Email-Related Breaches: Why Are There So Many?
How Addressing Common Mistakes, Security Gaps Can Help Prevent These Incidents
Several recent health data breaches point to the need to better mitigate the risks posed by email.
Security gaps and user mishaps are the culprits in many of these breaches. But implementing the right technologies and best practices can help reduce the risks, security experts advise.
Phishing email attacks often lead to incidents involving ransomware and other malware infections - as well as other intrusions involving unauthorized access to patient and other sensitive data.
But mistakes by users sending email also are persistent culprits in major health data breaches.
Here's a recent example: A breach impacting 6,450 individuals reported by family medical practice Prairie Fields Family Medicine of Fremont, Nebraska, involved an email that exposed patient information. In a notification statement, Prairie Fields notes that an email from its office containing an unencrypted spreadsheet with patient information was inadvertently sent to an incorrect email address. The incident was discovered the same day.
"Prairie Fields has made several attempts to contact the recipient, by email, but has not received any response. Prairie Fields suspects, but cannot be certain, that the email address has been abandoned or is no longer in use," the statement says.
The medical practice says it has not received any indication that any patient's personal information has been accessed or used by the unintended recipient. The information contained in the spreadsheet included patient name, date of birth, age, sex, race, first language, telephone number and certain health insurance information, including provider's name and policy numbers.
The practice's statement notes that it's putting into place "additional safeguards" to prevent future incidents.
In another recent email-related incident, University of Vermont Health Network - Elizabethtown Community Hospital reported a breach that affected 32,000 individuals and exposed the Social Security numbers of 1,200 of them.
A notification statement says the incident involved one employee's email account which "for a brief period of time" was remotely accessed by an unauthorized user. "We completed an initial 60-day investigation of the incident and have no evidence of any fraud or identity theft to any individual as a result of this incident," according to the notification.
"Upon learning of the incident ... we immediately took action, including changing passwords, implementing enhanced security features and engaging a leading forensic security firm to assist with the investigation."
Other potentially compromised information included names, dates of birth, addresses and limited medical information, such as medical record numbers, dates of service and a brief summary of services provided, the organization reports.
Ransomware and More
Hacker intrusions, including those that involve email-fueled ransomware attacks, can also result in the installation of other malicious programs.
Take the case of Mind and Motion Developmental Centers of Suwanee, Georgia, a multidisciplinary treatment center offering mental health, physical therapy and other health services, which recently reported a hacking incident impacting 16,000 individuals.
In its notification statement, the treatment center says it discovered that the company's server had been corrupted by ransomware. A forensic investigation by a third-party consulting firm found that "an inactive keylogger and spam emailer" also had been installed on the compromised server.
"These programs and the associated accounts were removed," Mind and Motion says. "Other minor malware was found and removed. It did not appear that any of the malware found had access to any of our scheduling, electronic billing or patient financial accounts."
Mind and Motion says it implemented several measures, including changing passwords for all accounts used in the office. "Passwords were required to be higher in complexity. A policy was put in place to force password changes on a more regular basis as well as when business events warrant them," the statement says.
In addition, all email accounts associated with the business domain will have "the latest spam protection to prevent common methods of phishing," the statement notes.
Protected health information potentially compromised by the incident includes name, address, birthday, medical history, Social Security number, medical diagnosis, insurance information and medical records, Mind and Motion says in its statement.
A Common Problem
Email-related breaches are far too common in healthcare. A Dec. 19 snapshot of the Department of Health and Human Services' HIPAA Breach Reporting Tool website shows a total of 344 major health data breaches impacting 12.7 million individuals have been added to the tally so far in 2018. Of those, 111 breaches impacting 3.4 million individuals were reported as involving email.
Commonly called the "wall of shame," the federal website lists reported HIPAA breaches impacting 500 or more individuals.
The largest email-related breach on the tally was a July hacking incident reported by Iowa Health System, which does business under the name UnityPoint Health.
That incident, which impacted 1.4 million individuals, involved a phishing campaign that exposed an assortment of personal and medical data stored in UnityPoint Health's email systems. But the information exposure appears to have been an unintentional byproduct of an attempt to divert corporate payments via what's known as business email compromise, the organization said.
Incidents involving email - whether instigated by hackers or caused by user mistakes - are an ongoing challenge for many healthcare sector organizations.
"We can wrap technical protections around our systems and networks, but ultimately people are the weak link, as we see with successful phishing attacks," says Kate Borten, president of security and privacy consultancy The Marblehead Group.
"Organizations should be giving their employees examples of successful phishing attacks to demonstrate and remind them of how easily we can fall for those emails. And organizations should routinely test their employees with simulated attacks."
But other email-related breaches, such as those involving unsecured patient information being sent via email, can be tricky to stop, Borten says.
"Unfortunately, email encryption is not simple. The recipient needs to go through several steps to open encrypted messages, and some solutions are awkward to use and limited," she notes. "This fact deters use of secure email between unrelated parties except in highly regulated industries, such as finance. Simple, transparent email encryption between different users and systems should be a global priority to achieve."
In healthcare provider organizations, encryption is often voluntary, relying on the sender to decide whether to encrypt and take extra steps to encrypt the message, Borten says. "This is a flawed approach and leads to mistakes," she adds.
Rebecca Herold, president of Simbus, a privacy and cloud security services firm, says healthcare organizations should consider implementing various technologies that can help to reduce the risk of email-related breaches.
Besides encryption, those include logging and message blocking. Organizations can "automatically and transparently apply these controls to all the email accounts, or at a minimum, the email accounts that deal with personal and sensitive data," she notes.
"Using encryption plug-ins for the corporate email addresses the organization's users' side issues, but not the outside recipients' risks," she says. "But it is still a good option to implement."
To address internal and external exchanges, "using email encryption cloud services that keep the emails encrypted so that the cloud service itself never can get access to the messages is a great way to exchange such confidential communications," she adds.
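The following is an added example, not code from the article, from Herold, or from any vendor, of what "automatically and transparently" applying controls at the mail gateway can look like in practice, as opposed to the voluntary, sender-decides encryption Borten calls a flawed approach. It inspects each outbound message and its CSV attachments for indicators of protected health information and returns one of three policy actions: allow, route through encryption, or hold for review (the Prairie Fields case, a bulk spreadsheet to a mistyped outside address, is the "hold" case). The internal domain `example-clinic.test`, the bulk-row threshold, the action names and the regular expressions are assumptions, and the sample messages are constructed for the example.

```python
"""Outbound mail policy check (added example; not the article's or any vendor's code).

The gateway, not the sender, decides whether a message may leave as-is,
must be routed through encryption, or must be held for review. Domain,
thresholds and action names are assumptions; sample messages are constructed.
"""
import csv
import io
import re
from dataclasses import dataclass, field
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "example-clinic.test"  # assumption: the practice's own mail domain
BULK_ROW_THRESHOLD = 10                   # assumption: this many PHI rows counts as a bulk export

# Rough indicators only; a production DLP rule set would be far broader.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DOB_RE = re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")
SENSITIVE_COLUMNS = ("ssn", "social security", "date of birth", "dob",
                     "mrn", "medical record", "policy", "diagnosis")


@dataclass
class Decision:
    action: str                          # "allow", "encrypt" or "hold"
    reasons: list = field(default_factory=list)


def external_recipients(msg):
    """Return To/Cc/Bcc addresses that are outside INTERNAL_DOMAIN."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr for _, addr in getaddresses(headers)
            if "@" in addr and addr.rsplit("@", 1)[1].lower() != INTERNAL_DOMAIN]


def scan_text(text):
    """Count SSN and date-of-birth patterns in free text: (ssn_hits, dob_hits)."""
    return len(SSN_RE.findall(text)), len(DOB_RE.findall(text))


def scan_csv(data):
    """Return (sensitive header names, number of data rows under them) for a CSV."""
    rows = list(csv.reader(io.StringIO(data.decode("utf-8", errors="replace"))))
    if not rows:
        return [], 0
    header = [h.strip().lower() for h in rows[0]]
    hits = [h for h in header if any(k in h for k in SENSITIVE_COLUMNS)]
    data_rows = [r for r in rows[1:] if any(c.strip() for c in r)]
    return hits, len(data_rows) if hits else 0


def evaluate(msg):
    """Apply the outbound policy to one message and explain the decision."""
    ssn = dob = bulk_rows = 0
    columns = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            raw = part.get_payload(decode=True) or b""
            name = (part.get_filename() or "").lower()
            if part.get_content_type() == "text/csv" or name.endswith(".csv"):
                hits, n = scan_csv(raw)
                columns += hits
                bulk_rows += n
            text = raw.decode("utf-8", errors="replace")
        elif part.get_content_maintype() == "text":
            text = part.get_content()
        else:
            continue                    # binary parts are not inspected in this example
        s, d = scan_text(text)
        ssn += s
        dob += d

    reasons = []
    if ssn:
        reasons.append(f"{ssn} SSN pattern(s)")
    if dob:
        reasons.append(f"{dob} date-of-birth pattern(s)")
    if columns:
        reasons.append(f"attachment columns {columns} across {bulk_rows} row(s)")
    if not reasons:
        return Decision("allow", ["no PHI indicators"])

    outside = external_recipients(msg)
    if not outside:
        return Decision("allow", reasons + ["all recipients internal"])
    reasons.append(f"external recipients {outside}")
    # Assumed policy: bulk exports or SSNs to an outside address are held so a person
    # confirms the recipient; smaller PHI exchanges are encrypted transparently.
    if ssn or bulk_rows >= BULK_ROW_THRESHOLD:
        return Decision("hold", reasons)
    return Decision("encrypt", reasons)


def make_message(to, body, csv_text=None):
    """Build a constructed sample message, optionally with a CSV attachment."""
    msg = EmailMessage()
    msg["From"] = f"office@{INTERNAL_DOMAIN}"
    msg["To"] = to
    msg["Subject"] = "sample"
    msg.set_content(body)
    if csv_text is not None:
        msg.add_attachment(csv_text, subtype="csv", filename="patients.csv")
    return msg


def patient_csv():
    """Constructed twelve-row patient spreadsheet with no real data."""
    rows = ["Patient Name,Date of Birth,Phone,Insurance Provider,Policy Number"]
    for i in range(12):
        rows.append(f"Patient {i},0{1 + i % 9}/1{i % 10}/198{i % 10},"
                    f"555-010{i % 10},Example Insurer,POL{i:05d}")
    return "\n".join(rows) + "\n"


def sample_export():      # spreadsheet to a mistyped outside address -> hold
    return make_message("billing@examp1e-insurer.test", "Attached as requested.", patient_csv())


def sample_internal():    # same spreadsheet, internal recipient -> allow
    return make_message(f"billing@{INTERNAL_DOMAIN}", "Monthly list.", patient_csv())


def sample_referral():    # one patient's DOB to an outside specialist -> encrypt
    return make_message("dr.smith@specialist-clinic.test",
                        "Referring Jane Doe, DOB 03/14/1975, for evaluation.")


def sample_newsletter():  # no PHI -> allow
    return make_message("patient@mailbox.test", "Flu shots are available on Saturday.")


if __name__ == "__main__":
    for label, build in [("export", sample_export), ("internal", sample_internal),
                         ("referral", sample_referral), ("newsletter", sample_newsletter)]:
        d = evaluate(build())
        print(f"{label:10s} {d.action:8s} {d.reasons}")
```

The point of the design is that the sender never makes the call: the decision and its reasons are produced for every message, which also gives the logging Herold mentions, and the "hold" path is what would have stopped an unencrypted spreadsheet from leaving for an unknown outside address.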
Training, followed up with frequent security and privacy reminders, can help cut down on mistakes by staff members, Herold notes.