Data Under Siege: Strategies for Preparing for, Reacting to Health Care Data Breaches

Over 31 million Americans have been affected by the 10 largest health care data breaches this year, but the damage does not stop there.¹

There are 390 health care data breaches under investigation by the HHS Office for Civil Rights as of August 1, in which millions were affected. The HHS Office of Civil Rights (OCR) requires organizations to report any health data breach that involves more than 500 individuals, which it then records in its database.

The largest reported data breach impacted Kaiser Permanente, a California-based health care provider and hospital system that offers integrated coverage and care for its members²; it operates 40 hospitals and 616 medical offices, and its health plan, Kaiser Foundation Health Plan, Inc., serves 12.6 million members.

In a statement, Kaiser Permanente explained that, on October 25, 2023, online technologies known as cookies or pixels may have transmitted personal member and patient information to third-party vendors Bing, Google, and X while they accessed the organization’s websites and mobile applications.³

The information potentially involved included their names, IP addresses, indicators they were signed into a Kaiser Permanente account, and how they navigated different websites or applications. Conversely, account credentials, Social Security numbers, credit card numbers, and financial account information were not compromised.

While Kaiser Permanente has since removed these technologies and implemented extra cybersecurity measures, the information of 13.4 million members and patients was compromised.¹ Although the company is unaware of any information misuse, it advised those affected to remain vigilant against identity theft or fraud attempts.³

The impact of other breaches is less clear, including high-profile cyberattacks on Change Healthcare, a UnitedHealthcare Group subsidiary, and the Ascension health system.

In a statement, Change Healthcare explained that it became aware of ransomware deployed in its computer system on February 21, 2024.⁴ On March 7, it confirmed that data was exfiltrated from possibly a “substantial proportion of people in America.”

Despite this finding, Change Healthcare’s breach report to OCR identified 500 individuals as the approximate number affected.⁵ OCR noted that the exact number is still to be determined, and the breach database will be amended once Change Healthcare confirms the total number of individuals affected.

The information compromised included health insurance details and medical records⁴; it also included Social Security numbers, along with billing, claims, and payment information. However, Change Healthcare said the breached information will not be the same for all those impacted.

The cyberattack resulted in a Change Healthcare outage, causing widespread disruptions for hospitals and other providers, who relied on the organization for various business functions, like prescriptions and processing claims.⁶ According to an American Medical Association (AMA) survey, 78% lost revenue from claims they could not submit, 80% of respondents lost revenue from unpaid claims, and 85% had to commit additional staff time or resources to complete revenue cycle tasks.⁷

Similarly, Ascension, a faith-based health care organization that operates over 2600 health care sites, including 140 hospitals, detected a ransomware attack on May 8.⁸ Shortly after the attack, Ascension’s electronic health record system, patient portal, some phone systems, and various systems to order certain tests, medications, and procedures went offline.

Consequently, some hospitals diverted ambulances, and some non-emergency surgeries were postponed. Currently, Ascension does not know what data or which individuals were affected as they need to review the potentially impacted files.

As exemplified by these cases, threat actors carry out health care data breaches using various methods, including ransomware attacks.

In an interview with The American Journal of Managed Care^® (AJMC^®) Shawn Tuma, JD, CIPP/US, partner and head of the cybersecurity and data privacy practice at law firm Spencer Fane LLP, explained that ransomware attacks involve threat actors finding a way into the network and stealing patient and employee data. After extracting the data, they encrypt the network, shutting down operations and later using it for extortion.

Another method he highlighted was email account breaches, which threat actors conduct by using phishing techniques or stolen credentials. After successfully logging into an employee's email, they search for patient data, extract the information, and use it for leverage or threats.

However, Tuma noted that attacks on individual providers and business associates are not “terribly sophisticated” as the threat actors often capitalize on organizations overlooking fundamentals, like a lack of multifactor authentication or other factors that affect security settings and configuration.

“It’s just a failure of basic fundamentals most days,” Tuma said. “While that sounds discouraging at first, it’s really a cause for a lot of hope because there are things that can be and could have been remedied if only the proper risk management processes would have been followed.”

To react efficiently to data breaches, Tuma said health systems and insurance providers must understand the difference between incident response and critical incident response. He described an incident response as a binder with tabs you must flip through to figure out the correct response, while a clinical incident response is like "you're in a building that just caught on fire, and you have to make decisions on the fly as you're running for the stairwells."

Although it is beneficial to have an incident response, he advised that organizations also have a simplified critical incident response plan that allows them to take action immediately. Therefore, Tuma suggested having a quick reaction sheet that contains key team members to rely on in critical instances. It should also detail what to do in various worst-case scenarios, like if the computer networks go down, so organizations know how to react in a stressful, chaotic environment.

To create an effective plan, he noted that every health care organization and insurance provider should first understand their unique set of risks, which differs based on the type of work they do, the data they possess, and the jurisdictions they are under. Therefore, organizations must conduct thorough risk assessments to understand their operational risks and the data they must protect.

Once they perform these risk assessments, Tuma said organizations should build their strategic plan to protect against their largest vulnerabilities. After creating this plan, it must be executed by deploying security tools and involving service providers that assist with different cybersecurity aspects, like their cyber counsel, cyber forensics firm, and insurance provider. Then, organizations should train employees on the plan and thoroughly test it; the plan should be revised as necessary.

Lastly, Tuma said that organizations must check on their fundamentals, ensuring that backups, passwords, and multifactor authentication are part of their plan. He also suggested that organizations segment their network as much as possible.

“…there is no tool out there that solves this problem completely,” Tuma said. “It’s warfare, which means we have to be engaged in the battle, the warfare against the active adversary. Every time we do something to protect ourselves, they find a new way to attack us. So, we must be engaged and use the cyber risk management process to keep defending and protecting against their attacks.”

References

1. Breach portal: Notice to the secretary of HHS breach of unsecured protected health information. HHS. Accessed August 1, 2024. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
2. Fast facts. Kaiser Permanente. Accessed August 1, 2024. https://about.kaiserpermanente.org/who-we-are/fast-facts
3. Information notice about a privacy matter. Kaiser Permanente. Accessed August 1, 2024. https://healthy.kaiserpermanente.org/washington/alerts/p3/privacy-matter
4. HIPAA website substitute notice. Change Healthcare. June 20, 2024. Accessed August 1, 2024. https://www.changehealthcare.com/hipaa-substitute-notice
5. Change Healthcare cybersecurity incident frequently asked questions. HHS. July 30, 2024. Accessed August 1, 2024. https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html
6. Alder S. Change Healthcare reports ransomware data breach to HHS. HIPAA journal. July 31, 2024. Accessed August 1, 2024. https://www.hipaajournal.com/change-healthcare-responding-to-cyberattack/#:~:text=The%20initial%20analysis%20revealed%20that,at%20more%20than%20110%20million
7. Change Healthcare cyberattack. American Medical Association. May 20, 2024. Accessed August 1, 2024. https://www.ama-assn.org/practice-management/sustainability/change-healthcare-cyberattack
8. Cybersecurity event update. Ascension. June 14, 2024. Accessed August 1, 2024. https://about.ascension.org/cybersecurity-event