264,000 and counting: Hack of EHR/EMR vendor leaves clients scrambling

What data security incident currently holds the undesirable status of 2016’s largest incident involving patient data that has been reported to HHS?*  There’s a good chance you’ve never heard about it because the company has remained publicly mute.

prognocisSan Jose-based Bizmatics, Inc. designs and markets electronic health record and electronic medical records practice management software solutions for healthcare providers. Its PrognoCIS product is a cloud-based platform that includes practice management services and an online patient portal through which patients can request appointments, communicate with their doctors, and access their records.

By its best guess, sometime in January, 2015, Bizmatics fell victim to a cyberattack. They became aware of the attack in late December, 2015, and in January, 2016, they began notifying clients that there had been an incident. A letter Bizmatics sent to one client in March indicates that malware was involved:

“cyber intruders may have installed malware in January 2015 and, through credential theft, accessed certain systems in the Bizmatics environment. Bizmatics did not become aware of the incident until late 2015.”

Did an employee fall for a phishing attack and thereby give the attackers access to login credentials to the server(s) with patient records? It’s not totally clear from their statement.

Some clients were notified that Bizmatics could not determine conclusively whether their patients’ records had been accessed at all. Other clients were notified that their patients’ information had been accessed, but Bizmatics could not determine conclusively whether the data had been copied or stolen.  

Bizmatics, it seems, was unable to answer crucial questions such as “What happened, when, and who was affected?”  As one provider wrote to his patients in notifying them of the incident:

Bizmatics, law enforcement, and CrowdStrike were unable to pinpoint the precise date on which the attack began. Bizmatics believes the incident may have occurred in early 2015. Since that time and during their investigation into the breach, Bizmatics has never informed Family Medicine of Weston as to which patients were affected. According to a Bizmatics representative, CrowdStrike could not find a sufficient log of evidence to determine all of the information accessed or viewed by the hackers.  

If Bizmatics did not have adequate or complete logging, there is likely nothing CrowdStrike can do to nail down when an event occurred or whether, when, and which data may have been exfiltrated. Why they didn’t have sufficient logs is a question regulators may well ask them.

Bizmatics hastened to assure its clients that based on an investigation by the independent forensics firm they had hired and a criminal investigation conducted by law enforcement, investigators had found

“… no reason to believe patient files were the target of the attack. Further, investigators could not conclusively determine if there was, in fact, a [Protected Health Information] breach at all,” as one client informed its patients.

Some clients were notified in January, but other clients were first notified at the end of March, as Bizmatics’ investigation has been ongoing.  Some patients of clients notified in March are first receiving notification letters this month. 

One client informed DataBreaches.net that when they first received a notification letter dated March 30th on April 30th, they were dismayed to learn that Bizmatics had still been storing their patients’ information on the server as  they had stopped using Bizmatics in 2014. 

Patients at Risk

The types of patient information in the records included standard clinical information about appointments, diagnoses, and treatments, as well as patient identity information such as name, address, telephone number, marital status, and date of birth. In some cases, Social Security numbers were also included. Health insurance information, including account information, was also in many clients’ records. Financial and credit card data were generally not included, according to some of the letters seen by this reporter.

Bizmatics made no mention of encryption in any of its notifications, so it would appear that if these records are in the hands of criminals, they would have enough information to engage in identity theft or medical identify theft.  

Sit down, because we have something sad to tell you

Although there reportedly was no evidence for some clients that their patient information had definitely been accessed or stolen, under federal regulations, and because Bizmatics could not be sure in many cases that the data hadn’t been accessed or stolen, clients who are covered by the federal HIPAA regulations should have determined that they were required to report the incident to the U.S. Department of Health and Human Services (HHS) and to their patients.  Others may have determined that they were not obligated, but that they would err on the side of caution and report. How many may have determined that they had no obligation to report or disclose is not known to DataBreaches.net.

So far, DataBreaches.net has been able to track down more than one dozen notification reports linked to the Bizmatics incident. The following Bizmatics clients all notified their patients:

The numbers compiled above do not include one other report highly likely to be  linked to the Bizmatics incident:  

More than one dozen down, but how many to go?

Bizmatics claims to have over 15,000 clients. It appears that at least 264,208 patients from just 17 of those clients have been notified of this incident. How many more clients and patients are there who have yet to be notified? And how many clients may have decided that they did not need to disclose at all?  Bizmatics does not appear to have directly reported this breach to HHS itself, and their name appears nowhere in HHS’s public breach tool.  

Related to that last point: not all of the reports DataBreaches.net tracked down appear in HHS’s public breach tool. And, disturbingly to those who try to analyze breach reports, in the majority of cases that are reported, the field that asks whether a business associate was involved indicates “No.”  As one client explained to DataBreaches.net, HHS’s reporting form does not have a clearly worded option that indicates that the entity is reporting as a covered entity but the breach was the business associate’s breach. Hopefully, the breach tool team will tweak their wording to provide clearer instructions and options. Because of this confusion, HHS’s public breach tool is not a reliable source of information as to how extensive the Bizmatics breach has been.  

Mum’s the word?

Bizmatics has made no public statements about the incident, although it immediately reported the incident to law enforcement, and brought in CrowdStrike to help them investigate. CrowdStrike did not respond to an email inquiry from this journalist asking for clarification on the incident.  Nor has Bizmatics responded to any inquiries from this reporter.  

Are there lessons to be learned here? Undoubtedly. But what those exact lessons are remain to be determined once CrowdStrike’s report is shared with HHS/OCR or the public. Of course, Bizmatics could release the report themselves. Or perhaps some state attorneys general will decide to investigate and will share more information with the public.  Or maybe the Federal Trade Commission will investigate whether Bizmatics’ data security was “unreasonable” under Section 5 of the FTC Act. 

All this reporter/privacy advocate knows is that some regulator should be investigating how this happened and why Bizmatics was unable to determine exactly what happened, when, and to whom.  

If Bizmatics, Inc. or CrowdStrike provides some answers or details, DataBreaches.net will update this story.

—-

*In another story by this reporter on the Daily Dot, there is an even larger incident involving an Atlanta entity allegedly hacked by TheDarkOverlord, but that incident does not appear to have been reported (yet) to HHS. Nor has an incident allegedly involving a hacked health insurer’s database with 9.3 million records been reported to HHS (yet).  In light of what TheDarkOverlord told this reporter, by the time 2016 is done, we may see more compromised records with PHI than any previous year. 

CORRECTION: Stamford Podiatry Group was not a Bizmatics client affected by their breach; SPG reported an unrelated hack. DataBreaches.net apologizes for the error.

About the author: Dissent