Eskenazi Health in Indiana began notifying patients last month about an August 4 data breach. The public hospital is part of the Health & Hospital Corporation of Marion County.
Such cyberattacks have become a continuous and growing problem for the healthcare industry. Under HIPAA, covered entities must properly safeguard patients’ protected health information (PHI) at all times, including when sending HIPAA compliant email.
Nevertheless, hackers frequently breach healthcare providers, which is why HIPAA includes guidelines that address what to do after a breach.
The initial breach
The breach occurred on August 4 when Eskenazi’s IT team became aware of suspicious activity. The team immediately initiated the hospital’s downtime procedures.
This included taking the network offline and implementing paper and pen record-keeping. All electronic health records (EHR) were inaccessible, and ambulances were diverted for almost a week.
Eskenazi remained open and continued its COVID-19 treatments and vaccination efforts. On August 24 the hospital added a breach notification to its website stating that it had learned personally identifiable information (PII) and PHI had been obtained and released online.
There was no evidence that files were encrypted, and Eskenazi emphasized that the hospital would not pay a ransom. Eskenazi conducted its investigation following the initial breach.
The subsequent investigation discovered that the cyberattacker first gained access on or about May 19 using IP spoofing. The hacker disabled Eskenazi’s security protections, making it difficult to detect suspicious activity.
On October 1, Eskenazi confirmed the breach was due to a ransomware attack, reiterating that the hospital would not pay a ransom.
Victims typically download ransomware through phishing emails that include malicious attachments or fraudulent links. In this instance, an Eskenazi employee may have inadvertently clicked on a link in a phishing email that contained the spoofed IP address.
The cyberattacker stole and posted PII/PHI on the dark web, including names, birthdates, addresses, phone numbers, email addresses, medical record numbers, diagnoses, clinical information, prescription information, driver’s license numbers, passport numbers, full-face photos, Social Security numbers, credit card information, and insurance information.
Eskenazi notified the FBI and HHS’ Office for Civil Rights (OCR), which regulates and enforces HIPAA.
After the investigation: notification
The HIPAA Breach Notification Rule sets the guidelines for reporting breaches. Breaches with more than 500 affected individuals require notification within 60 days of discovery (or directly after an investigation).
Eskenazi reported the breach to OCR on October 1, within 60 days of the initial breach. The breach is listed on OCR’s Breach Notification Portal as a hacking/IT incident affecting 1,515,918 individuals.
Eskenazi states that the number of individuals includes all patients and employees of the hospital.
Impacted individuals are in the process of receiving a breach letter detailing the breach and the PII/PHI involved. The letter also offers credit monitoring and identity theft protection. The hospital posted a “Substitute Notice for Affected Individuals” on its homepage.
The public won’t know more about possible HIPAA violations, fines, and HIPAA compliance until OCR completes its investigation.
Eskenazi’s breach is the largest reported healthcare data breach of 2021.
Best practice: avoid a breach with strong cybersecurity
According to the October 1 post, “Eskenazi Health is constantly evaluating its security systems and will continue to make improvements as necessary to protect the privacy and security of information on an ongoing basis.”
Continuous evaluation is necessary under HIPAA, but the best way to avoid a breach is by employing a strong, layered cybersecurity program. Regrettably, healthcare organizations are known for their numerous open attack surfaces and lax cybersecurity.
Policies and employee awareness training must remain consistent and up to date. Employees remain the weakest link of an organization, so it is necessary to stop them from inadvertently sharing information or clicking on a malicious link.
And in conjunction with this, organizations must also ensure strong technical and physical access controls.
Access management includes password controls and multifactor authentication, encryption at rest and in transit, and antivirus software. Moreover, offline backups kept on separate storage systems could stop hackers from taking and exposing PII/PHI.
Paubox Email Suite Plus—strong email security
Email is the most accessible threat vector (or entry point) into any system, which is why email security is also vital. Employing HIPAA compliant email with strong inbound and outbound email security is crucial to safeguarding PHI.
Paubox Email Suite Plus automatically encrypts all outgoing emails and delivers them directly to an inbox. Our HITRUST CSF certified solution requires no change in email behavior and is operational from any existing email platform (e.g., Microsoft 365 and Google Workspace).
No need for extra passwords, logins, or patient portals for safe communication.
And Paubox Email Suite Plus comes with Zero Trust Email, which adds a layer of verification even before an email gets delivered, protecting from threats such as malware, phishing, and domain name spoofing.
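The “domain name spoofing” check mentioned above can be illustrated in code. The following is an added example, not Paubox’s or Eskenazi’s code: it reads the RFC 8601 Authentication-Results header that a receiving mail server stamps on a message and applies the alignment test DMARC uses, accepting a message only when an SPF or DKIM pass is backed by a domain that matches the visible From: domain. The two sample messages, the domains in them, and the simplified two-label “organizational domain” rule (no public-suffix list) are constructed assumptions for the demonstration.

```python
"""Added example: DMARC-style alignment check on inbound mail headers.

Assumes a mail server has already evaluated SPF and DKIM and recorded the
outcome in an Authentication-Results header (RFC 8601). The visible From:
domain is then compared with the authenticated domains; a message whose
From: is not backed by an aligned pass is a spoofing candidate.
"""
import email.utils
import re
from email import message_from_string, policy


def org_domain(domain):
    # Simplified organizational domain: keep the last two labels.
    # (A real implementation consults the public suffix list.)
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(value):
    """Split an Authentication-Results value into (method, result, props)."""
    parts = [p.strip() for p in str(value).split(";")]
    authserv_id = parts[0]
    results = []
    for part in parts[1:]:
        m = re.match(r"(\w+)=(\w+)\s*(.*)", part, re.S)
        if not m:
            continue
        method, result, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
        # Property/value pairs such as smtp.mailfrom=... or header.d=...
        props = dict(re.findall(r"([\w.]+)=([^\s()]+)", rest))
        results.append((method, result, props))
    return authserv_id, results


def from_domain(msg):
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def dmarc_aligned(msg, strict=False):
    """True when SPF or DKIM passed for a domain aligned with From:."""
    visible = from_domain(msg)
    if not visible:
        return False
    _, results = parse_auth_results(msg.get("Authentication-Results", ""))

    def aligned(domain):
        domain = domain.lower()
        if strict:
            return domain == visible
        return org_domain(domain) == org_domain(visible)

    for method, result, props in results:
        if result != "pass":
            continue
        if method == "dkim" and aligned(props.get("header.d", "")):
            return True
        if method == "spf":
            mail_from = props.get("smtp.mailfrom", "")
            domain = mail_from.rsplit("@", 1)[-1] if "@" in mail_from else mail_from
            if domain and aligned(domain):
                return True
    return False


def check(raw_message, strict=False):
    """Classify a raw RFC 5322 message: deliver if aligned, else quarantine."""
    msg = message_from_string(raw_message, policy=policy.default)
    ok = dmarc_aligned(msg, strict)
    return {"from_domain": from_domain(msg), "aligned": ok,
            "action": "deliver" if ok else "quarantine"}


# Constructed samples: identical visible From:, different authentication.
LEGIT = """From: Billing <billing@clinic.example>
To: patient@example.net
Subject: Your statement
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=billing@clinic.example;
 dkim=pass header.d=clinic.example header.s=sel1

Your statement is attached.
"""

SPOOFED = """From: Billing <billing@clinic.example>
To: patient@example.net
Subject: Urgent: verify your account
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@attacker-infra.example;
 dkim=pass header.d=attacker-infra.example header.s=k1

Please confirm your details.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, check(raw))
```

The spoofed sample passes SPF and DKIM for the sender’s own infrastructure, which is exactly why a raw “spf=pass” is not enough: only the alignment of the authenticated domain with the From: domain the recipient sees tells the two messages apart.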
Such strong protections are vital for organizations that must protect their patients, such as Eskenazi Health, which may even be hit with a HIPAA violation if there was any negligence on its part.