Why Did a Clinic Notify All Patients, Employees of Attack?
Practice Says Determining Exactly Whose Data Might Have Been Exposed Was Too Costly
Houston-based practice Gastroenterology Consultants notified all 162,000 of its patients and employees that their sensitive information had potentially been compromised in a January ransomware attack, saying it would have been too time-consuming and costly to pinpoint exactly which individuals had data exposed.
In recent days, the organization has confirmed the number of individuals notified and acknowledged that some data was exfiltrated in the attack. But it says the attackers agreed to destroy stolen data after a "negotiated resolution," implying a ransom was paid.
Breach Notification Statement
In a breach notification statement posted on its website in March, Gastroenterology Consultants said it had experienced a ransomware attack on Jan. 10. "We have resolved the cyber issues and remediated and restored our systems to a more secure state," the statement said.
"After undertaking an extensive data mining process to determine specifically whether any patient or employee had any sensitive personal information or personal health information exposed, we, unfortunately, learned that the time and effort to manually review thousands of documents was not cost-effective," the practice added.
"Therefore, although there is no evidence of any unauthorized use of patient or employee data, we have determined it best to issue mail notifications to all employees and patients detailing the specific type of information potentially exposed."
Recent Report to Maine Attorney General
Gastroenterology Consultants' breach report submitted to Maine's attorney general on Aug. 6 provides more details. For example, it notes that the incident affected more than 162,000 individuals, including one Maine resident.
The statement posted on the practice's website noted that its electronic medical record system was not affected by the incident.
"However, there was some personal health information and/or sensitive personal information such as Social Security numbers included in PDFs or Excel files prepared by employees to facilitate patient processing," the statement said. "Those patients with potential Social Security number exposure - less than 50 total - will be provided free credit monitoring along with any employees with sensitive personal information exposure."
A letter submitted to Maine's attorney general Aug. 9 from Robert Walker - an attorney with the law firm Wilson Elser Moskowitz Edelman & Dicker LLP, which is representing Gastroenterology Consultants - notes that an investigation of the incident conducted by a third-party cybersecurity firm hired by the healthcare practice determined that "some files containing sensitive information may have been exfiltrated by the attacker." The letter also indicates that a ransom apparently was paid.
"Based on the negotiated resolution with the attacker, Gastroenterology received assurances that any potential exfiltrated data had been destroyed. Gastroenterology then promptly performed data mining to identify the specific individuals and the type of information that may have been compromised," the letter notes.
"Although Gastroenterology is unaware of any fraudulent misuse of information, it is possible that individuals' full name, address and Social Security number may have been exposed as a result of this unauthorized activity."
Update From Attorney
Walker tells Information Security Media Group that the healthcare provider "does not store Social Security numbers as a regular practice."
"Further, the electronic medical record system was not compromised in this incident. The clinic does not even store SSNs in the EMR system," he says. "The clinic was able to locate some isolated instances of SSN storage on a shared drive that possibly were impacted by this incident and notified those individuals accordingly."
The practice decided it was more cost-effective to notify all 161,698 patients, 451 employees and 14 others - clients who were not patients - who might have been affected by the incident than to manually review the thousands of documents potentially compromised in the incident, he says.
The incident involved an attack by the Avaddon ransomware group, he notes. He did not immediately respond to ISMG's inquiry about the ransom demand.
The Right Approach?
Regulatory attorney Paul Hales of the Hales Law Group says the practice's decision to notify everyone who might possibly have been affected is not necessarily the best way to handle breach notification.
"Gastroenterology Consultants is subject to both HIPAA and Texas breach notification requirements that require notification no later than 60 days after discovery of the breach," he notes. "However, its March 19 notice apparently fails to comply with either. It is late and ambiguous.
"Under HIPAA, notification to each affected individual must include a description of the types of PHI involved in the breach. Instead, the 'Notice to All Patients' is only a frightening warning that 'some' of their PHI may have been exposed. And it is coupled with the excuse that a thorough breach investigation was 'not cost-effective.'"
But, Hales points out, PHI breaches themselves are expensive; costs include investigation, mitigation, notification, potential fines and lawsuits, as well as reputational damage.
A breach report was submitted by the practice to the Department of Health and Human Services' Office for Civil Rights on March 19, Walker notes. But as of Thursday, the practice's breach report had not yet been posted on HHS OCR's HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
HHS OCR says in a statement provided to ISMG: "The HIPAA Breach Notification Rule requires that a covered entity, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used or disclosed as a result of the breach."
The notification should occur without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach, HHS OCR adds.