Saturday, August 17, 2019

Lengthy Time to Report Compromise: 8 Months for PHI Theft

Sharecare Health Data Services (SHDS) provides a secure electronic data exchange service and also manages medical records for healthcare businesses. The organization is located in San Diego, CA.
Compromise 
The attack came to light on June 26, 2018, when SHDS detected unusual activity: the observed traffic was abnormal when compared with the normal baseline. This red flag started the investigation. The initial analysis was that the attackers had breached the defenses and gained access to systems containing protected health information (PHI). That access may have begun as early as May 21, 2018. The unauthorized access affected 18,416 members of Blue Shield of California and approximately 5,767 AltaMed patients. The exposed data was a rich set for the attackers to use or sell: name, address, date of birth, unique patient number, the address where the health services were provided, internal SHDS processing notes, and medical record numbers. The attackers had unfettered access from May 21, 2018, to June 26, 2018, more than a month. On June 26, 2018, the attackers accessed the data and exfiltrated it to sites overseas. The other healthcare organizations directly affected were notified on December 31, 2018. Fortunately, patients' Social Security numbers, financial information, and detailed clinical information were not accessed.
Notification
The unauthorized access began no later than May 21, 2018, and was detected on June 26, 2018. The other affected healthcare organizations were notified on December 31, 2018, and the affected patients on February 15, 2019. In addition to its clients, SHDS notified the FBI.

The notice to the other healthcare organizations covered the breach itself and the potential that their patients' data had been accessed by the unauthorized parties. From the timeline, the gap of just over six months before the other healthcare organizations were notified is odd, and no reason was given for it. One of these affected organizations was AltaMed, with 5,500 of its patients included in the compromised records pool. Adding to the confusion, the affected patients themselves were notified only about six weeks after that, on February 15, 2019.
Mitigation 
After detection, SHDS engaged Mandiant, a cybersecurity consultancy, to assist with the forensic analysis and review. On a positive note, once the intrusion was detected, immediate steps were taken to cut off the unauthorized access. SHDS enhanced its security controls to reduce the chance of further successful attacks and revised its data retention policies. The business also contracted a third party to monitor its systems 24 hours a day, seven days a week. SHDS offered the affected patients a year of free credit monitoring and identity theft protection through AllClear ID.
Questions/Lessons Learned
With a breach and compromise, time is of the essence. In most cases, it is not prudent to wait for extended periods to report a breach. In this instance, it took just over six months to report this to the other healthcare organizations whose patients were affected by the SHDS issue, and nearly eight months from detection to notify the affected patients. This is simply unacceptable. The organization had the list of affected parties and still elected not to inform them in even a remotely timely manner.

It is difficult to imagine how the InfoSec team did not detect unauthorized access for over a month. A SIEM with tuned correlation rules should have flagged the activity well before the bulk of the data was exfiltrated. This raises the question: was the SIEM fully integrated with the affected systems, and were its rules and alert thresholds actually tuned and in use?
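To make the detection point concrete, here is an added example of the kind of baseline check a SIEM rule would run. This is illustrative code written for this post, not SHDS's or Mandiant's tooling; the log lines, host name, IP addresses, byte counts and the May 20 baseline cutoff are all constructed, not real SHDS data. It compares each host's daily outbound volume against its baseline period and also flags destinations never seen during the baseline, since a small initial beacon (the May 21 line) would not trip a volume threshold but a new destination would.

```python
"""Baseline-vs-current egress check over constructed proxy/firewall log lines.
Added example for this post; not code from SHDS or Mandiant."""
from collections import defaultdict
import statistics

# Constructed sample log lines (not real SHDS data): date, internal host, destination IP, bytes sent.
# The baseline week is May 14-20; May 21 adds a small beacon to a new destination;
# June 26 is the bulk exfiltration to that same destination.
SAMPLE_LOG = """\
2018-05-14 fileserver-01 198.51.100.7 52000
2018-05-15 fileserver-01 198.51.100.7 48500
2018-05-16 fileserver-01 198.51.100.7 51200
2018-05-17 fileserver-01 198.51.100.7 47900
2018-05-18 fileserver-01 198.51.100.7 50300
2018-05-19 fileserver-01 198.51.100.7 49100
2018-05-20 fileserver-01 198.51.100.7 53000
2018-05-21 fileserver-01 198.51.100.7 50800
2018-05-21 fileserver-01 203.0.113.44 3100
2018-06-26 fileserver-01 198.51.100.7 49700
2018-06-26 fileserver-01 203.0.113.44 9800000000
"""


def parse_log(text):
    """Parse 'YYYY-MM-DD host dst bytes' lines into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        day, host, dst, nbytes = parts
        try:
            records.append({"day": day, "host": host, "dst": dst, "bytes": int(nbytes)})
        except ValueError:
            continue  # non-numeric byte count: ignore rather than crash the rule
    return records


def daily_egress(records):
    """Total bytes sent per (host, day)."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["host"], r["day"])] += r["bytes"]
    return totals


def find_anomalies(records, baseline_end, z_threshold=3.0):
    """Return alerts for days after baseline_end (ISO date string, inclusive end of baseline).

    Two checks: per-host daily volume more than z_threshold standard deviations above the
    baseline mean, and any destination the host never contacted during the baseline.
    """
    totals = daily_egress(records)
    baseline_volumes = defaultdict(list)
    known_dsts = defaultdict(set)
    for (host, day), nbytes in totals.items():
        if day <= baseline_end:
            baseline_volumes[host].append(nbytes)
    for r in records:
        if r["day"] <= baseline_end:
            known_dsts[r["host"]].add(r["dst"])

    alerts = []
    for (host, day), nbytes in sorted(totals.items()):
        if day <= baseline_end:
            continue
        base = baseline_volumes.get(host, [])
        if len(base) < 2:
            alerts.append({"day": day, "host": host, "kind": "no_baseline", "detail": ""})
            continue
        mean = statistics.mean(base)
        stdev = statistics.pstdev(base) or 1.0  # flat baseline: avoid division by zero
        z = (nbytes - mean) / stdev
        if z > z_threshold:
            alerts.append({"day": day, "host": host, "kind": "volume",
                           "detail": f"{nbytes} bytes, z={z:.1f}"})

    seen = set()
    for r in records:
        key = (r["day"], r["host"], r["dst"])
        if r["day"] > baseline_end and r["dst"] not in known_dsts[r["host"]] and key not in seen:
            seen.add(key)
            alerts.append({"day": r["day"], "host": r["host"], "kind": "new_destination",
                           "detail": r["dst"]})
    return sorted(alerts, key=lambda a: (a["day"], a["host"], a["kind"]))


if __name__ == "__main__":
    for a in find_anomalies(parse_log(SAMPLE_LOG), baseline_end="2018-05-20"):
        print(f'{a["day"]} {a["host"]} {a["kind"]} {a["detail"]}')
```

With the constructed data, the May 21 beacon is caught only by the new-destination check (its volume sits about two standard deviations above baseline, under the threshold), while the June 26 transfer trips both checks. The rule is deliberately simple; a real deployment would build baselines per host and destination over a longer window and would alert on the first new external destination from a system holding PHI, which is exactly the May 21 event that went unnoticed here.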

Resources

Davis, J. (2019, February 19). Blue Shield, AltaMed patient data breached in business associate hack. Retrieved from https://healthitsecurity.com/news/blue-sheild-altamed-patient-dta-breached-in-business-associate-hack

Dissent. (2019, February 16). AltaMed, Blue Shield of California notify patients and regulators after breach at Sharecare Health Data Services. Retrieved from https://www.databreaches.net/altamed-blueshield-of-california-notify-patients-and-regulators-after-breach-at-sharecare-health-data-services/

Garrity, M. (2019, April 29). AltaMed alerts 5,500 patients of data breach. Retrieved from https://www.beckershospitalreview.com/cybersecurity/altamed-alerts-5-500-patients-of-data-breach.html 

HIPAA Journal. (2019, February 19). Patients receive notification of PHI theft 8 months after business associate data breach was detected. Retrieved from https://www.hipaa.journal.com/patients-receive-notification-of-phi-theft-8-months-after-business-associate-data-breach-was-detected/ 
