Personally identifiable information (PII) and protected health information (PHI) of more than 3.3 million individuals was stolen in a ransomware attack at a California healthcare provider. The provider became aware of the incident on December 8, 2022, but the breach occurred on or about December 1, 2022.
On December 2, 2022, employees noticed difficulty in accessing some of the provider’s servers. After extensive review, malware was detected, which a threat actor had utilized to access and exfiltrate data. The provider hired third-party vendors to assist with their response to the incident. The provider worked with the vendors to restore access to the affected systems and to analyze the impacted data.
The provider informed the US Department of Health and Human Services about the incident on February 1, 2023, saying that more than 3.3 million individuals might have been impacted. The provider also started sending breach notification letters to the impacted individuals on February 1, informing them that their data had been compromised in the incident.
Affected PII and PHI includes names, addresses, birth dates, phone numbers, Social Security numbers, diagnosis and treatment information, health plan member numbers, laboratory test results, prescription details, and radiology reports.
Compliance Perspective
Issue
The healthcare sector is one of the most frequently victimized sectors for ransomware, due to its vulnerability to breaches of confidentiality and the critical nature of online patient records. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities and their business associates to conduct a risk assessment of their healthcare organization. The Security Rule also requires implementation of security measures that can help prevent the introduction of malware, including ransomware. It is imperative that all nursing facilities become proactive in preventing ransomware attacks in order to avoid data breaches, which are reportable under HIPAA requirements.
Discussion Points
- Review policies and procedures related to HIPAA, PHI, the Privacy Rule, and data integrity. Ensure that they address how to avoid falling prey to intrusion attempts by unauthorized individuals, and how to guard against and detect malicious software. Update them as new information becomes available.
- Train appropriate staff on HIPAA, PHI, and the Privacy Rule, including how to avoid phishing schemes, malware exposure, and unauthorized release of PHI, and how to detect malicious software and report such detections. Provide additional training at least annually and whenever new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
- Periodically audit to ensure that staff are adhering to data integrity security measures, and to ensure that the facility’s policies and procedures for HIPAA, PHI, and privacy are being followed.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*