
Ensuring Transparency: Language to Avoid in HIPAA Breach Notifications

In the wake of a breach or ransomware, healthcare entities must be transparent with patients to protect privacy, prevent further crimes, and ensure compliance in HIPAA breach notifications.

HIPAA-required breach notifications in the wake of a security incident continue to be an Achilles' heel for the healthcare sector. Many notices appear laden with flowery language that makes light of an incident to protect an entity's reputation, rather than transparent phrasing that protects patient privacy.

In an age where double extortion, i.e. data exfiltration, runs rampant in the industry, it has never been more crucial for providers to issue notifications that not only tick the boxes for compliance purposes, but give patients a chance to fully comprehend an incident and its potential impact for future cybercrimes.

Transparency Failures and Privacy Implications

Reports show that data is taken in more than one out of every 10 ransomware attacks. However, upon reviewing subsequent notifications to patients, that language is often omitted. A prime example is seen with the recent notification from the AAA Ambulance Service. 

The notice explained that the Missouri provider fell victim to a ransomware attack in July, which led to a compromise of patient information. The investigation revealed that the data was accessed or exfiltrated during the incident, but the notice does not explain that the stolen data was published online by the attackers: the hacking group behind REvil ransomware.

Screenshots of the dark web posting shared with HealthITSecurity.com showed the hackers attempted to extort AAA Ambulance by publishing proof of the more than 24 GB of data taken from the provider. The lot contained scanned documents with driver's licenses, signed patient forms with health information and Social Security numbers, and private information, including contact details.

When no bids were made on the posting, the group simply released the stolen data online for free. 

Despite the severity and privacy implications this extortion attempt could have on patients, the breach notification claimed: there’s “no evidence to suggest that any personally identifiable information or personal health information has been actually misused.”

"Exfiltrated data relating to other organizations may be used to target those organizations with, for example, spear phishing campaigns or BEC scams," said Brett Callow, Threat Analyst for Emsisoft. "It is, therefore, critical that those organizations be promptly notified of the breach. Failing to do so can result in one crime leading to many."

The AAA Ambulance notice is just one of numerous notifications to include this bold statement. It also raises the question: what happens when a provider faces an extortion attempt and quietly pays the hackers to prevent further data leakage?

As seen recently, the Conti hacking group posted data allegedly stolen from West End Medical Center, now known as Family Health Centers of Georgia, on October 19. The posting has since been removed, presumably as the parties are negotiating the ransom demand. It leads to numerous privacy and compliance implications, such as whether patients or regulatory agencies will receive notice of this incident.

“’The personal information of certain individuals may have been accessed’… ‘The information potentially affected may have included’… ‘While we are not aware of the misuse of any information potentially impacted’… Breach notifications often contain wishy-washy wording such as this and, while it may meet the minimum legal requirements, it doesn’t really tell people what actually happened to their personal information,” explained Callow. 

“And what happened could be that their name, address, social security number, medical records and other personal information were put up for public auction on the dark web and bought by cybercriminals who intend to use them to commit identity theft,” he added. “Should people be provided with more in the way of specific details? I believe they should. Downplaying the severity of a breach may result in people not taking sensible precautions, and so could result in one crime leading to many.”

Breach Notification Requirements

Under HIPAA, covered entities and their business associates are required to report any breach impacting more than 500 patients within 60 days of discovery. 

A breach is defined as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.”  

“An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment,” according to the Department of Health and Human Services. 

“[Risk assessment factors include]: The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; the unauthorized person who used the protected health information or to whom the disclosure was made; whether the protected health information was actually acquired or viewed; and the extent to which the risk to the protected health information has been mitigated,” they added. 

Given these factors, there are also a number of compliance risks posed by less-than-transparent notifications, and by the absence of any notification at all.


Erik B. Weinick, privacy and cyber litigation attorney for Otterbourg PC, explained that providers should also be mindful that HIPAA is not the only regulation governing their response to a security incident. State laws, other federal regulations, and even foreign laws such as the General Data Protection Regulation may also govern the appropriate response.

But in terms of transparency under HIPAA, notifications must include a brief description of the breach, the types of information involved, the steps affected patients should take to protect against potential harm, and what the covered entity is doing both to investigate the breach and to prevent future incidents. Notices must also include contact information.

The Importance of Transparency

While not every breach is audited by the Office for Civil Rights, a provider is taking a serious risk in attempting to lessen the impact of a breach in its notification. To Weinick, patient trust and an organization’s reputation are an entity’s most important assets. 

“Failing to provide full transparency about the true scope and impact of a security event could be an instance where the ‘cover up’ is worse than the crime itself,” Weinick said. “Many consumers have become somewhat numb to data incidents, even when it comes to highly sensitive personal information, such as their medical information.” 

“In fact, some consumers even expect and recognize that there is only so much that can be done to protect data in the face of constant cyberattacks,” he added. “What they will not as readily forgive and forget, however, is dishonesty in the aftermath of the security incident. Consumers correctly expect prompt and fulsome disclosure.”  

