After Ransomware Attack, When Must Patients Be Notified?Eskenazi Health Says It's Still Assessing Whether Individual Notifications Are Required
Indianapolis, Indiana-based Eskenazi Health, which operates a public healthcare system, has acknowledged that hackers stole some data and posted it on the darkweb after a recent ransomware attack. But the organization says it's not yet determined if patients and employees need to be notified individually about the incident because its investigation is still underway.
In an updated statement posted this week, Eskenazi said its investigation revealed that "some data that we maintain was obtained by bad actors and released online."
The statement also notes: "We have identified files that the hackers obtained, and we have begun the painstaking process of examining those files for any personal patient or employee information. If we find such information, we will notify the affected individuals in accordance with law and offer identity protection and credit monitoring services."
Privacy attorney David Holtzman of the consultancy HITprivacy LLC, says: "Healthcare organizations recovering from a cybersecurity attack face a number of issues when considering how and when to notify patients and regulators with details about the data that was compromised and those who were affected.
"The process to conduct a full forensic analysis to identify with precision the data accessed by unauthorized third-parties can take weeks or even months. However, state and federal breach notification laws can force healthcare organizations to assume the worst case scenario in their assessment of the scope and breadth of data that was compromised."
Eskenazi Health Update
In its updated statement posted Tuesday about a cyber incident discovered on Aug. 4, Eskenazi Health notes it "quickly acted in accordance with our information security protocols to maintain the safety and integrity of our patient care."
Eskenazi Health tells Information Security Media Group that the "attempted attack" involved ransomware and that the healthcare entity had brought its systems offline while remediating the incident.
Local news site Indy Star had reported that Eskenazi had diverted ambulances and other patient care for several days upon discovery of the incident and during recovery.
The statement says the organization has no evidence "that any of our files were ever encrypted, and we will not make any payment to the bad actors. Our system worked as it should, and the quick action by staff, in accordance with our information security protocols, enabled us to maintain the safety and integrity of our patient care."
Eskenazi declined ISMG's request for additional comment about the incident and the entity's plans for notifying individuals and reporting a breach to federal and state regulators.
"Our statement from this week stands. The investigation is underway to learn the facts," an Eskenazi Health spokesman tells ISMG.
Exfiltration of Data
Threat analyst Brett Callow of security firm Emsisoft says ransomware group Vice Society lists an Eskenazi Health data dump on its darknet site.
The blog Databreaches.net reports viewing employee and patient data from the Eskenazi hack posted on Vice Society's darkweb site. It reports that Vice Society confirmed it was responsible for the Eskenazi Health attack.
"There have been numerous incidents in which organizations claimed to have ’no evidence’ of data being exfiltrated only for the gang to prove that it had indeed been exfiltrated by publishing it," Callow says.
"In other words, the organizations got it wrong. Absence of evidence is not, of course, evidence of absence. How often this happens in the healthcare sector is impossible to say."
Vice Society was also apparently responsible for the May attack on New Zealand’s Waikato District Health Board, "which had a significant impact as well as some unexpected consequences," Callow notes.
Regulator Offers Reminder
Meanwhile, some U.S. regulators are expressing impatience with healthcare entities that fail to provide timely and appropriate breach notification to affected individuals and enforcement agencies following ransomware incidents.
On Tuesday, Rob Bonta, California's attorney general, issued an advisory to healthcare entities reminding them of their legal duty to comply with state and federal health data privacy regulations.
Similar to breach notification obligations under HIPAA, California law requires entities to notify the state's Department of Justice when health data of more than 500 California residents have been breached, the bulletin say.
Under HIPAA, once a breach involving protected health information is discovered, covered entities must notify affected individuals within 60 days.
The advisory notes it "comes on the heels of multiple unreported ransomware attacks against California healthcare facilities."
In a statement, Bonta notes: “Entities entrusted with private and deeply personal data, like hospitals and other healthcare providers, must secure information against evolving threats. Timely breach notification helps affected consumers mitigate the potential losses that could result from the fraudulent use of their personal information obtained from a breach of health data.”
Holtzman, the attorney, points out: "The HIPAA Breach Notification Rule 60-day clock begins to tick when the breach involving compromise to protected health information is discovered or 'through exercising reasonable diligence' would have been known."
Indiana, where Eskenazi is based, has its own breach notification law that's triggered when personally identifiable information is compromised, he adds.
"OCR has at times taken the view that the HIPAA requirements for breach notification are triggered when a healthcare organization provides a notice designed to comply with state law requirements. It is not yet clear if Eskenazi’s public notification on its website was released because of a determination that the personal information compromised through the cyberattack was protected under the Indiana breach notification requirements."