In this episode of the HIPAA Vault Podcast, we address a recently reported on data breach, and focus on risk management and vendor collaboration for protecting patient data. We’ll discuss proactive strategies to identify vulnerabilities and enforce HIPAA compliance, while analyzing the breach’s impact on over 9.4 million records and its financial implications. Join us for essential insights on securing patient health information. PJ&A Data breach
Transcript
Adam
Hello, welcome to the HIPAA Vault show, our first one of 2024. This is episode 38, joined, as always, by Gil Vidals. How’s it going, Gil?
Gil
Hey, happy New year to you, Adam. Hopefully you had a safe one.
Adam
Yeah, happy New year. Happy New year. Yeah, had a. Had a great one. Got to. Got to go away for a week. Went on a cruise to the western caribbean cancun area.
Gil
Yeah, sounds terrific. Sounds like a wonderful few days off. Well, I heard you had a breach that you found in the news that might be kind of interesting to review.
Adam
Yeah. So breach reported today, and this is through the HIPAA journal, Stephen Alder writing. And it’s PGNA data breach. Total grows as Kansas City hospital confirms 502K record breach. So this is actually an existing breach. So North Kansas City Hospital and its subsidiary, Meritus Health Corporation, have recently announced that they were affected by a massive data breach at Perry Johnson and Associates. PGNA. PGNA, a provider of medical transcription services, discovered the cyberattack on July 21, 2023, initially, and in November reported the breach to HHS as affecting 8,952,212 individuals. However, some of its affected clients have chosen to report the breach themselves, and those clients include North Kansas City Hospital. The Missouri hospital said the protected health information of 502,438 individuals compromised between March 27 and May 2, 2023, when hackers had access to PGNA systems.
Adam
So now, at least 9.4 million individuals are known to have had their data compromised in the PGNA data breach. The hospital and meritas worked with PGNA to determine which individuals have been affected and the types of data involved, and that process was completed on November 7. During the analysis, North Kansas City Hospital also identified data belonging to the Clay County Public Health center. The types of data involved were limited to demographic information, such as name, date of birth, gender, phone number and address, health insurance information, and some clinical information. No Social Security numbers were compromised. I guess that’s a good thing, but there’s a lot of data there that has been compromised. There’s more on this, but, yeah, essentially, originally, the breach was seen to affect 8.9 million individuals, and recently that number has gone up since clients of this BAA have started to self report. So that’s gone up to 9.4 million there, Gil, what are your thoughts on this?
Gil
Well, yeah, this is important to talk about, and this is a serious situation, but the lawsuit claims negligence. So when there’s a data breach, there’s going to be a lawsuit. But the question the attorneys look at is, was there negligence? By negligence, they mean was there proper best practices followed to secure the environment and protect the data? And if the answer is no, they weren’t even doing what they were supposed to be doing, then it’s negligence. And so that means the judge and the ruling is going to be more serious than the other scenario, which is no, this company did a good job. They were securing things properly, using all the right tools, but still, the hacker was innovative and still got in.
Gil
But maybe in that case, let’s say they didn’t take almost 10 million records, maybe they only get 1 million records. So it kind of changes the size. Unfortunately, it’s all bad news. I mean, whether they were using best practices or whether they had negligence, either way, it’s a very costly to recover from this, both from the reputation point of view and from a monetary point of view. So I just wanted to just quickly give the audience an idea. How do you know what you’re going to be paying for if something happens? So the rule of thumb I’ve used is $250 per patient record for two years. So what do I mean by that?
Gil
Well, the $250 would be the cost, and part of that cost would be to get some kind of a, what do they call that identity tracking service where you can find out if somebody is trying to use your phone number, your driver’s license or whatever they’re trying to pretend they’re you, and Social Security number, all that stuff. It’s id protection, I think is what it’s called. So if you do that, including those prices, but you have to do it for two years to protect those customers that lost their data or not lost it, but whose data was abused and is out on the Internet somewhere. So that’s $500. And I asked Chat GPT the other day and it came up with the same number. It says, take $500 times the number of patient records.
Gil
So if you have 1 million records that were leaked out times $500, that’s $500 million. It’s just insane. Yeah, that’s a lot.
Adam
Digging deeper into the article as well, it says PG and a made no mention of whether credit monitoring and identity theft protection services were being offered to the affected individuals, although some affected clients have said that those services have been made available. So, yeah, this is part of the cost, right?
Gil
Yeah. Not to go too crazy on the number, but you basically take $500 times the number of patient records. In this case it was millions. Just to be clear, if the volume is that huge, if there’s millions and millions of patient records, then comes down. Yeah. The identity tracking service that normally costs, say, a couple of year, you can get it down to $4 per patient because the seller of that service, they’re going to say, oh my gosh, they’re going to buy a million of these and they’re going to give you a really low price. You could buy basically wholesale. But anyway, it’s a ton of money and of course that’s going to hurt the hospital and they’re probably going to lose their insurance or have to tap into their insurance in a big way to help cover all those costs.
