264,000 and counting: Hack of EHR/EMR vendor leaves clients scrambling

What data security incident currently holds the undesirable status of 2016’s largest incident involving patient data that has been reported to HHS?*  There’s a good chance you’ve never heard about it because the company has remained publicly mute.

prognocisSan Jose-based Bizmatics, Inc. designs and markets electronic health record and electronic medical records practice management software solutions for healthcare providers. Its PrognoCIS product is a cloud-based platform that includes practice management services and an online patient portal through which patients can request appointments, communicate with their doctors, and access their records.

By its best guess, sometime in January, 2015, Bizmatics fell victim to a cyberattack. They became aware of the attack in late December, 2015, and in January, 2016, they began notifying clients that there had been an incident. A letter Bizmatics sent to one client in March indicates that malware was involved:

“cyber intruders may have installed malware in January 2015 and, through credential theft, accessed certain systems in the Bizmatics environment. Bizmatics did not become aware of the incident until late 2015.”

Did an employee fall for a phishing attack and thereby give the attackers access to login credentials to the server(s) with patient records? It’s not totally clear from their statement.

Some clients were notified that Bizmatics could not determine conclusively whether their patients’ records had been accessed at all. Other clients were notified that their patients’ information had been accessed, but Bizmatics could not determine conclusively whether the data had been copied or stolen.  

Bizmatics, it seems, was unable to answer crucial questions such as “What happened, when, and who was affected?”  As one provider wrote to his patients in notifying them of the incident:

Bizmatics, law enforcement, and CrowdStrike were unable to pinpoint the precise date on which the attack began. Bizmatics believes the incident may have occurred in early 2015. Since that time and during their investigation into the breach, Bizmatics has never informed Family Medicine of Weston as to which patients were affected. According to a Bizmatics representative, CrowdStrike could not find a sufficient log of evidence to determine all of the information accessed or viewed by the hackers.  

If Bizmatics did not have adequate or complete logging, there is likely nothing CrowdStrike can do to nail down when an event occurred or whether, when, and which data may have been exfiltrated. Why they didn’t have sufficient logs is a question regulators may well ask them.

Bizmatics hastened to assure its clients that based on an investigation by the independent forensics firm they had hired and a criminal investigation conducted by law enforcement, investigators had found

“… no reason to believe patient files were the target of the attack. Further, investigators could not conclusively determine if there was, in fact, a [Protected Health Information] breach at all,” as one client informed its patients.

Some clients were notified in January, but other clients were first notified at the end of March, as Bizmatics’ investigation has been ongoing.  Some patients of clients notified in March are first receiving notification letters this month. 

One client informed DataBreaches.net that when they first received a notification letter dated March 30th on April 30th, they were dismayed to learn that Bizmatics had still been storing their patients’ information on the server as  they had stopped using Bizmatics in 2014. 

Patients at Risk

The types of patient information in the records included standard clinical information about appointments, diagnoses, and treatments, as well as patient identity information such as name, address, telephone number, marital status, and date of birth. In some cases, Social Security numbers were also included. Health insurance information, including account information, was also in many clients’ records. Financial and credit card data were generally not included, according to some of the letters seen by this reporter.

Bizmatics made no mention of encryption in any of its notifications, so it would appear that if these records are in the hands of criminals, they would have enough information to engage in identity theft or medical identify theft.  

Sit down, because we have something sad to tell you

Although there reportedly was no evidence for some clients that their patient information had definitely been accessed or stolen, under federal regulations, and because Bizmatics could not be sure in many cases that the data hadn’t been accessed or stolen, clients who are covered by the federal HIPAA regulations should have determined that they were required to report the incident to the U.S. Department of Health and Human Services (HHS) and to their patients.  Others may have determined that they were not obligated, but that they would err on the side of caution and report. How many may have determined that they had no obligation to report or disclose is not known to DataBreaches.net.

So far, DataBreaches.net has been able to track down more than one dozen notification reports linked to the Bizmatics incident. The following Bizmatics clients all notified their patients:

The numbers compiled above do not include one other report highly likely to be  linked to the Bizmatics incident:  

More than one dozen down, but how many to go?

Bizmatics claims to have over 15,000 clients. It appears that at least 264,208 patients from just 17 of those clients have been notified of this incident. How many more clients and patients are there who have yet to be notified? And how many clients may have decided that they did not need to disclose at all?  Bizmatics does not appear to have directly reported this breach to HHS itself, and their name appears nowhere in HHS’s public breach tool.  

Related to that last point: not all of the reports DataBreaches.net tracked down appear in HHS’s public breach tool. And, disturbingly to those who try to analyze breach reports, in the majority of cases that are reported, the field that asks whether a business associate was involved indicates “No.”  As one client explained to DataBreaches.net, HHS’s reporting form does not have a clearly worded option that indicates that the entity is reporting as a covered entity but the breach was the business associate’s breach. Hopefully, the breach tool team will tweak their wording to provide clearer instructions and options. Because of this confusion, HHS’s public breach tool is not a reliable source of information as to how extensive the Bizmatics breach has been.  

