The 4.5 million people who had their health and financial records potentially exposed in a hack of the UCLA Health provider system were not the only victims of the breach, which UCLA officials said they first started looking into nearly a year ago.
Apparently, so was the intent of the HIPAA breach notification rule, which clearly states that breaches must be reported to the people affected no later than two months after discovery of the incident.
According to the letter of the rule:
- HIPAA-covered entities such as healthcare providers and their business associates must notify affected people “no later than 60 days following the discovery of a breach” either individually or with “substitute notice” on the organization’s Web site or in the media
- Likewise, media notice must also be given no later than 60 days after discovery of a breach
- Breaches must also be reported to the Department of Health and Human Services (whose Office for Civil Rights enforces HIPAA) within 60 days for breaches involving more than 500 people and, for breaches involving fewer than 500 people, no later than 60 days after the end of the calendar year in which the breach was discovered
Leaving aside the question of whether UCLA should have reported the breach back in the fall or early winter of 2015, after the provider detected suspicious activity in October 2014, the Los Angeles-based health system was at least 10 days late in telling the world about it: its release came on July 17, 70 days after UCLA says it confirmed the incursion.
Any lack of promptness or less than full disclosure doesn’t serve health providers or companies hit by breaches well at all, says Stephen Cobb, a senior security researcher with ESET, a Slovakia-based data security firm with a U.S. office in San Diego.
UCLA also said it wasn’t sure whether people’s records were accessed in the breach or whether hackers acquired people’s personal information.
“It appears that the cyberattacker accessed parts of the UCLA Health network that contained personal information, such as names, addresses, dates of birth, Social Security numbers, medical record numbers, Medicare or health plan ID numbers and some medical information (e.g., medical condition, medications, procedures, and test results),” UCLA’s FAQ list on the breach states. “At this time we have no evidence that the cyberattacker actually accessed or acquired any individual’s personal or medical information. Our investigation is ongoing.”
But Cobb said hacked organizations should assume that if their systems were penetrated, then data was likely taken as well.
“I don’t think downplaying it does you any good,” Cobb told SearchHealthIT. “Organizations don’t get that it’s a safe assumption that if someone sees the information, they’ve got the information … that if an intruder is on a system with sensitive information in it, and nothing is between the intruder and the information, you have to assume it’s been compromised.”
A UCLA media spokeswoman declined comment and referred SearchHealthIT to the release and official breach substitute notice. UCLA also directed patients and others possibly affected to three major credit reporting agencies for free credit reports.
Meanwhile, Cobb counsels organizations to be as forthcoming as possible after a breach.
“If you have had a breach, everything you say and do about it affects your brand,” he said.
In its disclosures of the breach, UCLA said it started working with the FBI early in the health system’s investigation in the fall of last year.
Cobb said it is understandable that hacked organizations may want to keep quiet about a suspected breach of their network, and may even be counseled by law enforcement authorities to do so.
Prompt breach notification may not be such a big issue if organizations, including healthcare systems, put more thought, money, training, technology and staff into security and especially security risk analysis, Cobb said.
“If you do it right, you have much less chance of having a breach,” he said. “Healthcare as a sector is playing catch-up on security.”
Referring to the nearly $30 billion providers have received under the meaningful use program since 2009 for digitizing health records, Cobb said: “Some health providers got money from the government, and some of that money should have been spent on security.”