
Published on July 29th, 2019


Business Associate Data Breach Impacts Multiple Providers



By Jessica Davis

July 25, 2019 - Michigan-based Northwood, a medical equipment benefits administrator, is notifying multiple healthcare providers that their patient data was potentially breached after an employee email hack in May.

The business associate breach is listed on the Department of Health and Human Services’ breach reporting tool as impacting four covered entities with a total of 15,027 patient records breached.

On May 12, Northwood officials discovered suspicious activity on an employee email account and launched an investigation with an outside computer forensics team. The account was immediately taken offline and the password was changed.

Officials said they also mandated password resets for all employee email accounts and notified employees to keep an eye out for suspicious emails.

The investigation determined a hacker gained access to the account for three days between May 3 and May 6. However, they could not determine which email messages were opened or viewed during the hack.


The impacted account contained information related to patients who received medical equipment that was supplied or managed by Northwood, including patient names, dates of birth, medical record numbers, member health plan identification, diagnoses and codes, treatment details, and medical device information.

The compromised information varied by patient and could also include Social Security numbers and driver’s license numbers for some patients. For health plan members, insurance provider names were also breached.

The impacted account also included certain provider information connected to their exclusion status with the HHS Centers for Medicare and Medicaid Services, which included their names and Social Security numbers. All impacted patients will receive free credit monitoring services.

Since the security incident, Northwood has added security features to its email systems and provided employees with further training and education to prevent a recurrence. The investigation is ongoing.

Cancer Treatment Centers of America Email Breach

The Eastern Regional Medical Center branch of Cancer Treatment Centers of America recently fell victim to an email hack, which potentially compromised the data of 3,904 patients.


This is the third breach reported by a CTCA branch within the last year. CTCA reported a breach caused by a phishing attack in May, which compromised patient data for six months, while its Western Regional Medical Center reported a phishing-related incident in December that breached the data of 42,000 patients.

The latest CTCA security incident was discovered on June 6, when suspicious activity was detected on an employee email account. Officials said they immediately changed the account password and launched an investigation.





They determined the hacker first accessed the account on May 4 and that the access continued for 11 days until May 15. The investigation could not rule out that the attacker accessed or copied patient data. The compromised data varied by patient, but could include contact information, dates of birth, medical record numbers and other patient identifiers, health insurance data, and medical information.

Employees of CTCA’s Eastern Regional Medical Center have received additional training on security threats, while officials said they’re evaluating technical controls and will implement security improvements to the email system.

3 Providers, More than 150,000 Patients Added to AMCA Breach Tally

Three more providers have been added to the tally of the American Medical Collection Agency breach victims, which has now seen more than 25 million patient records potentially compromised.


AMCA first reported an eight-month server hack in June, which began in August 2018 and lasted until March when it was discovered. The breach has claimed more than 20 covered entities so far, including Quest Diagnostics, LabCorp, BioReference, Penobscot Community Health Center in Maine, Clinical Pathology Laboratories, Austin Pathology Associates, and eight other providers.

Since those breach notifications, three more providers have been added to the list: Pathology Solutions with 13,300 impacted patients, Laboratory Medicine Consultants with 147,600 patients affected, and Western Pathology Associates with 4,550 compromised patient records.

In May, AMCA notified LMC that some of its data was breached during the hack on the billing services vendor. But like many of the impacted providers, LMC officials said AMCA did not provide them with enough information to fully understand the scope of the incident. As a result, the investigation is ongoing.

So far, LMC officials said the potentially impacted data included patient names, contact details, dates of birth, treatment provider information, dates of service, account balances, and credit card or banking data. Social Security numbers, laboratory results, and clinical histories were not included in the AMCA data.

AMCA notified 4,200 patients about the breach, while LMC notified another 143,400 patients. However, the financial information of those patients was not compromised.

Pathology Solutions’ breach notification is nearly identical to LMC’s, down to the variations in the number of patients notified by AMCA and the covered entity: the vendor notified just 600 patients, while Pathology informed another 12,700 individuals.

Meanwhile, Western Pathology Consultants’ notification is similar, also with variations in breach numbers.

All three providers have ceased doing business with AMCA as a result of the breach. Many industry stakeholders have warned that more covered entities may come forward as AMCA breach victims in the coming weeks. It’s quickly becoming one of the largest healthcare breaches to date.

AMCA has since filed for bankruptcy, as it faces investigations and several lawsuits.
