Law Firm Says Year-Old Hack Affected PHI of 255,000 PeopleBesides a Lag in Reporting, Some of the Compromised Data Was a Decade-Old
A Michigan law firm recently told regulators about a hacking incident discovered nearly a year ago that has affected the protected health information of more than 255,000 individuals, including members of a Michigan health plan.
Warner Norcross & Judd LLP on Aug. 24 reported to the U.S. Department of Health and Human Services a hacking/IT incident involving a network server and affecting the PHI of 255,160 individuals.
The law firm also reported the incident to the state of Maine's attorney general twice - first on July 11 as a hacking incident affecting about 19,000 individuals, including seven Maine residents, and then again in an updated report on Aug. 17, stating that the incident affected more than 214,000 individuals, including 131 Maine residents.
In July, a WNJ client, health plan Priority Health in Michigan, issued a breach notification saying that 120,000 of its members had been affected by WNJ's data security incident.
Priority Health in its breach notification statement about the WNJ incident says some of the data compromised - including member drug claim information - was a decade old. A Priority Health spokesperson says the legacy data was being used by WNJ for a project the law firm was working on for the health plan.
While the number of individuals that WNJ has reported to regulators as being affected by the incident has more than doubled in recent weeks, the number of Priority Health members affected is still 120,000, Priority Health says in a statement to Information Security Media Group.
"WNJ provides legal services to Priority Health and may hold data in connection with the services provided," the Priority Health statement says.
"Priority Health is pleased that WNJ has further strengthened the security of its digital environment," the health plan tells ISMG. "Priority Health is committed to continuing to work with WNJ and all of our vendor partners to protect the privacy of our members and ensure the security of their sensitive personal information."
WNJ did not immediately respond to ISMG's request for comment and for additional details about the incident, including the potential impact of the breach on other healthcare sector clients affected.
A breach notification statement posted on WNJ's website on Aug. 4 says the law firm learned on Oct. 22, 2021, that "unauthorized activity" involving some of its systems had been reported.
WNJ says it immediately took steps to secure its network and engaged a digital forensics firm to investigate the cause and scope of the incident.
The firm confirmed the breach of health information "through data mining and manual review" and then took steps to identify current mailing addresses and, as addresses have become available, notified the affected individuals, the statement says.
Information potentially compromised in the incident includes individuals' name, date of birth, Social Security number, driver's license number, government-issued ID, annual compensation amounts, benefit contribution information, credit card or debit card number, credit card or debit card PIN, financial account or routing number, passport number, patient account number, health information, and life insurance policy information, WNJ's notice says.
Priority Health's breach notice says some of the data elements affected include Priority Health patients' first and last names and pharmacy claim information for some prescriptions filled in 2012, including drug name, date the prescription was filled and name of the insurance provider.
WNJ says so far there is no evidence of misuse of the information.
Kate Borten, president of privacy and security consulting firm The Marblehead Group, says the WNJ incident raises the issue of whether the law firm actually needed the level of PHI detail involved in this breach. "A further question is why PHI from 2012 was accessible after 10 years. Even if there were legal requirements for data retention, such data should have been archived very securely, for example, offline and encrypted," she says.
Keith Fricke, principal consultant at privacy and security consultancy tw-Security, offers a similar assessment. "What is concerning about the incident is the amount of PHI involved, Fricke says "It makes you take pause and ask how many other law firms store, process or transmit such large amounts of PHI and how well protected it is."
Although HIPAA requires health data breaches affecting 500 or more individuals to be reported to HHS by or within 60 days of discovery, the WNJ incident illustrates some of the challenges many organizations face in uncovering details during the incident response, some experts say.
"Forensic investigations of breaches take a lot of time, unlike how television shows portray that process," Fricke says. Nonetheless, the apparent nine-month lag between WNJ discovering the data security incident in October 2021 and first reporting it to state regulators in July 2002 "does seem like an unusually long time before notifying affected individuals," he says.
"Any business associate should be aligning its practices with HIPAA requirements. The fact this breach involves a law firm doesn't make it any different from any other BA's obligations," he says.
Even if an organization has difficulty in providing all the details, such as a precise count of the number of individuals affected, the HIPAA breach notification rule is explicit about prompt notification to HHS and patients, Borten says.
"There does not appear to be a valid reason or explanation for the lengthy delay in this case. When clear noncompliance could affect patient privacy, it is important for HHS to respond and send a signal to the industry that it will hold violators accountable."
Lessons to Learn
One lesson emerging from the WNJ breach is to minimize PHI accessed and acquired, Borten says. Review past and future engagements along with the firm's policies and procedures to ensure that excess PHI is not obtained from the outset, she adds.
PHI that is no longer needed should be destroyed, according to the National Institute of Standards and Technology's Special Publication 800-88. "And in case PHI must be retained for legal purposes, it should be securely archived," she says.
Law firms should also take note of this incident, Fricke says. "This is yet another example of criminals not being discriminant about their targets. Criminals may see them as targets of intent rather than the target of opportunity."