Conifer Health Solutions Security Incident Impacts Patients at 5 Healthcare Organizations

Late last week, Conifer Health Solutions posted a notice of a data security incident at their organization that potentially impacted patients at five healthcare organizations.  According to the notice, an unauthorized third party accessed an email account on the Microsoft Office 365 hosted system.  They reported the breach to have occurred January 20, 2022.  Here are the 5 organizations that could have had patients involved:

  • Baptist Health System
  • Resolute Health Hospital
  • The Hospitals of Providence Memorial Campus
  • Valley Baptist Medical Center – Brownsville
  • Valley Baptist Medical Center – Harlingen

Looks like the review of the breach happened between June 13, 2022 and August 3, 2022, which seems like a long time to wait to notify patients of a potential breach of their information.  Like most investigations, they weren’t able to tell conclusively if personal information was accessed or not, and of course they don’t know of any misuse of the data.  They did say the following information may have been accessed by the unauthorized third party:

Personal information involved in this incident may have included one or more of the following elements: (1) information to identify the individual (such as full name, date of birth, and address); (2) Social Security number, driver’s license/state ID number, and/or financial account information; (3) medical and/or treatment information (such as medical record number, dates of service, provider and facility, diagnosis or symptom information, and prescription/medication); (4) health insurance information (such as payor name and subscriber/Medicare/Medicaid number); and (5) billing and claims information. Please note that not all data elements were involved for all individuals.

As has become standard in breach notifications like this, they have done all the work necessary to secure their systems from future breaches, have set up a hotline where people can call for help, and will do credit monitoring for those whose financial info may have been accessed.

Lots of lessons to learn from this incident.

First, if the hacker has access to a person’s credentials, then they essentially have a key to access whatever they want.  That’s why many hackers are focusing on credentials now rather than hacking systems.  It’s much easier to get access to credentials than it is to find a hole in a system’s security.

Second, two-factor authentication may be slightly painful, but it would have likely prevented this incident.  Conifer has accelerated their implementation of two-factor authentication and so should most others in healthcare.

Third, it’s amazing how much PHI is being stored in non-clinical systems.  In this case it was Microsoft Office 365.  Don’t forget about security on these ancillary systems that may not seem like clinical systems.

Fourth, for provider organizations, you’re only as secure as your third-party vendors.  What are you doing to ensure they’re as secure as possible?

Fifth, we all have firewalls and other network security implemented, but it’s just as important to roll out security applications on top of things like email systems.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

   
