[author: Jane Anderson]

Report on Patient Privacy 21, no. 3 (March 2021)

◆ The Cybersecurity & Infrastructure Security Agency (CISA) has issued an emergency directive addressing critical vulnerabilities in Microsoft Exchange products.^[1] Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange servers. This could allow hackers to gain persistent system access and control of an enterprise network, CISA said. CISA and its partners have observed widespread active domestic and international exploitation of this vulnerability. CISA strongly recommends organizations examine their systems to detect any malicious activity detailed in its alert AA21-062A.^[2] Microsoft has released an updated script that scans Exchange log files for indicators of compromise associated with the vulnerabilities.^[3]

◆ Health information of some University of Pittsburgh Medical Center St. Margaret hospital patients might have been “inappropriately disclosed” after an employee sent a medication administration report to an outside organization without a business need, UPMC officials said. Officials at the 249-bed acute care and teaching hospital located in Pennsylvania said in a news release that they learned of the breach on Aug. 8.^[4] Through an investigation, officials determined that names, internal UPMC identification numbers and medication administration data, such as drug name, dosage, date and time of administration, and reason for administration, may have been disclosed. Officials terminated the unnamed employee’s access to UPMC systems, and the person is no longer affiliated with UPMC.^[5]

◆ Cloud security company Bitglass found that there were 599 health care breaches in 2020, a 55.1% increase since 2019, according to the firm’s Healthcare Breach Report 2021.^[6] Hacking and information technology (IT) incidents were the top breach causes in health care in 2020, leading to 67.3% of compromises, the report said. Other breach causes included unauthorized disclosure (21.5% of breaches), and loss or theft (8.7% of breaches). “Breaches caused by hacking and IT incidents exposed 91.2% of all breached records in healthcare in 2020—24.1 million out of 26.4 million,” the report said. “These results demonstrate the heightened impact of cybersecurity breaches, the shifting strategies of malicious actors, as well as how healthcare organizations are grappling with cybersecurity in today’s dynamic, cloud-first world.” As recently as 2014, lost and stolen devices were the leading causes of security breaches in health care, while hacking and IT incidents were the least common causes, the report said. “Today, things have essentially inverted. Hacking and IT incidents are now the primary forces behind healthcare breaches—as they have been each year since 2017. As organizations continue to embrace cloud migration and digital transformation, healthcare organizations must leverage the proper tools and strategies to successfully protect patient records and respond to the growing volume of threats to their IT ecosystems,” the report said. The average cost per breached record increased from $429 in 2019 to $499 in 2020, and in 2020, the average health care firm took about 236 days to recover from a breach, according to the report.

◆ Grand River Medical Group in Dubuque, Iowa, reported that information about 34,000 patients may have been disclosed after an unauthorized person gained access to an employee’s email account. Grand River said that the email account was terminated once the unauthorized access was discovered and an investigation was launched. The accessed documents included names, Social Security numbers for a limited number of patients, dates of birth, addresses, patients’ balances and balance types, claim amounts and status codes, visit types and medications. According to the medical group, safeguards were implemented to prevent similar breaches going forward, and Grand River is offering one year of free identity theft protection services for patients.^[7]

◆ Southern California-based Harvard Eye Associates said that its online storage vendor—which it did not name—suffered a breach that potentially exposed protected health information, and that the vendor paid a ransom to get the data back. “After consulting with cybersecurity experts and the FBI, the vendor made the payment. The hackers then returned the data and told the vendor that they had not disclosed the data or kept any copies.” The vendor determined that the hackers might have been able to access Harvard Eye’s data as early as October 24, 2020. Information that was taken included names, addresses, phone numbers, email addresses, dates of birth, medical histories, health insurance information, plus information about treatments and medications. For some patients who had eye surgery, the data might also include medical information related to their surgeries. The hackers did not have access to patients’ Social Security numbers, drivers’ license numbers, other government identification, or debit or credit card information, according to Harvard Eye Associates. Internet monitoring has not turned up any disclosures of the data to date, according to the vendor. Harvard Eye Associates is offering free credit monitoring to all who were affected.^[8]

