Tag Archives: HIPAA

Another Blue Cross Hacked Undetected For Over 18 Months

Excellus Blue Cross Blue Shield revealed that it has been hacked.  Excellus did not detect it had been hacked at all.  In fact, it was not until they hired Mandiant to do an audit in the wake of the other Blue Cross hacks that they found out that they had been hacked.

The data of over 10 million customers and other individuals whose data they held is at risk.  The breach is believed to have started in December 2013 and was not discovered until August 2015.

In this case, the data was encrypted, but that fact was irrelevant because the hackers masqueraded as a legitimate user.  As a result, the system decrypted the data for the hackers. This is the drawback of transparent encryption. It is convenient for the users, but it only protects the data if the computer is stolen while powered off.

The data taken ranges from names and addresses to birthdates and socials to financial information, claims data and clinical information.  In other words – everything that they could have possibly taken, they took.

Excellus says that “our investigation has not determined that any data was removed from our systems”.

This breach points to several things:

  • Encryption is not a silver bullet, especially transparent encryption where the system keeps the keys for the user.  If the hacker comes in as a legitimate user, the system decrypts the data for the hacker.
  • Lack of partitioning of the data allows a hacker to steal everything once they get in.  It would appear that whatever credentials the hacker obtained gave them access to everything Excellus stored.
  • It would appear that they were not using two factor authentication.  Two factor is inconvenient for users, so most businesses won’t implement it.   However, it is also inconvenient for hackers.
  • Reading between the lines, since they don’t know if data was removed, I would guess that their audit logs were inadequate – either not enough logs or not stored for long enough.
  • They did not even know that they were hacked until someone told them they were.  This is actually quite common, unfortunately.  This means that their real time breach detection was lacking.

This poor job of information risk management will likely cost them millions – from Mandiant’s fee (typically $300-$500 per hour per consultant), to fines, to the cost of credit monitoring, to lost customers.

Once again, you can pay me now or pay me later.  Take your pick.

Information for this post came from Data Breach Today.


The Cost Of Not Following The HIPAA Rules For One Firm – $750,000

Cancer Care Group, an Indianapolis-based oncology practice, learned a lesson the hard way.

They allowed an employee to have an unencrypted laptop and a server in his car, from which both computers were stolen.

They discovered that the computers contained protected health information – social security numbers and insurance data for 55,000 patients.

The practice was in general denial regarding the HIPAA security rule – they had no written policy regarding removal of electronic media from the premises and did not conduct an enterprise risk assessment after the computers were stolen.

Now, as a result of this settlement, besides being $750,000 poorer, they will have a partner in their security program – Health and Human Services.  HHS will need to approve their corrective action plan and review all those procedures that they did not have in place.

HHS is someone I would prefer NOT to have as my security partner.

Deal with it now or deal with it later.  Later is likely to be more expensive.


Information for this post came from Health Care News.


Cyber Insurance Will Not Make Up For Your Sins

Columbia Casualty paid Cottage Health System a little over $4 million after a breach in December 2013.  Columbia wants their $4 million back, plus attorney’s fees and expenses because, they say, Cottage “did not follow minimum required practices for protecting information and did not truthfully attest to its security controls” (see article).

Here is more of the story.

Cottage Health, based in Santa Barbara, hired inSync to put patient records online in a secure manner.  The details of what this means are not clear.  However, it appears that inSync did not configure things correctly, making the records publicly available.

Initially, it was thought that 32,000 patients’ information was compromised, but later that number was raised to around 50,000.

The breach lasted from October 8 to December 2, 2013, a short time, but long enough for Google to index the records.  The information compromised was health information – diagnoses, lab results and related things.  It did not include Social Security Numbers or other personal information.  The information released is considered protected health information, or PHI, and that release is a HIPAA violation.  In addition, Cottage was hit with a class action lawsuit.

Anyway, back to the $4 million.