Adam
Yeah, I think there’s online tools as well. If the listeners are interested, they can just go to Google and say, search for something like breach cost calculator or something along those lines and there’s a bunch of free tools that will show what the cost would be. But I think that’s a good benchmark, the 500.
Gil
Yeah, it’s something that. So the question is, well, that’s great to calculate how much the damage is. But really the more important thing is how could they have prevented this? Now in this case, we’re not given the details of like, technically speaking, all it says is negligence and the staff wasn’t trained properly. It said one more thing and, oh, yeah, it said they weren’t following the cybersecurity best practices. And number two, their staff wasn’t trained. So let’s unpack that allegedly, just in case. Yeah, allegedly. But let’s unpack that a little bit.
Gil
So let’s say that the way this breach happened, which is becoming more and more common, is that somebody in the organization opened an email and clicked on a link that was contained in the email and they go to some site and then that site infects their windows system, and then from that window system it now infects the whole organization because it is kind of like a virus can infect and spread. And so lack of training, what they mean by that is that, well, you have 3000 employees and one of your 3000 employees clicked on this link.
Gil
They should have known better and they started asking for training logs. They say, well, show me all your training logs. When was Betty sue and Joe Smith last trained? And you better be in the record somewhere. Oh, they were trained last month or two months ago. And so if they don’t have any training records, they say, well, we don’t have any records of when these people were trained or if they ever were trained, then they consider that negligence, like, oh, you weren’t training your staff. But to me this is a very precarious situation because even if you trained everybody perfectly. Think about it. You have 3000 people, or even 300 people that work for you. What are the chances that somebody, I mean, we’re curious. As human beings, people are so curious. If they get an email and they’re supposed to do something, they look at it, they just click. And that’s all it takes. So it’s very difficult to just say.
Gil
Well, training in and of itself would have thwarted that kind of attack. I don’t think that’s really very practical. So how do you protect from these things and why are these happening? I mean, I question, I look at this and I say, my goodness, every time we open the news, there is a multimillion record leak or unauthorized access. And it’s like, how come we can’t stop these bad boys? It looks like it’s a rampage. And this thing is just getting worse and worse. But all I can tell is from a high level, anyone that reads these things can see that we’re in trouble, right? We don’t have the tools available today to stop these things. And even if we do have a lot of the tools, they’re not being used. Some of these guys, these it directors, they don’t even know about these tools. Or if they do, they’re too expensive. And it’s just really not a good model. The model itself is broken. We don’t have a good model for protection, I don’t think.
Adam
Yeah, and just on that point as well. This article is great as well. There’s a chart of the total number of records exposed annually. And this is as of towards the end of 2023. But it was getting close to the worst year on record. It looks like there was in 2015, I think it was blue clock anthem had a really big hack, and that was kind of an outlier in terms of the number of records for that year. But 2023 is pretty confident that it passed that threshold. So it’s getting worse by the year.
Gil
Yeah. I just want to make a general comment because, of course, what we’re contributing in this podcast isn’t necessarily, oh, just go to this XYZ vendor and buy this magic software and all your problems are solved. It doesn’t really work that way. But one thing I can tell the audience that I think would be a big benefit is that if you’re in the business side of things, you’re a business manager, business owner, business leader, and you’ve hired a department, a cybersecurity department, and that’s their job to do that. But the problem with that mentality is that if you assign it to them, you hire these experts. You have a vp of cybersecurity and all that. Yeah, they’re supposed to be experts. I get it. But you’ve hired them. Everything is responsible of the c suite, the executive suite, and they’ve hired this team.
Gil
So I think it’s a strategic mistake, Adam, that the C suite team that goes and hires a vp of cybersecurity, and then they have a budget of a million dollars a month or whatever, then they just cross their fingers and they just hope, well, I hope I have a good team. I hope they’re doing a good job. I don’t think that’s a good strategy. I think instead what should happen is the c suite people, that may not be technical, they should be interfacing with that team and say, let me see the reports. I want to see. When’s the last time that just randomly imagine this? Just randomly pick one of your employees. Doesn’t matter who you say, okay, just show me the record of when Sue Beth was last trained. And they’re know they’re scrambling. Oh, I can’t find it.
Gil
Well, then, as a manager, you’ve done an excellent thing. You’re like, well, guys, we got a problem here. We’re supposed to train everybody and have a record. Why don’t we have a record for this person? So there you now. Now all of a sudden, you’ve done something, and you’ve rattled their cages, and they’ve got to get on it. And then you can do the same thing yourself. Think about it. As a savvy business manager, you might say, hey, let me use this phishing training software that you turn on stealthily, and you send an email to 50 of your staff members, and you see how many click on that link that they shouldn’t click on. And nothing bad happens because it’s just simulation.
Gil
And then, lo and behold, two or three of them click on it, and you’re like, oh, my gosh, I can’t believe it. Right? And so now you tell your vp of cybersecurity, hey, these people. I don’t want to sound overly harsh, but there are cases where people are so curious, they can’t keep themselves from clicking these links, and they always will, no matter how much you train. Know, you as a manager, have to make a know Joe here. We’ve trained him and trained him, and every time we send a phishing test, he always clicks on it. Well, maybe he shouldn’t be working there. I mean, I’m sorry, but you know what? What do you do? You have to start making some decisions.
