Blue Cross of Idaho and Palmetto Health Report Financial, Payroll Breaches
Two recent data breaches at organizations in the healthcare sector illustrate that systems beyond those directly related to patient care can be at risk.
Boise, Idaho-based health insurer Blue Cross of Idaho Health Service Inc. reports that hackers recently attempted to manipulate a financial payment.
Meanwhile, Columbia, S.C.-based integrated healthcare delivery system Palmetto Health says it believes a recent phishing attack was aimed at trying to gain access to employee payroll information. Palmetto is undergoing a name change to Prisma Health as it completes a merger this year with Greenville Health System.
The incidents are an important reminder for healthcare entities to remain vigilant about all cyber risks, including those unrelated to medical information, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
“With limited resources, it is easy for organizations to fall into the trap of focusing exclusively on protecting their electronic medical records or claims data and insufficiently training staff and implementing safeguards around other valuable information assets,” he says.
“Covered entities and business associates should consider leveraging resources that are used to protect medical information to also protect all other business-critical information systems, including systems with employee information or confidential proprietary information.”
Blue Cross of Idaho Incident
In an April 12 statement, Blue Cross of Idaho says the recent incident – which it reported as a privacy breach impacting protected health information for 1 percent of its members – involved hackers trying to manipulate a financial payment to a healthcare provider.
The health insurer did not immediately respond to an Information Security Media Group request for additional details about the incident, including the number of individuals impacted by the breach.
As of Monday, the incident was not yet listed on the Department of Health and Human Services’ HIPAA Breach Reporting Tool website of health data breaches affecting 500 or more individuals.
In its statement, Blue Cross of Idaho says that on March 21, an unauthorized user accessed its online provider portal with the intent of fraudulently rerouting a provider financial transaction.
“Blue Cross of Idaho stopped the attempted financial fraud and secured the portal. On March 22, Blue Cross of Idaho determined the unauthorized user was able to access provider remittance documents, which contained protected health information.”
Exposed data includes member names, enrollee/subscriber numbers, dates of service, healthcare provider names, providers’ patient account numbers, claims numbers, claims payment information and procedure codes, the health insurer says.
“Blue Cross of Idaho reported the incident to the FBI, which opened an active investigation,” according to the statement, which also notes that the insurer has “engaged internal and external cybersecurity and financial experts to review the provider portal and associated financial transactions.”
The insurer says it is not aware of any improper use, or attempted use, of members’ information. Nevertheless, it’s sending “most members” new ID cards with new member numbers. It is also offering a prepaid three-year membership for credit monitoring and identity theft restoration services.
Palmetto Health Incident
Palmetto Health reported its breach to HHS on March 29 as a hacking/IT incident involving email and impacting nearly 24,000 individuals, according to the HHS Office for Civil Rights HIPAA breach reporting website. The incident is believed to have begun last November, the organization says.
In a statement, Palmetto Health notes that the phishing incident was limited to certain employee email accounts and did not affect its electronic medical records system.
“We believe the purpose of the unauthorized access was to gain access to payroll information,” Palmetto Health says. “Upon discovery, we blocked the unauthorized access and then engaged outside technical experts to investigate the incident thoroughly to evaluate the full nature and scope of the access. These experts determined that unauthorized access may have first occurred this past November.”
After an extensive review of the data contained in the affected email accounts, the investigators on Feb. 19 gave Palmetto the names of the individuals whose information was within those accounts. The accounts contained certain patient information typically used by a healthcare provider in the course of offering treatment or consultation, the statement says. “A lesser portion of the emails contained Social Security numbers and medical insurance information.”
Palmetto Health says that it has no evidence that any patient information contained in the affected email accounts has been used inappropriately, but it’s offering prepaid identity theft protection services to those patients and employees whose financial data could have been accessed.
In a statement provided to ISMG, the organization notes: “Palmetto Health takes a multifaceted approach to information security. Employees receive annual training on the best practices to secure information and ongoing education throughout the year. We continue to enhance our technical controls, filters and safeguards of electronic information to help prevent something like this from happening in the future. We are in a constant state of vigilance around information security because we value the safety and security for our patients’ and employees’ information.”
Palmetto Health, however, did not immediately respond to an ISMG request for additional details about the incident, including how many employees’ information was potentially compromised in the attack.
Targeting Valuable Data
Cybercriminals go after any data they perceive to be valuable, says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
“Payroll data contains a wide range of really valuable data that cybercrooks can sell to other crooks for high amounts,” she says. “With the growing number of pathways into healthcare systems and networks … that are being established through employee-owned devices, through third parties/BAs, and through IoT devices, I believe that such fraud is increasing because of the many more opportunities that crooks have now to commit these types of crimes.”
The recent attacks on Blue Cross of Idaho and Palmetto Health spotlight the importance for healthcare entities to diligently safeguard all data, says former healthcare CISO Mark Johnson of the consultancy LBMC Information Security.
The attacks “underscore for me that the healthcare industry needs to protect the entire environment, not just their large systems like the EMR,” he says. “Anything that connects to a network needs to be secure. This novel approach of redirecting funds is just another example of the need to protect everything, from the EMR, to medical devices to physician portals.”
Still, data contained in EMRs is also at great risk of being used for financial crimes if they’re breached, he notes. “If you think about the data in a medical record, i.e. name, date of birth, Social Security numbers, address, etc., this would be a natural place for hackers to get that information to do all kinds of things, including tax fraud,” he says.
Attorney Greene says attackers steering financial payments to themselves is a widespread form of attack. He notes that the Federal Trade Commission’s Red Flags Rule requires many businesses and organizations to implement a written identity theft prevention program designed to detect the warning signs of identity theft in their day-to-day operations.
“While most healthcare entities are not subject to the FTC’s Red Flags Rule, they should nevertheless consider establishing systems that monitor for red flags that indicate a possible identity thief or someone seeking to fraudulently reroute payments,” he says. “For example, requests to change addresses should be carefully monitored, with the covered entity or BA looking for associated suspicious account activity.”
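The kind of monitoring Greene describes, as an added example that is not code from the article or from either organization: a small Python detector run over constructed provider-portal audit events. It treats a request to change a provider’s bank account or remittance address as a red flag when the same account shows suspicious activity in the preceding 24 hours (a login from an IP address never seen for that account, a password reset, or repeated failed logins). The event format, action names, account identifiers, IP addresses and thresholds are assumptions made for this example, and the sample events are constructed; they do not describe the Blue Cross of Idaho incident.

```python
"""Red-flag detection for attempts to reroute provider payments.

Added example (not from the article). Assumed audit-event format, one per line:
    timestamp|account|action|ip
Actions, account names, IPs and thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that change where a payment is delivered (assumed names).
SENSITIVE_ACTIONS = {"change_bank_account", "change_remittance_address"}
LOOKBACK = timedelta(hours=24)   # assumed window; tune per environment
FAILED_LOGIN_THRESHOLD = 2       # assumed; failed logins in the window

# Constructed sample events. provider-4417 is the suspicious case:
# failed logins, a password reset and a login from a new IP, then a bank
# account change. provider-0092 is a benign change from a familiar IP.
SAMPLE_EVENTS = """
2019-03-18T08:00:00|provider-0092|login|192.0.2.55
2019-03-18T09:00:00|provider-4417|login|198.51.100.10
2019-03-18T09:05:00|provider-4417|view_remittance|198.51.100.10
2019-03-21T02:10:00|provider-4417|login_failed|203.0.113.7
2019-03-21T02:11:00|provider-4417|login_failed|203.0.113.7
2019-03-21T02:12:00|provider-4417|password_reset|203.0.113.7
2019-03-21T02:14:00|provider-4417|login|203.0.113.7
2019-03-21T02:16:00|provider-4417|change_bank_account|203.0.113.7
2019-03-21T10:00:00|provider-0092|login|192.0.2.55
2019-03-21T10:03:00|provider-0092|change_remittance_address|192.0.2.55
""".strip().splitlines()


def parse_events(lines):
    """Parse 'timestamp|account|action|ip' lines into dicts, oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, account, action, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "action": action, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def find_red_flags(events):
    """Return (event, reasons) for each payment-destination change that is
    preceded, within LOOKBACK, by suspicious activity on the same account."""
    known_ips = defaultdict(set)   # account -> IPs seen on successful logins
    history = defaultdict(list)    # account -> earlier events, oldest first
    flagged = []
    for ev in events:
        acct = ev["account"]
        if ev["action"] == "login":
            # Record whether this IP was new for the account at login time.
            ev["new_ip"] = ev["ip"] not in known_ips[acct]
            known_ips[acct].add(ev["ip"])
        if ev["action"] in SENSITIVE_ACTIONS:
            since = ev["ts"] - LOOKBACK
            recent = [h for h in history[acct] if h["ts"] >= since]
            reasons = []
            for h in recent:
                if h["action"] == "login" and h.get("new_ip"):
                    reasons.append(f"login from previously unseen IP {h['ip']}")
                elif h["action"] == "password_reset":
                    reasons.append("password reset shortly before the change")
            failures = sum(1 for h in recent if h["action"] == "login_failed")
            if failures >= FAILED_LOGIN_THRESHOLD:
                reasons.append(f"{failures} failed logins before the change")
            if ev["ip"] not in known_ips[acct]:
                reasons.append(f"change submitted from {ev['ip']} with no prior login")
            if reasons:
                flagged.append((ev, reasons))
        history[acct].append(ev)
    return flagged


if __name__ == "__main__":
    for ev, reasons in find_red_flags(parse_events(SAMPLE_EVENTS)):
        print(f"HOLD {ev['action']} for {ev['account']} at {ev['ts']}:")
        for r in reasons:
            print(f"  - {r}")
```

A flagged change should hold the next remittance until the payee is verified out of band, through contact details already on file rather than any supplied with the change request. The first login ever seen for an account also counts as a new IP, so seed `known_ips` from historical logs before running this over live events, or the first day of data will be noisy.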
Date: April 29, 2019
Source: Healthcare Info Security