Cottage is blaming inSync for the lack of protection.  While this may technically be true, for purposes of both HIPAA and Columbia’s lawsuit, that fact is unimportant.  Cottage can certainly go back to inSync and sue them for damages, assuming their contract allows for that.

All this is meant to point out that, one more time, supply chains can come back and bite you in very sensitive body parts.

Outsourcing does not absolve you of ANY liability.  It may make someone else additionally liable, but it does not remove your liability.

If you don’t manage your outsourcers, you could be in worse shape than if you did it yourself.

And, if you don’t manage your outsource contracts, you actually may have both the cost of outsourcing and ALL of the liability.

That’s not a pleasant thought.



Dentists (and Doctors) A Target For Cyber Criminals

DentistryIQ, a web site for dental professionals, ran a piece last week talking about dentists (and, while the article didn’t talk about it, doctors as well) being a target for cyber criminals (see article).

If you think about it, it makes a lot of sense.  Think about all the non-public personal information that a dental or other health care practice keeps.  Social security numbers, names, addresses, birth dates, phone numbers and even client banking information.  That, of course, is in addition to all of the health care (HIPAA protected) information.

Fines for loss of HIPAA protected information can be staggering – up to $1,500,000 a year in some cases, but even the small fines hurt.  A practice can be fined up to $25,000 a year even if the person did not know of the violation and reasonably would not have known (reference).

That of course does not include costs for investigating the breach, notifying patients, remediating the problem, lawsuits, legal costs, etc.

Some dentists, the article says, don’t think small offices are attractive targets.  Think about it.  If I were a crook, would I want to go after a large company with an in house IT team and a lot of security hardware and software?  Or would I rather go after a small office with no in house IT and weaker security?

Again, according to the article, health care organizations make up 33% of all breaches and are the single most breached industry.  More than half of the organizations that are breached have fewer than 1,000 employees.

In fact, 55% of all breaches compromise fewer than 1,000 records (see post here).  If a practice has only 300 families as patients and each family has 3+ members, that is 1,000 records.  That would be a small practice.

This means that health care practices need to consider the risks and take appropriate, cost effective actions.  Many times employees accidentally do things (like clicking on links or surfing at compromised web sites) that cause a breach.  Many actions to reduce risk are inexpensive and not terribly painful.

In addition, having an incident response plan is very important.  Otherwise, you will be flailing if something occurs.

Plan now so you don’t have to panic later.



Why Healthcare Providers Need To Have An Effective Cyber Security Program

The Anchorage Community Mental Health Services (ACMHS) just agreed to pay a $150,000 fine after a 2012 breach of approximately 2,500 patients’ protected health information (PHI) due to malware on their healthcare software system, according to Healthcare IT News.

Apparently ACMHS had adopted the sample Security Rule policies in 2005 but didn’t bother to follow them from 2005 to the date of the breach in 2012.  As a result, they ran outdated, unpatched software leading to the breach.

In addition to the $150,000 fine, they agreed to a corrective action plan lasting two years which, if completed successfully, gets them off the hook for this HIPAA violation.

While this organization had 5 locations, if they only have 2,743 patients, they are small.

On the other hand, the good, old fashioned paper breaches are still going strong.  Parkview Health System in Ft. Wayne, Indiana decided that placing 71 boxes of patient records on the driveway of a retiring physician (who was out of town) was a good plan.  They had to cough up $800,000 in fines.

But these fines are not limited to the small guys.  New York Presbyterian Hospital/Columbia University Medical System paid a $4.8 million fine after patient records for 6,800 patients wound up on Google back in 2010.

These 3 incidents represent a small part of the $26 million in fines the Feds have levied against healthcare entities so far.

While having a good cyber security program won’t stop you from having a breach, it will improve the odds.  For example, if your cyber security program requires you to encrypt data on laptops and tablets and you actually do that, then when one of your employees loses a device containing PHI, you have a safe harbor, meaning that you don’t have to pay a fine.

