Healthcare data breach roundup: Atrium, Kaiser, UNC and more

June has been a busy month across healthcare, and not always for the best reasons. The number of data breaches at hospitals, health systems, health plans and elsewhere has been significant – even compared with the risk-fraught cybersecurity landscape we’ve all become accustomed to.

Here is a partial list, including some high-profile names.

On June 3, Kaiser Permanente informed members of its Kaiser Foundation Health Plan of Washington of an unauthorized access incident that occurred on April 5, 2022.

Kaiser security officials “discovered that an unauthorized party gained access to an employee’s emails. We terminated the unauthorized access within hours after it began and promptly commenced an investigation to determine the scope of the incident. We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorized party, we’re unable to completely rule out the possibility.”

PHI potentially exposed included names, medical record numbers, dates of service and lab results, officials said, but Social Security and credit card numbers were not included.

“We do not have any evidence of identity theft or misuse of protected health information as a result of this incident,” said Kaiser Permanente officials.

At Atrium Health, officials served notice this month that an unauthorized third party “gained access to a home health employee’s business email and messaging account” via a phishing exploit.

After that incident, which occurred in April, Atrium Health at Home secured the affected account, confirmed the unauthorized party had no further access, notified law enforcement and engaged an outside security firm.

“The conduct of the unauthorized party indicates they were likely focused on sending other phishing emails and not targeting medical or health information,” said Atrium officials. “Unfortunately, despite a thorough investigation, we could not conclusively determine whether personal information was actually accessed by the unauthorized party.”

Personal information in the affected account may have included names, home addresses, dates of birth, health insurance information and medical information, including dates of service, the provider and facility, and/or diagnosis and treatment information.

“For a limited subset of individuals, Social Security numbers, driver’s license/state ID numbers and/or financial account information also may have been involved,” officials said. “Our electronic medical record systems are separate from email accounts and were not affected by this incident.”

Also this month, UNC Lenoir Health Care disclosed an incident involving a breach of patient information by MCG Health, one of its third-party business partners.

MCG’s clinical support services include patient care guidelines. UNC officials said that in December of 2021 and January of this year, MCG “was contacted by an unknown third-party who claimed to have improperly obtained patient data from MCG.”

This person “made a demand for money in exchange for the return of the patient data to MCG. MCG opened an investigation and contacted the FBI.”

MCG informed UNC Lenoir of the incident in April, the health system said, and its forensic investigators confirmed that health records for 10 patients had been listed for sale on the dark web.

“These records are believed to have come from MCG,” said UNC officials. “Lenoir patient records were not found on the dark web, but MCG has determined that the unauthorized third-party may be in possession of Lenoir information which may include: patient name, Social Security number, medical codes, street address, telephone number, email address, date of birth and gender.”

At Quincy, Massachusetts-based Shields Health Care Group, which provides management and imaging services, healthcare customers were informed in June about some suspicious activity on its network.

“With the assistance of third-party forensic specialists, we took immediate steps to contain the incident and to investigate the nature and scope of the incident,” which occurred in March, officials said.

“An unknown actor gained access to certain Shields systems from March 7, 2022 to March 21, 2022,” according to Shields. “To date, we have no evidence to indicate that any information from this incident was used to commit identity theft or fraud. However, the type of information that was or may have been impacted could include one or more of the following: Full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information.”

Help wanted

Data breaches are nothing new in healthcare, of course, but in recent years, the variety, frequency and, sometimes, severity of cybersecurity exploits have increased.

The US Department of Health and Human Services has offered help. Most recently, its Health Sector Cybersecurity Coordination Center, or HC3, published new guidance on Strengthening Cyber Posture in the Health Sector on June 16. Among the steps it suggests:

  • Conduct regular security posture assessments.

  • Constantly monitor networks and software for vulnerabilities.

  • Define which department owns what risks, and assign managers to specific risks.

  • Regularly analyze gaps in your security controls.

  • Define a number of key security metrics.

  • Create an incident response plan and a disaster recovery plan.

But some hospitals and health systems still think the feds should be doing more to help manage the increasingly challenging burden as healthcare cyberattacks intensify.

As Politico reported this past week, “from January through June, the Office of Civil Rights tallied 256 hacks and data breaches, up from 149 for the same period a year ago.”

As these attacks increase – posing serious risks to patient safety – healthcare leaders are asking the government to do more to help protect the critical IT systems of US providers.

“It blows my mind that ultimately, it’s on the individual hospital systems to attempt to – essentially in isolation – figure it out,” Politico quotes Lee Milligan, chief information officer at Oregon-based Asante Health System. “If a nation state has bombed bridges that connect over the Mississippi River and connect state A and B, would we be it in the same way? And yet the same risk to life happens when they shut down a health system.”

Twitter: @MikeMiliardHITN

Healthcare IT News is a HIMSS publication.