On April 10, 2014, a threat actor compromised CHSPSC administrative credentials and remotely accessed the information system through its virtual private network (VPN). The group then launched a malware payload. On April 18, 2014, the Federal Bureau of Investigation (FBI) notified CHSPSC about the breach and the advanced persistent threat (APT). The threat group, APT18, also known as Dynamite Panda and TG-0146, has operated since at least 2009. Officials believe APT18 is sponsored by China. According to OCR, "the hackers continued to access and exfiltrate the PHI of 6,121,158 individuals until August [18,] 2014." That is four months after the FBI notified the business associate of the threat. In total, the breach affected 237 covered entities (CEs) serviced by CHSPSC. Exposed PHI included name, sex, date of birth, phone number, social security number, email, ethnicity, and emergency contact information. CHSPSC reported the breach to OCR on August 21, 2014.
Lacking access/review controls and adequate ePHI security
Not responding to a known security incident and mitigating its harmful effects
Failing to use security incident procedures
Not conducting a risk analysis
As part of the resolution agreement, CHSPSC agreed to pay $2.3 million and put an agreed-upon corrective action plan into place within a given amount of time. As stated in the corrective action plan, it is necessary for CHSPSC to:
This settlement demonstrates that HHS has no plans to stop holding CEs and BAs accountable for HIPAA noncompliance, even though this is not the largest OCR settlement to date, especially when CEs such as CHSPSC do not adequately safeguard ePHI before, during, and/or after a breach. According to OCR Director Roger Severino, "The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable."

Several key learnings here are obvious:

1) Perform due diligence to be HIPAA compliant.
2) Take the necessary steps to adopt strong policies and procedures.
3) Safeguard ePHI, and if a breach happens, cut access to the utilized threat vector immediately.
4) Perform risk assessments and develop an action plan to mitigate risks and vulnerabilities.
5) Utilize continuous and up-to-date employee awareness training.
6) If utilizing BAs, know who they are, and ensure their compliance.

Failure to follow and comply with HIPAA creates unnecessary threats to patients and healthcare organizations. Therefore, carefully review the HIPAA Security Rule to ensure that ePHI is always safe and secure.