Second Largest Health Data Breach So Far This Year
A California-based genetic testing laboratory has reported an email hacking incident that may have exposed medical information on nearly 233,000 individuals. It’s the second-largest health data breach posted to the federal health data breach tally so far in 2020.
See Also: API Security: Making Sense of the Market
The incident that Ambry Genetics reported on March 22 to the U.S. Department of Health and Human Services also serves as a reminder about the cyberthreats facing all laboratories and other healthcare entities that handle sensitive patient information – including medical testing data related to the COVID-19 pandemic.
“Labs are handling more tests than in normal times, increasing the amount of patient data stored, processed or transmitted,” says Keith Fricke, principal consultant at tw-Security.
“Criminals may see this as another source of information to steal for financial gain. Additionally, IT departments continue to focus on the support needs of a remote workforce and setting up technology infrastructure for COVID-19 triage and treatment tents. Consequently, less time may be spent on monitoring network activity, unless a third party is contracted to monitor network and system event logs.”
The Breach Tally
As of Friday, the Ambry Genetics breach was the second largest health data breach in 2020 on HHS’ HIPAA Breach Reporting Tool website, which lists health data breaches impacting 500 or more individuals.
The largest breach, which involved the theft of an unencrypted laptop, was reported in February by Health Share of Oregon. That incident affected nearly 654,400 individuals (see: Breach Report: Sometime Encryption is Still Overlooked).
So far in 2020, 35 of the 36 largest breaches posted to the HHS tally were reported as hacking/IT incidents.
“Hacking usually yields the largest access to patient information,” Fricke notes. “Unprotected portable devices that are lost or stolen can contain a lot of information, but generally not as much as a clinical system with a database of patients.”
Ambry Breach Details
In a statement posted on its website, Aliso Viejo, California-based Ambry Genetics, a Konica Minolta company, says its security team identified unauthorized access to an employee’s email account between January 22 and 24.
“We promptly initiated an investigation, with the assistance of outside experts. The investigation was unable to determine whether there was unauthorized access to, or acquisition of, any particular information from the email account, and we are not aware of any misuse of any personal information.”
The company says it’s notifying customers because of the potential of their personal information being disclosed in the incident. That information includes customers’ names, medical information, information related to customers’ use of Ambry’s services and, in some cases, Social Security numbers, the statement says.
“We have taken steps designed to prevent this type of event from happening again, including through an ongoing effort to enhance our security measures and to provide additional training to employees,” the statement says. The company says it is also offering identity monitoring services to potentially impacted individuals.
Ambry Genetics did not immediately respond to an Information Security Media Group request for additional details about the breach, including whether any genetic information was potentially exposed.
Protecting Sensitive Data
Healthcare entities that handle especially sensitive patient information need to be vigilant in protecting the security and privacy of that data.
“Genetic information is considered to be especially sensitive because it is unique to the individual, cannot be de-identified and will forever be linked to only one person in the world,” says privacy attorney David Holtzman of the security consultancy CynergisTek.
“Genetic data is used to diagnose manifested disease or disorders as well as the manifestation of disorders in the individual or other members of their family,” he says. “Federal laws recognize the harmful effects from the use of genetic information by prohibiting the use of this data in the offering or underwriting of health insurance and in employment decisions. Some states go further in prohibiting discrimination on the basis of genetic data in most circumstances including housing, education and financial services.”
But unauthorized access to “raw” genetic data is not of concern as much as the interpretation of the genetic test data, Fricke of tw-Security says. “Mental health data is certainly in the category of ‘more sensitive’ by way of comparison. In any case, any medical information subject to unauthorized access and exposure is not good. What criminals threaten to do with or actually do with any compromised data, genetic testing-related or otherwise is of concern.”
Clyde Hewitt, executive adviser at CynergisTek, says the COVID-19 pandemic “has increased directed attacks toward laboratories and research organizations. There may be several potential motivations to conduct attacks; some based on a desire to control the virus, but others based on greed,” he says.
All medical laboratories should consider themselves to be high-value targets, especially now as they potentially have large amounts of data that could help develop a cure for COVID-19, Hewitt says.
“Responding to these attacks will require a top-down approach, where the executive leadership team engages with their security staff to identify all cyber risks, then provide resources to mitigate that risk,” he says.
Susan Lucci, a senior privacy and security consultant at tw-Security, says the COVID-19 crisis will fuel the threats that have already been playing out in the healthcare sector.
Hacking “has been trending consistently higher every year since 2012 with no indicators of slowing down,” she says. “As we move further into 2020, evidence shows that hacking of healthcare by any possible means will continue.”