Kansas Addiction Treatment Organization’s Email Hack Leads To Data Breach

When people go to their doctors, they assume their information is protected. They freely and willingly provide personal information, like social security numbers. Their primary concern is their health and so they literally trust their lives in the hands of medical professionals and providers. This assumption that patient data is protected may be derived from the assumption that medical facilities are all aligned and in compliance with Health Insurance Portability and Accountability (HIPAA). Everyone signs the HIPAA forms and so everyone assumes — even without thinking it — that they are protected and that the medical facility and/or medical providers are in compliance. Indeed, medical providers may believe they are in compliance and their patient data is protected until it happens: the data breach. Instantly, hundreds and thousands and even millions of patients’ information is compromised. Not to mention: the medical entity where the breach occurred may be held liable for it.

Breach of Patient Data Already Making Waves in 2019: The Example of Valley Hope Association

Just recently, a data breach was investigated and confirmed at Valley Hope Association. It’s a Kansas-based nonprofit organization that treats patients with drug and alcohol addictions. They have 16 facilities located in seven states:

1. Arizona
2. Colorado
3. Kansas
4. Missouri
5. Nebraska
6. Oklahoma
7. Texas.

Patients number in the thousands across these seven states. As of the last week of January 2019, the organization has been notifying these patients — former and current — that there was a data breach and their information may have been accessed.

It all started in October 2018. An employee’s email account had suspicious activity. The investigation commenced with this employee’s email account. On November 23, 2018, it was confirmed: a cybercriminal hacked into the employee’s email account, and from there, was able to access patient information. The information compromised includes:

• Social security numbers
• Dates of birth
• Financial account information
• Patient claim or billing information
• Driver’s license or state identification card numbers
• Health insurance
• Medical records
• Medications, and
• More.

These kinds of breaches are the beginning of identity theft. When it happens in medical facilities, it is all the more stressful because these are patients dealing with health issues. Identity theft is not a matter they want to deal with on top of their health issues. Following the breach, Valley Hope has taken two steps:

1. It has provided its patients with free credit monitoring and identity protection services; and
2. It has added additional security measures designed to secure patient data.

Unfortunately, the Valley Hope Association’s breach of patient data is not an isolated event. Many other medical facilities across the country have experienced data breaches. Examples of patient data breaches that occurred in 2018 include:

• Catawba Valley patient records were breached by three phishing hacks.
• Centers for Medicare & Medicaid Services (CMS) confirmed 75,000 people were affected by a data breach in the ACA portal.
• Minnesota Department of Human Services was the victim of two phishing attacks affecting 21,000 patient records.
• Fetal Diagnostic Institute in Hawaii was the victim of ransomware attacks resulting in data breaches of 40,800 patient records.
• Legacy Health, an Oregon-based health system, experienced phishing attacks that led to 38,000 patient record breaches.
• Augusta University Health confirmed in 2018 that 417,000 patient records had been breached.
• UnityPoint Health experienced two large data breaches in 2018, exposing 1.4 million patient accounts to hackers.
• LabCorp confirmed millions of records have been compromised and are at risk due to the hacking that forced a network shutdown.
• A Missouri-based Blue Spring Family Care facility was the victim of ransomware malware, which put 45,000 patient records at risk.
• Banner Health breach in Arizona compromised around 3.7 million patient records.

These are just a few of the many security breaches of patient data that occurred in 2018. As can be understood from these examples, healthcare is a lucrative target for hackers, and as technology advances, so do the hackers’ capabilities. That’s why it is imperative that medical facilities, providers, and professionals take steps to ensure their outsourced IT services providers offer all the latest technology to secure patient information.

What does HIPAA say about patient data protection, responsibility, and consequences?

The HIPAA Privacy Rule sets out to protect “individually identifiable health information” in the possession of a covered entity or its business association regardless if this health information is in electronic or paper form or transmitted orally. Covered entities include:

• Health plans
• Health care clearinghouses
• Health care providers “who electronically transmit any health information in connection with transactions for which the [U.S. Department of Health and Human Services (HHS)] has adopted standards.”

The individually identifiable health information is known as protected health information or PHI. According to HHS, PHI includes demographic information relating to:

• “an individual’s past, present, or future physical or mental health or condition
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.”

Covered entities must take measures to protect PHI. Traditionally, a covered entity breached HIPAA regulations when PHI was accessed by an unauthorized person due to unsecured PHI. When this happens, the covered entity is responsible for a breach in HIPAA regulations. But this responsibility is not as straightforward when the breach is made by ransomware or other malware activity. If the covered entity is found to be in violation of HIPAA due to these data breaches, then heavy financial fines may be imposed along with other required corrective action. Depending on the size of the entity and the amount of the fine and other imposed penalties, a data breach could be detrimental not only to the patients whose information was compromised but to the survival and existence of the facility, provider, or professional.

What can medical facilities do to safeguard their patient data?

Medical facilities or any covered entity and their business associates have options when safeguarding their patient data. These options should be interpreted into a plan of action.

• First and foremost, these facilities must comply with HIPAA regulations.
• Second, they must comply with HIPAA regulations by ensuring they are using the most advanced technologies to safeguard patient data. New technologies develop on a regular basis. You should hire an IT team or outsource your IT needs to an IT services provider who regularly keeps up to date with advancements in technology and consistently implements the technology into their services. If you hire such a team, you can rest assured that data is being protected to the best of technologies’ capabilities.
• Third, covered entities and their business associates must thoroughly vet their IT Team and/or third-party IT services provider. There have been cases in 2018 where breaches were made by tech vendors and other third-party IT services providers, e.g., the case of MedCall Advisors in North Carolina.
• Fourth, policies and procedures should be in place to ensure that on an ongoing basis, best practices are honored to safeguard PHI. These policies and procedures should apply to all staff, employees, medical professionals, and the IT team — even if IT services are outsourced.

Ultimately the responsibility comes down to the party in possession of the patient data and covered by HIPAA regulations. Don’t let what happened to Valley Hope Association happen to you. Start the new year off right: make sure your PHI is secure and safe.