Healthcare is in a difficult position. Between the pandemic, budgetary constraints, union negotiations, and other issues, its road is, to say the least, tough. Add cybersecurity to the list and the risk compounds. All it takes is one person in the right department clicking the wrong link or attachment, and a compromise is just around the corner. Goshen Health, a hospital system in Indiana, learned this from its own experience. In this example from late last year, Goshen Health had the opportunity to test its incident response (IR) plan for real.
Healthcare facilities hold a great deal of data, and it is valuable to attackers for a simple reason: it sells readily on dark web markets. In this case, 9,160 patients had their protected health information (PHI) stolen from Goshen Health. The data could have included many different data points for each person; here the exposed fields included names, dates of birth, addresses, driver's license numbers, Social Security numbers, health insurance details, the names of treating physicians, and certain clinical information. A bundle like that is far more useful than a stolen card number. It supports credit card fraud, phone-based social engineering, utility fraud, bank fraud, government benefits fraud, and medical identity fraud, and since a Social Security number and a date of birth are not easily replaced, a truly enterprising attacker could keep using this data for years to come.
The sequence of events matters here. The phishing attack took place in August 2018. Once the InfoSec department and administrators understood that accounts had been compromised, Goshen Health secured the affected email accounts. Without that step the breach would have remained open, and the attackers would have kept using the accounts for as long as they could. The investigation began right away, and in November 2018 the organization brought in third-party forensic personnel to investigate the breach. At first, those subject matter experts (SMEs) found no evidence that PHI was involved, so Goshen Health believed it would not need to issue patient notifications. That sounds counter-intuitive for a breach at a medical facility, but the reasoning was simple: no PHI, no HIPAA notification obligation. It turned out to be a significant oversight. On August 1, 2019, nearly a year into the engagement, the investigation determined that the compromised email accounts did in fact contain patient PHI (HIPAA Journal, 2019). The same pattern has been noted in several successful attacks in recent memory. Instead of staying on a file server or in a controlled cloud store, PHI gets emailed around between staff, and a mailbox compromise then becomes a PHI breach. Had the PHI not been in those mailboxes, the organization would not have been required to notify the affected patients or HHS. As it was, Goshen Health filed its breach report with the HHS Office for Civil Rights and notified the 9,160 potentially affected patients on September 30, 2019. Patients whose Social Security numbers were exposed are being offered one year of free credit monitoring and identity theft protection, and the facility is recommending that all affected patients monitor their accounts for any irregularities. To reduce the chance of a repeat, the facility has strengthened its security protections, added forensic resources and technology in case it is targeted again, and put its employees through email security and phishing awareness training.
Phishing strikes again. The attackers had access from August 2 to August 13, 2018, and the intruder was never identified beyond "an unknown, unauthorized party." For all of the patients affected and all of the additional expense to the facility, the root cause was a single phishing email. This is another example of how far a simple click can reach in a large hospital, with costs in the investigation, in the remediation, and directly to the patients.
There is a significant time lag in more than one area. It took approximately a year to discover that the compromised mailboxes held PHI, and that task should not take that long. A mailbox is a bounded data set: its messages and attachments can be exported and searched for PHI indicators, and mail server audit logs show which accounts were accessed and when. This portion is especially curious.
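The scoping question the investigators took a year on, whether a phished account's mailbox actually held PHI and therefore whether notification was required, is a mechanical check once the mailbox has been exported. The following is an added example, not code from this post or from Goshen Health: it parses an export of a compromised mailbox, scans message bodies for PHI indicators, discards mail that arrived after the attacker's access ended, and separates what it could verify from binary attachments that still need manual review. The sample messages, the `hospital.example` addresses, the regular expressions, and the use of the post's August 2 to 13, 2018 window as a cutoff are all constructed or assumed for illustration.

```python
"""Scope PHI exposure in a phished mailbox (added example; constructed data only)."""
import email
import re
from collections import Counter
from datetime import datetime, timezone
from email import policy
from email.utils import parsedate_to_datetime
from typing import List

# Assumed access window from the post: Aug 2-13, 2018. Everything sitting in
# the mailbox on the last day was readable, so we cut off by date rather than
# keeping only messages sent inside the window.
EXPOSURE_CUTOFF = datetime(2018, 8, 13, 23, 59, 59, tzinfo=timezone.utc)

# PHI indicators. Conservative on purpose; tune to the organisation's formats.
PHI_PATTERNS = {
    # SSN shape with SSA structural rules (no 000/666/9xx area, 00 group, 0000 serial).
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*[:\-]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
    "insurance_id": re.compile(
        r"\b(?:member|policy|subscriber)\s*(?:id|no\.?|number)\s*[:#]?\s*[A-Z0-9-]{6,}\b", re.I),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{5,}\b", re.I),
    "clinical": re.compile(r"\b(?:diagnosis|diagnosed|prescription|lab results?)\b", re.I),
}
# Binary attachments a text scan cannot see; they go to a manual review queue.
OPAQUE_ATTACHMENT = re.compile(r"\.(?:pdf|docx?|xlsx?|zip)$", re.I)

# Constructed sample mailbox export (RFC 5322 text). Fictitious people and IDs.
SAMPLE_MESSAGES: List[str] = [
    "From: billing@hospital.example\nTo: scheduler@hospital.example\n"
    "Date: Mon, 06 Aug 2018 09:12:00 -0500\nSubject: Re: pre-auth for Tuesday\n"
    "Content-Type: text/plain; charset=\"utf-8\"\n\n"
    "Pre-auth came back. Pt Jane Roe, DOB: 03/14/1971, SSN 219-09-9999,\n"
    "member ID: BCX-0083321. Diagnosis code is in the chart.\n",
    "From: hims@hospital.example\nTo: scheduler@hospital.example\n"
    "Date: Fri, 10 Aug 2018 16:40:00 -0500\nSubject: weekly discharge list\n"
    "Content-Type: multipart/mixed; boundary=\"b1\"\n\n"
    "--b1\nContent-Type: text/plain; charset=\"utf-8\"\n\nSee attached.\n"
    "--b1\nContent-Type: application/octet-stream\n"
    "Content-Disposition: attachment; filename=\"discharges_w32.xlsx\"\n"
    "Content-Transfer-Encoding: base64\n\nUEsDBBQABgAIAAAAIQA=\n--b1--\n",
    "From: it@hospital.example\nTo: scheduler@hospital.example\n"
    "Date: Wed, 08 Aug 2018 11:00:00 -0500\nSubject: Lunch and learn\n"
    "Content-Type: text/plain; charset=\"utf-8\"\n\nPizza in conference room B at noon.\n",
    # Sent after the window closed: in the mailbox now, but not exposed.
    "From: billing@hospital.example\nTo: scheduler@hospital.example\n"
    "Date: Tue, 04 Sep 2018 08:00:00 -0500\nSubject: follow-up\n"
    "Content-Type: text/plain; charset=\"utf-8\"\n\n"
    "Patient SSN 219-09-9998, DOB: 01/02/1960, lab results pending.\n",
]


def message_text(msg) -> str:
    """Join every text/* part of a message; binary parts are not decoded here."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text")


def scan_message(raw: str) -> dict:
    """Classify one message: was it exposed, which PHI indicators does it carry,
    and which attachments still need a human (or a document parser) to look at."""
    msg = email.message_from_string(raw, policy=policy.default)
    sent = parsedate_to_datetime(str(msg["Date"]))
    text = message_text(msg)
    hits = {name: len(rx.findall(text)) for name, rx in PHI_PATTERNS.items()}
    opaque = [p.get_filename() for p in msg.iter_attachments()
              if p.get_filename() and OPAQUE_ATTACHMENT.search(p.get_filename())]
    return {"subject": str(msg["Subject"]), "exposed": sent <= EXPOSURE_CUTOFF,
            "hits": {k: v for k, v in hits.items() if v}, "opaque_attachments": opaque}


def scope_mailbox(raw_messages: List[str]) -> dict:
    """Roll up one mailbox into the numbers a notification decision needs."""
    results = [scan_message(raw) for raw in raw_messages]
    exposed = [r for r in results if r["exposed"]]
    with_phi = [r for r in exposed if r["hits"]]
    indicators = Counter()
    for r in with_phi:
        indicators.update(r["hits"])
    unreviewed = [a for r in exposed for a in r["opaque_attachments"]]
    return {
        "messages_total": len(results),
        "messages_exposed": len(exposed),
        "messages_with_phi": len(with_phi),
        "indicator_counts": dict(indicators),
        "attachments_needing_manual_review": unreviewed,
        # "No PHI found" is only defensible once the review list is empty.
        "phi_confirmed": bool(with_phi),
        "review_complete": not unreviewed,
    }


if __name__ == "__main__":
    for key, value in scope_mailbox(SAMPLE_MESSAGES).items():
        print(f"{key}: {value}")
```

Two design points carry over to a real engagement. First, the cutoff is a date, not a window: anything the attacker could read on the last day of access counts, however old it is. Second, a body-text scan that finds nothing is not the same as "no PHI involved" while spreadsheets and PDFs sit unopened in the review queue, which is exactly the gap between the first forensic pass in this incident and the finding a year later.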
Blankenship, F. (2019, October 4). Goshen Health data breach potentially exposes 9,160 patients' sensitive records. Retrieved from https://4classaction.com/2019/10/04/goshen-health-data-breach-potentially-exposes-9160-patients-sensitive-records/
Dissent. (2019, October 2). IN: Goshen Health notifies patients potentially impacted by 2018 data security breach. Retrieved from https://www.databreaches.net/in-goshen-health-notifies-patients-potentially-impacted-by-2018-data-security-breach/
Garrity, M. (2019, October 3). Indiana hospital alerts 9,100 patients of breach. Retrieved from https://www.beckershospitalreview.com/cybersecurity/indiana-hospital-alerts-9-100-patients-of-data-breach.html
HIPAA Editor. (2019, October 8). 9,160 Goshen Health patients affected by phishing-related email breach. Retrieved from https://www.hipaaanswers.com/9160-goshen-health-patients-affected-by-phishing-related-email-breach
HIPAA Journal. (2019, October 3). Goshen Health notifies 9,160 patients of historic PHI breach. Retrieved from https://www.hipaajournal.com/goshen-health-notifies-9160-patients-of-historic-phi-breach/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.