Nonprofit Group Hit 3 Times in 3 Weeks in 2018, Affecting PHI of 85,000 Patients
Federal regulators have hit a Southern California physician services organization with a $240,000 HIPAA civil monetary penalty following an investigation into three ransomware attacks that occurred within a three-week span in early 2018 and compromised the sensitive information of 85,000 patients.
The Department of Health and Human Services' Office for Civil Rights' penalty against Providence Medical Institute, announced Thursday, is the agency's fifth ransomware HIPAA enforcement action to date, and its second in recent weeks (see: Texas Hospital Diverting Ambulances in Wake of Attack).
PMI is a nonprofit physician services organization with 200 providers across 32 medical offices, including seven urgent care centers, in southern California.
HHS OCR's investigation into a breach reported in April 2018 found that servers containing electronic protected health information were accessed and encrypted with ransomware by attackers three times between February and March 2018.
The compromised servers hosted an eClinicalWorks electronic medical record system used by Center for Orthopedic Specialists (COS), a medical practice that PMI had acquired in 2016.
At the time of the attacks, the orthopedic group's IT systems had not yet been fully integrated into PMI's network and were supported by a third-party IT vendor, Creative Solutions in Computers.
HHS OCR's investigation into the matter identified two violations of the HIPAA Security Rule, including failure of PMI to have a business associate agreement in place with Creative Solutions in Computers and failure to implement policies and procedures to allow only authorized persons or software programs access to ePHI.
The ransomware attacks occurred on three consecutive Sundays through February and March 2018, HHS OCR said in a document outlining its investigation.
The first of the three ransomware attacks involving ePHI encryption occurred on Feb. 18, after a worker clicked on a phishing email.
The second incident, on Feb. 25, also encrypted ePHI maintained on COS's system, rendering the data inaccessible and unavailable to the Center for Orthopedic Specialists until it was restored a few days later through backups.
The third wave of ransomware assaults on the Center for Orthopedic Specialists' systems hit on March 4, 2018.
"PMI determined that the third attack was perpetrated by the same attacker, but that the attacker was able to gain remote desktop access to COS's systems through administrator credentials that had been compromised during one of the first two attacks," HHS OCR said.
The orthopedic group managed to restore its systems using backups within days of each attack.
Patient ePHI compromised in the attacks included names, addresses, dates of birth, driver's license numbers, Social Security numbers, lab results, medications, treatment information, credit card information, bank account numbers and other financial information.
While three breaches in three weeks is extreme, multiple attacks on entities are not uncommon, said regulatory attorney Rachel Rose.
"As cybercriminals have become more sophisticated and pernicious, they often deploy more than one strand of ransomware at once. The ability to trigger one attack while the others lie dormant for later deployment is common," she said.
This also often occurs when a victim pays the ransom, she said.
"It is imperative to have a forensic analysis run to detect any remaining ransomware, as well as sophisticated professionals who appreciate when a new infrastructure or component of an infrastructure may be needed versus just deploying backups."
About three months after the last ransomware attack, PMI performed a post-incident assessment on the orthopedic group's ePHI environment.
"The assessment found that at the time of the attacks, COS utilized unsupported and obsolete operating systems to host its ePHI data," HHS OCR said. The group also did not have a demilitarized zone network enabled or configured to separate its private network from the public internet and untrusted networks, HHS OCR said.
The post-incident assessment also found that the Center for Orthopedic Specialists' firewall was not properly configured to monitor and track access or changes to its network, and it had remote desktop protocols enabled, which allowed insecure remote access to its workstations from external sources, HHS OCR said.
"The assessment also found that, at the time of the attacks, COS workforce members were sharing generic credentials with administrator access to log into COS's workstations, which allowed all users logging into COS's workstations to have unrestricted administrator access," HHS OCR said.
"The evidence collected during OCR's investigation indicates that the ePHI was accessible and viewable to the attackers because encryption was not deployed on COS's servers or workstations prior to the attacks," HHS OCR said.
Rose said the ransomware incidents also showcase issues that can arise in healthcare sector consolidation.
"Mergers and acquisitions of companies and the subsequent integration of IT infrastructure and electronic health record mergers is fertile ground for vulnerabilities to emerge," she said.
"It is imperative that HIPAA compliance and cybersecurity safeguards are assessed during the due diligence period. Unfortunately, in a number of cases, this is an area that is not given the attention needed," she said.
An integration may be delayed, patching updates may be missed, and a new vulnerability may arise if certain components are not compatible, she said. "A detailed transition plan should be implemented and a HIPAA risk analysis should be done involving both companies to identify any gaps."
HHS OCR's civil monetary penalty against PMI is the latest of only a handful of HIPAA enforcement actions taken by the agency since 2009 that did not include a corrective action plan to resolve "potential" HIPAA violations.
HHS OCR said it notified PMI in March 2024 about seeking to impose a civil money penalty of $240,000 in the wake of the agency's investigation, but the group waived its right to a hearing and did not contest OCR's findings.
PMI did not immediately respond to Information Security Media Group's request for comment on HHS OCR's enforcement action or the steps that PMI has taken to help avoid similar incidents moving forward.
Since 2018, HHS OCR said it has seen a 264% increase in large HIPAA breaches reported to the agency involving ransomware attacks.
"Failures to fully implement all of the HIPAA Security Rule requirements leave HIPAA covered entities and business associates vulnerable to cyberattacks at the expense of the privacy and security of patients' health information," said Melanie Fontes Rainer, director of HHS OCR, in a statement.
"The healthcare sector needs to get serious about cybersecurity and complying with HIPAA," she said.