Privacy Briefs: January 2024

Health Care Compliance Association (HCCA)

[author: Jane Anderson]

Report on Patient Privacy 24, no. 1 (January, 2024)

New York has released proposed cybersecurity regulations for hospitals. The regulations, which were published in The State Register on Dec. 6 and will undergo a 60-day public comment period ending on Feb. 5, are designed to help hospitals protect critical systems from cyber threats, state officials said. Under the proposed regulations, hospitals will be required to establish a cybersecurity program and take steps to assess internal and external cybersecurity risks, use defensive techniques and infrastructure, implement measures to protect their information systems from unauthorized access or other malicious acts and take actions to prevent cybersecurity events before they happen, according to the state. In addition, the proposed regulations will require that hospitals develop response plans for a potential cybersecurity incident, including notification “to appropriate parties,” and to run tests of their response plans to ensure that patient care continues while systems are restored. Once the regulations are finalized, hospitals will have one year to comply. New York Gov. Kathy Hochul’s 2024 budget includes $500 million in funding for health care facilities to upgrade their technology systems to comply with the proposed regulations.[1]

Some patients of Oklahoma City-based Integris Health were contacted in December by apparent hackers who claimed to have stolen their personal information and threatened to post it on the dark web. An email shared on social media, allegedly from the hackers, stated that the attackers obtained names, contact information, work and insurance information, plus Social Security numbers. “We have contacted Integris Health, but they refuse to resolve this issue,” the email stated. The alleged hackers also said that if the email recipient did not pay a ransom of $50 in Bitcoin, their information would be sold to data brokers on the dark web. In a privacy notice dated Dec. 24, Integris Health said that it became aware of the breach on Nov. 28. The hospital system said that names, dates of birth, contact information, demographic information and Social Security numbers were included in the breach. Payment information, such as credit card numbers, usernames or passwords and driver’s license numbers or other government-issued identification were not included in the breach, Integris said. The hospital system urged patients not to respond to emails from the apparent hackers or to “follow any of the instructions, including accessing any links.”[2]

Business associate HealthEC LLC (HEC), a population health technology company that provides services to various provider groups and health systems, said an unknown actor had accessed its systems for 10 days in July 2023, leading to a breach impacting more than 4.45 million patients. HEC’s investigation determined that files were copied that included names, addresses, dates of birth, Social Security numbers, taxpayer identification numbers, medical record numbers, medical information such as diagnoses, mental/physical condition, prescription information, provider’s name and location, health insurance information and billing and claims information. Impacted HEC business partners include Corewell Health, TennCare, the University Medical Center of Princeton Physicians’ Organization, Long Island Select Healthcare, East Georgia Healthcare Center and Hudson Valley Regional Community Health Centers, among others.[3]

Following the HealthEC breach, Michigan Attorney General Dana Nessel called on state lawmakers to tighten state laws regarding data breaches. More than 1 million patients of Corewell Health, an integrated health system based in Grand Rapids, Mich., were impacted by that breach. “We’re asking the legislature to create laws to put laws on the books to ensure that these companies are taking the steps to protect our information and that they’re letting us know when there’s been a data breach so that people can best protect themselves,” Nessel said.[4]

The Cybersecurity & Infrastructure Security Agency (CISA) has published health sector-specific guidance based on the findings from a two-week external and internal risk and vulnerability assessment of a large health care organization. The assessment, conducted at the request of the organization, involved web application, phishing, penetration, database and wireless testing. “During the one-week external assessment, the assessment team did not identify any significant or exploitable conditions in externally available systems that may allow a malicious actor to easily obtain initial access to the organization’s network,” the CISA analysis said. “Furthermore, the assessment team was unable to gain initial access to the assessed organization through phishing. However, during internal penetration testing, the team exploited misconfigurations, weak passwords and other issues through multiple attack paths to compromise the organization’s domain.” CISA offered three recommendations for that health care organization and others: (1) use phishing-resistant multifactor authentication for all administrative access; (2) verify the implementation of appropriate hardening measures, and change, remove or deactivate all default credentials; and (3) implement network segmentation controls.[5]

