6 Questions About the Partners BreachBreach Notification Comes Five Months After Phishing Attack
The number of online attacks that result in the theft of personal health information continues to rise.
On April 30, the integrated health delivery network - which operates several hospitals, including Massachusetts General - said in a statement that "a group of Partners HealthCare workforce members" received - and responded - to phishing emails, resulting in the exposure of about 3,300 patients' Social Security numbers and clinical details, amongst other information.
Here are six significant questions relating to this breach:
1. Why A Five-Month Wait?
Partners says one or more employees responded to a phishing email attack on Nov. 25, 2014, after which it brought in digital forensics experts to investigate. The organization then waited until April 30 to begin mailing breach notifications to what it says are 3,300 "affected patients."
Under the HIPAA breach notification rule, if a breach affects 500 or more individuals, covered entities must notify the Department of Health and Human Services "without unreasonable delay and in no case later than 60 days" following a breach. Individual notifications must be provided "without unreasonable delay and in no case later than 60 days following the discovery of a breach."
Partners did not immediately respond to Information Security Media Group's inquiry about why it took five months for the organization to notify individuals. As of May 1, the Partners incident also did not appear on the HHS "wall of shame," which tracks HIPAA breaches that have impacted 500 or more individuals.
While a five-month delay might seem onerous, it isn't illegal in most other sectors. "There are no clear federal guidelines or rules for the timeliness of breach notifications," says Philip Lieberman, president of identity management vendor Lieberman Software. Congress, however, does continue to discuss creating a federal data breach notification bill to replace the patchwork of state laws that are now in place. If Congress were to pass such a law, it might include a deadline for organizations to report breaches after they get detected.
It's worth noting that in 2011, Massachusetts General Hospital and its physicians organization - both part of Partners HealthCare - were slapped with a $1 million HIPAA penalty as part of a resolution agreement with HHS. The case involved the loss of documents containing data on 192 patients in 2009 by a hospital employee on a subway train. The lost documents included information on patients with HIV/AIDS (see Mass General HIPAA Penalty: $1 Million).
2. Why Send PII Via Email?
What's not clear from the Partners breach notification is why employees' email accounts contained people's personally identifiable information - or personal health information (PHI). "This is a reminder that all the database encryption in the world is not going to keep PHI secret if someone's email account is taken over, and their inbox contains: 'names, addresses, dates of birth, telephone numbers, and in some instances, Social Security numbers, and some of its patients' clinical information, such as diagnosis, treatment received, medical record information, medical diagnosis codes, or health insurance information,'" says Stephen Cobb, a senior security researcher at antivirus firm ESET, quoting from the Partners breach notification.
3. Network Intrusion Prelude?
Partners has also said that "to date, we have no evidence that any patient information in the emails has been misused." But Cobb says that caveat is "really just a word game," since it's possible that such misuse either hasn't yet come to light, or will happen in the future.
Indeed, phishing attacks are often a prelude to a more serious network intrusion, warns management consultant and information assurance trainer William Hugh Murray, although Partners says this wasn't the case. "They seem to think that the only thing compromised was the e-mail. It's possible, but when one takes the bait, this usually results in a compromise of the desktop, escalation of privileges, and compromises of applications and servers," Murray says.
4. Why Steal Health Data?
As noted, Partners is not the only healthcare organization to have been recently targeted via online attacks. "We are seeing an uptick in the targeting of the healthcare industry - soft targets, marketable data," Murray says.
Other recent healthcare breach victims include health insurer Anthem, at which accounts for 78.8 million consumers were exposed, as well as Baltimore's St. Agnes Health Care, which suffered a phishing attack that led to personal information about almost 25,000 people being exposed.
But TK Keanini, CTO of security firm Lancope, notes that the Partners breach appears to be "very different" from the massive Anthem breach. "The Anthem data, remember, [involved] no medical information, from what was reported. This [Partners] breach, however, did [involve] medical information," he says.
5. Espionage Impetus?
Medical information may be getting stolen for financially driven cybercrime purposes. But it could also be getting targeted for espionage and intelligence purposes. "It is unlikely that a phishing criminal attack would be specializing in medical patient data as a practice - too narrow," Lieberman says. "Nation states have been known to operate in this area to gain access to broad populations where social graphs and health data may be valuable for broader nation-state economic objectives."
Some security experts have warned that health data could also be used in an attempt to gather intelligence on government and defense-sector workers. "What makes medical information valuable is that it cannot be easily changed," Lancope's Keanini says. "A credit card, for example, when stolen and disclosed, can be reissued and changed; this is not the case with your DNA or medical history."
6. Cure for Phishing?
Security experts say that the Partners breach should also be a reminder for all organizations of the danger that phishing attacks continue to pose. In fact, the healthcare sector appears to be a growing target for phishing attacks, with a spike in healthcare organizations and health plans reporting large incidents to HHS in recent months (see Phishing Leads to Healthcare Breach).
In the past, of course, such attacks have been used to breach a variety of organizations, including security firm RSA as well as technology giant Microsoft. Phishing also remains a favored technique of groups such as the Syrian Electronic Army, which often uses such attacks to seize and deface news organizations' Twitter feeds.
In other words, healthcare organizations are not unique when it comes to being targeted - and exploited - via phishing attacks. "This scenario is very common and successful phishing is guaranteed," Lieberman says, since attackers can just keep trying until they succeed. "Statistically, attacks will be successful no matter how well-educated that staff and no matter how many firewalls and perimeter protections are in place," he says. As a result, "the best organizations now focus on interior protection technologies," to try and prevent sensitive or regulated data from being stolen, or communicated via insecure means to unauthorized recipients.
Executive Editor Marianne McGee also contributed to this story.