Bizmatics Cyberattack: Assessing the Fallout
Tracking the Impact of Hack of Cloud-Based EHR Vendor
The total impact of a 2015 hacker attack against cloud-based electronic health records vendor Bizmatics Inc. might not be known for months because it's still unclear how many of the company's group practice clients were affected - and how many records were compromised.
As a result, security experts are urging the company's clients to reach out to the vendor to inquire whether their patients' protected health information was potentially compromised by the hack.
Although San Jose, Calif.-based Bizmatics apparently has not publicly commented about the incident, the disclosure of the cyberattack by Bizmatics to certain customers has essentially put all its clients on notice that their data, too, may have been compromised, says privacy and security attorney Stephen Wu of the law firm Silicon Valley Law Group.
"If you are a Bizmatics customer, you're under obligation to do due diligence" to see if protected health information of your patients has been compromised, requiring notification, he says.
Wu and other experts suggest the company's clients consider engaging forensics specialists to help verify whether patients' data has been exposed. They also suggest taking additional steps to help shore up security related to all their business associates.
As of June 30, it appears that at least 17 Bizmatics clients - and a total of about 264,000 patients - have been impacted by the cyberattack. Those figures are based on the Department of Health and Human Services "wall of shame" tally of major health data breaches and the breach notification statements issued by the various affected healthcare organizations that specifically name the involvement of Bizmatics, as first tracked by Databreaches.net. The listings on the HHS breach tally, due in part to how some covered entities fill out their breach reports submitted to HHS, do not mention the involvement of Bizmatics.
Bizmatics Clients Reporting Breaches
| Clinic | State | # Patients Affected |
|---|---|---|
| Southeast Eye Institute (dba Eye Associates of Pinellas) | Florida | 87,314 |
| Stamford Podiatry Group | Connecticut | 40,491 |
| Illinois Valley Podiatry Group | Illinois | 26,588 |
| North Ottawa Community Health System | Michigan | 20,000 |
| Integrated Health Solutions | Pennsylvania | 19,976 |
| Pain Treatment Centers of America | Arkansas | 19,397 |
| ENT and Allergy Center | Arkansas | 16,200 |
| Lafayette Pain Care | Indiana | 7,500 |
| Grace Primary Care | Tennessee | 6,853 |
| Complete Family Foot Care | Nebraska | 5,583 |
| California Health and Longevity Institute | California | 5,386 |
| The Vein Doctor | Missouri | 3,000 |
| Allen Dell (law firm on behalf of client) | Florida | 2,500 |
| Vincent Vein Center Grand Junction | Colorado | 2,250 |
| Mark Anthony Quintero, M.D | Florida | 650 |
| Family Medicine of Weston | Florida | 500 |
The largest known Bizmatics-related incident listed on the federal tally was reported May 5 by Florida-based Southeast Eye Institute, which does business as Eye Associates of Pinellas. That incident is listed as affecting 87,314 individuals.
Bizmatics claims on its website that its PrognoCIS EHR and practice management software "serves over 15,000 medical professionals." And it still remains to be seen how many of those professionals' practices were affected by the breach.
Hard to Pinpoint
Part of the difficulty in tallying the full number of affected entities appears to be rooted in uncertainties turning up in the post-breach forensics investigation of the Bizmatics cyberattack.
In a breach notification posted on its website, one of the covered entities known to be impacted, Florida-based HeartCare Consultants, notes that Bizmatics recently informed the provider that a malicious hacker attacked the vendor's data servers, resulting in "unauthorized access to Bizmatics customers' records across the U.S., including some records belonging to us."
HeartCare Consultants also notes that after becoming aware of the incident in late 2015, Bizmatics began an investigation with the help of law enforcement and the security forensics firm CrowdStrike. "Bizmatics believes the incident may have occurred in early 2015 ... [but] CrowdStrike could not find a sufficient log of evidence to determine all of the information accessed or viewed by the hackers," HeartCare Consultants notes.
