On April 7, RS Medical disclosed an incident that had the potential to compromise patient information. A copy of the notification from the Vancouver, Washington entity, obtained by DataBreaches.net, indicates that the attacker may not have been particularly interested in patient information, though:
The primary purpose of the breach, as determined by internal investigation, was to obtain an Outlook account from which to launch 10,000 phishing emails.
This incident, which occurred February 11 – February 12, 2019, does not appear to be related in any way to the breach Microsoft has confirmed to TechCrunch. It appears to be due to just one more instance of an employee falling for a phishing attack.
The pain-relief device manufacturer says that after obtaining the employee credentials and testing the login o make sure it worked, the attacker launched a phishing attack. Ten thousand emails were reportedly sent out from the compromised account before the attack was detected and the password to the account was changed to lock out the attacker.
“The time the U.P. [unauthorized person] had access to the account totaled less than 2 hours. The likelihood that any PHI was acquired or viewed is low but cannot be disproven,” RS Medical’s Privacy Officer Joseph Basham writes.
But because access could not be disproved, RS Medical notified approximately 250 patients whose health information was potentially accessible in that employee’s mailbox. The PHI included name, home address, phone number, and date of birth, as well as either diagnosis codes and/or type and quantity of medical equipment/supplies prescribed that RS Medical documented.
The RS Medical incident is just the latest in a slew of incidents where access to PHI may be highly unlikely but because an entity cannot definitively prove no access, entities have had to — or decided to — to make notifications. It is also just the latest in a slew of incidents where if employees didn’t keep unencrypted PHI in their email accounts, no notifications might be required.
So why, when phishing accounts for approximately 1/3 of all attacks these days and when the costs of incident response may run into the millions of dollars, are people still retaining unencrypted PHI in email accounts? And how can a covered entity justify to OCR, “Yes, we knew that having employees retain PHI in their email accounts contributed to a significant risk of a reportable breach even with providing training on recognizing phishing emails, but we let them store PHI anyway and didn’t even limit for how long it could remain in their email inboxes.”
RS Medical is regulated by the FDA. They did nothing unusual, and I do not mean to suggest in any way that they should be singled out for any enforcement action. But maybe it’s time for HHS to send out a guidance about storing PHI in employee email accounts and how OCR views incidents of this kind — whether allowing such unencrypted storage is consistent with the Security Rule or not. Then again, maybe I’m not seeing something that others with actual security expertise would see.