Rainbow Children’s Clinic Data Loss
At MEDX, we are constantly trying to understand the concerns and challenges faced by our customers. Over the last few years, two concerns have been cited most frequently.
DECREASING reimbursements for procedures
INCREASING frequency and dollar amounts of fines
The reality is that clinics of ALL sizes seem susceptible to these challenges. Fines are often due to either clinical errors or data breaches. Fines for not using HIPAA-compliant technologies can single-handedly cripple the finances of a clinic. And the rising use of mobile devices in healthcare creates even greater risk of breaches for clinics.
The reality is that both of these concerns impact each other. Clinics, facing decreasing reimbursements, find it financially difficult to afford dedicated IT staff or out-of-the box solutions that maintain HIPAA compliance. As a result, their risk increases dramatically.
Here is an example of a small to mid-size clinic experiencing a technological breach courtesy of the HIPAA Journal:
RAINBOW CHILDREN’S CLINIC RANSOMWARE ATTACK RESULTED IN DATA LOSS
Another day, another healthcare ransomware attack. This time it was the Rainbow Children’s Clinic – a team of dedicated pediatricians providing medical services to children in the Grand Prairie/Arlington area of Texas.
On August 3, 2016, a hacker gained access to the clinic’s computer system and encrypted a range of data stored on its servers including the protected health information of patients. The ransomware prevented critical patient files from being accessed, which naturally had a direct impact on patients.
However, in addition to encrypting records, an investigation of the security breach by an independent computer forensics expert revealed that some patient data were deleted and have been irrevocably lost.
The data that were encrypted or deleted include names, dates of birth, addresses, Social Security numbers, medical information, medical payment information, and guarantors’ names, addresses, and Social Security numbers.
Patients affected by the security incident have been notified of the breach by mail. All have been offered credit monitoring and identity theft resolution services for a period of one year without charge out of an abundance of caution. It is unclear whether the attacker copied any data from the servers.
The attack prompted Rainbow Children’s Clinic to conduct a thorough review of network and data security measures and security is being enhanced to prevent similar attacks from occurring in the future. The breach report issued to the Department of Health and Human Services’ Office for Civil Rights indicates 33,698 patients have been impacted by the ransomware attack.
The incident highlights how important it is for healthcare organizations to ensure regular backups of patient health information are performed. Data backups should be stored off-site or in the cloud. If portable storage media are used, they should be disconnected once backups have been performed. The latest ransomware variants are capable of encrypting data on networks and backup devices or even deleting backup files.
It is also essential to test backups to ensure that data can be restored. Recently, Marin Medical Practices Concepts, Inc., – a vendor of California’s Marin Healthcare District – discovered a backup had been corrupted, preventing the recovery of patient data. In that case, the ransom was paid and the attackers supplied a viable key to unlock the encryption. Paying a ransom for keys to decrypt data may be a last resort, but there is no guarantee that viable keys can or will be supplied by the attackers.
Speaking with various practice managers and security experts across the country, it seems that the most common technologies that SHOULD be in compliance with HIPAA are:
Mobile devices used for text messaging, photos, and videos.