Sometimes you think you did a good job — and sometimes you actually did do a good job compared to everyone else — but someone comes along and says what you did wasn’t satisfactory at all. And when that “someone” is the U.S. Department of Health and Human Services Office of Civil Rights (HHS OCR), people are likely to read their criticisms of you and accept them uncritically.
When HHS announced its first settlement arising out of a ransomware case, DataBreaches was genuinely surprised and didn’t recognize the entity’s name. With all the outrageous breaches DataBreaches has reported over the years and even filed watchdog complaints about with HHS, why had OCR pursued one DataBreaches couldn’t even recall?
A search of this site’s archives did not find any report on the incident. A search of non-public worksheets DataBreaches creates and maintains did, however, contain an entry for Doctors’ Management Service (DMS). The entry recorded that a breach affecting 206,695 patients occurred on April 1, 2017, but was first discovered in December 2018. DMS disclosed the incident on April 22, 2019, in a notice on DMS’s website and via notification to HHS.
DataBreaches had read the website notice in 2019 and didn’t find anything outrageous. Their system had been breached in April 2017, but the access had not been detected until GandCrab ransomware was deployed in December 2018. Okay, that wasn’t great, but it was not particularly unusual in 2017 and 2018 to find initial access not being detected until something else happened. HHS’s findings claimed, “DMS failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” Was DMS doing those things at all, or was it just not doing those things as often as HHS thinks it should have? Did they get alerts that were ignored, or were there no alerts?
To its credit, DMS appeared to have responded appropriately and effectively to the incident, and they wrote a clear notification letter to those affected.
OCR started investigating this incident in April 2019 and pursued it, eventually claiming that they had found:
- DMS failed to conduct an accurate and thorough risk analysis that assesses technical, physical, and environmental risks and vulnerabilities associated with handling ePHI. See 45 C.F.R. § 164.308(A)(1)(i);
- DMS failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. See 45 C.F.R. § 164.308(a)(1)(ii)(D); and
- DMS failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule. See 45 C.F.R. § 164.316(b).
As with all settlements, there was no admission of guilt by DMS. In reading commentary by attorney Matt Fisher on this case, DataBreaches noted that he seems to see OCR’s findings and decisions as reasonable, opining, in part:
The other key takeaway is that systems have to be monitored. Even though the conduct in the settlement is from a few years ago, letting an intruder wander through systems for over a year and a half is highly problematic. That suggests data were continually exposed and not just data from a point in time were subject to the violation of privacy. Further, only finding the intrusion because ransomware was finally deployed makes it worse. The timing of the ransomware deployment suggests that the attacker extracted a lot of value from the data and then took the final step to see if it could get another payday out of the situation.
But was there any “wandering” or data exfiltration going on during that period that might have been detected? This was before the period of the double-extortion model. Did the attackers exfiltrate any data first and then lock the system, or did they only lock the system? ‘ In a recent interview with Theresa Defino, DMS’s CEO explained that the threat actors gained access through a remote desktop connection. In 2018, before they even knew about the breach, DMS had already improved their security to prevent that kind of attack but did not know the attacker was already in their system:
“We had already cancelled the VPN [virtual private network], but they had already started jumping from computer to computer. It took them [time], but once they got to our server, that’s when they shut everything down,” DiBona said, relaying what forensic investigators told him.
Could DMS have detected that “jumping?” If so, why didn’t they?
DMS’s statement in April 2019 noted that there was no evidence that any protected health information had been accessed or exfiltrated, but that because their investigation couldn’t totally rule it out, they were providing notification. Data from the incident has never shown up on any of the forums or dark web leak sites DataBreaches has checked over the past four years.
DMS not only doesn’t admit guilt in the settlement with OCR, but they separately express shock and distress that OCR ever pursued any formal enforcement action at all.
Did OCR over-reach in this case? Is there anything in OCR’s findings above that wouldn’t have applied to most business associates at the time? Did HHS randomly pick DMS in 2019 because they wanted to make an example of one case or did they truly believe that DMS had really fallen below common security practices by business associates at that time? DataBreaches does not know, but it’s not obvious to DataBreaches why OCR would have undertaken this particular enforcement action against DMS when there were so many other breaches to investigate (in April 2019 alone, there were 50 breaches reported to HHS).
DMS’s website notification from April 2019 is still available, linked from its website (it is a .docx file that will automatically download). Their disclosure could serve as a useful model for the all-too-many entities that fail to be transparent in their notifications. They forthrightly gave the dates and a clear description of what happened, what they found, and what they couldn’t rule out. Kudos to them. We need more companies to be as transparent.
But then, did their transparency and honesty result in years of stress and problems? Will this settlement discourage other entities from being so forthright about what happened? DMS went through 4+ years of stress and compliance inquiries from OCR stemming from a breach where there has never been any report of harm to the patients or misuse of the data, and where the entity disclosed the breach less than four months after they discovered the ransomware attack. And let’s recall that they did not pay any ransom and had been able to restore quickly from backups. They did so much right — and so much better than a lot of incidents we have seen in the past few years. And yet they became the first settlement over a ransomware incident.
When HHS announced the settlement, DataBreaches never thought to really question their claims and decision. Thankfully, though, Theresa Defino dug into this case for the latest issue of Report on Patient Privacy. In BA Depicted by OCR as Example of Ransomware Dangers Recovered Quickly, Didn’t Expect Fine, Defino interviewed Tim DiBona, CEO of DMS. DiBona’s description of his firm’s experience needs to be read and considered. Did OCR go too far in their enforcement in this case? Were the findings valid, but using an enforcement sledgehammer instead of just education heavy-handed and unfair?
In mid-2018, DataBreaches filed a watchdog complaint with HHS about a covered entity in Michigan that apparently knowingly covered up a breach affecting more than 40,000 patients for more than two years. That entity did not notify patients and they did not notify HHS until DataBreaches learned of the breach from the threat actor and told the entity that this site would be reporting on it. The entity then rushed to disclose the breach, but lied in its disclosure to patients and to HHS about when they discovered the breach. DataBreach sent HHS a watchdog complaint in mid-2018 that included copies of the police reports the entity had filed at the time of the breach in 2016 that proved the entity knew they had been hacked, that they had received an extortion demand, and that the threat actor had shown them proof of claims.
What has OCR done in that case of a willful cover-up of a breach? Wouldn’t that have been a good case to use to set an example that entities will not get away with covering up breaches? DataBreaches is still waiting to see OCR hit that covered entity with a serious monetary penalty and corrective action plan. Instead, it’s been five years of crickets while OCR apparently spent some of its limited resources in 2019 pursuing a business entity that for its time, seemed to have security that was no worse than most entities at the time and whose incident response appeared to be a real cut above the rest.