Gil
So anyway, my point is that management can stay very involved in testing their team, that they’ve hired the VP and all the millions of dollars they’re spending on these tools. I don’t think they should just consider it a black box, say, well, I’m not technical. I don’t know what they’re doing. It’s like, no, you don’t have to be technical to get involved as a manager and start asking for proof that they’re doing a good job and that they’re doing what they need to do. And I think management is so busy with their own world and their own problem that they can’t imagine getting interfacing with the technical department, an area that they, quote, unquote, have no expertise in. So they just sort of cross their fingers and hope that team is great.
Gil
And obviously from the record, from the number of breaches that are happening at large companies, we know they’re not doing a great job. We know that there’s big holes there.
Adam
Yeah. And I think with this breach in particular, obviously it’s one thing that the healthcare organization itself is doing everything they can to make sure that they internally are monitoring and making sure they’re actively identifying potential threats. But then in this case, it was a business associate, right? So it’s this transcription company that’s taking audio files, transcribing them on behalf of its clients that got accessed. And I know we’ve talked in the past about making sure that you always have a business associate agreement in place, and that’s going to, in this case, probably a fair amount of the fault is going to lie with the business associate. However, I’m seeing from the article that lawsuits are also going towards the actual clients because presumably there’ll be some inquiry into how much detail was gone into when recruiting or selecting the vendor.
Adam
So on that point, other than just do you have a baa? What advice would you give to any healthcare company looking to bring on a new vendor for a particular service that is going to handle Phi and patient information?
Gil
To me, that’s a can of worms. Those vendors, each vendor that you hire, and believe me, in the US, and I guess the world at large, we rely on our relationships. We have vendors take care of certain aspects and those vendors are important. And the question is, well, how do you know if the vendor themselves are minding their own shop properly and crossing their t’s and dotting their I’s and doing things the way they should be doing? You’re just struggling with your own team, let alone now you got ten vendors like, oh, my gosh, how are you going to keep all ten vendors in line? And that’s a real serious concern. I think that this transcription company, they were obviously transcribing, and then they have these audio files and they’re probably re uploading them somewhere. So that’s a very technical thing.
Gil
A lot of these scenarios with these vendors, you can mitigate some of the issues by what’s called isolation. So Google uses a zero trust paradigm, or zero trust security model, where they kind of assume that bad things are going to happen. That’s the beautiful part about zero trust. They just assume that bad things are going to happen, viruses are going to happen, people are going to hack in. But the zero trust, what it does is it starts to isolate and segment certain things. So if somebody gets into the organization, they isolate it to just one little piece of it. It doesn’t get everywhere. And I think that mindset in dealing with vendors is probably important.
Gil
So as an example, with these audio files, when they uploaded, it probably should have been uploaded to a secure area that didn’t have any privilege anywhere else, just that one area. And then you run a scan, a virus scan, and maybe a malware scan and maybe something else, maybe a third or fourth option that you really cleanse and data scrub and make sure it’s good. And then only after that, then you release those audio files to other departments that it needs to go to. But by isolating it in this specific example with PGNA, they may have isolated it and may not have been in this situation had they had that zero trust isolation mentality they may have avoided. I think. I think that’s a good paradigm to follow that good model.
Adam
Yeah, absolutely. And do check out hippajournal.com. They write some really great articles, and Steve and Arthur’s been doing great work as editor in chief there for a while. So shout out to Steve there. Okay. Gil, was there anything else that you wanted to.
Gil
No, I think we covered this one pretty well, and I’m glad that we had a chance to discuss it, because we do need to figure out what we can do as an industry to prevent these things, as it’s just happening too often. And guess what, the effect of this, too. The insurance companies are raising the insurance premiums at an alarming rate. By that, I mean they’re not going up to 10%, 20%. No, they’re going up 400, 500%. Imagine your bill was 8000 last year for cyber insurance. And this year they go, it’s going to be 24,000. And you’re like, wait a minute. How could that be? Well, they have to do that because they are losing so much money trying to cover these breaches that they are in a position now to say, well, we have to raise the premiums dramatically.
Gil
So we’re all kind of paying for this, right? These breaches are causing us a lot of pain and it’s affecting our pocketbook. Even if you didn’t have a breach, right. We’re all paying for it.
Adam
Seems like an area very much open to disruption. It’ll be exciting to see what happens with it in this.
Gil
I hope so. Well, great talking with you, Adam, and love to catch up with you again later.
Adam
Absolutely.
Gil
Thanks.
Adam
Thanks as always. Well, that’s it for this episode of the HIPAA Vault show. Please do like and subscribe. It really helps. Makes a difference. If you would like to ask us any questions, feel free to reach out to us at podcast@HIPAAVault.com. Or just visit HIPAA Vault.com and reach out to us there. And that’s it for this episode. Stay compliant and informed, and we’ll see you next time. Bye.