Apr 19, 2019

Laura Hautala reports:

It’s some of the most sensitive medical information a person could have. Records for potentially thousands of patients seeking treatment at several addiction rehabilitation centers were exposed in an unsecured online database, an independent researcher revealed Friday [link corrected by DataBreaches.net].

The records included patients’ names, as well as details of the treatment they received, Justin Paine, the researcher, says. Each patient had multiple records in the database, and Paine estimates there could be about 145,000 patients total in the database.

Paine notified the main treatment center, as well as the website hosting company, when he discovered the database. The data has since been made unavailable to the public. Paine found the data by typing keywords into the Shodan search engine that indexes servers and other devices that connect to the internet.

Read more on CNET.

Apr 19, 2019

Breaches that involve health data generally will cost you more. Asia Fields reports:

Washington State University learned a costly lesson after a hard drive containing the personal information of more than a million people was stolen from a self-storage locker in 2017. Now, the university is going to have to pay even more.

In a settlement approved in King County Superior Court on Thursday, the university agreed to pay up to $4.7 million in cash reimbursements, attorneys fees and administrative expenses. On top of that, the university will pay for two years of credit monitoring and insurance services for up to 1,193,190 people, according to the settlement agreement.

Read more on Seattle Times.

Apr 18, 2019

Callie Ferguson reports:

A communications official at Northern Light Acadia Hospital in Bangor mistakenly emailed the confidential names of 300 patients with prescriptions for Suboxone, a medication used to treat opioid use disorder, to an editor at the Bangor Daily News last week.

In addition to their names, the list also contained the identities of the patients’ medical providers, all of which is protected under federal privacy laws that prohibit health care organizations from disclosing personal patient information to the public without permission. Disclosing that a person takes Suboxone effectively outs him or her for seeking treatment for opioid addiction.

Read more on Bangor Daily News.

Apr 18, 2019

An article by William Maruca of FoxRothschild is headlined, “Ransomware Claims A Victim.” It discusses the case of Brookside ENT, whose doctors decided to shutter their practice and retire a year early after a ransomware attack that encrypted their patient data, billing information, scheduling information, and even their backups. In other words, the attacker successfully crippled the practice and any chance it stood of restoring from the backups it had. Under the circumstances, I’m a bit surprised that the attacker only demanded $6,500.00.

In any event, after reading more about the incident and mulling it over for the past two weeks, I’m going to politely disagree with the assessment that ransomware claimed a victim, because although ransomware was involved, the doctors, Dr. William Scalf and Dr. John Bizon, made a decision to sacrifice any chance of recovering files their patients needed for what? To save maybe $6,500? Maruca writes:

Facing the expense and uncertainty of recovering from this attack, the two physicians, Dr. William Scalf, 64, and Dr. John Bizon, 66 (who also serves as a Republican Michigan state senator), decided to close their practice and accelerate their planned retirement by a year. Unfortunately, with all their records wiped clean, they did not even have a list of patients and their contact information to allow them to communicate the closure of the practice. Instead, Dr. Scalf said, “… what I did was just sort of sat in the office and saw whoever showed up. For the next couple of weeks.” Patients were given referrals to other otolaryngologists in the area, but their records, including test results, remained unavailable.

In explaining their decision not to pay the ransom, Maruca’s article cites a statistic from a cybersecurity firm that only 1/3 of victims who pay ransom get the decryption key. That percentage is significantly less than what the BakerHostetler law firm reports. They report that in their experience handling hundreds of cases last year, the decryption key was provided in 94% of cases when ransom was paid. And these were not all small ransoms. The firm notes that already in 2019, they have had a few clients make ransom payments of more than $1 million — although they inform me that none of these are healthcare entities.

As other reports note, the likelihood of being able to recover data, even with a decryption key, is in no small part a function of what type of ransomware was involved. In the Brookside case, we haven’t been told that piece of information, but the doctors do not mention that as one of the factors that led to their decision not to pay the ransom.

Suppose the doctors had paid the decryption ransom of $6,500.00 and gotten access to their data. They could have still decided to close the practice and retire early rather than rebuild their entire infrastructure and network, but at least they would have been able to contact patients and offer patients the ability to obtain copies of their medical records.

And if the doctors paid the ransom and got stiffed, then at least they could say they tried their best.

Over the past few years, I’ve often stated publicly that even though none of us want to reward criminals or encourage more ransom demands, I would never condemn a healthcare entity who decided to pay ransom because patient care or patient safety was being compromised. I never anticipated that the day might come when I might actually criticize a healthcare entity for not paying a ransom demand, but this situation comes close.

So did the doctors make a decision in their own best interest that was also in the patients’ best interests at this point, or did they just do what was easiest for them, even though other options might have been better for the patients?

Yes, we can talk about how this all might have been prevented in a perfect world where the doctors had a copy of their updated patient roster with contact info printed out daily or where they had a different backup system that could not be corrupted by the ransomware, but that ship already sailed. Let’s just look at the decisions that had to be made at that point. Did the doctors do the right thing? What do YOU think? Either way, I want to be clear that I still do feel badly for the doctors, but right now, I’m just focused on the patients and whether this decision was appropriate given that it definitely left patients without access to their medical records.

Apr 18, 2019

From their notice:

ANOKA, MINNESOTA – April 11, 2019 – Riverplace Counseling Center has become aware of a potential data security incident that may have resulted in the unauthorized access to personal information, including health information. Although, at this time, there is no evidence of any attempted or actual misuse of anyone’s information as a result of this incident, we have taken steps to notify all potentially impacted individuals and to provide resources to assist them.

On January 20, 2019, we discovered that we had been the victim of a cybersecurity incident. We engaged a computer technology firm to assist in removing the malware and restoring our systems from backup. We also engaged independent computer forensics experts to determine how the incident occurred and whether any information had been accessed by the unauthorized intruder. On February 18, 2019, the investigation concluded. Although the investigation did not identify any evidence of access to your information, we unfortunately could not completely rule out the possibility that your personal information, including your name, address, date of birth, Social Security number, health insurance information, and treatment information, may have been accessible.

We take the privacy and security of all information in our control very seriously, and we want to assure you that we are taking steps to prevent a similar event from occurring in the future. These steps include implementing additional technical safeguards including additional spam filters, firewalls and antivirus software system-wide; providing additional staff training on identifying unauthorized access; and securing a specialized cybersecurity firm to further assist us in implementing system-wide policies and procedures to help prevent a similar incident from occurring in the future.

We mailed letters to individuals potentially impacted by this event, which include information about the incident and steps potentially impacted individuals can take to monitor and protect their personal information. We have established a toll-free call center to answer questions about the incident and related concerns. The call center is available Monday through Friday from 8:00 a.m. to 5:30 p.m., Central Time, and can be reached at (833) 231-3359. In addition, out of an abundance of caution, we are offering complimentary identity monitoring services through Kroll to potentially impacted individuals at no cost to them.

The privacy and protection of personal information is a top priority, and we sincerely regret any inconvenience or concern this incident may cause.