Ransomware Attack on EHR Vendor Impacts Home Health ChainPersonal Touch Home Care Explains Effect on Its Patients
A home healthcare company has filed 17 breach reports after a ransomware attack on its cloud-based electronic health records vendor last December, illustrating once again how a vendor breach can have a wide impact.
Personal Touch Home Care, a Lake Success, New York-based provider that has 17 offices in six states, recently submitted the breach reports on behalf of its various locations to the U.S. Department of Health and Human Services, according to the HHS Office for Civil Rights' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
Each of the Personal Touch reports filed to HHS describes the breach in the same way: a hacking/IT incident involving a "network server and other." In total, the breach reports indicate that nearly 157,000 individuals were affected.
The company filed 17 reports because each of its affected offices is a "different legal entity," Laura Dechen, a vice president at Personal Touch, tells Information Security Media Group.
The attack on Crossroads Technologies is one of many recent cyber incidents involving vendors that provide crucial services to healthcare organizations.
For instance, an apparent ransomware attack on Albany, N.Y.-based accounting firm BST & Co. CPAs LLC recently exposed the patient data of Community Care Physicians, a large upstate New York medical group, as well as other clients of the firm (see Hacking of Accounting Firm Affects Medical Group).
Breach Notification Details
A sample breach notification letter that Personal Touch Home Care filed with the Vermont attorney general office says the incident involved a ransomware attack on Wyomissing, Pa.-based Crossroads Technologies, which hosts the home healthcare provider's cloud-based electronic health records.
Crossroads notified Personal Touch on Dec. 1, 2019, about a breach involving a ransomware attack on Crossroads' Pennsylvania data center where the home health agency's records are hosted, the notification states.
"If anything can be gleaned from this, it's to quadruple-check everything .... and understand all the risks vendors pose."
—Laura Dechen, Personal Touch Home Care
Potentially compromised information includes names, addresses, telephone numbers, dates of birth, Social Security numbers, medical treatment information and insurance information.
Dechen of Personal Touch tells ISMG that the investigation into the incident is ongoing and the company does not know the extent to which personal information was compromised.
Information on patients as well as caregivers contained in records were potentially exposed, she says. Affected individuals are being offered free credit and ID monitoring.
As a result of the attack on its EMR vendor, Personal Touch was unable to access electronic patient records for "only a few days." During that time, Personal Touch used its emergency business continuity protocols, including resorting to paper records, she notes. "We have continuity plans in which we're not reliant on electronic records," she says.
Dechen says she's unaware of any data being exfiltrated from Crossroad Technology's systems in the attack. Crossroads reported the incident to the FBI and is working with a forensics firm to determine the origins and scope of the attack, Personal Touch's notification statement notes.
"If anything can be gleaned from this, it's to quadruple-check everything .... and understand all the risks vendors pose," Dechen says.
Crossroads Technologies did not immediately respond to an ISMG request for additional details about the incident, including whether other clients beside Personal Touch were affected and whether a ransom was paid.
Managing Third-Party Risk
The rash of attacks on vendors should be a wake-up call for healthcare organizations, some security experts say.
"The healthcare sector continues to be a target for cyberattacks and must be more vigilant than ever," says Cathie Brown, vice president of professional services at privacy and security consultancy Clearwater. "Vendor risk management must be a priority for 2020 and beyond. Cloud options offer great opportunities and efficiencies, but security must be managed over the life of the contract."
Healthcare entities must include assessments of vendors in their risk management programs, she says.
"Review of those vendors should be commensurate with risk: For example, a cloud provider hosting an EMR would be considered high for the level of review for those services. Healthcare entities should ask for evidence the vendor has completed a risk analysis and vet the thoroughness by asking what controls were included and what company performed the analysis."
Healthcare organizations also should ask for the recovery time objective and recovery point objective the vendor can meet after a security incident, she says. "It's important to vet the vendor on an ongoing or periodic basis and not just at contract initiation time, as the threat environment and technology changes rapidly."
Get It in Writing
Another crucial vendor management step that entities need to take "is having the right contract and contractual language in place," she says.
"Many organizations use a standard business associate agreement with third-party vendors, but that standard language may not include specific controls that must be in place," she notes. Contracts can specify, for example, the obligations the vendor must meet in the event of a breach as well as requirements for having cyber insurance, she says.
"Contracts frequently include service-level agreements for support of problems, but lack specifics on capabilities for recovery times," she adds.