Signify Health notifies covered entities’ patients of possible access to their PHI
Signify Health, LLC is a business associate to entities covered under HIPAA. On October 12, 2020, they discovered that an employee had published his login credentials to a subscription-based job board. The employee, described as a low-level IT Support Specialist, was seeking a coding specialist to help him write a job-related script. He would later claim that he did not realize he had uploaded his login credentials.
From a notification to New Hampshire by Signify’s external counsel:
Signify did not know, consent to, or condone this action; moreover, the employee violated Signify’s established policy and Code of Conduct. Signify has since terminated this employee.
The good news (if there was good news) is that the employee’s job was to receive, log, triage , and track IT support requests in Jira. His login credentials only gave him access to Jira. The other good news was that Signify learned of the exposed credentials in approximately three hours.
The bad news was that every ticket in the Jira support ticket system had to be manually checked to determine whether it contained any protected health information:
To discover any Protected Data, a user must manually open each ticket to determine whether the ticket contains any attachments. If it does, the user must then click on the attachment to determine whether it contains Protected Data.
Despite Kroll’s efforts, they could neither prove nor rule out unauthorized access to any PHI attached to tickets. Those notified were offered identity monitory and credit restoration services through Kroll.
So for a three-hour window of exposure, I wonder what this now-former employee’s mistake cost Signify in terms of incident response. As a result of the incident, they have made several changes, including implementing two-factor authentication for all its technology systems.
Note that their report to New Hampshire and to patients was in March, and since we have not seen anything from Signify on HHS’s public breach tool, we may not see this one on that list.