2 Vendors at Center of Breaches Affecting 3 Million
Wide Impact on Clients by Clinical Guidance Firm, EMR Vendor Incidents
Two business associates are at the center of recently reported health data breaches affecting more than 3 million individuals and counting.
The breaches include a 2020 incident affecting 1.1 million individuals, reported on June 6 to the state of Maine attorney general's office by Seattle, Washington-based MCG Health LLP, a HIPAA business associate that provides clinical guidelines to healthcare providers and health plans.
The other incident involves a growing list of ophthalmology practices and other healthcare providers that have reported to federal regulators in recent days and weeks HIPAA breaches involving a 2021 hacking incident at their cloud-based electronic medical records vendor, Eye Care Leaders. So far, reported breaches involving the incident at the ophthalmology-specific electronic health record provider have affected about 2 million individuals.
Scope of Impact
The incidents involving MCG Health and Eye Care Leaders serve as important reminders of the wide impact that cybersecurity incidents involving critical vendors can have on healthcare sector entities that depend upon their products and services.
"The types of incidents that involve vendors providing data management services to a broad swath of leading healthcare organizations are the scariest of incidents," says attorney David Holtzman of the consulting firm HITprivacy LLC.
"The breadth and sheer volume of the data they could be handling exposes consumers and all segments of the healthcare industry to significant risk of additional cybercrime."
Incidents like these should drive home the message that every healthcare organization needs to seriously recognize they are at risk when a critical vendor is compromised by a cyberattack or ransomware event, he adds.
"Prepare for the eventuality that one of your vendors is going to suffer a cybersecurity incident," he adds.
Regulatory attorney Rachel Rose advises that covered entities and business associates should be guided by the continuous cybersecurity management functions identified by the National Institute of Standards and Technology's Cybersecurity Framework. Those include protection, detection and recovery.
"Knowing who you do business with is also critical," she says.
MCG Health Incident
MCG Health says the company on March 25 determined "that an unauthorized party previously obtained certain personal information of its customers' patients and members that matched data stored on MCG's systems."
Third-party analysis of the data suggests the data may have been acquired by an unauthorized party on or around Feb. 25-26, 2020.
Affected patient or member data included names, Social Security numbers, medical codes, postal addresses, telephone numbers, email addresses, dates of birth and gender.
The company says it has retained a forensic investigation firm and notified the FBI, with whom it is coordinating. It has pledged to enhance the security of its systems.
MCG Health did not immediately respond to Information Security Media Group's request for additional details about the incident, including how many covered entity clients were affected and the circumstances surrounding how MCG discovered that an unauthorized party had obtained information on its systems.
Affected individuals will receive complimentary identity protection and credit monitoring services for two years.
Based on the information about the incident disclosed so far, "MCG was apparently not aware of the unauthorized activity that had compromised the data stored on its enterprise information systems," Holtzman says.
"From our vantage point, we can only surmise that they learned that a criminal was offering their data for sale."
Growing ECL Breach Victim List
Since mid-May, at least a dozen more medical practices have reported major breaches to the Department of Health and Human Services' Office for Civil Rights concerning a hacking incident involving ophthalmology practice electronic health record provider Eye Care Leaders.
That brings the tally of covered entities' clients affected by the ECL hack to nearly two dozen - and the total number of individuals affected to about 2 million so far, according to HHS OCR's HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
The largest of those ECL-related breaches was reported to HHS OCR on June 7 by Texas Tech University Health Sciences Center as affecting 1.3 million individuals. That ECL-related report by Texas Tech alone ranks as the second-largest breach posted on the HHS OCR site so far in 2022.
Similar to the breach notification statements issued by many of ECL's affected clients, Texas Tech in its statement says the incident affecting ECL's databases and files occurred on Dec. 4, 2021. "ECL reported that it detected the incident in less than 24 hours, disabled the compromised system, and initiated an investigation," the statement says.
Texas Tech says no evidence that records were exfiltrated or used by unauthorized individuals was found, but "the possibility could not be definitively ruled out due to insufficient log files."
ECL's compromised databases and files potentially contained information including patient name, address, phone numbers, driver's license number, email address, gender, date of birth, medical record number, health insurance information, appointment information, Social Security number, and medical information related to ophthalmology services received at Texas Tech.
Some notification statements issued by other affected ECL clients, including Michigan-based Northern Eye Care Associates PC, say that they were told attackers had accessed the ECL myCare Integrity cloud back-end hosted on AWS and deleted databases and system configuration files.
Some of the deleted ECL databases were unable to be restored, according to NECA's statement.
ECL did not immediately respond to ISMG's request for comment.