COVID-19 Leak in Wyoming Leads to Massive HIPAA Breach

COVID-19 Leak in Wyoming Leads to Massive HIPAA Breach
20 Jul

COVID-19 Leak in Wyoming Leads to Massive HIPAA Breach

By HIPAA Exams

Between 2010 and 2019, almost 4,000 incidents of a HIPAA breach have occurred in the United States. These are very serious situations and the authorities must investigate them to completion. If you do not know much about breaches like these, read on to find out more. This article will discuss a recent breach of the Health Insurance Portability and Accountability Act (HIPAA). It will talk about the incident as it unfolded, as well as discuss them moving forward. Finally, we will talk about how to avoid them yourself and the steps you can take to secure your organization's data.

Wolfe Eye Clinic

On the 8th of February 2021, Wolfe Eye Clinic announced that it had been the victim of a ransomware attack. The clinic received a ransom demand, stating that the hackers had the keys to decrypt their patient files. But that they would only hand them over when the clinic paid the hackers an undisclosed amount of money. The clinic refused to pay, and as such the clinic lost the files. Lucky for the clinic, they had already made a recent backup and used that to recover all their files, albeit old versions. Unfortunately, the hackers also accessed and downloaded a significant amount of patient data. So much so that almost half a million individuals suffered from the data breach. That makes this one of the largest ransomware attacks in American history targeted at a healthcare service. Because of the level of this attack, it received investigation for the potential of being a significant HIPAA breach.

What Was the Security Breach?

An investigation into the Wolfe security breach took place by law enforcement authorities. After the investigation, they concluded that the cyber hackers had managed to access the data of the facility. In particular, the individuals had accessed the data involving current and former clinic patients. Not only that but that the criminals had downloaded copies of the data before encrypting the files currently on the server. The stolen data was from a wide range of private pieces of information. It included the names and addresses of the patients, as well as their birthdays and social security number. For some patients, it even included medical records and private health data that hackers could use for several purposes. Later on, Wolfe Eye Clinic would announce the breach and share information on what had occurred. They stated that as soon as they discovered the breach, they worked to secure their internal network. Wolfe also announced that they had engaged with IT security to investigate. The hijacking of Wolfe's system was very extensive. So much so that it was not until late May 2021 that they were able to determine the full extent of the data breach. After this, they released data informing people of how much information the hackers had compromised. Wolfe Eye Clinic started sending notification letters by mail to the affected people. They also offered identity theft protection and credit monitoring. Wolfe worked with an external company in this regard to help safeguard customers' information.

How Can Cyber Hackers Continue to Work?

Cyber hackers continue to work in the world to victimize and steal from others for their own gain. Many of these people are after one of two things: Control, or money. If they know they have control over an individual, it can be a thrill, whereas money is its own reward to criminals such as these. Unfortunately, any computer system that connects to the Internet has the potential to be a victim to a hacker. Computer systems develop new security protocols and methods of data protection. But at the same time, hackers work to undo these and breach them in faster and faster times. This game of cat and mouse means that we may never be completely free from the danger of Internet hacking. They will always be looking to exploit any vulnerabilities that appear in the network technology we use. This means we must be vigilant in how we use computers at all times.

How Does Ransomware Affect Me?

Ransomware does not only affect businesses such as Wolfe Eye Clinic. Systems owned by individuals can also fall victim to these attacks. Although, healthcare systems are particularly tempting targets to hackers. This is due to the amount of personal information they contain. If a healthcare system falls victim to a ransomware attack, it can suffer several negative consequences. These can include:

  • The encrypting of their sensitive information
  • Permanent loss of any or all records
  • Theft of proprietary information or the release of this information to the public
  • Requests for money in exchange for the restoration of the system
  • Disruption to the normal operations of the healthcare practice
  • Significant harm to the reputation of the healthcare institution

You should note that even if the practice pays the ransom for its data, this does not always guarantee the hackers will restore it. If anything, it then gives the hackers information on the healthcare practice's bank details. This allows them to attempt to steal even more. Finally, if the hackers return the files, this does not mean the practice is safe. The original security breach is still in effect, and the ransom could occur again at any time. The practice should make every effort to secure itself moving forward after such a breach.

Why Was This a HIPAA Breach?

HIPAA, or the Health Insurance Portability and Accountability Act, makes what a breach is very clear. HIPAA defines a breach as: "The acquisition, access, use, or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information." Hackers accessed the data at the Wolfe Eye Clinic of almost half a million people without permission. This means it was a significant breach according to HIPAA. Following this breach, the Iowa medical facility would have followed all of HIPAA's guidance. They would do this to ensure the safe and legal protection of patient data. They should have also ensured their employees were all up-to-date on HIPAA training.

HIPAA Training

You may be asking yourself, "What is HIPAA Training?" Knowledge of HIPAA is not only mandatory for IT security technicians. All employees must have a working understanding of HIPAA. This is so that they can have a full understanding of their responsibilities as employees. This can then ensure that the organization they belong to maintains its obligations. Especially when it comes to patient data security and safety. Several companies exist that will allow individuals to learn how to follow the HIPAA regulations. These regulations are often requirements. Thus, it is the responsibility of a company to ensure that its employees follow these rules. As there are so many different kinds of companies, HIPAA rules are flexible and scalable enough to allow for this range in scope. A company can follow the rules while also maintaining a very different process than others even in their own industry. The government provides several resources as a primer to ensure people understand the basics of IT security. This includes HIPAA information and other areas of IT security. HealthIT.gov is one location that offers tools and educational documents. These help companies work to integrate HIPAA requirements into their practice. But this is still not a replacement for employee training.