Breach Notification, Critical Infrastructure Security, Cybercrime
Software and Billing Company, Emergency Care Provider Report Incidents
Marianne Kolbasuk McGee (HealthInfoSec) •
April 20, 2022
More than 670,000 people were affected by two hacking breaches in 2021 that were only recently reported to federal regulators. The incidents involve a healthcare software and billing services company and an emergency care provider.
The larger of the two breaches was a hacking incident reported April 13 by Williston, North Dakota-based Adaptive Health Integrations. It involved a network server and affected nearly 510,600 people, according to the US Department of Health and Human Services' HIPAA Breach Reporting Tool website.
The HHS Office for Civil Rights website, commonly referred to as the “Wall of Shame”, lists health data breaches affecting 500 or more people.
The AHI incident is the third-largest HIPAA breach posted on the HHS OCR website so far in 2022.
Urgent Team Holdings, based in Nashville, Tenn., which operates urgent care and walk-in clinics in five states, also reported a major breach to HHS OCR in recent weeks.
The HHS OCR website shows that Urgent Team reported a hacking incident on March 31 involving a network server and affecting more than 166,600 people.
AHI Breach Details
A sample breach notification letter provided by AHI to the Montana Attorney General’s office states that the healthcare software and billing services provider “recently learned that on or about October 17, 2021, an unauthorized person may have accessed a limited amount of data stored” on its systems.
A breach report filed by AHI with the Montana Attorney General says the incident affected 813 people in that state. The company’s report to HHS OCR says the incident affected a total of 510,574 people.
Under the HIPAA breach notification rule, covered entities must notify HHS and affected individuals no later than 60 days after discovering a major health data breach.
In the sample notification letter, AHI states that upon becoming aware of the incident, it contained the threat “by disabling unauthorized access to our network and immediately initiated a prompt and thorough investigation.”
Through an investigation involving outside forensic experts and an internal review that concluded Feb. 23, AHI says it determined that “certain” personal information was potentially accessed during the incident.
The sample notification letter does not specify the type of personal information affected by the incident.
AHI states in its letter that it is offering affected individuals one year of free credit and identity monitoring.
AHI did not immediately respond to Information Security Media Group’s request for additional details about the breach.
Urgent Team Incident
In a notice posted on its website, Urgent Team says it recently discovered unauthorized access to its network that occurred between November 12 and November 18, 2021.
Based on a “thorough investigation and document review” that ended on January 31, 2022, Urgent Team discovered that some patient information may have been “removed” from its network. This includes full names and potentially birth dates and/or medical record numbers, Urgent Team says, adding that there is “no evidence that this information was actually accessed or deleted.”
At this time, Urgent Team also says it is not aware of any reports of impersonation or misuse of any information as a direct result of the incident.
Following the incident, Urgent Team says it has implemented multi-factor authentication as well as a “robust” anti-malware solution that alerts the organization when it detects an attempt to gain unauthorized access to its systems.
Urgent Team did not immediately respond to ISMG’s request for additional details about its hacking incident.
Risks of delayed breach notification
Some experts say that while HIPAA requires notification of major breaches within 60 days of discovery, there are various possible reasons why, on the HHS OCR breach reporting website, AHI appears to have reported its breach several months after becoming aware of the incident.
Regulatory attorney Rachel Rose said it’s possible AHI was advised by law enforcement officials to delay reporting. It is also possible that AHI called HHS OCR earlier to alert the agency of a potential breach without having yet verified all the details, such as the number of patients affected, or that AHI “ignored” the 60-day reporting requirement, she says.
“If law enforcement determines that the risk to individuals is greater if they are alerted within 60 days rather than delaying notification, that is a decision of fact and circumstance,” Rose said.
But, she adds, further delays in reporting breaches can pose additional risks to those affected.
“If a delay is made simply because an entity chooses to ignore the 60-day deadline, which may be shorter for state law filings, individuals delay taking action such as blocking access to their credit and reporting to major credit reporting agencies,” says Rose.
For breached entities, reporting and notification delays also carry risks, she adds.
“In my experience, HHS takes the 60-day deadline seriously — both to alert OCR, patients, and the media,” she says. “It could increase the monetary penalty and depends on the facts and the circumstances. There is a lot to do in the event of a violation, and OCR investigations are intensive.”
Rose suggests that organizations regularly assess the adequacy of their policies and procedures regarding breach notification, ransomware attacks, business continuity, and disaster recovery, and update them annually.
“Past compliance items — such as risk analysis, policies and procedures, evidence of training, etc. — should be retained as HHS OCR will consider this information when assessing sanctions,” she says.