vladimircaribb - stock.adobe.com

Cyberattack Drives Okanogan County Public Health IT System Offline

The public health department of Washington’s Okanogan County has been driven offline, after a cyberattack on the government’s infrastructure; a business associate breach and two email hacks complete this week’s breach roundup.

A cyberattack on Washington’s Okanogan County government computer infrastructure has driven multiple regional offices offline, including the Public Health department, according to a news release.

First reported on January 18, the entire computer system is down, as well as the phone and email systems. As a result, officials said services provided to the community have been affected.

The county’s “specialized team” is working with service professionals to bring the system back online. In the meantime, officials warned that offices are open but limited in the services they are able to provide.

“At this time, we do not have a projected date for the computer system to be fully operational,” officials explained.

Einstein Healthcare Network Reports Breach from August 2020

Philadelphia-based Einstein Healthcare Network is just now notifying some of its patients of a breach to their protected health information caused by a hack of its employee email system in August 2020.

On August 10, suspicious activity was detected in several employee email accounts. The accounts were secured by resetting passwords, and officials said they contracted with an independent forensics firm to assist with an investigation.

The investigation revealed the hackers had access to the email accounts for 12 days, between August 5 and August 17, 2020.

The accounts contained a trove of patient data, including names, dates of birth, medical record or patient information, and or treatment and clinical data, like diagnoses, provider names, treatments, and locations of service.

For some patients, SSNs, health insurance details, and or driver’s licenses were included in the breached data. Those patients will receive free credit monitoring and identity protection services.

Einstein has since reinforced staff education around identifying and avoiding suspicious emails and intends to bolster the security of its email environment.

HIPAA requires all covered entities and business associates to report data breaches within 60 days of discovery. Providers have previously demonstrated how to effectively tackle tricky breach notifications for email compromises, which can make it difficult to determine just what, if any, patient information was compromised.

In perhaps one of the most notable examples, the Oregon Department of Human Services began notifying 350,000 patients in March 2019 that nine employee email accounts had been breached and that patient data was impacted during the incident.

The notification honored the HIPAA-required timeline, while providing as much information as was known at the time. Officials stressed that the investigation was ongoing and that an update would be provided once they learned the full scope of the incident.

As a result, the Oregon DHS had time for a complete audit and updated the final breach tally in June 2019 to include another 300,000 patients that their data was found in the impacted accounts, as well.

Privacy leaders have stressed the need for transparency in breach notifications, which allow patients to better prepare and protect their privacy from fraud attempts and the like.

“Notifying entities should focus on what is known, not what is unknown at that point, and certainly should not engage in speculation,” Erik B. Weinick, privacy and cyber litigation attorney for Otterbourg PC, previously told HealthITSecurity.com.

“To be clear though, it is acceptable (and even necessary) to state that certain facts are not known or are being withheld for security, legal or other reasons, but those matters should likely not be the primary (or first) information conveyed,” he added. “Supplemental notifications can be provided if appropriate when more is known.”

Email Hack of Business Associate MEDNAX

MEDNAX Services experienced a hack of several employee email accounts in June, which breached some patient and guarantor information of American Anesthesiology, owned by North American Partners in Anesthesia (NAPA).

NAPA purchased American Anesthesiology from MEDNAX in May of 2020 but MEDNAX  continued to provide support and services to the business.

On July 16, MEDNAX informed NAPA that a hacker gained access to several email accounts on its Microsoft O365 system for five days between June 17 and June 22 through a successful phishing campaign. 

The investigation concluded in November and determined protected health information from American Anesthesiology was contained in the compromised accounts. It appears the hacker infiltrated the accounts to attempt payroll fraud, which was unsuccessful.

Further, officials said they could not determine whether the attacker accessed the data contained in the accounts during the incident. The exposed data included contact details, Social Security numbers, health insurance details, medical records, dates of birth, billing and claims data, and a host of other sensitive information.

All impacted patients will receive complimentary credit monitoring services. Officials said they’ve since reset all user passwords and shifted all O365 accounts to American Anesthesiology’s email system. The provider intends to implement additional authentication and provide its workforce with further security training requirements.

Given the length of time between discovery and notification, it again should be noted that providers and business associates are required to report PHI breaches within 60 days of discovery and not at the close of an investigation.

Behavioral Health Specialist CASES Email Security Incident

The Center for Alternative Sentencing and Employment Services (CASES), a New York-based provider of behavioral health, recovery, and community services, recently began notifying its clients that a hack of some email accounts compromised certain patient data.

On November 18, officials said they learned a limited number of employee email accounts that contained client information were hacked for nearly three months between July 6 and October 4, 2020.

Working with outside cybersecurity firms, CASES learned that hackers obtained the data contained in the compromised accounts. The stolen data included names, dates of birth, medical record or client identification numbers, and or clinical information related to care received through CASES.

For some clients, SSNs, financial data, health insurance information, and or driver’s licenses were compromised. Those individuals will receive free credit monitoring and identity protection services.

CASES has since bolstered security controls and reinforced email security education with its staff.

Next Steps

Dig Deeper on Healthcare data breaches