Pennsylvania Tops the HIPAA Breach “Wall of Shame”

Pennsylvania has the dubious distinction of leading the country in health care data breaches for the first half of 2017, with two of the five largest breaches occurring in our state. These two breaches have affected about 400,000 people.

Harrisburg Gastroenterology Providers

In April, Harrisburg Gastroenterology, LTD reported a breach affecting 93,323 individuals. Harrisburg Endoscopy and Surgery Center, located at the same address, also reported a breach the same day, affecting 9,092 individuals. In their patient notifications, both providers stated that on March 17, an unauthorized person potentially accessed patient information. Neither provider can state with certainty if information was accessed or obtained.

Women’s Health Care Group

Last month, the Women’s Health Care Group of Pennsylvania, with 45 offices statewide, reported a breach affecting 300,000 individuals. According to their notification, it was discovered on May 16 that a workstation at one of the practice locations had been infected with a virus designed to block access to system files. However, their investigation revealed that the hackers responsible for the virus had access to their systems as early as January of this year. As in the Harrisburg breach, Women’s Health Care Group cannot state definitively if information was acquired or viewed.

OCR breach portal entries for Pennsylvania as of August 4, 2017

Are Ransomware Attacks HIPAA Breaches?

The Office for Civil Rights issued guidance last year about ransomware and HIPAA. In it, they draw a distinction between the presence of ransomware on an organization’s computer system, and the execution of a ransomware attack against an organization.

The presence of ransomware is deemed to be a security incident, which as defined in 45 CFR §164.304 is “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with systems operations in an information system”. So, the presence of ransomware on an organization’s system is definitely a security incident – but not necessarily a breach.

It’s when ransomware is executed in an organization’s system that the situation crosses the line between security incident and breach. According to the OCR’s guidance, “when electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule”.

This means Women’s Health Care Group might have stayed off OCR’s dreaded “Wall of Shame” if they had identified and removed the ransomware from their system before it was activated, and if they could prove that no PHI was compromised by the ransomware’s presence prior to its activation.

Combatting Ransomware

As demonstrated in the Women’s Health Care Group attack, ransomware can lurk undetected in your organization’s network for quite some time before it is activated. Detection depends on many factors. Some factors, such as the particular malware hackers employ to trigger their attacks, cannot be controlled by the organization. But other factors, such as the security vulnerabilities the hacker exploits to get in, can at least be mitigated.

Organizations that keep their computers’ operating system and software patches up-to-date, utilize robust security technology, and proactively scan for viruses and malware infections in their systems can often prevent attacks, or at least nip them in the bud before all levels of security have been infiltrated.

Organizations that also train their staff well are the best prepared. Hackers are often successful in introducing malware and viruses into an organization’s network through phishing attacks. Once someone in your office clicks an infected email attachment or website link, they’ve opened their computers, and your entire network, to potential attack.
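The two preceding paragraphs recommend proactively scanning systems for malware and watching for phishing lures that arrive as email attachments. As an added illustration (not code from the original post or from any of the providers named), here is a small Python scanner of the kind an IT team might run over user document folders: it hashes every file and compares it against a blocklist of known-bad SHA-256 digests, and it flags executable files, especially ones hiding behind a double extension such as "invoice.pdf.exe". The blocklist entry and the sample directory tree are constructed for the demonstration; a real deployment would take its hashes from the antivirus vendor or a threat-intelligence feed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample: this byte string stands in for a malicious file so that the
# demo has something to match. It is NOT a real malware hash.
SAMPLE_MALWARE_BYTES = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE\n"
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLE_MALWARE_BYTES).hexdigest()}

# Executable-style extensions that should not normally sit in a document folder.
SUSPICIOUS_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta"}


def sha256_of_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks to handle large files."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk a directory tree and return a list of (path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if sha256_of_file(path) in KNOWN_BAD_HASHES:
                findings.append((str(path), "hash matches known-bad list"))
                continue
            suffixes = [s.lower() for s in path.suffixes]
            if suffixes and suffixes[-1] in SUSPICIOUS_EXTENSIONS:
                # "invoice.pdf.exe" style names are a classic phishing attachment trick
                reason = "executable in document folder"
                if len(suffixes) > 1:
                    reason += " with double extension"
                findings.append((str(path), reason))
    return findings


def build_sample_tree():
    """Create a constructed directory tree with one benign file and two suspicious ones."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "notes.txt").write_text("benign scheduling notes\n")
    (docs / "invoice.pdf.exe").write_bytes(b"MZ constructed stub, not a real program\n")
    (docs / "dropper.bin").write_bytes(SAMPLE_MALWARE_BYTES)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for found_path, found_reason in scan_tree(demo_root):
        print(f"{found_reason}: {found_path}")
```

Hash matching only catches files already on the blocklist, which is why the scanner also applies a behaviour-independent rule (executables where none belong); pairing both with current patches and user training is the layered approach the post describes.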

Here’s hoping Pennsylvania providers fare better with breaches in the second half of the year.