Records compromised may include health visit information, patient names, addresses, health insurance numbers, and in some cases, Social Security numbers, HeartCare Consultants reports.
Bizmatics did not immediately respond to an Information Security Media Group request for comment on the incident.
CrowdStrike, in a statement to ISMG, says, "as a matter of policy, CrowdStrike does not comment on customer engagements and issues pertaining to customers, so we can neither confirm nor deny involvement in this case."
Because Bizmatics claims to have thousands of customers and appears to have insufficient log evidence to help sort out the incident, there could be many more organizations potentially impacted by the cyberattack, experts say.
Although Bizmatics, like other business associates under HIPAA, is required to notify covered entities no later than 60 days after discovering a major breach affecting a covered entity's data, Wu advises clients of Bizmatics to directly contact the vendor about the incident if they have not yet been notified about the cyberattack.
Rebecca Herold, CEO of The Privacy Professor and co-founder of SIMBUS360 Security and Privacy Services, says there's another possible reason why more Bizmatics clients haven't been notified by the vendor about the breach - or haven't themselves reported the incident to HHS.
"A large portion of those clients may have had less than 500 PHI records within the Bizmatics data warehouse, which would mean they wouldn't need to legally report them to HHS right away, but could wait and include that information at the end of the year," Herold says. "Of course Bizmatics should have reported to those smaller CEs already. Looking at the known types of providers listed so far, it seems Bizmatics may have had a lot of small clinics that they were doing work for. So after the end of 2016, you will likely see the number of CEs whose PHI was involved jump up dramatically." That's because smaller breaches must be reported annually to HHS.
Nevertheless, Herold anticipates that more clinics will report data compromises tied to the Bizmatics breach in the weeks ahead, given the steady additions to the HHS tally in past weeks.
Regardless of HIPAA's breach reporting requirements, it's critical that vendors notify covered entities of breaches as soon as possible, says Dodi Glenn, vice president of cybersecurity at security services firm PC Pitstop.
"Breach notifications should happen just as soon as the breach has been detected," he stresses. "This allows the healthcare organization to tighten their own security and be on the lookout for suspicious activities related to their own network. The longer the vendor waits on disclosing the breach, the more damage it can do to the organizations who are associated with them."
Herold says that business associates should contact covered entities within 24 hours of discovering a breach impacting the client's PHI. "The BA should provide regular reports to their CEs as they mitigate the breach and answer any questions they have," she says. "Following mitigation, the BA should have an objective third party do a risk assessment covering the scope of the breach to ensure all vulnerabilities have been addressed appropriately."
Wu suggests that Bizmatics clients engage a third-party security firm to assess whether their patients' PHI has been compromised, especially because it appears that Bizmatics might be having trouble sorting that out.
The Bizmatics cyberattack offers lessons to organizations using the services of any cloud-based services vendor.
"Don't assume that your data is secure in the cloud, regardless of who you are partnering with," Glenn says. "As we've seen from this breach, and several others in the healthcare industry, hackers are actively targeting these types of organizations. Make sure that the company you are doing business with has an incident response plan in place and ask to view the plan."
Herold suggests healthcare organizations reassess their business associate management practices "and determine how they are going to provide some type of ongoing oversight for BAs."
Meanwhile, she says business associates need to implement stronger and more comprehensive information security programs.
In light of Bizmatics reportedly having insufficient log information to determine the extent of the cyberattack's impact, Herold recommends that covered entities and business associates fortify their log-related practices. That includes:
- Documenting logging, network security activity and accounting of disclosures policies and procedures;
- Assigning responsibility for oversight of the policies and procedures that include logging access to PHI, as well as logging security events that occur within the network and associated with PHI data repositories;
- Providing training to those with audit and log review responsibilities;
- Periodically conducting a test to ensure such access logging and procedures are adequate and accurate;
- Establishing breach identification and response policies and procedures that include such log access tools and procedures.