Mum’s the word?

Bizmatics has made no public statements about the incident, although it immediately reported the incident to law enforcement, and brought in CrowdStrike to help them investigate. CrowdStrike did not respond to an email inquiry from this journalist asking for clarification on the incident.  Nor has Bizmatics responded to any inquiries from this reporter.  

Are there lessons to be learned here? Undoubtedly. But what those exact lessons are remain to be determined once CrowdStrike’s report is shared with HHS/OCR or the public. Of course, Bizmatics could release the report themselves. Or perhaps some state attorneys general will decide to investigate and will share more information with the public.  Or maybe the Federal Trade Commission will investigate whether Bizmatics’ data security was “unreasonable” under Section 5 of the FTC Act. 

All this reporter/privacy advocate knows is that some regulator should be investigating how this happened and why Bizmatics was unable to determine exactly what happened, when, and to whom.  

If Bizmatics, Inc. or CrowdStrike provides some answers or details, DataBreaches.net will update this story.


*In another story by this reporter on the Daily Dot, there is an even larger incident involving an Atlanta entity allegedly hacked by TheDarkOverlord, but that incident does not appear to have been reported (yet) to HHS. Nor has an incident allegedly involving a hacked health insurer’s database with 9.3 million records been reported to HHS (yet).  In light of what TheDarkOverlord told this reporter, by the time 2016 is done, we may see more compromised records with PHI than any previous year. 

CORRECTION: Stamford Podiatry Group was not a Bizmatics client affected by their breach; SPG reported an unrelated hack. DataBreaches.net apologizes for the error.

About the author: Dissent

7 comments to “264,000 and counting: Hack of EHR/EMR vendor leaves clients scrambling”

You can leave a reply or Trackback this post.
  1. Justin Shafer - June 29, 2016

    Sounds like our government just doesn’t want to enforce the congressional mandated HIPAA laws, especially notification.

    Unless they claim it is in the interest of national security.

    I wonder if anyone on the ES FTP Server has been notified.

    • Justin Shafer - June 29, 2016

      50 bucks said they thought the risk was low, and only had to report to HHS.

      Sounds…. familiar.

    • Dissent - June 29, 2016

      I think you may misunderstand the notification requirements. It would be in the BAA whether the business associate does the notifications to HHS and patients (or both) or if the covered entity will do the notifications. But at the very least, the BAA has to timely notify the covered entity.

      So in my BAA with a contractor, it says, in part, that it is their obligation to

      (c) Report to Covered Entity any use or disclosure of PHI protected health information not provided for by the Agreement of which it becomes aware, including breaches of unsecured protected health information as required at 45 CFR 164.410, and any security incident of which it becomes aware; The Business Associate, will report these immediately or not more than 5 business days after such a discovery.

      The Business Associate will handle breach notifications to individuals, the HHS Office for Civil Rights (OCR), and potentially the media, on behalf of the Covered Entity as its own breach

      • Justin Shafer - June 29, 2016

        Ahhhh…. Very smart. Most doctors don’t really have a choice when it comes to the wording in the BAA. I can’t see you putting patient data on the cloud, or even a computer. =)

        Lets assume a breach risk assessment was performed, I wonder if it was low, medium or high. And I wonder if the secretary at OCRHHS agreed with whatever answer they decided to go with.

        If it was low, then only OCRHHS gets to hear about it, but if it was medium or high, patients have to be alerted.

        Is someone having access to that network for a brief period without all the logs.. low, medium.. or high. =)

        • Dissent - June 29, 2016

          You might check with very knowledgeable Jeff Drummond on this, as he’s actually a lawyer, but I’d think that if you don’t KNOW what happened, then the risk is not “low” but rather, “unknown,” and under those circumstances, notification is required.

          • Anonymous - July 7, 2016

            I think a lawyer, generically speaking can assume anything they want. Now it is up to the rest to prove him right or wrong.

  2. Anonymous - July 7, 2016

    all i want to add to this is, its somewhat simple to reconstruct dates.

    There are a lot of variables in that statement I made, but it can be done. Typically, no logging means probably no backups and probably not a lot of documentation as well. Some corporations ride on previously taught procedures and little is documented in a way that is useful.

    With the shortage of IT talent out there, a company would rather hire a person rather consider paying a consultant to come in and offer a road map to compliance. It would cost less to bring in a security consultant who is highly trained in an area the company needs, both sign a NDA and the consultant can offer an option to show how all this can be fixed to a IT tech thats willing to learn.

Comments are closed.