Cybercriminals successfully encrypted data in ransomware attacks on nearly 75% of health care organizations surveyed by security firm Sophos, the firm revealed. Only 24% of health care organizations were able to disrupt a ransomware attack before attackers encrypted their data, the lowest rate of disruption in three years, the security firm reported in its latest sector survey report. “What’s more, this number is declining, which suggests the sector is actively losing ground against cyberattackers and is increasingly unable to detect and stop an attack in process,” said Chester Wisniewski, director and field chief technology officer at Sophos. “Part of the problem is that ransomware attacks continue to grow in sophistication, and the attackers are speeding up their attack timelines.” Sophos found that the median time from the start of a ransomware attack to detection was only five days, and 90% of ransomware attacks took place after regular business hours. The report also found that, in 37% of ransomware attacks where data was successfully encrypted, data also was stolen. In addition, health care organizations are taking longer to recover, with 47% recovering in a week, compared to 54% last year, Sophos said. Compromised credentials were the number one root cause of ransomware attacks against health care organizations in the survey, which also found that the number of health care organizations that paid ransom payments declined from 61% last year to 42% this year, slightly lower than the average of all sectors, Sophos said.[6]

A former vice president at Med Center Health in Kentucky was placed on probation for two years and ordered to pay $140,000 in restitution after admitting to illegally disclosing the health information of thousands of patients. Mark Kevin Robison was sentenced in U.S. District Court in Bowling Green, where he pleaded guilty in September to a count of wrongful disclosure of individually identifiable health information. A plea agreement filed in court records said that as a vice president for Med Center Health, formerly known as Commonwealth Health Corporation (CHC), Robison worked with another person on software they intended to market to health care companies. The illegal disclosure of health information was said to have occurred in 2014 and 2015, when Robison shared protected health information (PHI) with that other person in an effort to test the software. Assistant U.S. Attorney David Weiser said that while CHC incurred expenses investigating the matter and notifying patients of the breach, there is no evidence showing that any PHI was shared beyond the person working to develop the software.[7]

Sutter Health became the latest casualty of the breaches associated with the MOVEit Transfer file transfer software, with an estimated 845,441 patients of the northern California health system impacted. A vendor called Welltok Inc.—a Virgin Pulse subsidiary that operates an online contact management platform that enables Sutter Health to provide patients and members with important notices and communications—notified Sutter Health in late September that it had been impacted by the ransomware attack targeting the MOVEit file transfer tool. According to Sutter Health’s breach notification, Virgin Pulse told Sutter Health that its investigation determined an unknown actor exploited vulnerabilities in the software, accessed the MOVEit Transfer server between May 30 and May 31, 2023, and exfiltrated data from the server. Virgin Pulse provided Sutter Health with a final report on its investigation on Oct. 24, Sutter Health said. Social Security numbers and financial information were not impacted, the health system said.[8]


1 Department of State, Division of Administrative Rules, The New York State Register 45, no. 49 (December 6, 2023), https://bit.ly/48NPov5.

2 Dale Denwalt, “Hackers in an Integris Health data breach are emailing victims. What to do if you receive one,” The Oklahoman, December 26, 2023, https://bit.ly/48Fwpma.

3 HealthEC, “Notice of the HealthEC LLC Cyber Security Event,” December 22, 2023, https://bit.ly/48sakI8.

4 Courtney Bennett, “Michigan AG calls for laws following Corewell Health data breach affecting 1M,” News Channel 3, December 28, 2023, https://bit.ly/48w4iXa.

5 Cybersecurity & Infrastructure Security Agency, “Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment,” Cybersecurity Advisory, Product ID: AA23-349A, December 15, 2023, https://bit.ly/3HbSoW8.

6 Sophos, “Cybercriminals Successfully Encrypted Data in Ransomware Attacks on Nearly 75% of Healthcare Organizations That Sophos Surveyed,” news release, November 1, 2023, https://bit.ly/4aNwwxW.

7 Justin Story, “Former hospital exec put on probation for HIPAA violation,” Bowling Green Daily News, December 22, 2023, https://bit.ly/3S7Lh7x.

8 Sutter Health, “Sutter Health Vendor Reports Patient Information Incident,” news release, November 3, 2023, https://bit.ly/3H7fIVb.
