Health Data Breach Not Reported for Seven Months
Phishing Incident Affected Nearly 200,000
A California healthcare provider took nearly seven months to report to regulators a phishing incident that exposed information on 200,000 patients. Security experts are analyzing whether the delay could be justifiable.
PIH Health, a regional healthcare network based in Whittier, California, says that it discovered in June 2019 a phishing incident that it eventually reported to the Department of Health and Human Services on Jan. 10, 2020.
HHS Office for Civil Rights' HIPAA Breach Reporting Tool website shows the hacking/IT incident involving email impacted nearly 200,000 individuals. As of Monday, the PIH Health incident is the largest breach added to the federal website so far in 2020.
Under the HIPAA Breach Notification Rule, covered entities must report a breach of unsecured protected health information affecting 500 or more individuals to HHS without unreasonable delay and no later than 60 days after discovering the breach.
PIH Health Breach Timeline
In its breach notification statement, PIH Health says that on June 18, 2019, it learned that certain PIH Health employee email accounts had potentially been accessed without authorization as a result of a targeted phishing campaign.
"Upon learning of this information, PIH Health took steps to secure its email system and network, including resetting the passwords required to access potentially affected employee email accounts. PIH Health also immediately launched an investigation and engaged leading, independent cybersecurity experts to provide assistance," the statement notes.
PIH Health says that as a result of its investigation, on Oct. 2, 2019, it determined that certain employee email accounts were accessed without authorization between June 11 and June 18, 2019 as a result of the phishing campaign.
On Nov. 12, 2019, PIH Health determined that information belonging to certain current and former patients was contained within the accessed email accounts. "PIH Health then worked diligently to identify contact information for all potentially affected individuals in order to provide them with notice of the incident," the statement adds. The incident was reported to HHS nearly two months later, on Jan. 10, 2020.
"PIH Health is not aware, and the independent forensic investigation did not result in the identification of, any evidence that information involved in this incident has been misused," the statement notes.
The organization did not describe the kind of PHI contained in the compromised email accounts. PIH Health did not immediately respond to an Information Security Media Group request for additional information about the incident.
"We don't yet know why PIH Health took four months to understand the June attack was a breach of unsecured PHI, or took almost two more months to report the breach to OCR," notes independent HIPAA attorney Paul Hales. "But we do know PIH Health is in trouble. OCR automatically investigates breaches of this size."
The HITECH Act mandates that covered entities notify individuals of a health data breach without unreasonable delay but in no case later than 60 days from the discovery of the breach, except where law enforcement has requested a delay.
"In adopting the regulations implementing the breach notification requirements, HHS considered arguments for extending the timeframe for notification," says privacy attorney David Holtzman of the security consulting firm CynergisTek, who formerly worked at HHS' OCR, which enforces HIPAA. "But in the final analysis, it determined that the interests of consumers whose information had been disclosed could be adversely affected by a longer delay and lose the ability to mitigate adverse consequences caused by the compromise of their PHI."
Meanwhile, California law requires breach notification within 15 business days from date of discovery, Holtzman notes.
"While it is possible that [PIH Health] had discussions with OCR and the California Department of Public Health to request exercise of enforcement discretion, in my experience these extensions are rarely given," he says. If there was no such extension, federal and state enforcement agencies "will conduct an exhaustive compliance review into why the organization was unable to comply with the rules," he predicts.
But privacy attorney Iliana Peters of the law firm Polsinelli, who was also a former senior adviser at OCR, notes that forensic investigations "can take a significant amount of time, and just establishing whether or not PHI was potentially affected, let alone the specific individuals who may have been affected, can be extremely difficult. It's very important to understand that the definition of a 'security incident' under the HIPAA Security Rule is different from a 'breach' under the HIPAA Breach Notification Rule."
While HIPAA covered entities and business associates are required to investigate all security incidents, a "breach" is not determined until the entities confirm that "acquisition, access, use or disclosure of PHI in a manner not permitted [under the regulations] which compromises the security or privacy of the PHI" occurred, she notes.
"It is crucial that HIPAA covered entities - or their business associates, on their behalf - determine what PHI, if any, was accessed or acquired in any security incident, and ... determine whether a breach actually occurred."
The 60-day reporting timeline starts when the HIPAA covered entity confirms that PHI was accessed or acquired in a way that compromises the security or privacy of the PHI, she says.
For example, in email compromise incidents, it may not be immediately known which email accounts were affected and how - and there may be many thousands of emails potentially impacted, she notes. On top of that, it takes time to determine whether the compromised email accounts contain PHI, "given that not all employees of an entity have access to PHI or use email to transmit PHI," she says.
HIPAA covered entities and business associates should engage with their cyber insurers, counsel and forensic investigators as quickly as possible after discovery of a security incident to ensure that they are working reasonably and diligently to understand the scope of any particular attack, including the individuals whose PHI may be affected, Peters says.
Covered entities should "consider working with forensic investigation firms that engage in programmatic data mining efforts to understand which individuals may be affected more efficiently than having to manually review all documents involved, which is incredibly resource-intensive, although manual review of some documents in these incidents is always necessary, given the limitations of programmatic data mining," she adds.
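As an added illustration of the programmatic triage Peters describes (example code written for this page, not PIH Health's or any forensic vendor's tooling), the Python script below parses a constructed set of exported mailbox messages, flags the ones that combine a structured identifier with health context, aggregates the distinct identifiers so affected individuals can be counted, and routes ambiguous messages to manual review. The identifier formats, the "MRN" prefix, the health vocabulary and the sample messages are all assumptions made for the example; a real engagement tunes them to the organization's own records.

```python
"""Triage an exported mailbox for PHI indicators to scope an email-compromise incident.

Added example, not PIH Health's or any vendor's tooling. Assumptions: messages are
available as RFC 5322 text (e.g. .eml exports), and the indicator patterns below
(SSN, a hypothetical "MRN" prefix, DOB) match how the organization writes them.
"""
import re
from email import message_from_string, policy

# Indicator patterns. Constructed for this example; a real engagement tunes these
# to the organization's own identifier formats (MRN length, date style, etc.).
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[\s:#]*(\d{6,10})\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[\s:]*(\d{2}/\d{2}/\d{4})\b", re.IGNORECASE),
}
# Words that make an identifier health-related rather than, say, HR or payroll data.
HEALTH_TERMS = re.compile(
    r"\b(patient|diagnos\w*|treatment|visit|prescri\w*|lab results?)\b", re.IGNORECASE
)

# Constructed sample mailbox: five messages as they might appear in an .eml export.
SAMPLE_MESSAGES = [
    """From: billing@example-health.test
To: nurse@example-health.test
Subject: Account follow-up

Patient Jane Doe (MRN 10023456) DOB 04/12/1975, SSN 123-45-6789, owes $240 for visit 2019-05-30.
""",
    """From: admin@example-health.test
To: staff@example-health.test
Subject: Thursday lunch

Lunch is at noon Thursday in conference room B. Bring your own drinks.
""",
    """From: frontdesk@example-health.test
To: nurse@example-health.test
Subject: Callback

Please call the patient about her lab results before Friday.
""",
    """From: hr@example-health.test
To: nurse@example-health.test
Subject: Tax form

Your updated W-2 lists SSN 555-12-3456, let me know if that is wrong.
""",
    """From: pharmacy@example-health.test
To: nurse@example-health.test
Subject: Renewal

Follow-up for patient with MRN 10023456: prescription renewed, SSN on file 987-65-4321.
""",
]


def body_text(raw: str) -> str:
    """Return the plain-text body of one RFC 5322 message (attachments are ignored)."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def find_indicators(text: str) -> dict:
    """Map each indicator type to the set of distinct values found in the text."""
    found = {}
    for name, pat in PATTERNS.items():
        hits = {m.group(1) if m.groups() else m.group(0) for m in pat.finditer(text)}
        if hits:
            found[name] = hits
    return found


def triage_mailbox(raw_messages) -> dict:
    """Classify each message and aggregate unique identifiers across the mailbox.

    A message is counted as PHI-bearing only when a structured identifier occurs
    together with health context. Messages with one but not the other cannot be
    decided by pattern matching and are queued for human review.
    """
    report = {"phi_messages": [], "manual_review": [], "unique": {k: set() for k in PATTERNS}}
    for idx, raw in enumerate(raw_messages):
        text = body_text(raw)
        indicators = find_indicators(text)
        health_context = bool(HEALTH_TERMS.search(text))
        if indicators and health_context:
            report["phi_messages"].append(idx)
            for kind, values in indicators.items():
                report["unique"][kind] |= values
        elif indicators or health_context:
            report["manual_review"].append(idx)
    return report


if __name__ == "__main__":
    result = triage_mailbox(SAMPLE_MESSAGES)
    print("PHI-bearing messages:", result["phi_messages"])
    print("Queued for manual review:", result["manual_review"])
    for kind, values in result["unique"].items():
        print(f"distinct {kind}: {sorted(values)}")
```

On the constructed sample the script reports two PHI-bearing messages (the billing and pharmacy notes), two distinct SSNs but only one MRN because the same patient appears twice, and queues the callback note (health context, no identifier) and the W-2 note (identifier, no health context) for a reviewer. That last pair is the point Peters makes: the automated pass shrinks the review set and gives a first count of affected individuals, but it does not decide the ambiguous cases, and an entity should not treat its output as the breach determination.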
Holtzman notes that timely breach notification to individuals whose PHI has been compromised enables victims to make decisions on what action to take to mitigate adverse consequences from the disclosure of their information.
"The disclosed information may have contained financial or credit card information," he says. "Or the PHI may have contained sensitive information about their health status or treatment, which might expose them to harm of their reputation or the status of their employment or a personal relationship. The point is, the consumer has a right to know when their PHI has been disclosed, and it is their decision on what appropriate measures should be taken to protect themselves."
In those cases where an investigation takes a long time, "the covered entity can make substitute notification through announcement of the breach with the information it does know ... through the media and on its own website to be followed later with individual notification once the investigation allows for identification of those patients whose PHI has been compromised," he points out.
HHS OCR has issued at least one HIPAA enforcement action citing a delayed breach response by an organization.
Last May, OCR announced a $3 million HIPAA settlement with Franklin, Tennessee-based Touchstone Medical Imaging stemming from a 2014 breach that affected 307,000 individuals. In that case, OCR alleged that the medical imaging services provider delayed investigating and mitigating the breach involving patient information leaking onto the internet via a web server - and also delayed notification of victims.