Last month, CareFirst Administrators notified impacted individuals about a business associate breach. The phishing scam occurred at Conifer Revenue Cycle Solutions, a provider of revenue cycle management (RCM) services to healthcare organizations.
Phishing emails continue to plague the healthcare industry. According to the FBI, phishing attacks may increase by as much as 400% year-over-year. Alarming especially when considering phishing attacks on business associates since they affect a larger number of healthcare organizations.
How do healthcare organizations and their business associates avoid such debilitating breaches? By using strong email security and a HIPAA compliant email provider to ensure protected health information (PHI) remains protected.
What happened?
CareFirst Administrators is a third-party healthcare administrator in Maryland, Washington, D.C., and Northern Virginia. It specializes in administering health benefits locally through CareFirst BlueCross BlueShield and nationally through the Blue Cross Blue Shield Association.
The healthcare provider announced on November 22 that its vendor Conifer Value-Based Care LLC was targeted by a phishing scam. Conifer is a subcontractor providing RCM services for CareFirst and other healthcare organizations.
Conifer discovered that a cyberattacker accessed certain email accounts between March 17 and March 22. The business associate acted immediately to prevent further activity and to hire a security firm to perform an investigation. At the end of June, Conifer notified CareFirst about the breach.
CareFirst then performed “additional data enrichment and validation efforts,” completed on September 1. At the end of the month, the organization notified impacted group health plans. PHI involved in the incident included:
- Names
- Addresses
- Health insurance information
- Dates of birth
- Medical information
- Billing and claims information
Regrettably, some also included Social Security numbers. On November 18, the U.S. Office for Civil Rights (OCR) Breach Portal listed the breach as impacting 14,538 individuals.
HIPAA business associates and third-party breaches
A HIPAA business associate is a person or entity that performs certain functions or activities that involves PHI. Like Conifer Value-Based Care for CareFirst Administrators and other healthcare organizations. Under the HIPAA Privacy Rule, business associates must be HIPAA compliant and must help covered entities comply as well.
Generally, the Privacy Rule allows healthcare providers to disclose PHI. But they must receive assurance that the vendor is protecting PHI through a signed business associate agreement (BAA).
Unfortunately, business associate breaches are known to cause massive disruptions. Business associates were at the center of nearly 40% of 2022’s reported breaches on OCR’s portal. More than 30 organizations were impacted by a single business associate breach at Ciox Health.
The Conifer breach confirms how third-party vendor cyberattacks can be problematic. Especially when threat actors find a way into a system with something as simple as a phishing email.
Phishing woes and other tales of big breaches
According to Conifer, an unauthorized party gained access to certain Microsoft Office 365-hosted business email accounts via a phishing scam. Email phishing is a malicious attempt to trick victims into giving up personal and online account information. Over 80% of cybersecurity professionals recently surveyed state that phishing attacks represent a top security concern.
The goal is to capture that data or access and exploit more valuable and sensitive systems. Such attacks can be targeted (e.g., spear phishing) or widely distributed (e.g., spam). No matter the type, the point is to take advantage of tired or unaware staff using social engineering techniques.
Phishing emails typically ask recipients to send confidential information or open an attachment containing malware. Cyberattackers disguise these emails as legitimate messages from reputable entities such as financial institutions, government agencies, or major retailers. Today, phishing messages are so well crafted, they sometimes trick even skeptical, security-conscious users.
While anti-phishing training is important to educate staff, human error is unavoidable. And one inadvertent click can disrupt and shut down even the most secure system.
Ensure business associates use strong cybersecurity
Given the headache involved with phishing and business associate breaches, it is important to guarantee vendors utilize strong cybersecurity. First, as stated by HIPAA, covered entities and business associates must sign a BAA. This ensures that vendors remain vigilant when working with PHI.
And before a covered entity signs an agreement with a business associate, it is necessary to:
- Understand employed security measures
- Require similar features to its own
- Control the type of information available
- Identify all users and devices with access
Finally, healthcare organizations must continually review their contracts and the state of their PHI. Continuous reviews are needed to ensure organizations remain up to date with protective measures. Blame may fall on a covered entity that knowingly skips a BAA or fails to do due diligence.
What about phishing? How do you stop an inadvertent click?
Conifer Value-Based Care assured CareFirst Administrators that it “has and continues to enhance its security controls and monitoring practices as appropriate to minimize the risk of any similar incident in the future.” But what does this mean when it comes to phishing? What does stronger protection mean?
Covered entities and vendors must utilize HIPAA compliant technical, administrative, and physical safeguards when dealing with PHI. Unfortunately, anti-phishing training is not standardized, consistent, or always followed up. Even if training is adequate, organizations should not rely on their employees as front-line defenders.
Email is the most utilized threat vector (or entry point) into any system, which is why layered email security is vital. A comprehensive security approach should include training as well as:
- Storage policies
- Access controls (e.g., password policies)
- Technical safeguards (e.g., encryption)
- Separate offline backup
- Patched and up-to-date devices
- VPNs and/or firewalls
Enabling HIPAA compliant email, like Paubox Email Suite, is crucial to safeguarding all data accessible through email.
Kapua Iao
