Healthcare data breaches could offer valuable lessons on how to address cyberthreats, yet their details are rarely made public. Learn why sharing incident experience is crucial for the healthcare industry.
As a result of healthcare digitalization, unprecedented amounts of personal and health data are collected and processed. Unfortunately, data incidents in healthcare have become an unpleasant routine: every month brings new data breaches and other incidents affecting large numbers of individuals. New information on healthcare data breaches is published on the Office for Civil Rights (OCR) breach portal almost every day, and the office continuously investigates incidents and holds businesses accountable for HIPAA non-compliance. However, we rarely learn how the affected entities correct their errors and what improvements they implement. Sharing these experiences is crucial for improving the security posture of the whole industry.
In one of our previous articles, HIPAA Compliance: Learning from the Other’s Mistakes, we examined common failures organizations demonstrate in handling customers’ data. In this article, we underline the importance of sharing experience in addressing data incidents and explain why covered entities and business associates are so unwilling to share their data breach experiences.
Summarizing recent breaches, the vast majority of victim organizations make vague statements about the actions they have taken to respond to the incident. Generally, their statements sound along these lines: “… we take all necessary measures to help prevent similar incidents in the future …” Organizations neither share their experience in addressing the incident nor provide details on the actions taken to prevent future incidents. While some organizations are able to withstand the impact of a breach and remain afloat, others are forced to cease operations. Many organizations offer their customers various benefits in an attempt to minimize the damage to their public reputation.
Spending Months to Reveal Data Exfiltration. Starting on March 31, 2022, Law Enforcement Health Benefits Inc. (LEHB) began notifying customers of a ransomware attack. The attack encrypted files stored on the organization’s network and impacted over 85,000 individuals. LEHB’s network was compromised as early as September 14, 2021, but the exfiltration of sensitive data was officially detected only four months later. Despite the evidence of data exfiltration, the benefits plan said it had not received any reports of identity theft or fraud as a result of the breach.
In the notice to customers, LEHB stated that it “takes this incident very seriously and that the company has taken additional steps to secure its network and improve internal procedures to remediate future threats.” The company did not specify what those additional security procedures were, nor why it stayed silent about the incident for so long.
Understating the Real Number of Victims. On April 24, 2021, Smile Brands fell victim to a ransomware attack that led to unauthorized access to clients’ sensitive data. The company initially reported the incident to the OCR in June 2021, stating that the breach had affected 1,200 individuals. That number was later updated to 199,683 individuals. Eventually, a report on the OCR website stated that the breach impacted nearly 2.6 million people, making it one of the largest breaches of 2021.
Smile’s consumers were notified of the breach three times: in September 2021, January 2022, and February 2022. In its notice, Smile Brands said it promptly terminated the unauthorized access and launched an investigation. The company also offered impacted individuals free credit monitoring services for 12 months.
Despite these offers, some consumers remained deeply concerned about the security of their data, and in December 2021 a lawsuit was filed against Smile Brands over the ransomware attack and the related data exposure. The suit claimed that the defendants “negligently left their computer systems open to attack” and that the contents of those systems “were available for the unauthorized individuals to access, view, acquire and exfiltrate for their nefarious use.”
Ceasing Operations Following the Attack. On April 29, 2022, Salusive Health, commonly known as myNurse, posted a notice informing customers of a data security incident involving customers’ personal information. The incident itself happened earlier, on March 3, 2022, when an unauthorized individual gained access to the organization’s systems. It took four days before Salusive Health discovered the malicious activity and began containment and restoration efforts to secure its network.
Later, the company sent a breach notification letter to the California Attorney General’s Office and announced that it would cease operations by May 31. This part of the story is the most instructive, as it demonstrates how destructive data breaches can be for a business and its reputation. Although the organization said that the decision to close was unrelated to the data security incident, there are good reasons to believe otherwise. The announcement was vague and seemed buried between the central breach information and a statement that the company “welcomes [customers] to keep any vitals monitoring devices they’ve received from myNurse, such as blood pressure monitors or scales…” With that last statement, Salusive Health made a small gesture to its customers to soften the bitter aftertaste of its failure.
Healthcare is an extremely segmented industry in which services are delivered through the close collaboration of multiple entities. A simple office visit involves not only the physician who provides the main service but a whole chain of connections, including clinical services, invoicing, billing, insurance, and other ecosystem players. To understand healthcare data breaches comprehensively, one should consider these connections and study healthcare entities as parts of one big ecosystem. More importantly, although these organizations focus on very different types of services, they operate within the same industry and follow the same standards and regulations regarding security and patient privacy.
Therefore, one organization’s experience in handling patient data is relevant to the other organizations in the chain. In other words, business associates and covered entities have an excellent opportunity to learn from each other’s breach experiences.
The data incidents discussed above have different scenarios and implications, but they share one crucial feature: all of the affected organizations gave poor explanations of what happened and what measures they are taking to prevent breaches in the future. Keeping the lessons of data incidents silent leaves a significant gap in the industry’s ability to reduce the number and severity of data breaches.
We identified several reasons why healthcare businesses are so frugal with words and comments regarding the data incidents they have experienced, and why so many companies fall victim to near-identical cyberattacks.
Punitive Nature of HIPAA Enforcement. Most healthcare organizations are unwilling to share information about their breaches because of the punitive way OCR treats them. How OCR handles violations resembles how the healthcare industry treated medical errors decades ago: rather than taking a systematic approach to identifying and addressing the root causes of breaches, OCR focuses on individual instances and penalizes the victim organizations.
Public and Media Scrutiny. Public and media scrutiny also discourages victim organizations from sharing their breach experiences. After a breach, media and public attention focus on two extremes: the individuals whose data was breached on one side and the organization deemed “irresponsible” on the other. Under this pressure, the organization is assumed to have failed to protect health data properly and is treated as the perpetrator rather than as a victim.
Lack of Incentive to Share Experiences. Even organizations that have not experienced a data incident are unwilling to share their security policies and technologies, for many reasons. While many technology companies publish regular reports and whitepapers on the state of their security and their strategies, the healthcare industry does not share such information. As a result, healthcare organizations are practically unable to learn from their peers and are more prone to further data breaches.
A Slow Investigation Process. It is an open secret that OCR investigations come with lengthy reports detailing the incident, the response actions taken, and the corrective actions implemented. Most of the interviewed organizations believe that the long and complicated investigation process helped them carefully examine the breach and address their weaknesses in security and privacy. On the other hand, many businesses say the investigation process is exhausting, and responding to multiple requests from OCR can be overwhelming, especially for smaller organizations.
Every data breach is a valuable learning experience for the industry as a whole. Yet the lessons learned from these experiences are rarely documented and hardly ever shared with other healthcare entities. As long as the factors that lead to data breaches are not recorded and shared, other organizations remain just as likely to experience the same incidents in the future.
To stay updated on the recent healthcare-related events, keep reading our blog or contact the Planet 9 team. We’ll be happy to assist!