Paubox blog: HIPAA compliant email made easy

Eskenazi Health notifies patients of data breach

Written by Kapua Iao | December 10, 2021

Eskenazi Health in Indiana began notifying patients last month about an August 4 data breach. The public hospital is part of the Health & Hospital Corporation of Marion County. Such cyberattacks have become a continuous and increasing problem for the healthcare industry.

Under HIPAA, covered entities must safeguard patients’ protected health information (PHI) at all times, including when sending HIPAA compliant email. Nevertheless, attackers frequently breach healthcare providers, which is why HIPAA also spells out what a covered entity must do after a breach.


The initial breach

The breach occurred on August 4 when Eskenazi’s IT team became aware of suspicious activity. The team immediately initiated the hospital’s downtime procedures. This included taking the network offline and implementing paper and pen record-keeping. All electronic health records (EHR) were inaccessible, and ambulances were diverted for almost a week.

RELATED: Healthcare ransomware attack leads to EHR downtime in IN

Eskenazi remained open and continued its COVID-19 treatments and vaccination efforts. On August 24 the hospital added a breach notification to its website stating that it had learned personally identifiable information (PII) and PHI had been obtained and released online. There was no evidence that files were encrypted, and Eskenazi emphasized that it would not pay a ransom. Eskenazi then conducted its investigation of the initial breach.


The investigation

The subsequent investigation found that the attacker first gained access on or about May 19 using what Eskenazi described as IP spoofing, roughly two and a half months before the August 4 discovery. The attacker disabled Eskenazi’s security protections, making suspicious activity harder to detect. On October 1, Eskenazi confirmed the breach was the result of a ransomware attack, reiterating that the hospital would not pay a ransom.

SEE ALSO: Ransomware is more common in healthcare than you think

Victims typically download ransomware through phishing emails that carry malicious attachments or fraudulent links. In this instance, Eskenazi reported the initial intrusion as IP spoofing, and an employee may have inadvertently clicked on a link within a phishing email. The attacker stole and posted PII/PHI on the dark web, including:

Names, birthdates, addresses, phone numbers, and email addresses
Medical record numbers, diagnoses, clinical information, and prescription information
Driver’s license numbers, passport numbers, and full-face photos
Social Security numbers, credit card information, and insurance information


Eskenazi notified the FBI and HHS’ Office for Civil Rights (OCR), which regulates and enforces HIPAA.


After the investigation: notification

The HIPAA Breach Notification Rule sets the requirements for reporting breaches. Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered. Breaches affecting 500 or more individuals must also be reported to HHS within that same 60-day window (and to prominent media outlets in the affected state); smaller breaches may be logged and reported to HHS annually. The clock runs from discovery, not from the end of the investigation.

SEE ALSO: What to do after you violate HIPAA

Eskenazi reported the breach to OCR on October 1, within 60 days of the August 4 discovery. The breach is listed on OCR’s Breach Notification Portal as a hacking/IT incident affecting 1,515,918 individuals. Eskenazi states that this number includes all patients and employees of the hospital. Impacted individuals are in the process of receiving a breach letter detailing the incident and the PII/PHI involved; the letter also offers credit monitoring and identity theft protection. The hospital posted a "Substitute Notice for Affected Individuals" on its homepage.

The public won’t know more about possible HIPAA violations, fines, and the hospital’s compliance posture until OCR completes its investigation. Eskenazi’s breach is among the largest reported healthcare data breaches of 2021.


Best practice: avoid a breach with strong cybersecurity

According to the October 1 post, "Eskenazi Health is constantly evaluating its security systems and will continue to make improvements as necessary to protect the privacy and security of information on an ongoing basis."

Continuous evaluation is required under HIPAA, but the best way to avoid a breach is a strong, layered cybersecurity program. Regrettably, healthcare organizations are known for large attack surfaces and lax cybersecurity.

RELATED: Your cybersecurity strategy is probably lacking

Policies and employee awareness training must remain consistent and up to date. Employees remain the weakest link in an organization, so training must focus on preventing them from inadvertently sharing information or clicking on a malicious link. In conjunction with this, organizations must also ensure strong technical and physical access controls.

RELATED: Why anti-phishing training isn’t enough

Access management includes password controls and multifactor authentication; the broader technical baseline also includes encryption at rest and in transit and up-to-date antivirus or endpoint protection. Separate offline backups and segmented storage will not stop an attacker from stealing and exposing PII/PHI, but they do let a hospital restore systems without paying a ransom and limit how far an intruder can move once inside.


Paubox Email Suite Plus—strong email security

Email is the most accessible threat vector (or entry point) into any organization, which is why email security is vital. Employing HIPAA compliant email with strong inbound and outbound email security is crucial to safeguarding PHI.

RELATED: Why healthcare providers should use HIPAA compliant email

Paubox Email Suite Plus automatically encrypts all outgoing emails and delivers them directly to an inbox. Our HITRUST CSF certified solution requires no change in email behavior and works with any existing email platform (e.g., Microsoft 365 and Google Workspace). No extra passwords, logins, or patient portals are needed for safe communication. Paubox Email Suite Plus also comes with Zero Trust Email, which adds a layer of verification before an email is delivered, protecting against threats such as malware, phishing, and domain name spoofing.
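To make the inbound "verification before delivery" idea concrete, the following is an added example of the kind of triage an inbound mail filter performs against spoofed or lookalike sender domains. It is illustration only, not Paubox code: it parses the Authentication-Results header a receiving mail server writes after SPF/DKIM/DMARC evaluation, checks that the visible From domain is aligned with the envelope sender (Return-Path), and flags sender domains that differ from a trusted domain only by common homoglyph swaps. The trusted domain, the three sample messages, and the homoglyph table are all constructed for the example.

```python
"""Inbound email triage against domain spoofing (added illustration, not
Paubox code). All messages and domains below are constructed samples."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Hypothetical: the domains this hospital trusts as internal senders.
TRUSTED_DOMAINS = {"example-health.org"}

# Constructed sample 1: legitimate, authenticated, aligned sender.
LEGIT_MSG = b"""Return-Path: <billing@example-health.org>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=example-health.org;
 dkim=pass header.d=example-health.org;
 dmarc=pass header.from=example-health.org
From: "Billing" <billing@example-health.org>
To: staff@example.org
Subject: Statement available

Your statement is ready.
"""

# Constructed sample 2: From header forges the trusted domain, but the
# envelope sender is a third-party relay and DMARC fails.
SPOOFED_MSG = b"""Return-Path: <bounce@mail-relay-xyz.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mail-relay-xyz.example.net;
 dkim=none;
 dmarc=fail header.from=example-health.org
From: "IT Helpdesk" <it@example-health.org>
To: staff@example.org
Subject: Password expires today

Click https://example-health.org.reset-portal.example/login now.
"""

# Constructed sample 3: attacker-registered lookalike domain. SPF, DKIM and
# DMARC all pass because the attacker controls that domain.
LOOKALIKE_MSG = b"""Return-Path: <it@example-heaIth.org>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=example-heaIth.org;
 dkim=pass header.d=example-heaIth.org;
 dmarc=pass header.from=example-heaIth.org
From: "IT Helpdesk" <it@example-heaIth.org>
To: staff@example.org
Subject: Urgent: verify your credentials

Sign in at https://example-heaIth.org/login to keep access.
"""


def normalize(domain):
    """Collapse common homoglyph substitutions so lookalikes compare equal."""
    d = domain.lower()
    for a, b in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")):
        d = d.replace(a, b)
    return d


def domain_of(header_value):
    """Return the lowercase domain part of an address header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr)}


def lookalike_of(domain):
    """Trusted domain this sender imitates, or None if it is not a lookalike."""
    if domain in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if normalize(t) == normalize(domain)), None)


def assess(raw):
    """Decide deliver/quarantine for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    frm, rp, auth = domain_of(msg["From"]), domain_of(msg["Return-Path"]), auth_results(msg)
    reasons = []
    if auth.get("dmarc") == "fail":
        reasons.append("dmarc=fail")
    # Strict alignment: a trusted From domain must match the envelope sender
    # unless DKIM vouches for it (DMARC relaxed alignment is approximated here).
    if frm in TRUSTED_DOMAINS and rp != frm and auth.get("dkim") != "pass":
        reasons.append(f"From {frm} not aligned with Return-Path {rp} and no DKIM pass")
    if (target := lookalike_of(frm)):
        reasons.append(f"sender domain {frm} looks like trusted {target}")
    return {"verdict": "quarantine" if reasons else "deliver", "from_domain": frm, "reasons": reasons}


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MSG), ("spoofed", SPOOFED_MSG), ("lookalike", LOOKALIKE_MSG)):
        print(name, assess(raw))
```

The third sample is the instructive one: every authentication check passes, so a filter that stops at SPF/DKIM/DMARC delivers it. Only the comparison against the organization's own trusted domains catches it, which is why lookalike detection belongs in the same pre-delivery step as authentication.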

RELATED: Catching ransomware before it catches you

Such protections are vital for organizations that must safeguard their patients’ data, such as Eskenazi Health, which could still face a HIPAA violation finding if OCR determines there was negligence on its part.

Try Paubox Email Suite Plus for FREE today.