Einstein Health Network, a Pennsylvania-based company operating medical rehab, outpatient and primary care centers, announced a breach of its employee email system, which exposed patient personal and medical information.
The company waited more than five months to make the compromise public.
Einstein said its email system was compromised by an “unauthorized person” on Aug. 5, according to the statement, and persisted through Aug. 17. Einstein added it wasn’t able to figure out whether the contents of patient-related emails were stolen but is taking steps to alert patients who might have had everything from their name, date of birth and even diagnoses and prescriptions exposed to criminals.
Einstein said it has known about suspicious activity in employee email accounts since Aug. 10.
“While this review is ongoing, we have identified emails and/or attachments in the accounts that contained patient information, which may have included some patients’ names, dates of birth, medical record or patient account numbers, and/or treatment or clinical information, such as diagnoses, medications, providers, types of treatment, or treatment locations,” Einstein said. “In some instances, patients’ health insurance information and/or Social Security numbers were also included in the accounts.”
Einstein Broke HHS Breach Notification Rule
Einstein emphasized the breach didn’t affect all patients, just those contained within employee email accounts.
The company has opened a helpline and is offering one year of credit monitoring for patients whose Social Security Numbers were compromised.
But why did the company wait five months after the breach to notify their patients that their most sensitive data was potentially in the wrong hands? The statement said “we are mailing letters,” so presumably malicious actors have had a hefty head start on any potential mitigation efforts.
Threatpost contacted Einstein Healthcare Network for comment but has not yet heard back.
The five-month lag in reporting the attack puts Einstein Health Network in clear violation of the Health and Human Services HIPPA Breach Notification Rule, which mandates individuals be notified “without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).”
Lack of Enforcement
While the violation is clear, Ben Pick, senior application security consultant at nVisium told Threatpost penalties levied against the healthcare organization are likely to be light.
“The end result against the company may only be minor penalties, such as credit monitoring or similar services for those impacted,” Pick said.
Pick explained a lack of tough enforcement of healthcare security could be behind the decision Einstein’s delay in reporting.
“As for why Einstein Healthcare failed to notify its end users within a reasonable time period, that was likely a business decision to be further removed from the time of the incident. Without more serious penalties, there is not a strong incentive to report these breaches,” he said.
Healthcare has come under increased attack from cybercriminals as entire hospital systems are strained to their limits trying to combat the pandemic.
Dirk Schrader, global vice president of New Net Technologies agrees Einstein isn’t likely to get more than a warning.
“Whether the HHS will lecture Einstein about the 60 days notification period mandated in HIPAA is one thing,” Schrader said. “Drastic fines will most likely not be imposed.”
Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!