Governance & Risk Management , Incident & Breach Response , Managed Detection & Response (MDR)
Misconfigured IT (Again) Leads to Big Health Data BreachDid Company Also Bungle Notification for Some Victims Impacted?
An all-too-common type of data security mistake - a misconfigured IT setting - has landed a Puerto Rico-based clearinghouse and cloud software services provider at the top of federal regulators' list of largest health data breaches so far this year, in an incident impacting nearly 1.6 million individuals.
According to a posting added Tuesday onto the Department of Health and Human Services' HIPAA Breach Reporting Tool website, San Juan-based Inmediata Health Group reported to HHS' Office for Civil Rights on April 24 a misconfiguration incident as an "unauthorized access/disclosure" breach involving a network server impacting 1.56 million individuals.
Also commonly called the "wall of shame," the HHS website lists health data breaches impacting 500 or more individuals.
Ironically, the Inmediata incident dislodged another misconfigured IT related breach from the top spot as largest health data breach listed so far in 2019.
That other incident - now the second the largest health data breach posted so far in 2019 on the federal tally - was reported in February by UW Medicine, involving a database coding error that exposed protected health information of more than 973,000 individuals to internet search engines.
Unfortunately, these types of mishaps are becoming increasingly common, some experts note. "The technology that we have available to us today is becoming more and more complex. Simultaneously, it is becoming quicker and easier to deploy," notes Jon Moore, senior vice president and chief risk officer at security and privacy consulting firm, Clearwater, formerly known as Clearwater Compliance.
"Together this creates an environment in which it is very easy to quickly deploy an improperly and/or insecurely configured solution," he adds.
Inmediata Breach Details
Inmediata says in a breach notification statement on its website that the company became aware in January "that some electronic health information was viewable online due to a webpage setting that permitted search engines to index internal webpages that are used for business operations."
The statement notes that immediately after Inmediata became aware of the situation, the company deactivated the website and engaged an independent digital forensics firm to assist with an investigation.
"Based on the current findings of the ongoing investigation, we have no evidence that any files were copied, or saved. In addition, to date we have not discovered any evidence to suggest that any information potentially involved in this incident has been subject to actual or attempted misuse," the statement says.
Information potentially exposed in the incident may include patients' names, addresses, dates of birth, gender, and medical claim information. "A very small group of the potentially impacted people may have Social Security numbers involved as well," the Inmediata notification statement says.
An Inmediata spokesman tells Information Security Media Group that of the 1.56 million individuals impacted by the incident, only 200 individuals whose Social Security numbers could have been compromised are being offered one-year of complimentary credit and ID monitoring.
The company has implemented "some new server and database procedures, as well as additional security features" to avoid a future incident of this nature, he says.
Bungled Breach Notification?
Inmediata is also facing scrutiny for its handling of breach notification regarding the mishap. Earlier this month, authorities in Michigan noted that they've launched an inquiry into the breach after receiving at least two consumer complaints about receiving multiple letters from the Inmediata dated April 22, 2019, including some letters misaddressed to other people.
In a May 2 statement, Michigan attorney general Dana Nessel and department of insurance and financial services director Anita Fox said the state had been made aware of the Inmediata incident impacting an undisclosed number of Michigan residents only after receiving those two consumer calls to the state's Consumer Protection Division.
"This is the second breach since the attorney general took office that [Nessel] learned of from sources other than the company itself," the statement says.
"The last breach was Wolverine Solutions Group," the statement notes, referring to a ransomware attack last fall on a company that provides billing and other business services to health plans and hospitals.
The Wolverine incident resulted in a breach affecting more than 600,000 individuals, according to Michigan state officials.
Why So Common?
Mishaps involving misconfigured IT settings or coding have been a common source of breaches in the healthcare, as well as in other sectors.
For instance, earlier this week, a security researcher found a database online that appeared to contain profile data for 49 million Instagram users, including their email addresses and phone numbers. That data was supposed to be private, but was apparently inadvertently left open without password protection on the internet (see: Database May Have Exposed Instagram Data for 49 Million.)
"It is crucial for organizations that handle sensitive personally identifiable information to put into place change management policies and procedures that include the testing of the security of the information system before putting the system into production."
—David Holtzman, CynergisTek
In the healthcare arena, in addition to the Inmediata and UWMedicine misconfiguration incidents, a coding error in a portal of the Employee Retirement System of Texas last year inadvertently allowed some users to view the information of others, potentially exposing health and other personal information on nearly 1.25 million of its members.
"In our experience, often the root cause of the misconfiguration of web servers, firewalls, and file transfer protocol sites are lack of policies and procedures for changes to information systems when applying patches and updates that result in to applications or hardware, which interferes with information security technologies that had been put into place to safeguard sensitive data," says privacy attorney David Holtzman of security consultancy CynergisTek.
"It is crucial for organizations that handle sensitive personally identifiable information to put into place change management policies and procedures that include the testing of the security of the information system before putting the system into production," he says.
A thorough enterprise-wide information security risk analysis also helps identify when an organization's change management processes were thorough and complete, he adds.
Breach Notification Challenges
Inmediata's alleged difficulty in correctly mailing some of its breach notification letters to individuals complicates the company's breach response situation, Holtzman notes.
"A challenge for healthcare organizations and IT contractors who serve them is to ensure that they can identify the individuals whose information is maintained in their information system. When there is an incident that results in the disclosure of PHI it is crucial to analyze the exposed data to determine with accuracy the identities of the individuals affected," he says.
In the case of a cybersecurity or ransomware incident, up-to-date data backups will be required to replace the data lost or corrupted, as well as to identify the individuals whose information was accessed or disclosed, he adds.
"Don't wait until you have had an incident to develop a strategy for making substitute notifications to those impacted by breach incident," he says.
"Healthcare organizations should expect that the records they have on individuals may not be up to date preventing breach notifications sent via U.S. mail from reaching them," he notes.
"The HIPAA Breach Notification Rule and most state breach notification schemes have requirements for making notifications through substitute means like releasing information to the media, posting notices on your organization's internet web site or including the information in newsletters sent to subscribers, patients and their families."
Moore offers a similar assessment. "We have observed that many organizations are not well prepared to comply with the HIPAA Breach Notification Rule," he says.
"Therefore, when they have a breach, particularly one of this magnitude, and are faced with the 60 day time limit to notify affected individuals, mistakes are likely," he says. "We recommend that organizations hold regular tabletop breach exercises that at a minimum include participants from IT, compliance, legal, and public relations."