DNA Diagnostics Center (DDC) has agreed to pay the states of Pennsylvania and Ohio $400,000 and improve its security practices to resolve claims that it failed to use reasonable security measures to protect patient data, following a 2021 breach that impacted 2.1 million people.
After the breach was disclosed in October 2021, the Pennsylvania and Ohio attorneys general launched an investigation that confirmed DDC had failed to employ adequate security measures that would have prevented the unauthorized access and enabled faster detection.
Some 45,000 of those were Ohio and Pennsylvania residents. The incident stemmed from a network intrusion disclosed in 2021. As SC Media reported at the time, patient data was potentially accessed and/or stolen after the intrusion enabled the attacker to acquire an archived database containing information collected between 2004 and 2012.
The database originally belonged to a national genetic testing system that DDC acquired in 2012 but never operated. The report findings show that the impacted databases “were inadvertently transferred to DDC without its knowledge,” and that the company was unaware the “legacy databases existed in its systems at the time of the breach.”
The initial breach investigation confirmed that certain files and folders were removed from portions of the DDC network between May 24 and July 28, 2021, when DDC discovered the access. An outside cybersecurity firm helped DDC retrieve the stolen data. The impacted patients were told the potentially stolen data included Social Security numbers and payment data.
DDC breach discovered nine years after acquisition of Orchid Cellmark
DDC did not discover the access until July 28, 2021, more than nine years after it acquired the company tied to the server. Although DDC performed an inventory assessment and a penetration test of its systems before the breach, the impacted databases, which stored patient data “in plain text,” were not identified during those tests, because “the assessments only focused on active customer data.”
The report findings also determined that DDC was notified of suspicious activity in its network “several times over a two-month period” beginning in May 2021. However, the company did not activate an incident response plan until August 2021, when its service provider notified DDC that there were indications of Cobalt Strike, a commercial post-exploitation toolkit widely abused by intruders, on the network.
To gain access, “the threat actor logged into a VPN on May 24, 2021, using a DDC user account,” then “harvested Active Directory credentials from a Domain Controller that provided password information for each account in the network.”
The report blasts DDC’s inaction, noting that “DDC had migrated to a different VPN and no users should have been using the VPN the threat actor used for remote access.” A retired remote-access gateway that still authenticates domain accounts is an unmonitored door: a login on it is by definition anomalous, yet nobody was watching for one. The attacker’s persistence in the network enabled them to deploy Cobalt Strike throughout the environment.
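The detection a defender would have wanted here is simple to state: any authentication against a VPN gateway that the asset inventory marks as retired, or that the inventory does not know about at all, is an alert, and one source address that then authenticates as many different domain accounts is the pattern to expect once Active Directory credentials have been harvested. The script below is an added example, not code from DDC, the attorneys general or SC Media; the gateway hostnames, the syslog-style log format and the log lines are all constructed for illustration, and the second rule is an assumption about post-compromise behaviour rather than anything the report states.

```python
"""Flag logins on retired or uninventoried VPN gateways, then look for one source
authenticating as many accounts. Added example; all hosts and logs are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory (hypothetical hostnames, not DDC's).
# Only gateways marked "active" are allowed to see logins.
ASSET_INVENTORY = {
    "vpn-new.corp.example": "active",
    "vpn-legacy.corp.example": "decommissioned",
}

# Constructed syslog-style VPN authentication records; the format is an
# assumption, not a real appliance's. One malformed line is included on purpose.
SAMPLE_LOGS = """\
2021-05-24T02:11:09Z vpn-new.corp.example vpnd: user=alice src=203.0.113.10 result=success
2021-05-24T02:14:51Z vpn-legacy.corp.example vpnd: user=jsmith src=198.51.100.7 result=success
2021-05-24T02:15:02Z vpn-new.corp.example vpnd: user=bob src=203.0.113.11 result=failure
2021-05-24T03:40:33Z vpn-old2.corp.example vpnd: user=jsmith src=198.51.100.7 result=success
2021-05-25T01:02:10Z vpn-new.corp.example vpnd: user=svc_backup src=198.51.100.7 result=success
2021-05-25T01:02:44Z vpn-new.corp.example vpnd: user=carol src=198.51.100.7 result=success
2021-05-25T01:03:19Z vpn-new.corp.example vpnd: user=dave src=198.51.100.7 result=success
this line is not a vpnd record and must be ignored
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vpnd: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class VpnEvent:
    ts: str
    host: str
    user: str
    src: str
    result: str


def parse_vpn_logs(text):
    """Parse the constructed log format; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(VpnEvent(**m.groupdict()))
    return events


def find_unexpected_gateway_logins(events, inventory):
    """Rule 1: any authentication (success or failure) against a gateway that is
    not 'active' in the inventory. Hosts missing from the inventory are flagged
    too, since an appliance nobody inventoried is the same blind spot as a retired one."""
    return [e for e in events if inventory.get(e.host, "unknown") != "active"]


def find_multi_account_sources(events, threshold=3):
    """Rule 2 (assumed post-compromise pattern): one source address successfully
    authenticating as `threshold` or more distinct accounts across the log window."""
    users_by_src = defaultdict(set)
    for e in events:
        if e.result == "success":
            users_by_src[e.src].add(e.user)
    return {src: sorted(users) for src, users in users_by_src.items() if len(users) >= threshold}


def run_detections(text, inventory=ASSET_INVENTORY, threshold=3):
    events = parse_vpn_logs(text)
    return {
        "unexpected_gateway": find_unexpected_gateway_logins(events, inventory),
        "multi_account_sources": find_multi_account_sources(events, threshold),
    }


if __name__ == "__main__":
    report = run_detections(SAMPLE_LOGS)
    for e in report["unexpected_gateway"]:
        print(f"ALERT retired/unknown gateway: {e.ts} {e.host} user={e.user} src={e.src}")
    for src, users in report["multi_account_sources"].items():
        print(f"ALERT {src} authenticated as {len(users)} accounts: {', '.join(users)}")
```

Treating an unknown host the same as a decommissioned one is the deliberate design choice: the report's central finding is that the breached assets were ones DDC did not know it had, so a rule that only fires on hosts already in the inventory would have stayed silent. The rule is only as good as the inventory it reads, which is why keeping that inventory current matters as much as the detection itself.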
“To make matters worse, DNA Diagnostics Center was unaware that the stolen databases, which were part of a 2012 acquisition of Orchid Cellmark, contained the SSNs of Pennsylvanians who were subject to genetic testing from as early as 2004,” according to the findings.
“Negligence is not an excuse for letting consumer data get stolen,” said Ohio Attorney General Dave Yost in the release. According to the states, these failures violated Pennsylvania’s Unfair Trade Practices and Consumer Protection Law.
In addition to paying $200,000 to each state, DDC is required to develop and implement a cybersecurity program that meets industry standards. The program must be assessed by a certified third party and must comply with the Consumer Sales Practices Act for the collection, use and protection of consumer data.
DDC is required to designate an employee to coordinate and supervise its security program, conduct annual security risk assessments of the networks that store personal data, and maintain an updated asset inventory. The security program must include adequate measures for protecting and storing patient data, including reasonable access controls.
Notably, the Health Insurance Portability and Accountability Act already requires these measures of a covered entity such as DDC, so they should have been in place well before the breach.
Further, the provider must disable and/or remove any identified assets deemed unnecessary “for any legitimate business purpose,” apply timely software updates, perform penetration testing on its networks, and implement multi-factor authentication, in addition to “detecting and responding to suspicious network activity within its network within reasonable means.”
The state enforcement joins a host of other state- and federal-level regulatory actions that have become common in recent years. While the Department of Health and Human Services’ Office for Civil Rights has concentrated on HIPAA Right of Access, it has brought only a handful of enforcement actions tied to breaches in the last year. New Jersey has been the most active state in cracking down on consumer data violations.