Compromising Healthcare Data

True Health Diagnostics

True Health Diagnostics, a health services company (based in DFW – Frisco specifically) specializes in “comprehensive testing for early detection of chronic diseases.” True Health produces medical reports that contain a deep look into the personal health of patients.

In 2017, there was a serious flaw in their website that allowed users to view virtually anyone else’s detailed health records and blood tests by simply changing a single digit in a URL.

While logged into True Health’s website, a user could download their medical files as a PDF right from their dashboard for ease of use. However, by changing the URL of the link to your personal PDF, you could download someone else’s personal information.

In other words, no authorization was needed to access the medical records: they were stored as sequentially numbered PDF files, and they all sat in the same folder that patients accessed with a Web browser. This is a basic form of exploitation known as HTTP Parameter Pollution, where an attacker can bypass authorization by simply changing a hyperlink’s parameter. For more information on this form of attack, see my previous post on HTTP Parameter Pollution.
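The missing check, as an added illustration that is not code from True Health or from the original post: a download handler that trusts the sequential number in the URL beside one that first confirms the logged-in user owns the requested report. All record names and file paths are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    owner_id: str   # the only user entitled to download this report
    path: str       # server-side storage location, never shown to the client


# Constructed sample data: two patients, each with one lab report. The files
# are numbered sequentially, the pattern the post describes.
REPORTS_BY_SEQ = {
    1001: Report(owner_id="patient-A", path="/var/reports/1001.pdf"),
    1002: Report(owner_id="patient-B", path="/var/reports/1002.pdf"),
}


def vulnerable_download(session_user_id: str, seq_param: int) -> str:
    """The flawed pattern: the handler checks only that *some* user is logged
    in, then serves whatever sequential number the URL names. Changing one
    digit yields another patient's file."""
    if not session_user_id:
        raise PermissionError("login required")
    return REPORTS_BY_SEQ[seq_param].path  # owner never compared to caller


def can_download(session_user_id: str, seq_param: int) -> bool:
    """Authorization decision: the record must exist AND belong to the caller.
    Both failures collapse to False so the response does not reveal which
    sequential numbers are in use."""
    report = REPORTS_BY_SEQ.get(seq_param)
    return bool(session_user_id) and report is not None \
        and report.owner_id == session_user_id


def secure_download(session_user_id: str, seq_param: int) -> str:
    """The fix: resolve the record, then require that the caller owns it."""
    if not can_download(session_user_id, seq_param):
        raise PermissionError("report not found or not owned by caller")
    return REPORTS_BY_SEQ[seq_param].path


def opaque_report_id() -> str:
    """Defence in depth: issue unguessable identifiers instead of sequential
    numbers, so a changed digit maps to nothing. The ownership check above is
    still the actual control; this only removes trivial enumeration."""
    return secrets.token_urlsafe(16)
```

The ownership check belongs in the handler that serves the file, not in the page that builds the link; a link the client cannot see is still a URL the client can type.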

Catholic Health Care Services

In the summer of 2016, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to settle HIPAA violations with the Department of Health and Human Services’ Office for Civil Rights (OCR). In doing so, CHCS agreed to implement a Corrective Action Plan and paid a financial penalty of $650,000.

The HIPAA violation stemmed essentially from the theft of an employee’s company-issued iPhone. Because CHCS provided management and IT services as a business associate to six skilled nursing facilities, the phone theft compromised the protected health information (PHI) of over 400 nursing home residents. OCR also found that CHCS did not have an effective risk analysis and risk management plan.

The employee’s phone was stolen in 2014 and was neither encrypted nor password protected. The information stored on the iPhone was extensive: Social Security numbers, medical procedures, information regarding diagnosis and treatment, etc. At the time of this incident, CHCS lacked a formal policy addressing the removal of company-issued mobile devices from its facilities.

Feinstein Institute for Medical Research

In one of the largest settlement amounts agreed with the OCR, Feinstein Institute for Medical Research agreed to pay $3.9 million over HIPAA violations. The Feinstein Institute is a non-profit biomedical research institute based in New York. This settlement stems from a large investigation into a 2012 data breach involving the data of 13,000 research participants.

Similar to the CHCS breach above, this too was a case of theft. The laptop was stolen from an employee’s vehicle (it had been left on the back seat in full view) and was likewise unencrypted and not password protected. It stored a large amount of data, including study participants’ full names, Social Security numbers, medical diagnoses, prescribed medications, and other medical data relating to the research study. The OCR levied a heavy financial penalty on the Feinstein Institute over violations such as:

  • Impermissible disclosure of EPHI of 13,000 individuals
  • Inaccurate and incomplete risk analysis
  • Failure to implement policies and procedures governing access to EPHI by its workforce members
  • Lack of physical safeguards to prevent theft of data or accessing of EPHI by unauthorized individuals
  • Lack of policies and procedures governing the removal of equipment used to store EPHI from its facilities
  • Failure to encrypt data or use another reasonable security measure which safeguards EPHI

Verity Health System

Verity Health System is a healthcare organization based in Redwood City, California, that operates four hospitals throughout the state.

In January, Verity reported a breach of their patient data after multiple targeted phishing attacks (running from November 2018 until mid-January 2019) gave a hacker access to three employee e-mail accounts.

During the incident, the attacker sent e-mails containing malicious links to a wide range of internal and external accounts. Officials have confirmed that no additional Verity employee e-mail accounts, networks, or servers were compromised. The hacker’s access was terminated within hours, all unauthorized e-mails were deleted, and all e-mail accounts where the user clicked on the malicious links were disabled.

Despite Verity’s prompt response, the hacker had access to e-mails and attachments for several hours. An investigation into the hack determined that one or more of those attachments included PHI for about 15,000 patients, containing vast amounts of sensitive information (health information, Social Security numbers, billing information, etc.).

In response to the attack, Verity notified potentially affected individuals to provide additional information and guidance, reported the incidents to all appropriate regulatory bodies, and is deploying a new mandatory training module for all employees. Verity has also initiated a project to enhance their security, which includes mandating password resets for all employees and the disabling of all unknown URLs.

The data potentially exposed in this breach contained extremely sensitive and detailed patient health information and thus falls under both HIPAA and the state of California’s regulations. Verity has publicly posted their notifications of the breach, which include their steps toward remediation as well as the extent and scope of the unauthorized access.

Closing Thoughts

The number of people in the U.S. who have had their health information exposed is only going up, and breaches have continued to get worse.

There has been a significant increase in e-mail breaches in recent years. Since 2017, e-mail has become the primary avenue through which PHI is exposed. In previous years, healthcare organizations were mostly focused on containing breaches that occurred via theft of company-owned devices (like laptops) or paper records.

E-mail breaches largely stem from targeted phishing attacks. To combat these techniques, healthcare organizations must shift their focus to regularly educating their personnel to identify threats, and bolster organization-wide confidence by creating a cyber-secure culture.