PHI of 9,800 Patients of Atlanta Allergy and Asthma Exposed in Cyberattack
The digitized world of today has brought with it many benefits. For example, you're connected to everyone you know and love 24/7. You have instant access to unlimited information. You can even make a nice living from the comfort of your own home. And all this is available to you at your fingertips. But that doesn't mean it comes without its drawbacks. Because the unfortunate truth is criminals, crooks, and hackers fill the virtual space. And this was exemplified in an article published by the HIPAA (Health Insurance Portability and Accountability Act), where over 9800 patients became the victims of a cyberattack. Keep reading for the full story, as well as to learn how to prevent a similar occurrence from happening to your institution.
Atlanta Allergy and Asthma (AAA) Hacked
In January 2021, 9851 patients' sensitive information got breached due to a cyberattack at Atlanta Allergy and Asthma. The company's response was quick and immediate. According to sources, the hackers had gained entry to the AAA network from January 5 to January 13, 2021. Upon noticing the breach, the company took swift steps to remove the hackers from the network. But patients' protected health information (PHI) became exposed and, as a result, compromised. Atlanta Allergy and Asthma recruited cybersecurity professionals to uncover the extent of the hack. The inspection ascertained that the hackers gained entry to a part of the network that hosted sensitive data. Information such as documents, files, reports, and other delicate records became infringed upon. AAA conducted a detailed review of those files. This led them to announce on July 8, 2021, that the ensuing types of information were unfortunately compromised: Names, dates of birth, SIN numbers, financial numbers, location of treatment, service dates, and health insurance data.
AAA's Response to the Hack
AAA is currently unaware of any attempt to use the patient information due to the hack. Beginning on August 20, 2021, letters got mailed to the affected individuals to notify them of the breach and the exposure of their sensitive data. The victims were all encouraged to take corrective steps to defend themselves against identity theft and fraud. AAA has reiterated that it consistently examines its cybersecurity customs, central controls and is taking steps to improve the safety and privacy of patient information. Starting August 20th, victims can take steps to protect themselves by signing up for complimentary credit monitoring services. This applies if the notification shows that the SIN number was affected. As a result, it will place a fraud alert and security freeze on their credit records. This will check the files, watching for any fraudulent and suspicious activities consistently.
The Fallout
Boasting 17 different sites around the Atlanta, GA, area, AAA is the largest group in the region. In the healthcare field, information hackings such as this are becoming all too commonplace. In fact, it's almost become a normal, everyday occurrence. The pandemic caused the healthcare field to go through a notable sweep of data breaches.
Early Warnings Neglected?
While AAA said it initially noticed the breach on July 8, and it is now alerting the patients, it was actually disclosed to the company in March. Unnamed healthcare privacy site Databreaches.net noticed the information on the dark web, published by the Nefilim ransomware group, also referred to as Nempty. It reported that a 1.3GB compressed archive was drawn out to 2.5GB of data comprising about 597 records of PHI (Protected Health Information) on what seems to be thousands of named victims. The records were not only current or recent billing records either. Spreadsheets sorted by the category of health insurance, including files on incomplete claims between 2017 and 2018, were also tossed in the folders, as well as more than 100 audits. Databreachers.net claims it got no notification or acknowledgment of its report from AAA. But it went ahead and informed the Department of Health and Human Services (HHS) on the 5th of April.
HIPAA Cyber Attack Response Checklist
The debacle that occurred with AAA is a reminder that healthcare systems must prepare themselves. There must be methods in place to deal with these kinds of situations. Here is the cyberattack checklist issued by the HIPAA for healthcare institutions to be ready for any virtual assaults.
The Outline
Within the Health Insurance Portability and Accountability Act (HIPPA), an insured organization that goes through a cyberattack must take swift action to minimize any Protected Health Information loss. The Department of Health and Human Services, along with the Office for Civil Rights (OCR), has provided a checklist. This list is to assist HIPAA-insured institutions to uncover the actions they must take if a cyberattack were to happen. The file illustrates the steps and supplies data in regards to which establishments are bound by the HIPAA.
The Action Steps
Employers subject to HIPAA should know the OCR's checklist for avoiding or reacting to a breach of privacy by a cyberattack. These employers should have plans and procedures to effectively handle the situation.
OCR Response Checklist
If your institution undergoes a cyberattack, certain action steps are required. This checklist will provide you with the correct ways to proceed after such an event. Insured institutions must: Perform a response procedure Immediately handle any and all high-tech or engineering issues to stop the problem from becoming worse. This may be done by the company's staff or by external professionals. Report the crime to law enforcement It could be local or state law enforcement or even the FBI or Secret Service. But just be sure to notify the authorities. Report to ISAOs (Information-Sharing and Analysis Organizations) These establishments include the Department of Homeland Security, the Assistant Secretary for Preparedness and Response, etc. Proactivity is key to getting the incident under control. Announce the breach to the impacted individuals as well as OCR If the cyberattack impacts 500 or more people, the insured institution must inform the affected people as well as the OCR within 60 days of the incident. There may be severe consequences if this is ignored.
HIPPA Insured Institutions
HIPAA is a national law appointed to safeguard the privacy of healthcare information. Generally speaking, the HIPAA rules pertain to all health plans that supply or cover the cost of medical treatment. These include but are not limited to employer-sponsored health plans, government sponsored-health plans, etc. The HIPAA security rules affect business associates of HIPAA insured-institutions. A business associate is any merchant that produces, receives, or passes on for or on behalf of an insured institution. This also includes merchants that have access to PHI to supply data technology services to an insured institution.
Protected Health Information (PHI)
PHI includes all individually known health data held by insured institutions. Data is "known" if there is a logical premise to believe that it can be used to properly identify someone. For instance, PHI includes the following:
- Medical care treatment information
- Payment information
- Insurance coverage information
- SIN numbers, etc
Staff Member Education
Hackers do have the ability to access your data on their own accord. But, oftentimes, breaches of privacy occur because of a lack of education on behalf of staff. All it takes is one click on the wrong link or downloading a single compromised file for everything to go sideways. You can have the most efficient software safeguarding your network, but it can all be thwarted by a crafty hacker and an uneducated workforce. And the truth is, hackers are becoming more refined by the day with their infected emails and spoiled links. But there are ways to expose these hackers' attempts. And this is why staff education on these matters is so important. Without knowing what to look for and how to respond, you're leaving your staff in the dark. That's when accidents happen. Be sure to set up regular meetings with your staff members. Go over hacker strategies while providing useful tips on how to combat them.
HIPAA Guide Professionals
If the situation with the AAA cyber attack has had delivered any lesson, it should be that you need the right people in your corner. The whole debacle could have been avoided had the right people been present. Having a team on your side is paramount. You need a group that knows the instructions of the HIPAA guide. This is invaluable in the event that a cyberattack occurs in your network. In the digital age, preventing hackers from violating your practice should be a top priority. And the silver lining in all of this is that you don't have to do it all on your own. There are people and resources that can help, be sure to look around for what assets are available to you.
Learning From Atlanta Allergy and Asthma
The hapless situation that occurred with AAA provides a lesson for all healthcare institutions. Be prepared. Familiarize your staff and yourself with the guidelines of the HIPAA. The digital age has brought about many changes. And with that comes the responsibility of arming yourself with the right knowledge to contend with those changes. Learn from the mistakes of AAA, so you don't repeat similar ones going forward into the future.
