Nearly eight months after discovering the hack of multiple employee email accounts, UMass Memorial Health is notifying about 209,000 patients that their personal and health information was potentially compromised.
First discovered in January 2021, an authorized user gained access to various email accounts. The subsequent investigation determined the threat actor first hacked the accounts for more than six months between June 24, 2020, and Jan. 7, 2021. Officials said they could not determine whether the actor viewed the emails or attached patient information in the accounts.
The review determined the accounts contained a range of information from patient and health plan participants that included names, medical record numbers, health insurance details, clinical data, treatments, dates of birth, diagnoses, subscriber IDs, benefits election information, and procedures, among other data.
For some individuals, Social Security numbers and or driver’s license numbers were also included in the compromised data.
The notice attributes the delay in notifying patients to the “timely and labor intensive” forensic review. Under The Health Insurance Portability and Accountability Act, covered entities are required to report breaches of protected health information within 60 days of discovery, not at the close of the investigation.
Although email breaches historically involve challenging forensic reviews, several providers have successfully enabled patients to take early action before the completion of the breach analysis and within the 60-day timeframe.
In March 2019, the Oregon Department of Human Services began notifying 350,000 patients that their data was potentially breached during a massive phishing campaign in early January of that year. The transparent notification revealed the security team would have to analyze more than 2 million emails to determine who and what data was impacted.
After releasing the initial notice, the provider continued its investigation and released a follow-up notice to an additional 300,000 patients of the potential impact to their data, as well as the measures they’d taken to prevent a recurrence.
Researchers find vulnerability in Docket COVID-19 health app
A vulnerability in the health app Docket potentially exposed COVID-19 vaccine records of residents of New Jersey and Utah, according to TechCrunch research. Docket's app enables individuals to download and carry digital copies of their vaccine records. The security bug was found on Oct. 26 and closed several hours after TechCrunch notified Docket.
The vulnerability was caused by the QR code request function, created on the server in a SMART Health Card format, which is the accepted standard for validation of an individual’s vaccination status.
The generated QR code is tied to a user ID. Although it’s not visible from the app, the ID can be found within network traffic via “off-the-shelf software like Burp Suite or Charles Proxy.” The trouble was that the Docket servers did not verify whether the individual requesting a QR code had permission to do so.
As a result, any user could change their ID and request the QR code of other users. Further, the user IDs were sequential, which enabled the new QR codes to be enumerated by changing a single digit of the user ID.
Docket leadership is in the process of reviewing logs to make that determination and whether any data was compromised, while working to notify state health departments of the potential exposure.
For Tim Mackey, principal security strategist at Synopsys, the discovered Docket bug may point to a larger, ongoing trend as many similar vaccine apps were developed with timeliness as the main goal. Previous reports have also shown mobile health apps are notoriously targeted and may have similar flaws.
“Even if the medical data is limited to a simple statement of vaccination, the nature of the pandemic makes even that data rather valuable,” said Mackey. “Technology is far from foolproof. … We need only look back at the challenges faced with contact tracing applications to recognize that a technologically acceptable solution might not address privacy concerns.”
“Building confidence around this process requires some of the transparency seen within open source software development where skilled practitioners are able to review the implementation and configuration of the proposed solution,” he added. “Missteps along this path could easily tarnish the reputation of digital health passports and form a setback to the return of pre-COVID-19 conditions.”
Lavaca Medical Center systems hack
A five-day systems hack at Texas-based Lavaca Medical Center in August potentially compromised the data belonging to 48,705 patients.
Unusual activity on the network was discovered on Aug. 22, which prompted the security team to secure the network and launch an investigation with support from a computer forensics firm. An initial review determined an attacker accessed the network between Aug. 17 and Aug. 22, when it was discovered.
Lavaca Medical could not determine whether the actor accessed any information on the impacted systems, but it’s possible patient information was viewed during the intrusion. The data could include names, dates of birth, SSNs, and medical record or patient account numbers.
The electronic medical record was not involved in the incident, nor was it accessed during the hack. Officials said they’ve since implemented enhanced network monitoring tools.
Vendor’s ransomware attack leads to PHI breach
The protected health information of current and former employees of Tech Etch was potentially accessed or stolen during a ransomware-related incident in August. Tech Etch is a third-party vendor that specializes in manufacturing precision-engineered components, circuits, and shielding for a range of industries, including the medical sector.
On Aug. 25, a ransomware attack was discovered on the Tech Etch computer network, which included the encryption of some files. An investigation found the incident began five days earlier. Leveraging previously implemented security protocols and backup procedures, the vendor was able to restore operations and access to the data.
The investigators couldn’t identify any direct evidence of data staging or exfiltration.
“While the attackers did not appear to have accessed Tech Etch's human resources server, and while Tech Etch had its own encryption on the backups for that server that the attackers did try to access, the cybersecurity experts could not determine whether the attackers could have copied any current or former employees' personal information,” according to the notice.
The impacted data could include names, SSNs, dates of birth, contact information, and personal health information found in some email records stored on various servers. Officials said they’ve not found the data posted on any public leak sites.
Tech Etch officials said they’ve reported the incident to the Department of Health and Human Services, but the incident is not yet recorded on the breach reporting tool. The vendor has since enhanced its security systems.
