Illinois Clinic Says Nearly 503,000 Affected in Email Breach
Incident Involved a Single User's Compromised Email Account
A breach involving the compromise of a single user's email account at an Illinois-based multispecialty clinic has affected nearly 503,000 individuals - one of the largest breaches reported so far this year to federal regulators.
Champaign, Illinois-based Christie Clinic, in a breach notification statement posted on its website, says the "purpose" of the unauthorized access incident was to intercept a business transaction between the clinic and a third-party vendor.
The U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals, shows that Christie Business Holdings Company, P.C. - which operates Christie Clinic - on March 25 reported the hacking/IT incident as involving email and affecting 502,869 individuals.
The Christie Clinic incident is the third largest health data breach posted on the HHS Office for Civil Rights' website so far in 2022.
The only two larger breaches posted on the federal tally so far in 2022 are a data exfiltration incident affecting 1.3 million individuals, reported on Jan. 2 by Florida-based public health system Broward Health, and a ransomware incident affecting more than 521,000 individuals, reported on Feb. 1 by Michigan-based Morley Companies Inc., a vendor that provides business processing services to health plans.
As of Tuesday, out of the 4,584 major breaches affecting about 318.7 million individuals posted on the HHS OCR website since 2009, some 1,090 incidents affecting more than 31.7 million individuals were reported as involving email as the "location" of the breach.
In its March 24 breach statement, Christie Clinic says it "recently" discovered suspicious activity related to a single business email account.
Christie Clinic says it promptly launched an internal investigation to determine the nature and scope of the incident, and contacted federal law enforcement to mitigate the impact of the unauthorized access.
The clinic's investigation confirmed that there was unauthorized access to the affected email account from July 14 to Aug. 19, 2021, and that the intent of the unauthorized access was to intercept a business transaction between Christie Clinic and a long-standing, third-party vendor.
"This investigation was unable to determine to what extent email messages in the account were actually viewed or accessed by an unauthorized actor."
On March 10, Christie Clinic’s review of the incident determined that the compromised email account contained "certain information related to certain individuals."
Information potentially contained in the affected email account included individuals' names, addresses, Social Security numbers, medical information and health insurance information, the statement says.
"The unauthorized actor did not have access to the electronic medical record, MyChristie patient portal, or Christie Clinic’s network," the statement adds.
Christie Clinic, in a statement to Information Security Media Group, says the incident involved a single administrative email account. Affected individuals are being offered 12 months of complimentary credit monitoring.
"To date, Christie Clinic does not have any evidence of misuse of any patient information, but we have notified all individuals who have potential to be affected and notified all necessary regulators," the statement says. Affected individuals include current and past Christie Clinic patients or users of any Christie Clinic services including lab, radiology, convenient care, or flu clinics - even if this was a one-time visit, the statement says.
Business Email Compromises
The Christie Clinic incident spotlights some of the common security challenges faced by healthcare sector entities and other organizations involving email.
For instance, healthcare entities and other organizations have been frequent targets of business email compromise and related scams, including attempts to obtain fraudulent payments, some experts say.
"In some cases, hackers are trying to have an employee’s direct deposit for payroll to be re-directed to an offshore bank," says Tom Walsh, president of privacy and security consulting firm tw-Security. "For example, if an email account gets compromised, the hacker can send an email from that account - requesting a bank change for their payroll deposit," he says.
Hackers are also taking advantage of users' tendencies to re-use passwords, he notes. "If the email account is hacked, chances are the same password that is used for their email account is also being used for the employee portal. In that case, the hacker can log in directly to the employee portal and change the bank information for payroll deposit themselves," he says. For most portals, the user ID is the individual’s email address, he says.
Once an email account has been compromised, a malicious actor often has access to a treasure trove of sensitive patient information, Walsh notes. While there is often a large volume of emails in compromised email accounts and attachments, "using a keyword search can often quickly reveal the important business emails from general communications," he says.
In the case of the Christie Clinic breach, one compromised email account potentially affected the protected health information of more than a half-million individuals. That's a reminder for other entities of how the volume of sensitive information contained in a single email account can grow quickly if not managed properly, Walsh says.
"The user may want to keep the email as proof of a communication, but do they also need to keep an attachment within the email system? For example, Microsoft allows email users to retain an email while removing the attachment … once the attachment is downloaded and stored in a secure location."
Enhancing Mail Security
In the Christie Clinic incident, Walsh suspects that there were likely some large files - including perhaps spreadsheets - routinely capturing patient data and being sent via email.
"There are more secure ways of electronically transferring large amounts of data rather than using emails. Once the emails were sent and successfully received, these emails should have been deleted or the attachments removed from the emails, if the organization wanted to retain the email itself," he says.
Additionally, outbound email needs to be monitored for "data leakage," he says.
To protect data in transit, many healthcare organizations automatically encrypt outbound emails if a message or an attachment contains confidential information, he says.
However, the sent email will usually be retained in an unencrypted email system - readily accessible to the user of the email account once they are authenticated, he adds.
"Most organizations do not have an email retention policy or schedule. Some people like to keep everything, which is not good for several reasons," he says.
For instance, the more email that is retained, the greater the impact becomes if an email account is compromised. Also, eDiscovery rules require organizations to produce all emails, going as far back as the organization retains the email, based on the organization’s internal policies/schedule, he says.
"Purging old emails reduces the liability and the costs associated with having to examine every email in a user’s account. I suggest purging old emails after two to three years - set a policy and then be consistent in its enforcement."
Too often, organizations don’t realize the limitations of their email audit logging, Walsh says. "For example, the granularity of the audit logs may not be able to distinguish if/when an email was only viewed or not viewed/opened."
To avoid email breaches like the one experienced by Christie Clinic, Walsh suggests covered entities and business associates implement several critical security controls and best practices. That includes implementing multifactor authentication for gaining access to email; reminding staff to not reuse or recycle passwords, requiring that passwords are unique; and using secure password managers, when needed.
"Identify which users in the organization may be more likely to be dealing with large volumes of patient data being sent/received via email. Determine if there are more secure ways of transmitting the data instead of using email as the delivery method," he says.
Walsh also suggests that entities examine the audit capability of user access/audit logs within their email system and update their email version/licensing to obtain more robust security controls and features.