Hacking Incident at Billing Vendor Affects 270,000 Patients

Attack on Firm Impacts Those Treated at Dozens of Physician Practices
A hacking incident at a claims processing company in New York has impacted 270,000 patients of 42 physician practices, which means it likely is one of the largest health data breaches so far this year.
In a June 14 statement, Med Associates, based in Albany, New York, says that on March 22, the company became aware of "unusual activity relating to an employee's workstation occurring that same day."
The claims processing company says it immediately began investigating the incident with its IT vendor and subsequently retained a forensic investigation firm to assist.
"It was determined that the unauthorized party accessed the workstation and through that, may have had access to certain personal and protected information," the statement says.
While the investigation is ongoing, Med Associates says it has determined that the information that may have been accessible from the workstation, covering 270,000 patients, includes patient names, dates of birth, addresses, dates of service, diagnosis codes, procedure codes and insurance information, including insurance ID numbers.
"There was no banking or credit card information contained on or accessible from the workstation," the company says. "Additionally, we are currently not aware of any misuse of patients' protected health and/or personal information."
The vast majority of affected patients are based in New York, but some individuals in Massachusetts, Vermont and Florida were also notified of the incident, Cathy Alvey, Med Associates president, tells Information Security Media Group.
Alvey says that the organization - in addition to notifying patients - has notified "regulatory agencies ... as deemed appropriate by our legal team." That includes the Department of Health and Human Services.
As of Wednesday, the incident was not yet posted on HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website. Commonly called the "wall of shame," the website lists health data breaches impacting 500 or more individuals.
If HHS confirms the details of the breach and adds it to the tally, it would be one of the largest breaches added so far this year.
Alvey notes that Med Associates' clients were given an opportunity to review its response and provide approval for Med Associates to notify required parties on their behalf. "Med Associates, as a business associate to the covered entities, notified the covered entities within 60 days of the [March 22] discovery," she adds.
Alvey did not provide ISMG with details about the nature of the hacking. But she said the attack did not involve ransomware or phishing.
"This was not a phishing incident; it was a hacking incident where an outside party gained remote access to a workstation. We were unable to determine the intruder's motive. Data was not encrypted or locked."
Alvey also tells ISMG that there was no evidence that the company's claim processing software was accessed and no malware was noted on its servers. "Through access to the workstation, the intruder could have potentially accessed claim submission files residing on our network. There was no evidence that they did. The notification was prompted by the fact that we are unable to definitively rule out the possibility that those claim submission files could have been accessed," she says.
In its statement, Med Associates reports that in the aftermath of the incident, it immediately secured the impacted workstation, implemented even more stringent information security standards and increased staff training on data privacy and security.
The company is providing patients affected by the breach one year of free credit monitoring and identity restoration.
Healthcare billing vendors are attractive potential targets for hackers, some security experts note.
"Billing companies often have huge amounts of patient data, particularly as it relates to health insurance data, patient treatments, prescriptions, etc. These are some of the most valuable types of data in the dark web, so they are attractive targets for hackers," says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"The more PHI and other types of patient and treatment data that a business associate possesses, the more likely they will be targeted," Herold adds.
"With most BAs putting detailed information about their services on their websites, in addition to on Facebook, LinkedIn, Instagram, YouTube, and many other social media sites, it is very easy for cybercrooks to comb online sites to find their targets. CEs need to make sure that they increase oversight for their BAs as they increase the amount of PHI and other patient data that they entrust to BAs."
Med Associates' statement "leaves wide open the possibilities for what actually happened," Herold says. "Someone from the other side of the world could have gotten access into the workstation through the CE network, or through a Med Associates worker's personal device that was not secured appropriately. Or, it could have been someone who found an open access point in the vicinity of the Med Associates offices and got into the worker's computer in that manner... The possibilities are endless."
Several different attack vectors can lead to workstation compromise, notes Keith Fricke, principal consultant at tw-Security. "Whether it be phishing attacks tricking people into opening malware-infected attachments or visiting a website harboring malware, protecting workstations with up-to-date operating system and application patches is key," he says.
"Having defense-in-depth measures to filter and block websites and email helps reduce risks as well. Sometimes criminals trick people into thinking they need online computer support from an unknown party, leading to workstation compromise."
Recurring workforce training also is important, Fricke says. "Keeping security awareness top of mind helps prevent lax practices from creeping back into personal and work habits involving access to sensitive information."
The Med Associates breach spotlights again the risks to patient data posed by vendors.
"Obtaining reasonable assurances from your business associates extends well beyond getting them to sign your business associate agreement," says Susan Lucci, privacy and security consultant at tw-Security. "Obtain evidence of their compliance with all aspects of HIPAA, in particular, compliance with the security rule and the fact they are educating their workforce on privacy and security practices."
Herold offers a similar perspective. "Ensure oversight of the security and privacy practices of BAs. That includes requiring executives to attest to the veracity of their information security and privacy programs and validate security controls like those above through doing audits, reviewing the executive summaries of risk assessments, and requiring penetration tests and vulnerability assessments."