3rd Party Risk Management , Governance & Risk Management , HIPAA/HITECH
More Healthcare Disruptions Tied to Vendor Incidents
Pharmacy Administration Vendor, EMR Hosting Firm Among Latest VictimsTwo companies that serve the healthcare sector have reported disruptive cyber incidents affecting their clients, the latest in a string of similar supply chain incidents.
The most recent incidents affected San Antonio-based CaptureRx, which provides healthcare technology and administrative services to hundreds of U.S. hospitals and others, and Dallas-based MedNetworx, which provides hosted medical software, including the Aprima electronic medical records system from CompuGroup eMDs.
Many of the largest health data breaches reported to federal regulators so far this year have involved vendors, including the attack that took advantage of vulnerabilities in the Accellion File Transfer Appliance product.
Earlier supply chain incidents involving debt collector firm American Medical Collection Agency and cloud-based fundraising software vendor Blackbaud led to dozens of health data breach reports affecting tens of millions of individuals.
In light of vendor breaches, healthcare organizations need to take extra precautions, privacy and security experts say.
"Healthcare organizations that hire these firms should take prompt action to protect themselves from the fallout, beginning with shoring up their vendor relationships," says privacy attorney David Holtzman of the consulting firm HITprivacy LLC.
CaptureRX Incident
CaptureRx says it's notifying clients that unauthorized access to certain files could have exposed patient details, such as name, date of birth, prescription information and medical records.
The company also posted a list of about 40 healthcare clients affected by the incident.
CaptureRx says an investigation determined certain files were accessed and acquired on Feb. 6 without authorization.
In addition to notifying healthcare providers affected by the incident, it is working with those clients to notify individuals whose information was contained in the files, CaptureRx says. The company did not immediately reply to an Information Security Media Group request for comment, including whether ransomware was involved.
The company says it's reviewing its policies and procedures and will provide additional workforce training.
Several healthcare organizations have issued notices about being affected by the CaptureRX incident, including Faxton St. Luke’s Healthcare, an affiliate of the Mohawk Valley Health System, which announced on May 4 that the data of more than 17,000 patients had been breached.
MedNetworx Incident
Meanwhile, the cyber incident involving Dallas-based MedNetworx affected an unspecified number of small and midsized healthcare practices that rely on MedNetworx to host the Aprima electronic medical records system from vendor CompuGroup eMDs.
In a statement to ISMG, MedNetworx says that on April 22, it experienced a network outage that resulted in a temporary disruption to its servers and other IT systems.
"Upon discovering the outage, MedNetworx immediately initiated an investigation and took steps to contain the outage including taking a significant portion of its network offline."
The company's investigation has determined that the outage was due to a security incident that involved unauthorized access by a third party to certain of its computer networks, the company says.
"The investigation into the scope of the incident, including whether data was potentially affected, remains ongoing." MedNetworx did not respond to ISMG's inquiry about whether the incident involve ransomware.
CompuGroup eMDs did not immediately respond to ISMG's request for comment on the incident.
Client Impact
In recent weeks, however, several Aprima clients have posted notices that an EMR outage had affected the practices' ability to access patient records.
For instance, the Colorado-based Alpine Center for Diabetes, Endocrinology and Metabolism posted on its website an apology to patients regarding the April 22 Aprima incident that left the practice unable to access its EMRs for more than two weeks.
A receptionist at the clinic told ISMG on Monday that its services for the EMR had just been restored.
In addition to the practice's note to patients, the clinic posted a letter it received from Derek Pickell, the CEO eMDs, the developer of Aprima.
In the message, Pickell says that its unnamed hosting vendor had recently discovered a security incident that affected its system. "They continue to work around the clock to resolve any disruptions to certain systems and operations … The goals now are to remove any malware from all systems, make sure all devices are clean and restore full functionality and data."
A spokesperson for Arthritis & Osteoporosis Center of Kentucky, another eMDs client affected by the Aprima outage, tells ISMG that access to the EMR application has been spotty and unpredictable. For instance, the practice "has access at times to patients charts and scheduling, however, it is so slow it takes us several minutes to change from one tab to another making it nearly impossible to do anything."
The spokesperson, commenting midday Monday, adds: "This morning, we had no access whatsoever, and thankfully last week we printed out the schedule for this week. We had to roll our phones over to night mode and have not been able to answer calls for weeks, instead referring them to a HIPAA-compliant email to forward their concerns."
The practice is not able to access any lab results, "or even send out any billing, which is crippling for us because, if we don’t send out claims, there is no revenue coming in for the practice," the spokesperson says.
The practice, however, is still seeing patients but cannot schedule follow-up appointments.
"It seems every day improves just a little bit, but today it looks like we have taken three steps back from Friday of last week," the spokesperson adds.