
Sacred Heart Health Services, down with 14,000 PHI records

The ink is barely dry on the Premera Blue Cross security breach and we’re at it again - analyzing another brazen healthcare industry hack. This time it was against Sacred Heart Health Services, a provider in Florida that counts about 700 primary care and specialty physicians on its roster.

This attack differs from the Anthem and Premera attacks of the last 6 weeks, where Advanced Persistent Threats (APTs) were found to have been infecting their networks for months before the breach was detected. Two main things stand out in this incident:

1) This attack doesn’t seem to be that sophisticated. There was no cutting-edge technology, no zero-day exploits, no APTs or state-sponsored complex attack vectors against their applications or infrastructure layers. This was an attack on the weakest of the computer system layers, one not typically listed in the technology books but tremendously important: the human layer.

2) The deceived employee who caused the breach was not part of the Sacred Heart Health Services organization, but was part of an organization Sacred Heart hired to help with the client billing process.

We can’t tell whether Sacred Heart is implementing the correct security measures in its infrastructure and processes. What we do know now is that this vendor was not paying enough attention to its social engineering prevention practices, which led to a breach of its client’s data.

What’s the lesson here?

a) Personnel training should be prioritized, and it should be a continuous effort.

b) Your company’s and your clients’ information are not secure if the third parties with whom you share information are not doing their part.

This time there were “only” 14,000 compromised records (not millions as in previous breaches). However, we cannot forget the potential financial penalty that could be imposed by the Centers for Medicare & Medicaid Services (CMS) if this data in fact contained personal healthcare information (PHI) and the loss was deemed a negligent act. In addition, as most of you know, breaches that affect over 500 patients are publicly reported by the Office for Civil Rights (OCR), and I doubt any company wants to end up on that list.

The process that addresses this risk is commonly known as Vendor Management. It covers performing security audits of third parties and ensuring that every party handling confidential information follows the correct security standards and procedures and complies with applicable laws and regulations. At the very least, you must ensure your service providers treat the information you share with them with the same care you do.
