Ransomware Breach Notifications: Sign of Things to Come?
Healthcare Organizations Acknowledge Attacks; Experts Expect Others Will Do the Same
Is recently issued guidance from federal regulators, which aimed to clarify when a ransomware attack needs to be reported as a health data breach under the HIPAA Breach Notification Rule, starting to have an impact? Two recent breach notifications could be an early indication that the answer is yes.
Yuba-Sutter Medical Clinic in California and University Gastroenterology in Rhode Island recently issued breach notifications to patients that either specifically named ransomware as the culprit or described an incident as involving attackers encrypting patient data.
The two incidents, however, have not yet been posted on the Department of Health and Human Services' Office for Civil Rights "wall of shame" website of breaches affecting 500 or more individuals - nor have other ransomware attacks that have grabbed headlines since earlier this year. That includes the attack on Hollywood Presbyterian Medical Center, which acknowledged in February that it paid extortionists to unlock patient data.
In fact, so far only one breach on the federal tally is described as involving ransomware - a breach reported in February by Ohio-based Mayfield Clinic affecting more than 23,000 individuals.
"I do think healthcare entities are notifying patients about breaches involving ransomware as a result of [the] Office for Civil Rights' recent guidance," says Dan Berger, CEO of security consultancy RedSpin. "OCR made clear that ransomware represents a security incident in which electronic protected health information is 'acquired' in a manner not permitted under the HIPAA Security Rule that compromises the security or privacy of the protected health information."
In its Sept. 11 data breach notification letter, Yuba-Sutter Medical Clinic notes: "On or about Aug. 3, the Yuba-Sutter Medical Clinic's computer system came under a 'ransomware attack' by hackers.
"In such an attack, the risk is not usually to patient privacy. Instead it poses an operational risk to health systems in that it can result in patients being turned away due to an inability to provide care as a result of not having immediate access to records," the notification states. "Fortunately, we were able to regain access and no data was lost. Nevertheless, as a result of the attack, we were temporarily denied access to certain portions of our computer system, and we regret any delays or rescheduling of appointments that may have resulted from this incident."
Yuba-Sutter notes that it reported the incident to federal authorities and law enforcement.
In a Sept. 9 breach notification, University Gastroenterology in Rhode Island described an incident involving the unauthorized encryption of data, although it does not use the word "ransomware."
"On July 11, we discovered that an unauthorized individual had gained access to an electronic file storage system from a practice we acquired in 2014, Consultants in Gastroenterology, and encrypted several files. We immediately took action to secure our system and conducted an investigation to determine what information was contained in those files."
University Gastroenterology says that it determined that some impacted files may have contained patient names, addresses, dates of birth, Social Security numbers and medical billing information.
Ellen Matesanz, executive director of University Gastroenterology, tells Information Security Media Group that the incident did, indeed, involve a ransomware attack. The attack hit a server containing the former electronic medical records system used by the medical practice University Gastroenterology had acquired.
"The server was still online but not in use for patient care, so we immediately shut it down," she says. The clinic did not pay a ransom.
Matesanz notes that legal counsel advised the clinic to issue a breach notification. The attack happened just a day before HHS issued its ransomware guidance on July 12, she adds.
The HHS Office for Civil Rights, in guidance about ransomware issued in July, described ransomware as "a type of malware ... distinct from other malware; its defining characteristic is that it attempts to deny access to a user's data, usually by encrypting the data with a key known only to the hacker who deployed the malware until a ransom is paid."
The long-awaited OCR guidance, which was issued after several ransomware attacks earlier this year, aimed to clarify that most ransomware attacks result in a breach of protected health information that must be reported under HIPAA to affected individuals and HHS.
The guidance states that when electronic PHI is encrypted as the result of a ransomware attack, the incident is presumed to be a reportable breach unless the covered entity or business associate can demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised.
"Breach notification is now required in most ransomware attacks," Berger notes. "While OCR allows for exceptions, the CE [covered entity] or BA [business associate] must conduct a risk assessment and conclude that other than being encrypted by the malicious attack, there is a low probability PHI was otherwise accessed or disclosed. This sets the bar very high."
Privacy attorney Kirk Nahra of the law firm Wiley Rein says the HHS guidance "is pushing more people to give notice of ransomware attacks. There still is some real question about whether notice actually makes sense, since often the data is essentially 'frozen' or 'locked' rather than taken, but that is the way the guidance pushed."
Details of One Attack
A Mayfield Clinic spokesman, in a statement provided to ISMG, shared details that illustrate how some ransomware attacks are waged.
On Feb. 23, a phishing email was distributed to approximately 30,000 employees, patients and vendors through the clinic's account with a third-party online email distribution firm, the spokesman says. Some 6,200 of the emails were intercepted by firewalls.
The bogus email included the following message: "Valued Customer: We are sad to inform you of the bad situation with your transfer in amount of $7,300.00 for the job we have completed. As it was agreed in the contract, the check of $750.00 is a subject of interest rate of 5% per week in case of late payment. It has been already three months since the last deadline has passed and we have not received any transfer, or information regarding this situation from you. Please check the updated details of your payment below, enclosed to email."
Alert employees helped to detect the phishing email before serious damage occurred, he says.
"What users didn't know was that if they clicked on the attachment, an attempt would be made to download a ransomware virus that would lock up the recipient's computer and hold it hostage until the user paid to have it unlocked," he says. "Within minutes of the fraudulent email distribution, we began receiving phone calls and emails about the scam. ... We quickly verified that the message was sent through our [third-party email marketing software] account, and locked the account immediately to prevent further hacks."
The clinic determined that its anti-virus software had blocked the malware from being installed on the PC of any employee who had clicked on the attachment, the spokesman says. "We sent follow-up emails to all recipients notifying them that only email addresses were obtained and no other personal information. We also advised them not to open the attachment."
The clinic has no evidence that the virus was activated on the computer of any email recipient, so no one was held for ransom, the spokesman says. "This may be because of the ransomware fix we distributed broadly once we understood what we were dealing with."
Ransomware threats - and related confusion - aren't likely to abate in the healthcare sector anytime soon.
"Ransomware is definitely on the rise. While it is not a new phenomenon, new variants of the malicious software have enabled attackers to target larger organizations," says Berger, the consultant.
Nahra, the attorney, adds: "We can expect there to continue to be confusion about appropriate notice steps, appropriate mitigation, what is and what isn't ransomware and the full range of issues associated with this concern. The best advice is to simply use this as an opportunity and an incentive to beef up your overall security program."
Neither Yuba-Sutter Medical Clinic nor OCR immediately responded to ISMG's request for comment.