Cloud-Based EHR Vendor Hack Affects Eye Care Practices
Database Deletion Incident Affects About 100,000 Individuals, So Far
A hacking incident at a cloud-based electronic health records vendor, involving the deletion of databases and system configuration data, has so far affected multiple ophthalmology practice clients and roughly 100,000 or more of their patients.
In recent weeks, nearly a half-dozen eye care practices have reported to the U.S. Department of Health and Human Services and state regulators health data breaches involving the vendor Eye Care Leaders, based in Durham, North Carolina, and its cloud-based myCare Integrity electronic medical records offering.
On its website, Eye Care Leaders says that its EHR software and practice management systems are used by 9,000 ophthalmologists. The company also says that all of its EHR products have been certified under the HITECH Act health IT certification program run by HHS' Office of the National Coordinator for Health IT.
"The fundamental purpose of HIPAA, the HITECH Act and the EHR certification program through ONC is to ensure the confidentiality, integrity and availability of the data," regulatory attorney Rachel Rose tells Information Security Media Group.
Affected Ophthalmology Practices
Vision care practices that have reported data breaches involving the Eye Care Leaders EHR incident to federal or state authorities in recent weeks include:
- Tennessee-based Summit Eye Associates, which reported to HHS' Office for Civil Rights on April 27 that nearly 54,000 individuals had been affected;
- Washington state-based King County Public Hospital District No. 2 - doing business as Evergreen Health - which reported to HHS OCR on April 22 that nearly 21,000 individuals had been affected;
- Ohio-based Allied Eye Physicians & Surgeons Inc., which on April 27 reported to the Maine attorney general's office that the "external hacking" incident had affected nearly 21,000 individuals.
Regional Eye Associates Inc. of West Virginia posted a notification statement on its website regarding a hacking incident involving an unnamed third-party electronic medical records vendor. The practice is featured in a customer case study on the Eye Care Leaders website. As of Thursday, Regional Eye Associates' breach did not appear on the HHS OCR HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
Rutland, Vermont-based Central Vermont Eye Care also reported to HHS OCR a hacking incident involving EHRs. The practice's April 6 breach report indicates that 30,000 individuals were affected by its hacking incident.
It is unclear, however, whether the Central Vermont Eye Care breach involves Eye Care Leaders' EHR or if it was a separate, unrelated EHR incident.
Central Vermont Eye Care did not immediately respond to ISMG's request for details about its incident, including whether it involved Eye Care Leaders. As of Thursday, Central Vermont Eye Care did not have a breach notification statement available on its website.
Eye Care Leaders Compromise
Eye Care Leaders also did not immediately respond to ISMG's request for details about its hacking incident.
But breach notification statements issued by Eye Care Leaders' affected ophthalmology practices say the incident involved unauthorized access to the company's cloud-based myCare Integrity electronic medical record databases.
Notably, the incident did not involve unauthorized access to any of the affected practices' own systems, the notification statements say.
Summit Eye Associates in its breach notification statement says that on March 1, Eye Care Leaders notified the practice that it had experienced a data security incident that may have resulted in unauthorized access to some Summit Eye Associates patient information.
According to Eye Care Leaders, on or around Dec. 4, 2021, an unauthorized party accessed myCare Integrity data and deleted databases and system configuration files, Summit Eye Associates says.
Upon identifying the activity, Eye Care Leaders' incident response team "immediately stopped the unauthorized access" and began investigating the incident, Summit Eye Associates' notification statement says.
On March 28, Eye Care Leaders informed Summit Eye Associates that its investigation was ongoing and that it did not know whether any Summit Eye Associates patient information was involved in the incident.
"Although Eye Care Leaders has not confirmed that any Summit Eye Associates patient information was accessed as a result of the incident, they have informed Summit Eye Associates that they cannot rule out that possibility," the notification says. Potentially affected information includes patient names, dates of birth, medical record numbers, health insurance information, Social Security numbers, and information regarding care received at the practice.
Similarly, in its breach notification statement, Regional Eye Associates says its EHR vendor informed it on March 1 of a breach involving an individual who had gained access to its vendor's system on Dec. 4, 2021.
"This individual deleted several databases between the hours of 7:18 p.m. and 10:13 p.m. before being discovered and locked out of the system. At this time, we do not have any evidence which leads us to believe that any personal health information was exfiltrated, but the investigation is ongoing," the notice says.
Vetting EHR Vendors
Healthcare practices that rely on cloud-based and other vendors for their EHR products and services should carefully scrutinize the security of those offerings, some experts say.
"If the EHR is remotely hosted, obtain evidence of the security practices the hosting vendor has in place to protect patient data, including recovery capability from security incidents," says Keith Fricke, principal consultant at privacy and security consultancy tw-Security. "EHRs contain a large aggregation of data, causing larger breaches when unauthorized access occurs. In addition, crippling EHRs via data deletion or ransomware impacts a larger number of patients at the same time. EHR data contains all the elements necessary for ID theft."
Healthcare entities also need to look beyond the notion of an EHR vendor's product being certified by ONC, says attorney Rose. "Ask for reasonable assurances from the vendor themselves. For example, Amazon Web Services and Microsoft provide their annual HIPAA reports and SOC 2 audits to customers," she says. Practices should also ask about any settings that the end user must configure in order to ensure compliance.
"In healthcare in particular, business continuity and disaster recovery plans are critical for covered entities and business associates, such as EHR vendors, who play a critical role in patient care. Have a comprehensive third-party audit done and be truthful about the gaps and areas of risk. Be sure to have a corrective action plan implemented, too, in order to correct the gaps."
Fricke says that when EHRs are hosted by vendors, "the standard security practices still apply - patching and vulnerability management, workforce training on phishing, 24x7 monitoring, cyber insurance, incident response plans, and validating backups are occurring as expected."
As of Thursday, the HHS OCR breach reporting website shows that so far in 2022, at least 11 major breaches affecting more than 312,400 individuals have been posted as involving EHRs.
In February, HHS' Health Sector Cybersecurity Coordination Center issued a warning about cybersecurity threats involving EHRs and EMRs, noting that such data compromises are profitable to cybercriminals for extortion, fraud, identity theft, data laundering and sale on the dark web (see: HHS Warns of Threats to Electronic Health Records).