21 months after a ransomware attack, a business associate breach first shows up on HHS’s breach tool. Here’s why.
HIPAA Journal reports on an incident that is illustrative of the challenges entities may face in the wake of a ransomware attack — determining whether a breach is a reportable incident or not. It also illustrates what may happen if an entity decides something is not a reportable breach but further investigation by the U.S. Department of Health & Human Services Office for Civil Rights (OCR) suggests otherwise.
In this case, Metro Presort in Oregon experienced a ransomware attack in May, 2019. They reportedly contained it relatively quickly and recovered from it, reportedly refusing to pay the ransom demanded by Ryuk threat actors. Metro did not report it as a reportable breach under HIPAA because the ePHI on their system was already encrypted (by them) prior to the attack, so the threat actors should not have been able to access any unencrypted ePHI.
Their investigation had found no evidence that any ePHI had been accessed, exfiltrated, or misused. But reinvestigation in October 2020 raised some doubts that the ePHI had been encrypted before the attack. In its November 2020 web notice, Metro Presort does not explain why they reinvestigated in October 2020, but an update in that statement suggests that they reinvestigated at OCR’s instigation:
The U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”), which is the federal agency responsible for enforcing the federal health information privacy law known as HIPAA, investigated the incident, MPI’s response, and MPI’s data privacy and security practices. On December 31, 2020, OCR issued a ruling finding no violations of HIPAA and closing its investigation.
HIPAA Journal reports:
The incident has recently appeared on the HHS’ Office for Civil Rights website stating the PHI of up to 38,387 individuals may have been compromised.
But what does that number represent? In January of this year, two of Metro Presort’s clients had disclosed the number of their patients who had been impacted: Salem Clinic reported 20,908 patients were affected, and Oregon Heart Center reported 3,172 patients were impacted. Did Metro Presort’s report to HHS include those approximately 24,000 patients, or is their reported number in addition to them? At the time of the Ryuk ransomware incident, Metro Presort was reportedly providing business associate mailing services to 21 healthcare organizations.
DataBreaches.net sent an inquiry to Metro Presort asking for clarification on the number reported to HHS, i.e., whether it was all inclusive, but has received no reply by the time of this publication. This post will be updated when a reply is received.