Breach Notification , Fraud Management & Cybercrime , Healthcare

Ascension Files Placeholder Breach Report for May Hack

Meanwhile, Wait Continues for Change Healthcare's Breach Report in Massive Attack
Ascension Files Placeholder Breach Report for May Hack
Ascension has filed a preliminary breach report to federal regulators - and the wait continues for Change Healthcare's breach report. Neither entity has begun to mail notifications to affected individuals. (Image: Getty Images)

U.S. hospital chain Ascension has filed its first breach report to federal regulators on its May 8 ransomware attack, which involved the theft of data from seven servers and disrupted patient care services at facilities across several states for weeks. The notice is a placeholder that says the breach affected at least 500 people.

See Also: The Healthcare CISO’s Guide to Medical IoT Security

Ascension is one of two healthcare firms affected by highly disruptive - and high-profile - ransomware attacks. Software vendor Change Healthcare is expected to report its data breach from a February cyberattack by the end of July. The two incidents combined are expected to affect tens of millions of individuals.

The July 3 report by Ascension to the U.S. Department of Health and Human Services appeared Friday on HHS' Office for Civil Rights' HIPAA Breach Reporting Tool website listing major HIPAA breaches affecting 500 or more individuals.

Ascension in a statement Friday told Information Security Media Group that it filed the placeholder report to HHS OCR to comply with the 60-day breach notification deadline for reporting protected health information compromises affecting 500 or more individuals.

"This report was preliminary and was filed to ensure Ascension met its regulatory obligations. Ascension continues to work alongside third-party experts to review the nature and scope of the data impacted by the May incident," the statement says.

"Once this review is completed, Ascension will finalize its findings, update its report to OCR and notify individuals, in accordance with our legal and regulatory obligations.”

Ascension's analysis of affected data is expected to take several more weeks.

Ascension's breach analysis could take several more weeks.

The Missouri-based group in June said ransomware attackers stole files from seven of the organization's 25,000 servers after gaining access to its IT network when an employee inadvertently downloaded a file containing malware (see: Worker-Downloaded Malware Caused Ascension Ransomware Attack).

Sources close to the Ascension investigation have said Russian-speaking ransomware group Black Basta was behind the attack, but Ascension has not publicly commented on the attacker.

Soon after discovering the incident on May 8, Ascension shut down electronic health records, pharmacy and other clinical IT systems across most of the 19 states where it operates its 140 hospitals and other healthcare facilities (see: Impact of Ascension's Cyberattack Outage Varies by Region).

The organization said in updates posted on its website that IT systems and services are restored in regions that were affected by the outage.

The Waiting Game

Meanwhile, the wait continues for Change Healthcare to file to federal regulators a breach report and begin notifying the tens of millions of individuals whose sensitive information was potentially compromised in the company's massive Feb. 21 cyberattack.

Change Healthcare, the IT services unit of UnitedHealth Group, last month issued a "substitute" HIPAA breach notice and began to notify healthcare sector clients affected by the incident, saying that breach notification to affected individuals is not likely to start until late July (see: Change Healthcare Begins to Notify Clients Affected by Hack).

As of July 18, Change Healthcare had still not filed a breach report to HHS OCR, said Melanie Fontes Rainer, the federal agency's director, during a fireside chat at Information Security Media Group's Healthcare Cybersecurity Summit in New York City.

Change Healthcare said it expects to begin individual breach notifications by late July.

As of Friday, the HHS OCR breach reporting website still did not show a report by Change Healthcare.

Change Healthcare in a statement on Friday told ISMG that the company is continuing to publicly update the status of the incident and issued its substitute breach notification last month.

Change Healthcare is also in regular communication with HHS OCR and other regulators about its notification process. "We are committed to notifying potentially impacted individuals as quickly as possible and are immediately providing support and robust protections to people concerned about their data potentially being impacted," Change Healthcare said.

More than 90% of the affected files have been reviewed, the company said.

Regulatory attorney Sara Goldstein of the law firm BakerHostetler said she expects notifications from Change Healthcare will commence in the coming days.

"HIPAA-covered entities are required to provide notification to individuals as quickly as possible, within 60 days of discovery of the incident. With large incidents, like ransomware attacks, it is very common for covered entities to not have completed their investigations or to have identified all individuals requiring notification of an incident within 60 days of discovery," she said.

Therefore, a strategy that many organizations take is to notify as many people as possible and provide a substitute notice, media notice and HHS OCR notice within 60 days of discovery - and then to update those notifications as more information becomes available, she said.

Earlier this month, the state attorneys general of Massachusetts, California, New Hampshire and several other states issued warnings to consumers about possible identity theft and other fraud crimes involving the data stolen in the Change Healthcare attack.

Those consumer alerts followed a letter sent by 22 state attorneys general in June to UHG CEO Andrew Witty, urging the company to provide more transparency and to take "meaningful action" to protect healthcare entities, pharmacies and patients affected by the incident (see: State AGs, Industry Groups Urge Action in Change Health Saga).

Witty testified before two congressional committees in April that the attack on Change Healthcare by ransomware gang AlphV/BlackCat potentially affected the information of one-third of the U.S. population - or about 100 million individuals. Witty said UHG paid a $22 million ransom demand (see: UnitedHealth CEO: Paying Ransom Was 'Hardest Decision' Ever).

Regulatory attorney Rachel Rose said that when covered entities approach the 60-day deadline for reporting major HIPAA breaches to HHS OCR but are still uncertain about the exact number of individuals affected, she recommends the organizations report the incidents as affecting "at least 500 people" or "500 people known at this time" - along with saying that more information is forthcoming.

"Therefore, the 60-day time frame is met and the disclosure is accurate yet gives latitude for additional information, including affected persons, if necessary," she said.

Rose said HHS OCR has been in regular communication with Change Healthcare, and HIPAA regulations allow for some wiggle room when law enforcement such as the FBI or other regulators are involved in investigating a case.

"It is possible that the time frame was changed for Change Healthcare to formally report in accordance with the existing regulatory language," she said.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.com, you agree to our use of cookies.