TriHealth confirms third-party data breach

TriHealth released a statement in April 2021 that confirms a recent third-party data breach. TriHealth provides a wide range of clinical, educational, preventive, and social programs throughout the greater Cincinnati area. In January 2021, TriHealth's business associate, Bricker & Eckler LLP, a law firm in Columbus, Ohio, found itself the victim of a ransomware attack. Ransomware attacks on healthcare companies have risen over the past year. This is why it's especially important to ensure you have a comprehensive email security plan.

RELATED: FBI Investigating Recent Ransomware Attacks Against Healthcare Providers

What happened?

On January 31, 2021, Bricker learned it was a victim of a ransomware attack. Once detected, Bricker took immediate measures to contain the breach then launched a third-party investigation. The initial review for this investigation was finalized around March 12 and determined that hackers gained access between January 14 and January 31 through the company’s email server. The law firm notified TriHealth straightaway and took immediate measures, as the breach resulted in the theft of personally identifiable information (PII) and protected health information (PHI). TriHealth employees and patients have both been affected. The PII/PHI taken includes names and addresses, and in some instances, medical-related and/or education-related information, driver’s license number, and Social Security numbers.

RELATED: Is a Name PHI?

Bricker was able to retrieve the stolen data and does not believe the information was further copied or retained. It is unknown if Bricker paid a ransom.

RELATED: To Pay or to Not Pay for Stolen Data

Healthcare business associates

According to HIPAA, a business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI. Healthcare organizations must utilize third-party vendors (i.e., business associates) for many functions, including legal needs. Bricker is a business associate of TriHealth. Business associate agreements protect healthcare organizations and their patients. Such an agreement ensures that a business associate is HIPAA compliant and utilizes appropriate cybersecurity safeguards to minimize the likelihood of a HIPAA violation.

RELATED: Business Associate Pays $2.3 Million for HIPAA Noncompliance

The subsequent U.S. Health and Human Services Office for Civil Rights (OCR) investigation may find that Bricker committed a HIPAA violation. For now, the law firm is following all of the required reporting steps under HIPAA.

RELATED: OCR HIPAA Enforcement Continues During Pandemic

Bricker notified the 420,532 impacted individuals about the breach and offered 12 months of identity theft and credit monitoring. The law firm also enhanced its cybersecurity and will evaluate further defensive steps to stop data from being stolen.

Ransomware and healthcare organizations

Stolen PHI and ransomware attacks are continuously problematic. Recent research indicates that healthcare was the most targeted industry in the U.S. (and globally) in October 2020. Ransomware is malware (or malicious software) used to deny a victim access to a system until a ransom is paid. Such malware is normally delivered through phishing emails that take advantage of tired or unaware staff, demanding money for the return of stolen data. Some attacks are disastrous to healthcare organizations, beyond data loss and/or monetary damages. Ransomware attacks may hinder a hospital’s ability to deliver timely medical services. Patient care can pause, and a patient may even indirectly die. Thankfully, TriHealth did not have to shut down its network or halt patient care. However, this is not always the case, which is why HIPAA compliance and cybersecurity must be sturdy from the start.

How Paubox can help prevent cyberattacks

Within its statement, TriHealth emphasized that it “takes the privacy of its employees and patients seriously and expects every third party with whom [it engages with] to follow similar security protocols.” OCR’s investigation will confirm if this is true or not. This is why it is important for anyone who handles PHI to ensure complete protection from the beginning. Not only for the organization itself but for all patients and their PHI. As in the case with the TriHealth/Bricker breach, email is consistently one of the most vulnerable threat vectors for cyberattacks. Any organization that handles PHI must utilize a combination of access controls, employee awareness training, and email security to ensure email communication remain defended.

RELATED: How to Make Your Email HIPAA Compliant

This is where Paubox comes in. Paubox Email Suite Plus enables employees to send HIPAA compliant email while blocking any incoming phishing messages. It requires no change in behavior for the sender or recipient. No extra logins, passwords, or portals to wade through. Just protected email communication.

RELATED: Why Email Is Better than Patient Portals

With our HITRUST CSF certified solution, all outbound emails are encrypted and sent directly from an existing email platform (such as  Microsoft 365 and  Google Workspace). Given the increase in ransomware attacks, guarantee the safeguards are in place before a cyberattacker cripples you. Protect yourself and your employees today so that you can continue to provide solid patient care.