Instead, providers should take the approach of unveiling the full impact, or what’s known at the time of disclosure, rather than slowly allowing details to come to light, Weinick explained. 

A stark contrast can be seen in breach disclosures from 2019 and 2020. In a case of what should be avoided, the massive Blackbaud incident demonstrates what can happen when information trickles out to the public rather than arriving in an initial, fully transparent response.

A ransomware attack hit the self-hosted environment of Blackbaud on February 7 but was not discovered by the cloud-computing vendor until May 20. During that time, the hacking group exfiltrated data belonging to its clients' donors and other individuals connected to those clients, including patient information.

Some of its clients were the first to report the incident; the tally of affected individuals has since reached at least 10 million. The vendor was honest in reporting that it had paid the hackers “with confirmation that the copy they removed had been destroyed.”

But during initial reports, Blackbaud stressed that banking information and Social Security numbers were not included in the stolen data. The vendor later revealed that may not have been the case, noting, not to the public but in a later SEC filing: “The cybercriminal may have accessed some unencrypted fields… In most cases, fields intended for sensitive information were encrypted and not accessible.”

While that information may not have been known at the time of the initial reports, continuing to stress that data was protected could have led patients and other individuals to take the breach reports less seriously, given that those reports said only names, demographic details, and contact information were breached.

In response, affected individuals have filed at least 10 lawsuits against the vendor. The Blackbaud incident mirrors similar missteps made by the American Medical Collection Agency after its eight-month hack in 2019.

In contrast, a massive phishing campaign against the Oregon Department of Human Services in 2019 and the breach notification that followed demonstrate how covered entities can provide transparency and protect the integrity of the organization in the process.

First reported in March 2019, the incident saw nine employees fall victim to a targeted phishing campaign on January 9, 2019, compromising more than 2 million emails and the information of potentially 350,000 Oregon DHS patients in the process.

The notice detailed that once Oregon DHS realized the email accounts contained patient data, an outside security firm was hired to investigate the incident and to manually review the emails to determine its scope.

What’s important to note about the notice is the level of transparency: Oregon DHS acknowledged the breach, the amount of work it would take to review the impacted accounts, and that the current tally of victims would likely expand once the IT team began reviewing the emails.


The provider also explained the details it did know at the time: Social Security numbers, administrative information, full names, and case information were accessed during the attack. In June, Oregon DHS provided an update: the investigation was complete and nearly 300,000 more patients were added to the final breach tally.

“If a patient cannot expect their healthcare provider to be prompt and honest when it comes to a security incident, they will question that provider’s ability to be completely prompt and honest when it comes to delivery of, and communication about, the care itself,” Weinick said. 

Language to Avoid 

As demonstrated in the previous examples, it is imperative that organizations provide transparency while maintaining accuracy in breach notices. Weinick explained that covered entities and business associates should avoid any language that creates more uncertainty or anxiety for the individuals impacted by the event.

“Notifying entities should focus on what is known, not what is unknown at that point, and certainly should not engage in speculation,” said Weinick. “To be clear though, it is acceptable (and even necessary) to state that certain facts are not known or are being withheld for security, legal or other reasons, but those matters should likely not be the primary (or first) information conveyed.”  

“Supplemental notifications can be provided if appropriate when more is known,” he added. “Given the need to promptly provide notification, a complete recitation of facts may not always be possible because an investigation may not be complete, or because counsel is concerned that providing certain information may have a detrimental litigation impact.” 

As a result, breach notifications should strike a balance: avoiding phrasing that deflects blame for the incident, which will likely be off-putting to individuals, while accepting responsibility to care for patients. Weinick stressed this does not mean a breached entity needs to plead guilty or accept fault for the incident, but it also should not spend a lot of time defending everything it did to prevent the incident.

Further, organizations should not attempt to place the blame on another entity, such as the threat actor or a third-party vendor. 

Breach Notification Best Practices 

Under HIPAA, providers are required to give notice of breaches that impact 500 or more patients within 60 days of discovering an incident (or of the date it would have been discovered by exercising reasonable diligence).

“With respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate,” according to HHS.

“Covered entities and business associates should consider which entity is in the best position to provide notice to the individual, which may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual,” they added. 

Weinick stressed that preparation for breach notifications should not be done on the fly in the “uncertain and stressed hours or days following an incident,” and that entities should expect a security incident to occur.

As such, breaches should be considered a question of when, not if, they will occur, and entities must allocate resources for mitigating an incident, including funds for pre-planning responses to those incidents.

“The more that can be done in advance, the better the outcome,” Weinick said. “Covered entities should have a response team and plan in place in advance of an incident. It should be known who will handle, among other things, the legal issues, the technical response, the investigation, the general public relations, the patient specific communications, and the internal communications.” 

“Covered healthcare entities should conduct as much of their pre-incident mitigation and post-incident response as possible through specialized outside counsel,” he added. “Not only does working through counsel bring a wealth of expertise and experience to the process, it may allow for some pre- and post-incident communications to be shielded from discovery in litigation and regulatory actions if those communications constitute either attorney-client privileged communications or protected attorney-work product.” 
