Woesnotgone (Woes-not-gone) Meadow
All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth. Today in the meadow we had a bit of excitement. Aunt Marjie, who really isn’t anyone’s aunt, had a visit to the town’s doctor. Although the doctor only accepts the local insurance, there are the usual patient files. A hospital outside of the Meadow had a little problem with this.
Valley Health is the parent company of a number of hospitals, including the Winchester Medical Center and five other regional hospitals. Valley Health had the opportunity to mail notifications to 857 patients of these medical facilities. This was to let them know their private, confidential data may have been compromised. The data included the patient’s name, address, date of birth, social security number, the medical record number, and patient identification number.
This issue is related to a third party Valley Health contracted with to host the electronic medical records (EMR). The hospitals initiated a contract with Inova Health Systems in 2013 for a seven-year term. On October 24, 2018, Inova notified Valley Health that they had been notified by law enforcement of the underlying issue.
On September 5, 2018, an unauthorized person had accessed a portion of the patient records. After Inova had received the notice, the business initiated its own forensic review. Valley Health followed the course of action and launched their own forensic review. Valley Health’s investigations indicated 12,331 patient files were accessed.
The compromise was possible due to the unauthorized party using the credentials of an employee who was no longer with the business. The access was to the Inova billing system along with Valley Health’s electronic medical records in January 2017 and from July to November 2017. This unauthorized person had a relationship with the former Inova employee.
The circumstances lead to at least two germane questions. Did the former Inova employee write down their credentials and allow a third party, with whom there was a relationship, to see them? At this juncture, employees and former employees should not do this, especially when password managers are readily available. Also, the unauthorized party accessed the system during two separate periods. The other person had to be logged in at suspicious times or while the authorized person was logged in. Either way, the logs would have indicated an issue, which should have been noted by the security team or SIEM. How was this missed by the humans and programs? Inova had to be warned by law enforcement after the second compromise.
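The log signals described above can be checked with a few simple rules. The following is an added example, not code from the article or from either organization; the account names, addresses, offboarding date, business hours, and log layout are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (assumptions): HR offboarding dates and auth events.
TERMINATED = {"jdoe": datetime(2016, 12, 15)}  # account -> last day employed
BUSINESS_HOURS = range(7, 19)                  # assumed 07:00-18:59 local time
EVENTS = [  # (timestamp, account, action, source address)
    ("2017-01-09 02:14", "jdoe", "login", "203.0.113.7"),
    ("2017-01-09 02:50", "jdoe", "logout", "203.0.113.7"),
    ("2017-01-10 09:01", "asmith", "login", "10.0.4.21"),
    ("2017-01-10 09:30", "asmith", "login", "198.51.100.9"),
    ("2017-01-10 17:02", "asmith", "logout", "10.0.4.21"),
    ("2017-01-10 17:05", "asmith", "logout", "198.51.100.9"),
]

def find_alerts(events, terminated):
    """Return (rule, account, timestamp, source) tuples for suspicious logins."""
    alerts = []
    open_sessions = {}  # account -> sources with a session still in progress
    for ts_text, account, action, source in sorted(events):
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M")
        sources = open_sessions.setdefault(account, set())
        if action == "logout":
            sources.discard(source)
            continue
        # Rule 1: credential used after its owner left the organization.
        left = terminated.get(account)
        if left is not None and ts > left:
            alerts.append(("post-termination-login", account, ts_text, source))
        # Rule 2: login at a suspicious time (outside assumed business hours).
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("off-hours-login", account, ts_text, source))
        # Rule 3: new session from another source while one is already open.
        if sources - {source}:
            alerts.append(("concurrent-session", account, ts_text, source))
        sources.add(source)
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(EVENTS, TERMINATED):
        print(alert)
```

Rule 1 depends on the identity system receiving offboarding dates from HR; disabling the account at termination removes the need to detect its use afterward.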
With these and other issues, the situation certainly indicates an opportunity for growth and improvement with InfoSec.
Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.
Merod, A. (2018, November 23). Valley Health sending letters to 857 patients possibly affected by security breach. Retrieved from http://www.winchesterstar.com/winchester_star/valley-health-sending-letters-to-patitients-possibly-affected-by-security/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.