May 14, 2019

Equitas Health, Inc. (“Equitas Health”) learned that it was the victim of a data incident and is notifying individuals whose information may have been affected.  On January 8, 2019, Equitas Health became aware of unusual activity within an employee’s email account.  Equitas Health conducted an internal investigation which revealed that an unauthorized individual had access to two enterprise email accounts.

Equitas Health immediately took steps to remediate the situation and also to investigate the incident.  In that process Equitas Health retained a forensics firm and legal and cybersecurity experts.  As a result of the investigation and after an extensive review,  Equitas Health was able to determine on April 15, 2019 that the information of up to 569 affiliated members may have been affected.  The incident may have involved members’ names, dates of birth, medical history, treatment or diagnosis information, prescription information, medical record numbers, health provider and health insurance information, and/or health insurance policy numbers. For a limited number of members, Social Security numbers and driver’s license numbers may also have been affected.

Out of an abundance of caution, Equitas Health is notifying those members whose information may have been affected, and has reported the incident to appropriate authorities.  Equitas Health is also providing notified individuals with 12 months of free identity monitoring services, as well as informing individuals about steps they can take to further protect their information.  Individuals who receive a letter about this incident are encouraged to enroll in these free identity monitoring services, and should read their letter carefully and follow the instructions provided.

Affected individuals who have questions or need assistance may contact our dedicated call center at 1-833-568-5578, Monday through Friday from 9:00 a.m. to 6:30 p.m. Eastern Time.

SOURCE Equitas Health

May 13, 2019

I realize that some will fault the entity for making early notification before they have all the facts, but my hat is off to the Oregon Health Authority (OHA).  On May 6, they suffered – and quickly stopped – a successful spear-phishing attack that gave the attacker access to one employee’s mail account. That account held protected health information on patients in the state psychiatric hospital (Oregon State Hospital).

Uncertain as to exactly who had ePHI in that account and unsure whether any of the data was even accessed or copied, OHA notified state attorneys general and provided a media notice to let people know what had happened and that they would be bringing in experts to help them determine exactly who had ePHI in the mail account and whether it was accessed.

According to their media notice, the compromised emails contained patients’:

first and last names, dates of birth, medical record numbers, diagnoses, treatment care plans and other information used to provide treatment for patients at the psychiatric hospital.

OHA indicates that they will provide additional information and follow up with affected individuals.

While there is no indication that any protected health information was copied from its email system or used inappropriately, Oregon State Hospital is notifying all patients that their information was potentially compromised. Once the review is complete, OHA will send individual notices to patients whose information was confirmed to be in the compromised emails.

According to its site, OSH serves 1,400 people per year.

Their notification really does impress me. They caught the unauthorized access quickly and stopped it quickly, and within 4 days had notified states and issued a media release. Yes, there’s a lot we don’t know yet, but this is some great transparency that they are demonstrating.

Oregon State Hospital

As a trivia side note: the film “One Flew Over the Cuckoo’s Nest” was filmed at the Oregon State Hospital in the 1970s.

May 13, 2019

OS, Inc. provides revenue management (billing) services to covered entities. I recently reported on a phishing-related breach they experienced in 2018 that was first disclosed this month. As I noted in that post, their notification specifically mentioned a number of their affected clients. Their disclosure did not, however, provide a total number of patients affected, nor name clients who probably wanted to make the disclosure to their patients themselves.

So here’s what we know so far, and there’s likely a lot more to come:

  • Spectrum Health Lakeland – they disclosed the breach to 1,100 St. Joseph’s patients.
  • Tahoe Forest Health District – mentioned in OS’s notice, but no release or numbers from them yet.
  • Sparta Community Hospital – mentioned in OS’s notice, but no release or numbers from them yet.
  • Sauk Prairie Healthcare, Inc. – mentioned in OS’s notice, but no release or numbers from them yet.
  • Idaho Department of Health and Welfare – mentioned in OS’s notice. A media report reveals that 2,060 were notified.
  • Fort Healthcare in Wisconsin – mentioned in OS’s notice. A media report reveals that they are reportedly notifying 19,000 patients.
  • Midwest Medical Center – not mentioned in OS’s notice, but media reports that they are notifying 8,000 patients.

I’ll try to update this post as I find more details. Feel free to let me know of any updates if you find them.

May 13, 2019

Bob Diachenko reports that he found an unprotected and publicly available Elasticsearch cluster containing what appears to be 3,427,396 records of Panamanian citizens.

Screenshot from unsecured elasticsearch. Credit: SecurityDiscovery.

According to Diachenko, each record in tables labeled “patient” contained the following info:

  • full name
  • date of birth
  • national ID number (cedula)
  • medical insurance number (poliza seguro medico)
  • phone
  • email
  • address
  • other info

Screenshot showing data fields in unsecured elasticsearch database. Image credit: SecurityDiscovery.

Some additional details about what Diachenko found are reported by Sergiu Gatlan on BleepingComputer. From what was reported, it’s fortunate that the exposure was found by a white hat who reached out to Panama CERT when he was unable to determine who owned the exposed data.

Based on inspection of the screenshots, this site reached out to Panama’s Ministry of Health to inquire whether this was their database. Healthcare in Panama generally comes from two sources: publicly managed health insurance and the private sector. The public component provides the health clinics called “Salud,” which have a yellow and green logo. The first screenshot Diachenko provided refers to yellow and green, which may be a clue that these records relate to the government provider and its clinics. Then again, it might not be a clue.

This post will be updated if Panama’s government responds to this site’s inquiry.

May 11, 2019

We’ve seen a record number of incidents reported in the first quarter of 2019, and it’s not getting any better in the healthcare sector.

Whether you use HHS’s public breach tool, as Modern Healthcare does, or the system this site and Protenus, Inc. use to track U.S. breaches involving medical or health data, April set a new record for the number of breaches or incidents disclosed during the month.

Using HHS’s breach tool, Modern Healthcare notes that there were 42 breaches each impacting or potentially impacting more than 500 patients that were reported to the federal regulator last month. Those breaches, they report, affected 686,953 people.

Although this site is still compiling and analyzing incidents disclosed in April, so far we have 55 incidents, for which we have numbers on 50 incidents (previously reported as 49). Those 50 incidents affected 2,262,400 people (previously reported as 962,400). The number affected is nowhere near any kind of record high, but the number of incidents recorded is approximately 25% higher than the monthly figures for the first quarter of this year, and a tad higher than some monthly figures from 2017, when we occasionally saw our frequency counter hit 50 or above.