Victim Total Soars in County Health Data Breach
Minnesota County Says Tally is 118,000, Not 600 as Originally Reported
This article has been updated.
A Minnesota county that originally reported last December that a hacking incident affected about 600 individuals now says about 118,000 may have had healthcare data exposed.
In a public statement Tuesday, Ramsey County says an "ongoing investigation" into an incident discovered in August 2018 and first reported in December 2018 has confirmed the broader scope.
"As of this update, the total number of individuals who may have had their individually identifiable health information compromised is now 117,905; the total number of notices mailed is now 116,255," the county says.
Ramsey County first reported the "hacking/IT incident" on Dec. 11, 2018 as involving email and impacting 599 individuals, according to the U.S. Department of Health and Human Services HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Ramsey County's original notification last December noted that the county became aware of unauthorized access to email accounts of 26 employees "in an apparent scheme by an unknown outside party to divert employees' paychecks."
Following the incident, Ramsey County said it took immediate steps to stop the intrusion and secure employees' email accounts. The county then retained a data security firm to conduct further investigation, the statement notes.
"The firm's initial assessment was delivered on Oct. 12, 2018. It found that the hackers may have been able to see information about Ramsey County clients through the employee email accounts, including Social Security numbers, dates of birth, addresses and limited amounts of medical information. However, the county does not know whether any of this information was actually viewed during the attack."
But the updated statement issued Tuesday notes that "during the course of the ongoing internal investigation, on or about May 21, 2019, the county learned that limited amounts of health-related information had been identified in the email accounts of two employees related to services the county provides to various government agencies, such as administrative services to the Minnesota Department of Human Services in support of the Child & Teen Checkups program and administrative support to the St. Paul-Ramsey County Public Health Department."
The information that may have been exposed via those email accounts includes names, addresses, dates of birth, and other identifiers of some program participants, as well as appointment dates and appointment types, patient master index numbers, household identification numbers, and names of authorized representatives, the statement says.
The county does not know whether any of this information was actually viewed during the attack and is unaware of any misuse of the information, the statement adds.
Ramsey County Statement
In a statement provided to Information Security Media Group on Wednesday, Ramsey County says it has been periodically updating its breach reports to regulators as it discovers more individuals were potentially affected by the phishing incident.
"The initial response focused on what we know the hackers were trying to do - steal employees' paychecks. ... That attempt was thwarted. Ramsey County reported the breach to [HHS'] Office for Civil Rights within 60 days of receiving the first forensic report from [an independent data security firm] on Oct. 11, 2018."
Ramsey County says that several of the employees whose email accounts were compromised provide services to multiple departments within the county, making it difficult to fully evaluate all information contained in those email accounts.
"We retained a document review firm to assist us in this work. In late May 2019, we learned that limited amounts of health-related information had been identified in two employees' email related to services that the county provides to various government agencies," the statement says.
"The affected employees worked in 11 different county departments, some which were HIPAA-covered, and some which were not. Even within the HIPAA covered departments, some programs and services were HIPAA-covered and some were not."
Additionally, some of the employee email accounts contained data potentially going back nearly 20 years, the county says. "These were complicating factors for both technical and legal review," the statement says.
"A team made up of information systems, legal, compliance, risk management and communications staff have met nearly weekly for the past year to ensure we understand the full scope of possible impacts from this data breach, implement safeguards to protect against future attacks and raise awareness among employees of the risks," the statement says.
The county says it has made a number of modifications and improvements in technical, policy, communication and training areas. "This coordinated work will continue through a new compliance office, which we have accelerated the creation into 2019. We are currently hiring a chief compliance officer."
The incident was reported to the FBI last August, and the FBI followed up with the county with additional questions in June 2019. "That is the most recent contact the FBI has made with us," the statement says.
Like the Ramsey County case, the scope of some other health data breaches has grown after follow-up investigations.
For instance, in January, the Alaska Department of Health and Social Services disclosed that the state was notifying up to 700,000 individuals of a health data breach that originally was reported to federal regulators in June 2018 as affecting only 501 people.
Final breach victim counts can sometimes jump significantly because preliminary investigations "may be too narrow in scope or not performed with sufficient expertise," says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
"It is not uncommon at all to find that the number of victims impacted by a breach grows over time," says former healthcare CIO David Finn, executive vice president at security consulting firm CynergisTek. Attackers can penetrate a target and remain invisible to the organization for weeks, months or even years, he adds.
"A thorough cyber investigation can take that long to fully unravel the attacker's methods and targets, so, over time, it is likely that additional systems and records will be discovered to have been impacted."
Occasionally the number of impacted individuals is actually lower than original estimates, Finn notes.
"In at least one case I'm aware of, the number decreased - I'm certain because the breached organization took a quick look at the systems impacted the potential and declared a number before the investigation was complete," Finn says.
Expanding Breach Scope
After organizations discover a breach and launch an investigation, they sometimes discover additional breach vectors, Finn says.
For instance, what might initially appear to be "a simple attack" on a particular system with files taken can sometimes later be determined to be a widespread phishing attack resulting in many users being tricked into giving away their credentials. In those circumstances, hackers may now have access to email, attachments or other systems containing more electronic protected health information than first realized, Finn says.
"The hunt for records breached can expand exponentially when you've hit email systems and may be looking through millions of emails for PHI included in the message or in attached files," he says. "All of that takes more time and can certainly reveal more issues."
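The mailbox review Finn describes, as an added illustration that is not from the article or from Ramsey County: a small Python scanner over constructed sample mailboxes that looks for SSN-shaped identifiers in message bodies and text attachments, and shows how the tally of unique individuals climbs as each additional compromised mailbox is reviewed. The employee names, messages and identifiers are all constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")  # SSN-shaped identifier

def make_msg(subject, body, attachment=None):
    """Build a raw RFC 822 message; the optional attachment is text/plain."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, filename="report.txt")
    return msg.as_bytes()

# Constructed mailboxes for two hypothetical employees (not real data).
MAILBOXES = {
    "employee_a": [
        make_msg("Checkup appointment", "Client John Doe, SSN 123-45-6789, appt 05/21/2019"),
        make_msg("Direct deposit", "Please update my payroll account"),
    ],
    "employee_b": [
        make_msg("Export", "see attached",
                 "Jane Roe, 987-65-4321\nJohn Doe, 123-45-6789\nSam Poe, 555-12-3456"),
    ],
}

def identifiers_in(raw):
    """Return the SSN-shaped strings found in the body and every text/* part."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            found.update(SSN_RE.findall(part.get_content()))
    return found

def scan_mailboxes(mailboxes):
    """Review mailboxes one at a time. Each row is (mailbox, messages with
    identifiers, running count of unique individuals); the same person seen
    in two mailboxes is counted once, which is what a notification tally needs."""
    seen = set()
    report = []
    for name, messages in mailboxes.items():
        hit_count = 0
        for raw in messages:
            ids = identifiers_in(raw)
            if ids:
                hit_count += 1
                seen |= ids
        report.append((name, hit_count, len(seen)))
    return report
```

Reviewing only the first mailbox yields one individual; adding the second mailbox raises the tally to three, with the repeated identifier deduplicated rather than double-counted.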
When the victim count in a health data breach changes substantially from the time it was first reported to HHS, entities need to provide government agencies and individuals affected with updated reports.
"Especially if the victim count exceeds 500, HIPAA breaches require public notice, and a significantly larger number could mean media notices need to be more widespread," Borten says.
"If significant details change, then covered entities must update HHS with that information. And, of course, newly identified victims must be notified individually - typically through the mail - no later than 60 days from discovery."
Sometimes there are "legitimate challenges" in meeting the 60-day reporting time limit under HIPAA for breaches affecting 500 or more individuals, Borten says. "But often it appears that some organizations treat the reporting timeframe as a desirable goal, but [one that is] not enforced."