Clinic Notifies 212,500 About 2020 Breach Involving Fraud
Practice Says Compromised Email Accounts Were 'Voluminous'
A Florida-based gastroenterology practice is in the process of notifying more than 212,500 individuals of a December 2020 breach involving business email compromise and fraud.
Florida Digestive Health Specialists LLP on Dec. 27 reported to the state of Maine's attorney general office that an email breach involving wire fraud, discovered more than a year earlier, has affected 212,509 individuals, including 11 Maine residents.
Lakewood Ranch, Florida-based FDHS has more than a dozen healthcare locations throughout the state.
"On Dec. 16, 2020, an employee noted suspicious activity within their FDHS email account that resulted in suspicious emails having been sent from their employee account," FDHS says in a Dec. 27 breach notification statement.
"Several days later, on Dec. 21, 2020, FDHS learned that funds had been misrouted to an unknown bank account."
'Voluminous' Email Accounts
FDHS says it immediately began an investigation and found that "a limited number" of FDHS employee email accounts had been accessed by unauthorized users.
"That investigation was involved and, though access was confined to a limited number of FDHS email accounts, those accounts were voluminous," the breach notification statement says.
FDHS says it investigated to determine what information was contained in the compromised email accounts, assessing whether it constituted personal information, protected health information, or other confidential information, and to whom that information belonged.
"This process took a considerable amount of time and only concluded on Nov. 19, 2021," FDHS says.
The PHI contained in the affected email accounts includes individuals' first and last names, address, date of birth, Social Security number, financial information, health insurance information, medical information, diagnosis, health insurance individual policy number, and Medicare/Medicaid information, FDHS says in its notification statement.
Breach Notification Duties
As of Tuesday, the FDHS incident had not yet been posted to the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Under the HIPAA breach notification rule, individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach, according to HHS' Office for Civil Rights. Additionally, for PHI breaches affecting 500 or more individuals, covered entities must notify HHS no later than 60 days following a breach.
But aside from HIPAA, all 50 states, as well as Washington D.C., and Puerto Rico, have breach notification laws with varying reporting deadlines, experts note.
"Each state and regulatory body is potentially going to have their own reporting requirements. Often, variables such as the number of individuals affected will determine the required course of action," says Benjamin Denkers, chief innovation officer at privacy and security consultancy CynergisTek.
FDHS is certainly not the first covered entity to report a major health data breach or to notify affected individuals many months past the general HIPAA breach notification 60-day deadline (see: Osteopathic Professional Group Reports Year-Old Breach).
In some recent data security incidents, including various ransomware attacks, authorities occasionally request an organization to delay breach notification, such as when a law enforcement official states it would impede a criminal investigation or cause damage to national security (see: Ransomware Roundup: Healthcare Sector's Latest Victims).
For instance, on Jan. 2, another Florida-based healthcare entity, Fort Lauderdale-based Broward Health, began notifying 1.3 million individuals of a data exfiltration breach discovered in October. Broward Health says the U.S. Department of Justice had requested that the entity "briefly delay" notification about the breach due to an ongoing law enforcement investigation into the incident.
An FDHS spokesman tells Information Security Media Group there is no evidence that any of the affected individuals' information has been used for malicious or fraudulent purposes. The wire fraud incident affected only FDHS itself and did not involve fraud committed against the entity's patients or employees, he says.
The incident was reported to law enforcement. FDHS continues to cooperate with that investigation, he adds.
So far, FDHS's investigation has not conclusively determined how the incident occurred. However, the forensic analysis has found no evidence that any other FDHS systems were impacted as part of this event, he says.
In its breach notification statement, FDHS says it is offering affected individuals complimentary credit monitoring and identity restoration services for 12 months.
Additionally, FDHS says it has taken steps to bolster data security, including resetting passwords and strengthening password protocols, enabling multifactor authentication throughout its IT systems, and reconfiguring its firewall.
"I think anytime a malicious individual has sensitive information, it should be pause for concern. The question is what do you do about it?" Denkers says. "Credit monitoring, credit freezing, routinely changing passwords, and enabling multifactor authentication on everything are all ways victims can help minimize potential impact," he says.
"Attackers’ tools, techniques and procedures are constantly evolving," Denkers says. "Organizations need to be continually validating that technical controls and safeguards in place are effective and working as designed."
When it comes to preventing business email compromises that lead to potential fraud, Denkers says aside from technical controls, organizations should also have business processes in place that validate financial transactions are legitimate.
"These types of processes can help catch when a business email compromise has happened, prior to funds being lost."