◆ The developer of a period and fertility-tracking app used by more than 100 million consumers has settled Federal Trade Commission (FTC) allegations that the company shared the health information of users with outside data analytics providers after promising that such information would be kept private. The proposed settlement requires Flo Health Inc. to obtain an independent review of its privacy practices and get user consent before sharing health information. “Apps that collect, use, and share sensitive health information can provide valuable services, but consumers need to be able to trust these apps,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection. “We are looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.” In its complaint, the FTC alleged that Flo promised to keep users’ health data private. “According to the complaint, Flo disclosed health data from millions of users of its Flo Period & Ovulation Tracker app to third parties that provided marketing and analytics services to the app, including Facebook’s analytics division, Google’s analytics division, Google’s Fabric service, AppsFlyer, and Flurry,” the news release said. In addition, Flo did not limit how third parties could use this health data and did not stop disclosing the data until its practices were revealed in a news article in February 2019, which prompted hundreds of complaints from the app’s users, according to the FTC.^[9]

◆ Nebraska Medicine and the University of Nebraska Medical Center (UNMC) suffered a data breach last September that may have compromised information from some 219,000 patients. The security incident, which may have involved ransomware, affected numerous Nebraska Medicine locations, including several hospitals. Some nonurgent procedures were canceled because providers couldn’t access medical records. In its notification letter, the medical center said it identified unusual network activity on Sept. 20, and “immediately upon learning of this incident, we initiated our incident response protocols to minimize any disruption to patients, isolated potentially impacted devices, and shut off select systems as a precaution.” After its investigation, the medical center confirmed that “an unauthorized person gained access to select systems on our network between August 27, 2020 and September 20, 2020. During that time, the unauthorized person deployed malware and acquired copies of some patient and employee information held on those systems.” Information that was disclosed included names, addresses, dates of birth, health insurance information, medical record numbers, and clinical information such as physician notes, laboratory results, imaging, diagnosis information, treatment information and prescription information. For a limited number of patients, Social Security numbers also were exposed. The incident did not result in unauthorized access to Nebraska Medicine and UNMC’s electronic medical record application, the organization said. Patients whose Social Security numbers or driver’s license numbers were compromised will receive free credit monitoring and identity theft protection, the organization said.^[10]

1 Cybersecurity & Infrastructure Security Agency, “Update to Alert on Mitigating Microsoft Exchange Server Vulnerabilities,” news release, March 4, 2021, https://bit.ly/3blWFqS.
2 Cybersecurity & Infrastructure Security Agency, “Mitigate Microsoft Exchange Server Vulnerabilities,” alert AA21-062A, revised March 8, 2021, https://bit.ly/2MSYjXB.
3 Cybersecurity & Infrastructure Security Agency, “Microsoft IOC Detection Tool for Exchange Server Vulnerabilities,” news release, March 6, 2021, https://bit.ly/30kvB55.
4 University of Pittsburgh Medical Center, “Privacy and Breach Alerts: UPMC St. Margaret,” news release, March 5, 2021, https://upmc.me/3uWsL4t.
5 Megan Tomasic, “Some UPMC St. Margaret patients may have had health information ‘inappropriately disclosed,’ officials say,” TribLive, March 5, 2021, https://bit.ly/3rufT3i.
6 Bitglass, Healthcare Breach Report 2021: Hacking and IT Incidents on the Rise, February 2021, https://bit.ly/3e5xquC.
7 “Dubuque medical provider alerts patients of potential data breach; up to 34,000 affected,” Telegraph Herald, February 19, 2021, https://bit.ly/2NJoaBY.
8 “Notice of Data Breach,” Harvard Eye Associates, accessed March 8, 2021, https://bit.ly/3kBnytO.
9 Federal Trade Commission, “Developer of Popular Women’s Fertility-Tracking App Settles FTC Allegations that It Misled Consumers About the Disclosure of their Health Data,” news release, January 13, 2021, https://bit.ly/3uIQdSv.
10 “Privacy Incident,” University of Nebraska Medical Center, accessed March 8, 2021, https://bit.ly/2PoNhuc.

[View source.]