On February 18, 2019, Columbia Surgical Specialists of Spokane notified HHS of a breach impacting 400,000 patients. The incident was coded as a network/IT incident involving data on the network server. DataBreaches.net reached out to the entity for additional details concerning what we hypothesized was a ransomware attack. But despite two phone calls to the provider (one yesterday, one today), they did not return calls, and their site remains devoid of any substitute notice or notification about the breach.
An information systems manager apparently did respond to Information Security Media Group, though, telling them that there was a ransomware incident on January 7. According to the report by Marianne Kolbasuk McGee on CareersInfoSecurity:
The practice worked with a security firm to unlock its systems and recover its data without paying a ransom within a few days of the attack. Some of the impacted patient files are more than 20 years old, and the practice is still assessing how to notify various individuals, the manager says.
With data more than 20 years old, it’s likely that at least some patients moved or are deceased, but notifications may still be required – if this is a reportable breach. But was this really a reportable breach requiring notification? And is there any evidence concerning data exfiltration? Because Columbia Surgical Specialists of Spokane has not responded to this site’s inquiries, we do not know.
In DataBreaches.net’s opinion, HHS should investigate and consider enforcement action about the old data that was still online and could potentially have been exfiltrated. Why was it necessary for the practice to keep old ePHI connected to the internet and hence, vulnerable? Were the files that were more than 20 years old the files of still-active patients or were the files that were more than 20 years old all inactive or terminated patients? It matters.
This past year has made at least two risks fairly obvious:
- ePHI stored in employees’ email accounts is at significant risk of being compromised by phishing attacks. So why are employees storing so much unencrypted ePHI in their email accounts and what could/should covered entities due to minimize the risk to emailed ePHI? This does not appear to be an issue in this case, but it is the kind of known risk that entities should be including in their risk assessments and addressing; and, of relevance to this case:
- Old data that is stored unsecurely and left connected to the internet may wind up exfiltrated and/or misused. Why are entities not moving ePHI offline after a year or two of inactivity? If an entity is sued for failure to adequately protect data by leaving it exposed to hackers when there was no need to keep it connected to the internet, would their insurance policy cover them? Do their HIPAA-mandated risk assessments even reflect this risk? Why should data more than 20 years old still be connected to the internet if the patient is not a current patient?
I would love to see OCR investigate and take enforcement action on these issues – if not with Columbia for the second issue, but then with another entity that has stored vast quantities of old ePHI that gets stolen or locked up in an attack.
Update: DataBreaches.net received a statement from the entity. Read more here.