Three months after ransomware attack and two months after data was dumped, UHC has yet to notify patients in writing
On September 25, DataBreaches.net reported on a ransomware attack suffered by United Health Centers of San Joaquin Valley (UHC). BleepingComputer had also reported on the incident the day before. Neither this site nor BleepingComputer had been able to get a statement from UHC at the time, but it was clear from the data dumped by threat actors known as “Vice Society” that there was protected health information acquired and dumped.
Two months later, patients have still not received any individual notifications, it seems. In an update on its website dated November 19, UHC writes:
On August 28, 2021, UHC experienced technical difficulties resulting in a disruption to certain computer systems. We promptly took steps to secure our systems and commenced an investigation into the nature and scope of the incident. UHC’s investigation determined on August 29, 2021, that the disruption was caused by an encryption event. UHC worked expeditiously to restore our systems from available backups to avoid an interruption to patient care. UHC’s electronic health record system was not impacted by the event.
On September 22, 2021, UHC learned that the unauthorized actor who conducted the encryption event posted certain UHC data to an unindexed internet website, which contains information relating to some UHC patients, including demographic information. UHC is currently working diligently, with the assistance of third-party subject matter experts, to confirm the type and scope of information affected, and the patients to whom the information relates. This effort is currently ongoing.
Further down in the notification, they write (emphasis added by this site):
The security, confidentiality, and integrity of information within UHC’s care is one of our highest priorities. Upon learning of the event, UHC immediately took steps to further secure our systems and investigate the event, restore from available backups so we could continue treating patients, and investigate the full scope of the incident. UHC will also be providing written notice directly to impacted individuals once UHC has completed our investigation and determined the full scope of impacted individuals and the information related to said individuals that may have been affected.
So patients have had their personal and protected health data publicly available on the dark web since September but haven’t been individually notified at all? What if patients don’t read UHC’s website?
What about California’s law requiring faster notification than this? What about HHS’s notification rule about no later than 60 days from discovery?
The system isn’t working well, even when entities are in good faith and are trying to comply. Should they be penalized for failure to notify timely? Perhaps not. But perhaps HHS can meaningfully look at whether entities had adequate protections in place so that at least old data — such as we saw in this case — is either offline or encrypted and segmented so that it isn’t needlessly connected to the internet and compromised.