[author: Jane Anderson]

Report on Patient Privacy 21, no. 4 (April 2021)

◆ A Texas Medicaid subcontractor has been terminated after a data breach caused by a ransomware attack originating from Russia exposed the personal information of tens of thousands of low-income residents. A spokesperson for the Texas Health and Human Services Commission also said that the agency did not learn about the extent of the attack, which occurred last April, until it received questions about the incident from The Dallas Morning News.^[1] According to news reports, the initial communications to the state agency from the contractor, Accenture, described a multistate incident involving health care providers and insurance billing and collections for health plans. That mirrors other notifications that Accenture’s collections subcontractor, Houston-based Benefit Recovery Specialists Inc. (BRSI), made to the federal government and the public last summer, the reports said. Notices the company posted on its website and sent to national news media did not mention Texas Medicaid as the main affected entity, according to news reports. Accenture used BRSI to collect payments from other health insurance plans for pharmacy services provided to Medicaid patients. Accenture told The Dallas Morning News that BRSI mailed letters to 130,706 Medicaid recipients to alert them of the breach, but BRSI was unable to mail letters to some breach victims because the stolen data couldn’t be traced to specific individuals.

◆ The FBI’s Internet Crime Complaint Center (IC3) received a record number of complaints from the public in 2020: 791,790, with reported losses exceeding $4.1 billion. The agency said in its 2020 annual report that this represents a 69% increase in total complaints from 2019. Business email compromise schemes “continued to be the costliest: 19,369 complaints with an adjusted loss of approximately $1.8 billion. Phishing scams were also prominent: 241,342 complaints, with adjusted losses of over $54 million,” IC3 said in its report. Finally, the number of ransomware incidents also continued to rise, with 2,474 incidents reported in 2020, the report said. In response to these incidents, IC3 said it continues to strengthen its relationships with industry and others in the law enforcement community to reduce financial losses. “Through the Recovery Asset Team, IC3 worked with its partners to successfully freeze approximately $380 million of the $462 million in reported losses in 2020, representing a success rate of nearly 82%,” the annual report said. “In addition, IC3 has a Recovery and Investigative Development Team which assists financial and law enforcement investigators in dismantling organizations that move and transfer funds obtained illicitly.”^[2]

◆ The annual Protenus Breach Barometer found health care data breaches rose to the rate of two per day in 2020. Overall, breaches were up 30% in 2020 compared to 2019, the security firm found. The latest Breach Barometer is based on 758 health data breaches reported to HHS, the media or some other source in 2020, which represented an increase from the 572 breaches reported in 2019. Data on patient impact was available for 609 of the incidents in 2020, which compromised more than 40.7 million records. “Hacking incidents increased for the fifth year in a row, with the number of public reports rising 42% from 2019,” according to the report. “Criminals flagrantly exploited healthcare vulnerabilities as these organizations weathered massive pandemic-related challenges, including sudden spikes in telehealth use and remote work, culminating in 470 hacking breaches reported throughout 2020, or 62% of all breaches for the year,” Protenus said. Insider breaches were the second-most common type of breach, representing 20% of all events in 2020. Finally, Protenus noted that “HHS only requires reporting of breaches that affect more than 500 patients. Therefore, the full picture is likely much more grim.”^[3]

◆ Utah-based COVID-19 testing service Premier Diagnostics has exposed thousands of ID document scans, including driver’s licenses, medical insurance cards, passports and other IDs, on the web without a password or any other authentication requirement, according to researchers from consumer privacy watchdog firm Comparitech. The firm said it discovered the publicly accessible data Feb. 22. “Affected persons are mostly from Utah, Nevada, and Colorado, based on samples of the data obtained by Comparitech. In total, over 200,000 images of ID scans were exposed,” the firm said.^[4] Premier Diagnostics acknowledged the incident and secured the data March 1. Comparitech said it did not know how long the data was accessible prior to its own discovery. The company said the first of two databases was indexed by a search engine Jan. 25. When a Comparitech researcher first discovered it, he couldn’t immediately identify the owner, so he sent an alert to Amazon Web Services security team. The researcher then was able to identify Premier Diagnostics as the likely owner, and notified Premier on Feb. 25. On March 1, “after several days with no response, Comparitech’s editorial team was able to make contact with Premier Diagnostics. The data was secured later in the day.” In total, the data was exposed for at least a week, if not longer, Comparitech reported. The exposed data was stored in two large Amazon S3 buckets, one of which—named “patient-images”—contained 207,524 images of patients’ photo IDs. Premier Diagnostics told Comparitech that each patient was associated with four images, meaning that roughly 52,000 patients were affected. The second Amazon S3 bucket—called “paper-records”—contained a database of names, dates of birth, and test sample IDs from patients who underwent COVID-19 tests. The data exposed did not include test results.

◆ Sutter Buttes Imaging (SBI) in California is notifying patients that some of their personal information may have been disclosed during an 18-month-long breach. “In December 2020, we learned that third party IT [information technology] hardware utilized by SBI demonstrated vulnerabilities which allowed unauthorized penetration for a period of time between July 2019 and December 2020,” the medical imaging group said.^[5] “After thorough investigation, SBI determined that, due to these IT vulnerabilities, certain SBI patient information may have been accessed by unauthorized parties during that time.” Information potentially accessed included imaging dates, patient names, dates of birth, types of imaging procedure, and patient and study number, the practice said. The information disclosed did not include Social Security numbers; credit card numbers; or any medical diagnoses, medical images, or medical reports and notes. SBI said it closed “certain firewall ports to prevent future access, and also engaged third party IT consultants to perform a thorough analysis and bolster our security controls going forward.”

◆ Firelands Regional Health System in Ohio said one of its former IT vendors was hacked Christmas Day, resulting in a possible data breach of mental health treatment records. A billing record for around 1,000 people treated by Firelands Counseling and Recovery Services may have been accessed, and the record included patient names, dates of birth, addresses and Social Security numbers. No medical information was involved, according to Firelands, which added that the incident apparently occurred because the former vendor, ProComp Software Consultants Inc., committed a security breach that violated its contract. ProComp notified Firelands about the incident Jan. 19.^[6]

1 Robert T. Garrett, “Terminated: Texas Medicaid subcontractor dumped after data breach in ransomware attack from Russia,” The Dallas Morning News, March 5, 2021, https://bit.ly/3rJEeBH.
2 Internet Crime Complaint Center, Internet Crime Report 2020, FBI, accessed April 5, 2021, https://bit.ly/3m5bwcZ.
3 Angie Stewart, “Key Takeaways from the 2021 Breach Barometer,” Protenus, March 15, 2021, https://bit.ly/3u4PpGw.
4 Paul Bischoff, “Utah COVID-19 testing service exposes 50,000 patients’ photo IDs, personal info on the web,” Comparitech, March 10, 2021, https://bit.ly/3m6WyDf.
5 Sutter Buttes Imaging, “Re: Notice of Potential Data Breach,” letter, accessed April 5, 2021, https://bit.ly/2R3UnF7.
6 Tom Jackson, “Firelands reveals hacking incident,” Sandusky Register, March 16, 2021, https://bit.ly/3sBTim7.

[View source.]