Misconfigured Webpage Exposed Patient Data
We previously wrote an article about the ransomware attack striking a Michigan doctor’s office, leaving their patients with no medical records and leading the practice to closure. This article is intended to provide professional insight into the liability of the practice despite its decision to close its doors.

The following blog was written by Matthew Fisher, Chair of Health Law Group and a Partner at the law firm of Mirick O’Connell where Matt focuses on guiding practices and companies through the labyrinth of healthcare regulations.

A two physician practice in Michigan recently drew significant attention for deciding to unexpectedly close after losing all of its patient and billing records.  In brief, the practice suffered a ransomware attack that blocked access to all files.  The attackers demanded a ransom of $6,500 to restore access.  The physicians refused to pay the ransom (a response that in isolation is not a bad one).  The publicly stated reason for not paying is that the physicians could not receive a guarantee that the attackers would actually restore access.  When the ransom was not paid the attackers deleted all of the files.

The expected next step would be for the practice to pull out one of hopefully many backups (ideally kept offline or otherwise out of reach of the same attacker), restore all files up to the point of the backup, and then continue on its way.  Since this particular practice made the headlines, it is evident that the usual course did not happen.  In this particular instance, the physician practice did not have a backup (or at least none that has been reported) and declared that all of its files were lost.  As a result of not having any files and not wanting to take the time to restore the practice, the physicians provided roughly thirty days notice of the practice shutting down entirely.

Will closure of the practice be the end of the story?  Unfortunately, the physicians can likely only hope that closure ends the entire story.  In all likelihood, this practice could help set precedent for future claims in the event of a catastrophic outcome from a ransomware attack.

Finding one silver lining may be a good way to approach the assessment of potential liability.  Instead of shutting down immediately, as noted above, the practice provided slightly over thirty days advance notice of the closure.  Giving patients thirty days to find a new physician is consistent with the suggested course of action contained in model ethical guidelines.  The ethical guidelines look to provide a patient with sufficient or reasonable time to transition and that the physician terminating the relationship continue to provide care during the transition period.  The thirty days here may be enough for that to happen.

Now for the potential liabilities.  If all records have been lost, then the practice will clearly not be able to respond to any patient’s request for access under HIPAA.  Failure to respond to a request for access is one of, if not the, most common types of non-compliance with HIPAA.  When access is denied, many individuals will submit a complaint to the Office for Civil Rights.  In this case, the entire patient population of the practice could theoretically submit such a complaint.  Given the total breakdown, could the loss of all records be the spur for OCR to issue the first fine for a denial of access?  It is possible, especially since OCR has used settlements in the past to provide lessons about key issues of HIPAA compliance.  For example, OCR could point not only to the need to fully respond to a request for access, but fault the practice for not having a disaster recovery and backup plan, and very likely for not having done a risk analysis.

A second area of potential liability is malpractice-related claims.  A patient could assert an adverse outcome from a procedure or service, and the physicians would be without records to defend against the claim.  Malpractice claims can rely heavily upon poring through medical records to piece together exactly how care was provided and to assess the quality of care provided by the physician(s) who are the subject of the claim.  If no records exist, then how can services be assessed?  Unless some supporting records could be found from another facility, it could leave the physicians severely handicapped in their ability to produce any sort of defense.

A third potential liability could arise from claims brought by patients if repeat care is not covered by insurance and/or a patient is forced to pay out of pocket due to being in a deductible range.  Since all of the records are gone, tests will very likely need to be repeated to obtain relevant and needed information.  While the practice may not have the records, each patient’s health insurance company will certainly have a record of a claim being submitted for the service and in all probability the claim being paid.  While the health insurance company may be made aware of the record loss, a natural response from the insurer would be that it will not cover the service again because it would then be forced to pay for the failure of the physician practice.  Alternatively, even if insurance is willing to cover the service again, a patient could have a high deductible health plan or other form of coverage where that patient will need to pay out of pocket for the service.  In either scenario, whoever pays for the service could look to the physicians who lost the records and seek to make them pay for the unnecessary repeat services.  The argument would flow that the loss of records was the direct cause of the repeat service being needed and that any financial harm should fall on the causative actor.

While those are only three potential liabilities, each possibility could easily occur.  A natural response could be for the physicians to look to the practice’s liability insurance carriers to cover any damages.  Without being able to get into the exact specifics of the case, the insurance carriers could seek to deny coverage.  If the practice was negligent in protecting its records, was not fully accurate in filling out an insurance application, or took other steps not called for by the insurance policy, then coverage could be denied.  As such, the physicians could easily be fully on the hook for any resulting damages.

While no data breach is good, when extreme outlier cases arise the outcomes become even worse.  While it is too late for the particular practice in Michigan to change the outcome, the total loss of data should be a wake up call to other practices and organizations that good, comprehensive security is essential.
Metrocare Services, a mental health service provider in North Texas, has notified the Department of Health & Human Services (HHS) of a data breach affecting 5,290 patients.

The Breach Discovery

The breach was the result of a phishing attack and was discovered on February 6, 2019, when Metrocare found that an unauthorized third party had accessed some of their employees’ email accounts. According to Metrocare, immediately after learning of the breach, the affected email accounts were secured, and an investigation was launched.  The investigation found that the compromised email accounts were first accessed in January 2019.

Potentially Accessed Information

The investigation revealed that some patient data was in the affected email accounts, including individuals’ names, dates of birth, driver’s license information, health insurance information, health information related to services received at Metrocare, as well as some Social Security numbers.

Patient notification began on April 5, 2019. At this time, Metrocare does not have reason to believe that any of the affected patient information has been misused as a result of the incident. Those individuals who may have had their Social Security numbers exposed are eligible for one year of complimentary identity protection and credit monitoring.

In their notice, Metrocare writes:

We regret any inconvenience or concern this incident may cause our community. To help prevent something like this from happening in the future, we are taking steps to add additional security measures to our current information technology infrastructure, including strengthening the security of our e-mail system and have implemented multi-factor authentication on its systems.

Not Their First Offense

What sounds like a sincere apology to the community regarding the incident may not be taken as such. This data breach was reported just 5 months after Metrocare reported a previous breach in November 2018. Even worse, this breach was almost identical to the previous one: a phishing attack that compromised the PHI of 1,800 patients.

Following the November phishing attack, Metrocare stated they would be strengthening their security measures, including their email system and providing additional training to their employees.

Considering they encountered a very similar breach just months after their first one, it is clear that whatever security measures or training may have been implemented were not enough. Multi-factor authentication had not been enabled following the first attack; enabling it could very likely have prevented the second from occurring.

The November phishing attack on Metrocare does not have a closing date listed on HHS’ public breach website, meaning that the first attack may still be under investigation.
Patient data exposed

Inmediata Health Group, Corp., a provider of clearinghouse services, software, and business process outsourcing solutions to health plans, hospitals, IPAs, and independent physicians, recently announced a security incident affecting some patient data.

The incident was discovered in January 2019, when Inmediata found that a misconfigured web page was allowing some electronic health information to be viewed publicly. The misconfiguration allowed search engines to index Inmediata’s internal web pages, which were used for business operations and were never intended for public view.

What was exposed?

The information involved in this incident consists of patients’ names, dates of birth, genders, and medical claims information, with some affected individuals potentially having their Social Security numbers exposed.

There is currently no information available on how many individuals were impacted or how long the web page was publicly accessible.
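The failure mode in this incident is a page that search engines could crawl but that was also reachable without any credentials. The following Python is an added example, not code from Inmediata or from this post: it classifies responses captured from an unauthenticated client, separating the access-control question (did the server hand over content?) from the discoverability question (did the page or robots.txt ask crawlers to stay away?), and flags paths that robots.txt advertises but does not protect. The hostnames, paths, header values and robots.txt body below are constructed for illustration.

```python
"""
Audit responses from an UNAUTHENTICATED client against internal pages.

Two independent questions matter for an exposure like the one described above:
  1. Access control: does the page hand content to a client with no credentials?
  2. Discoverability: does the page (or robots.txt) tell crawlers to stay away?
Only (1) prevents exposure; (2) merely lowers the odds a search engine surfaces it.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Response:
    """Minimal stand-in for an HTTP response captured without any session cookie."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


META_ROBOTS = re.compile(
    r'<meta\s+[^>]*name=["\']robots["\'][^>]*content=["\']([^"\']*)["\']', re.I)


def crawler_noindex(resp: Response) -> bool:
    """True if the page opts out of indexing via X-Robots-Tag or <meta name=robots>."""
    if "noindex" in resp.header("X-Robots-Tag").lower():
        return True
    match = META_ROBOTS.search(resp.body)
    return bool(match and "noindex" in match.group(1).lower())


def classify(resp: Response) -> str:
    """Verdict for one unauthenticated request."""
    if resp.status in (401, 403):
        return "PROTECTED"
    if resp.status in (301, 302, 303, 307, 308):
        # Only a bounce to a login page counts as protection; anything else needs review.
        return "PROTECTED" if "login" in resp.header("Location").lower() else "REVIEW"
    if resp.status == 200:
        # Content was served. noindex changes discoverability, not exposure.
        return "EXPOSED_NOINDEX" if crawler_noindex(resp) else "EXPOSED_INDEXABLE"
    return "REVIEW"


def disallowed_paths(robots_txt: str) -> list:
    """Path prefixes listed under Disallow: in a robots.txt body."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:
                paths.append(path)
    return paths


def audit(robots_txt: str, responses: list) -> list:
    """Findings for every exposed page, noting whether robots.txt advertised the path.

    robots.txt is public, so a Disallow entry that is served without authentication
    points anyone reading it at exactly the path that leaks.
    """
    prefixes = disallowed_paths(robots_txt)
    findings = []
    for resp in responses:
        verdict = classify(resp)
        if not verdict.startswith("EXPOSED"):
            continue
        path = urlparse(resp.url).path
        findings.append({
            "url": resp.url,
            "verdict": verdict,
            "in_robots_disallow": any(path.startswith(p) for p in prefixes),
        })
    return findings


# Constructed sample data: hostnames, paths and contents are illustrative only.
ROBOTS_TXT = """User-agent: *
Disallow: /internal/
Disallow: /admin/
"""

SAMPLES = [
    Response("https://portal.example.com/internal/claims?id=1001", 200,
             {"Content-Type": "text/html"},
             "<html><body>Claim 1001: J. Doe, DOB 1970-01-01 ...</body></html>"),
    Response("https://portal.example.com/internal/reports", 200,
             {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"},
             "<html><body>Monthly claims report</body></html>"),
    Response("https://portal.example.com/admin/", 302,
             {"Location": "https://portal.example.com/login?next=/admin/"}),
    Response("https://portal.example.com/api/claims", 401,
             {"WWW-Authenticate": "Bearer"}),
]

if __name__ == "__main__":
    for finding in audit(ROBOTS_TXT, SAMPLES):
        print(finding)
```

The two EXPOSED verdicts make the practical point: a noindex directive or a robots.txt Disallow lowers the chance that a search engine surfaces a page but does nothing to stop anyone who knows or guesses the URL, so only a 401/403 or a redirect to a login page counts as protected. Deactivating the page after discovery, as Inmediata did, also does not remove copies already held in search engine caches; those have to be requested for removal separately.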
Inmediata’s next steps

Once Inmediata became aware of the incident, the misconfigured web page was deactivated, and a computer forensics firm was engaged to assist with the investigation.

At this time, there is no evidence to suggest the exposed information was subject to unauthorized access or misuse; however, the possibility cannot be ruled out.

Inmediata began notifying affected individuals by postal mail on April 22, 2019. The notification letters included information about the incident and steps the individuals should take to monitor and secure their personal information.

Verify you’re working with HIPAA-compliant vendors

This breach serves as an important reminder that it’s not always the Covered Entity that causes a data breach.

It is critical to ensure you are working with vendors who are taking the appropriate measures to protect your patient data, and that you have a Business Associate Agreement in place with those vendors from the start of your contract with them.

Additionally, you should verify that your Business Associates (BAs) are maintaining their own HIPAA compliance on an annual basis. One way of doing this is by sending your BAs a compliance check. If you’re dealing with compliant vendors, they should be happy to respond to your request.

If you discover you’re working with a non-compliant vendor, it may be time to rethink your relationship with them. After all, a data breach caused by them has a direct effect on you.

The post Misconfigured Webpage Exposed Patient Data appeared first on HIPAA Secure Now!.

Copyright © 2015 - 2018 Sentree Systems, Corp. All rights reserved.

Sentree Systems, Corp. | 6137 Crawfordsville Rd Ste F #177 Indianapolis, IN 46224 | 317-939-3282