The most common method of entry for criminal hackers, phishing, succeeded two years ago against a large sophisticated hospital system. Hundreds of thousands of patients were affected and the hospital is still paying costs and fees.
In 2020, a phishing attack on three BJC HealthCare (BJC) employee email accounts ended up costing the healthcare company millions. BJC has agreed to put $2.7 million toward implementing multi-factor authentication (MFA) and other email security measures under the terms of a data breach settlement. Add that to the cost of payouts to claimants, costs of investigation, breach notification costs, and legal fees.
BJC, based in Missouri, is one of the largest nonprofit integrated academic health care systems in the United States, providing services to residents primarily in the St. Louis region, southern Illinois and southeast Missouri. BJC has net revenues of $6 billion and employs more than 30,000 people, operating fifteen hospitals and multiple community health organizations.
The phishing attack happened in March 2020, when an unauthorized party gained access to three email accounts for one day. The email accounts contained medical record and patient account numbers, provider names, health insurance information, Social Security numbers, and other protected health information (PHI). BJC notified the approximately 288,000 affected patients about the incident in May 2020.
After the phishing incident, five separate class action lawsuits were filed against BJC. Although HIPAA does not provide a private right of action to sue, the plaintiffs pointed to HIPAA as a standard, alleging that BJC failed to safeguard PHI as HIPAA would require, and that it failed to employ adequate security measures to prevent unauthorized access.
Although not mentioned in recent news accounts, BJC also faces investigation by the Office for Civil Rights (OCR) for this breach, since OCR investigates all breaches that affect 500 or more individuals. The status of that investigation is not known.
Multiple Cyber Incidents over Several Years
BJC has experienced cybersecurity incidents before and since the 2020 phishing attack. In March 2018, a data server misconfiguration exposed the data of 33,420 patients for almost one year. In December 2018, an unauthorized party hacked BJC HealthCare’s patient portal and potentially accessed the credit and debit card numbers of 5,850 individuals for one month. Most recently, in March 2022, BJC reported that patient data at 12 of its hospitals were exposed after an outsider obtained unauthorized access to some BJC physician email accounts.
Terms of the Class Action Settlement
The settlement agreement provides that “class members” (those affected by the breach) are eligible to receive up to $250 for ordinary out-of-pocket expenses, including credit report fees, late fees, postage, mileage, bank and credit card fees, and other costs. Those who experienced extraordinary out-of-pocket losses, including costs relating to documented or attempted identity theft and fraud, are eligible for up to $5,000.
BJC will also take four corrective actions to improve the security and privacy of its patients’ information. BJC agreed to:
- maintain a written security policy that must be available to all employees;
- conduct mandatory annual cybersecurity training classes, periodic training updates as new security issues come up, and a new hire orientation;
- maintain a written password policy with specific password complexity requirements; and
- implement multi-factor authentication for remote access to email.
HIPAA is a Blueprint for Defense Against Cybercrime
Each of the corrective actions BJC is taking to settle these claims is covered in the Security Rule Checklist of The HIPAA E-Tool®. If you carefully follow HIPAA, conduct a risk analysis every year, and don’t take shortcuts, you can greatly reduce the chance of a major breach and all the costs that come with it. Prevention is much less expensive.