts, some of which held protected health information.”
NARA did not immediately respond to an Information Security Media Group inquiry about the removal of its breach notification statement from its website, or to its request for additional information about the incident.
Of course, there have been public revelations of other health data security incidents in 2020 that have not yet shown up on the HHS breach site.
In a statement, Enloe Medical Center says its network infrastructure was attacked on Jan. 2. “Essentially, data on the network was encrypted in a way that it was not immediately accessible by the hospital. Per industry recommendations, Enloe IT security notified local law enforcement and the FBI,” the statement says.
More than three dozen 2019 breach reports have been added to the HHS breach tally website since mid-December.
HHS’s Office for Civil Rights, which enforces HIPAA, adds breaches to the tally after it evaluates and confirms details.
As of Tuesday, the HHS website shows a total of 505 breaches reported to the agency in 2019 impacting more than 41.2 million individuals.
Of those, 298 were reported as hacking/IT incidents, impacting 36.1 million individuals – or nearly 90 percent of those affected by major health data breaches in 2019.
Among the most disturbing additions late in 2019, was an incident at The Center for Facial Restoration, a plastic surgery clinic located in Miramar, Florida, in which hackers not only exfiltrated patients’ medical records and tried to extort a ransom from the clinic, but also demanded ransoms be paid by some patients (see: Ransom Demanding Gangs Target Fresh Victims: Patients).
In light of recent breach trends, what steps should healthcare entities be taking to protect email systems – beyond awareness training for their employees to spot phishing scams before they click?
Tom Walsh, CEO of consultancy tw-Security advises organizations to:
- Turn on the email rule that warns users when an email originates from an external source;
- Block file attachments that could contain ransomware or other malicious code;
- Update their on premises email servers or use a cloud service for email hosting;
- Establish better security controls on webmail. Those controls include implementing multifactor authentication, prohibiting access to personal webmail through organizational resources, and opening and testing embedded hyperlinks contained within emails in a safe environment – i.e. sandbox – before allowing the email to pass through to the email server.
In addition, Walsh recommends organizations remove or restrict certain types of protocols used by system administrators or by email vendors.
“For example, protocols and services used by Microsoft Exchange which could exploited include Exchange Web Services and Remote Procedure Call,” he says.
“Many users have the same password for their email as they do for their organization’s HR/payroll system … That means if a hacker can get a user’s email credentials, then they try to get into the employee portal to redirect their payroll deposit to an offshore bank account.”
—Tom Walsh, tw-Security
“Make sure system administrators have dedicated admin accounts for email. Also, remind the workforce the password they use for their own personal webmail or for a consumer website – for example, Amazon.com – cannot be used as a password for access to any organizational application or system. People have a tendency to reuse passwords because they cannot remember a lot of different passwords, especially if the passwords change frequently. Consumer webmail and websites have been hacked and user credentials have been taken.”
Kate Borten, president of privacy and security consulting firm The Marblehead Group, stresses the importance of “effective workforce training” on data security issues.
“Training must be more than an annual refresher, and it must be engaging,” she says. “Further, all but the smallest organizations should be routinely running simulated phishing attacks and following up with anyone who falls for the attack. Results should be documented and analyzed, with real consequences for individuals who fail.”
So what kinds of breaches should healthcare entities be on alert for as 2020 progresses?
“Ransomware is almost certain to continue to be a lead cause of health data breaches,” Borten predicts. “It is a low-budget attack that can yield nice profits for the perpetrators. And success relies in part on individuals who are not being mindful.”
Walsh predict the focus of the hackers will shift from protected health information to personally identifiable information. “Many users have the same password for their email as they do for their organization’s HR/payroll system – primarily because both may use the same Active Directory credentials. That means if a hacker can get a user’s email credentials, then they try to get into the employee portal to redirect their payroll deposit to an offshore bank account.”
Most organizations have well written policies regarding the use and disclosure of PHI, he contends. “When I ask, ‘May I see your use and disclosure policies on PII?’ – many do not have anything. Privacy officers need to have a more global approach to data privacy – not just focus solely on PHI.”