Florida Digestive Health Specialists recently notified 212,509 patients that their data was potentially compromised one year ago, during the hack of multiple employee email accounts.
The incident was first discovered on Dec. 16, 2020, when an employee reported suspicious activity within their FDHS email account: a number of emails had been sent from the account that the user had not generated. Five days later, FDHS company funds were rerouted to an unknown bank account, which prompted an investigation.
The investigators found that multiple employee email accounts were accessed during the email hack and began a forensic analysis to determine what information was stored in the accounts. The electronic health record system was not affected by the incident.
The compromised health information included full names, Social Security numbers, financial information, contact details, medical data, health insurance information and individual policy numbers, diagnoses, and Medicare or Medicaid data. Investigators found no evidence any health information was accessed or downloaded, but it could not be ruled out.
All impacted individuals will receive a year of free credit monitoring and identity restoration services. FDHS has since reset all user passwords, enabled multi-factor authentication for its IT systems, deployed additional security controls, bolstered password protocols, and reconfigured the firewall.
The concern with the FDHS notice is that the initial access to the email accounts occurred more than a year ago.
Under the Health Insurance Portability and Accountability Act, covered entities and relevant business associates are required to notify patients of protected health information breaches impacting more than 500 patients within 60 days of discovery — not at the close of an investigation.
While forensic analyses of email compromises are notoriously time consuming, numerous providers have demonstrated effective ways of remaining compliant with the HIPAA-required timeline during ongoing investigations. Most commonly, the initial breach is reported as impacting 500 individuals within 60 days, and a secondary notice then provides the updated information.
The FDHS notice does not make clear whether the data compromise was discovered only at the close of the investigation, which could account for the timing issue. Officials noted the investigation into the account contents “took a considerable amount of time and only concluded on Nov. 19, 2021.”
Online U.S. pharmacy Ravkoo has confirmed earlier reports of a hack of its Amazon Web Services portal, informing an undisclosed number of patients that their data may have been accessed during a cyberattack. Ravkoo is a digital SaaS platform for prescription fulfillment that provides home delivery of prescriptions.
In September, the Intercept was sent hundreds of thousands of prescription records allegedly exfiltrated from Ravkoo. The report focused more on the COVID-19 drug angle, but noted that the hackers gained access through a hidden admin panel that allowed users to log into the system and view all data.
The Jan. 3 notice from Ravkoo reveals the “cybersecurity incident” occurred on or around Sept. 27, where an attacker attempted to “infiltrate” the AWS-hosted cloud prescription portal. The hack potentially exposed limited prescription and health information stored on the portal. Social Security numbers are not maintained on the platform and, as such, were not impacted.
On Oct. 27, the investigation, conducted with support from a third-party forensic specialist, confirmed the exposed information included individuals’ names, contact information, prescription details, and limited medical information. All affected individuals will receive a year of online identity monitoring services.
Ravkoo has been monitoring for reports of identity theft since the incident occurred, and there have been no reports of misuse at the time of the disclosure. The vendor is continuing to assess possible cybersecurity improvements and has since enhanced its policies and procedures for its prescription portal and its information life cycle management.
For Aimei Wei, Stellar Cyber founder and chief technology officer, the incident serves as a reminder that security considerations are a “mandatory part of application development in today’s digital environment.”
“Unfortunately, not every developer is a security expert,” she explained. “Using security scanning and pen testing before the application is released is an absolute necessity for every application. However, having a continuous monitoring, threat detection and response system is your best line of defense.”
Approximately 80,000 Fertility Centers of Illinois patients were recently notified that their data was accessed nearly one year ago, after a systems hack in February 2021. The FCI notice does not explain the delay in reporting the breach.
On Feb. 1, 2021, suspicious activity was detected on FCI’s internal systems. An independent forensic investigation team found that an attacker gained access to a number of administrative files and folders containing a range of FCI data. The hack did not impact the EHR.
FCI confirmed patient information was included in the compromised data sets in August 2021. The exposed data included troves of sensitive information including patient names, SSNs, financial account details, medical record numbers, prescriptions, health insurance group numbers, employee identification numbers, passport numbers, diagnoses, and other health-related information.
FCI has since implemented enterprise identity verification software and provided further security training to all employees. Officials explained that FCI has “invested considerable resources to ensure that such a vulnerability does not exist in the future.”
To Jake Williams, BreachQuest co-founder and CTO, the description of the incident appears to show patient data was stored outside of the EHR, which is not uncommon with medical entities.
“It wouldn’t surprise me to learn that the EMR enforces MFA or doesn’t use domain authentication,” said Williams. “Organizations should take inventory of where they may have regulated data that may fall outside of normal monitoring and audit controls.”
“Those who don’t perform regular data inventory searches almost certainly have regulated data in their file shares — a location where it is just one phishing email away from compromise,” he added.
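Williams’ point about inventorying regulated data that sits outside the EHR can be turned into a routine check. The following is an added example, not code from the article, from BreachQuest, or from any of the organizations named: a small Python scanner that walks a file share, flags text files containing SSN-, MRN- or policy-number-shaped strings, and ranks them by hit count so the noisiest locations are reviewed first. The regular expressions are heuristic assumptions chosen for this illustration (a production classifier would use validated rules and sampling), and the share it scans is a constructed temporary directory built by `build_sample_share()`.

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristic patterns for regulated identifiers that end up loose on file shares.
# These rules are assumptions for this example, not any vendor's classifier:
#  - ssn: formatted nnn-nn-nnnn, excluding area 000/666/9xx and zero groups
#  - mrn: a medical record number tag followed by 6-10 digits
#  - policy_number: "policy"/"group" + "no."/"#"/"number" + an alphanumeric id
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "policy_number": re.compile(
        r"\b(?:policy|group)\s*(?:no\.?|#|number)[:\s]*[A-Z0-9-]{6,}\b", re.IGNORECASE
    ),
}

# Only text-like files are scanned; binaries (PDF, images) need a different extractor.
SCAN_SUFFIXES = {".txt", ".csv", ".log", ".md", ".json"}


def scan_file(path, patterns=PATTERNS):
    """Return {pattern_name: match_count} for one text file (empty dict if unreadable or clean)."""
    try:
        text = Path(path).read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return {}
    return {name: len(rx.findall(text)) for name, rx in patterns.items() if rx.search(text)}


def inventory_share(root, patterns=PATTERNS, suffixes=SCAN_SUFFIXES):
    """Walk a share and return findings sorted by total hit count, highest first."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in suffixes:
                continue
            hits = scan_file(p, patterns)
            if hits:
                findings.append({
                    "path": str(p.relative_to(root)),
                    "hits": hits,
                    "total": sum(hits.values()),
                })
    findings.sort(key=lambda f: f["total"], reverse=True)
    return findings


def build_sample_share():
    """Create a constructed directory tree that mimics an administrative file share."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "billing").mkdir()
    (root / "hr").mkdir()
    # Constructed sample data: a billing export that should never live on a plain share.
    (root / "billing" / "claims_export.csv").write_text(
        "patient,ssn,mrn,policy\n"
        "Jane Doe,123-45-6789,MRN: 00481516,Group No. ABC12345\n"
        "John Roe,321-54-9876,MRN 00231709,Policy # XYZ99887\n"
    )
    # A clean note and a binary file, both of which the scanner should pass over.
    (root / "hr" / "onboarding_notes.txt").write_text(
        "New hire paperwork filed. Badge issued. No patient data here.\n"
    )
    (root / "hr" / "scan.pdf").write_bytes(b"%PDF-1.4 binary placeholder")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for finding in inventory_share(share):
        print(f"{finding['total']:>4}  {finding['path']}  {finding['hits']}")
```

Run against a real share, the report gives a prioritized list of locations to move into systems with proper access control and audit logging, or to purge; the same scan scheduled weekly is the “regular data inventory search” Williams describes.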