Law Firm Hack Compromises Health System's Patient Data


Did Data Theft at Firm Also Affect Other Clients' Information?

Law firm Thompson Coburn says a hacking incident in its IT network affected patient data of its client Presbyterian Healthcare Services (Image: Thompson Coburn)

Thompson Coburn, a Missouri-based national law firm that specializes in data breach law and other types of legal cases, has itself been hit by a hacking incident.


The law firm says the data breach has affected an unspecified number of patients of a healthcare sector client, Presbyterian Healthcare Services in New Mexico, which has now suffered at least four breaches in five years. But a big unanswered question is whether other clients were affected.

Thompson Coburn, in a breach notice posted on Presbyterian Healthcare Services' website, said the incident was first detected on May 29 when the law firm became aware of suspicious activity within its network.

Presbyterian Healthcare Services operates more than 100 physician and specialty clinics and nine full-service hospitals across New Mexico. The organization also offers individual, family, Medicare Advantage and state Medicaid health plans.

Thompson Coburn said an unauthorized actor stole some files between May 28 and May 29.

“A detailed review of the affected files was undertaken and through that review, we determined that certain protected health information related to certain patients of PHS was contained within those files,” the law firm said.

Potentially compromised information includes Presbyterian Healthcare Services patient name, Social Security number, date of birth, medical record number, patient account number, prescription and medication information, clinical information, medical provider information, and health insurance information.

The Thompson Coburn hack is the latest of several breaches Presbyterian Healthcare Services has experienced in the last five years.

As of Thursday, the incident had not been posted to the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.

Thompson Coburn said so far there is no indication of identity theft or fraud stemming from the breach. “Upon becoming aware of this incident, Thompson Coburn promptly took steps to investigate the incident and implemented additional security enhancements to further protect against similar incidents,” the notice said.

Neither Thompson Coburn nor Presbyterian Healthcare Services immediately responded to Information Security Media Group's request for additional details about the incident, including the number of individuals affected, the type of legal services the law firm provided, and whether any other Thompson Coburn clients were affected by the hack.

Were Other Clients Affected?

So far, Thompson Coburn – which offers a long list of legal services, including data breach litigation in an array of industries besides healthcare – has not publicly disclosed whether other clients' information was also potentially compromised in the incident.

But some experts not involved in the Thompson Coburn hack suspect that could be the case.

“If the threat actor was inside their network, as it appears was the case here, it's certainly possible and perhaps even likely that they gained access to data of other Thompson Coburn clients,” said Jon Moore, chief risk officer at privacy and consulting firm Clearwater. “At a minimum, a forensic analysis would be required and even that may not be able to determine with certainty what data or files the threat actor accessed.”

In the meantime, there are a few reasons why this incident might not yet have resulted in additional breach notifications, Moore said.

“For example, the primary responsibility for notification of individuals whose electronic PHI is breached resides with the covered entity. A business associate who suffers a breach of ePHI is typically only required to notify the covered entity whose information was impacted,” he said.

“Generally, that is how notification is handled. The exception is when the business associate has agreed contractually to handle or assist with the notifications. In this case, other clients may have been notified and either we're unaware of individual notices they've sent out or they haven't done it yet,” he said.

Another possibility is that Thompson Coburn is still working through the investigation of the incident to determine what other clients and individuals may have been impacted, Moore added.

Of course, Thompson Coburn is not the only law firm to experience a data breach that results in a compromise of protected health information belonging to healthcare clients' patients.

In July 2023, global law firm Orrick, Herrington & Sutcliffe, which also provides data breach litigation services, reported to state and federal regulators a hacking incident affecting several healthcare sector clients and a total of about 638,000 individuals.

Orrick in April agreed to an $8 million settlement to resolve a consolidated proposed class action lawsuit filed against the firm in the wake of the data breach, which affected clients including vision benefits plan EyeMed and dental insurance plan Delta Dental of California (see: Law Firm to Pay $8M to Settle Health Data Hack).

“PHI data breaches are a healthcare law firm's biggest nightmare. They're costly and embarrassing and invite class action lawsuits,” said regulatory attorney Paul Hales of the Hales Law Group, which is not involved in the Presbyterian Healthcare Services incident.

Like the situation in the Orrick data breach, Thompson Coburn is a business associate responsible for HIPAA compliance when a healthcare client discloses protected health information to it in the performance of legal services, Hales said.

“At this stage, the nature and extent of the Thompson Coburn data breach is not publicly known. However, an electronic trail preserves critical details,” he said. Regulators and plaintiffs eventually will learn how the breach occurred, he added. “They also will dissect the law firm's HIPAA compliance program,” he said.

Law firms should be treated like any other third party that handles ePHI and must be subject to due diligence, Moore said.

“They should be required to sign a business associate agreement and undergo regular risk analyses. Before sharing ePHI, organizations should evaluate the law firm's security posture,” he said.

Healthcare clients also should limit their law firm's access to PHI to the minimum necessary, he said.

“They should verify that the firm has an incident response plan in place and is prepared to respond and notify the organization in a timely manner if their data is breached. Organizations should also periodically review that the firm is maintaining appropriate security safeguards and compliance with HIPAA,” he said.

“These measures help ensure that law firms uphold the same level of data protection as any other vendor handling sensitive healthcare data,” Moore said.

The Presbyterian Healthcare Services breach involving Thompson Coburn “is a cautionary tale for other law firms who are well advised to use it as a learning experience,” Hales said.

As for Presbyterian Healthcare Services, the incident involving Thompson Coburn joins a list of several other breaches the healthcare organization has reported to federal regulators since 2019.

The largest such incident was an email phishing breach Presbyterian Healthcare Services initially reported to HHS' Office for Civil Rights in August 2019 as affecting about 183,400 health plan members. That figure was later revised upward to more than 1.1 million affected individuals (see: 2 Phishing Attacks Affect Presbyterian Health Plan Members).
