Another ransomware attack shows why cyber criminals target HIPAA business associates: a single intrusion gave the attackers access to the protected health information (PHI) of more than 130,000 individuals.
Carolina Behavioral Health Alliance LLC (CBHA) is a business associate that provides behavioral and mental health services to plan members throughout North Carolina. It is provider-owned and operated by three not-for-profit medical schools, Wake Forest Baptist Health, UNC Health Care, and East Carolina University.
The health plans affected include LiveWELL Health Plan, Wake Forest University Baptist Medical Center and Affiliates Employee Benefits Plan, and Wake Forest University Health and Welfare Benefit Plan.
The CBHA website contains a message to members:
“Your coverage for mental health and substance abuse services is coordinated through Carolina Behavioral Health Alliance, LLC. If you or a covered family member are seeking professional help or information on mental health or substance abuse issues, contact CBHA for a confidential assessment and triage.”
CBHA Breach Notice
According to CBHA’s breach notice, it detected and stopped a ransomware attack in which an unauthorized party accessed and disabled some of its systems. Although CBHA stopped the attack, the forensic investigation confirmed that the attackers had access to its systems for two days, March 19 and March 20, and may have viewed or obtained the sensitive data of 130,922 health plan members and their dependents. The information accessed included names, birth dates, addresses, provider names, health plan ID numbers, dates of service, level of care and Social Security numbers. That combination of Social Security numbers with plan ID numbers and treatment details is enough to commit both financial and medical identity fraud.
Missing from the Breach Notice
Medical identity theft is not primarily a financial risk but a health risk, because a stolen medical identity can be used to commit insurance fraud and obtain prescriptions, and the resulting claims alter the victim’s medical record. A record polluted with someone else’s diagnoses, allergies and prescriptions can lead to wrong treatment decisions later.
The breach notice advises affected individuals to monitor their financial accounts and credit reports, but unfortunately does not mention the importance of monitoring explanations of benefits (EOBs) for services they never received, which is how medical identity fraud is usually caught. The HIPAA Breach Notification Rule requires the notice to describe the steps individuals should take to protect themselves from potential harm resulting from the breach, and that harm is not only financial harm.
Three Highlights from this Ransomware Event
Ransomware is Rampant
Healthcare organizations continue to be targeted by cyber criminals who often use ransomware because it increases both the pressure on their victims and their profits. Attackers are becoming more sophisticated and aggressive.
A recent survey reveals that nearly two-thirds (66%) of healthcare organizations experienced a ransomware attack in 2021, almost double the share that said the same of 2020 (34%). For more see: The State of Ransomware in Healthcare 2022.
Minors’ PHI is High Value
Because this attack targeted information about health plan members, whole families’ PHI was exposed in some instances. Any covered dependent who had received treatment would have been in the CBHA database.
We’ve written before about how profitable children’s PHI can be. Minors’ personal information is the most valuable because it is a clean slate: criminals can use it to obtain credit or commit insurance fraud and move on before anyone notices. Since children don’t typically have a credit record, the danger for them is not an immediate credit card or financial loss but something more sinister that may not be revealed until years later, when they become adults and discover their identity has been used by someone else for years. This late discovery is much harder to undo.
Follow HIPAA to Prevent Ransomware
Similar to nearly every breach notice published by ransomware victims, the CBHA notice says:
“Data security is one of CBHA’s highest priorities. Since the incident, CBHA wiped and rebuilt affected systems and has taken steps to bolster its network security. CBHA also reviewed and altered its policies, procedures and network security software relating to the security of systems and servers, as well as how data is stored and managed.”
Although details about CBHA’s practices and policies are not yet known, this statement implies that they needed improvement. The Office for Civil Rights (OCR) investigates all breaches affecting 500 or more individuals, so OCR will learn more, and if CBHA did not comply with HIPAA, it is liable for substantial civil money penalties. It also faces the growing risk of private class action lawsuits.
HIPAA policies and practices should not be allowed to become routine and outdated. All covered entities and business associates should review and refresh their security practices and conduct an annual Risk Analysis, as the HIPAA Security Rule requires, to ensure they’re doing everything possible to safeguard PHI.
Prevention is much less expensive than managing the damage after a massive breach.