[author: Jane Anderson]
Report on Patient Privacy 24, no. 10 (October, 2024)
◆ 23andMe agreed to pay $30 million and provide three years of security monitoring to settle a lawsuit accusing the genetics testing company of failing to protect the privacy of 6.9 million customers whose personal information was exposed in a 2023 data breach. The settlement also resolves accusations that 23andMe did not tell customers with Chinese and Ashkenazi Jewish ancestry that the hacker appeared to have targeted them specifically and posted their information for sale on the dark web. The settlement—filed in September in federal court in San Francisco and requiring a judge’s approval—includes cash payments for customers whose data was compromised and lets customers enroll for three years in a program known as Privacy & Medical Shield + Genetic Monitoring. In a court filing, 23andMe called the settlement fair, adequate and reasonable. Citing its “extremely uncertain financial condition,” 23andMe also asked the judge to halt arbitrations by tens of thousands of class members until the settlement is approved or those class members decide not to participate. In a statement, 23andMe said it believes the settlement is in its customers’ best interest. About $25 million of the cost is expected to be covered by cyber insurance. The breach began around April 2023 and lasted about five months, affecting nearly half of the 14.1 million customers in 23andMe’s database at the time. It was disclosed by 23andMe in an October 2023 blog post.[1]
◆ Tri-County Medical Supply & Respiratory Services, based in Salem, Ark., has notified patients about a recent theft and breach of paper medical records containing personal information. The organization said it became aware in mid-August that filing cabinets were missing and apparently had been stolen. “This breach was not of our own doing, as the medical records were stolen from our storage facilities without our knowledge or permission,” the company said in its breach notification letter to patients. “Even the filing cabinets containing the medical records were taken from our storage facilities. We believe we know the perpetrators, who are former employees of the organization, and are diligently working to recover the medical records as quickly as possible…[T]he individuals we believe took part in stealing the medical records have already been discovered to have stolen from our organization, and they have applied for credit under the name of our organization.” Tri-County Medical Supply said the theft could have occurred at any point in the past two years, adding, “those records were believed to be securely in storage inaccessible by the public.” Any of the records could contain full names, dates of birth, and Social Security numbers, the organization said. The breach notification did not include how many patients’ records were involved, and the notification does not yet appear on the HHS Office for Civil Rights (OCR) website.[2]
◆ Global cyberattacks in the second quarter of 2024 increased by 30% year-over-year, and health care was one of the three most-attacked industries, according to a study from Check Point Research, which attributed the rise to a variety of factors, ranging from the continued increase in digital transformation to “the growing sophistication of cybercriminals using advanced techniques like AI [artificial intelligence] and machine learning. Economic motivation for income from attacks like ransomware and phishing and attacks fueled by geopolitical tensions and supply chain vulnerabilities continues to heavily impact this rise in the numbers.” Hackers became particularly interested in the education and research segment in 2024’s second quarter, and that sector showed the largest increase in cyberattacks, the report said. The top three most-attacked industries were education and research, government and military, and health care. North America accounted for 58% of publicly extorted ransomware attack victims, the report said, adding, “with an average of 1,636 attacks per organization per week, the relentless onslaught of attacks underscores the growing sophistication and persistence of threat actors.”[3]
◆ Atrium Health—a 40-hospital chain based in Charlotte, N.C.—said it suffered a phishing attack on or around April 29 that resulted in unauthorized access to some employee email accounts for up to two days. Information that may have been accessible to the hacker included names and addresses, email addresses, phone numbers, Social Security numbers, dates of birth, medical record numbers, bank or financial account numbers or information, driver’s license numbers and medical and health insurance information. The information also may have included access credentials and/or digital signatures, Atrium Health said. According to the breach report filed with OCR on Sept. 13, the breach impacted 32,120 individuals.[4]
◆ Michigan Medicine has reported two data breaches impacting nearly 114,000 patients in total. The first breach, which occurred in late May, compromised emails that included attachments with patient and insurance information and job-related communications for payment and billing. That breach impacted approximately 56,000 employees and patients. The second breach occurred on July 30, when an employee accepted an unsolicited prompt, allowing hackers access to their email account and its content. A review of the compromised information took place in late August, and Michigan Medicine notified 57,891 people on Sept. 26. The hospital chain apologized for the incident and said it was implementing more safeguards in its email system to make sure similar cases don’t occur in the future.[5]
◆ Hospital group Ascension—which suffered a major cyberattack in early May that impacted many of its 136 hospitals in 18 states—reported in its most recent financial filing that the attack contributed significantly to its $1.1 billion net loss for fiscal year 2024. Still, that $1.1 billion loss “represents a $1.6 billion turnaround from the prior year,” when Ascension lost $3 billion, according to the hospital system. For the 10 months ending April 30, Ascension reported a 5.2% increase in total operating revenue, driven by net patient service revenue, while total operating expenses were contained to net growth of 0.5% over the comparable prior year period, Ascension said. However, when May and June—the breach months—were included, operating revenue increased by 0.7% while operating expenses increased by 0.4%, the hospital system said. The May cyberattack shut down services and forced ambulances to divert while driving some of the hospitals’ systems offline for more than a month.[6]
◆ Georgia Institute of Technology and Georgia Tech Research Corp. “knowingly failed to meet cybersecurity requirements in connection with the Department of Defense (DoD) contracts,” the Department of Justice (DOJ) said in announcing that it had joined a whistleblower suit and filed a complaint-in-intervention against the two organizations. The whistleblowers are current and former members of Georgia Tech’s cybersecurity workforce. The lab that failed to comply with DoD cybersecurity requirements was itself researching cybersecurity, DOJ alleged. Georgia Tech officials “approved the lab’s refusal to install antivirus software – in violation of both federal cybersecurity requirements and Georgia Tech’s own policies – to satisfy the demands of the professor who headed the lab,” the government said. When the lab “finally implemented a system security plan in February 2020, the lawsuit alleges that Georgia Tech failed to properly scope that plan to include all covered laptops, desktops, and servers,” the statement said. The announcement also claimed the institutions “submitted a false cybersecurity assessment score to DoD for the Georgia Tech campus.” Without the required security protections in place, Georgia Tech’s invoices to DoD from May 2019 to December 2021 amounted to violations of the False Claims Act, according to the 99-page complaint accompanying the announcement.[7] This is the first case brought under DOJ’s Civil Cyber-Fraud Initiative that has proceeded to this stage; the others were resolved through settlements and dealt with information breaches, unlike this case, Federal News Network reported. It also quoted a Georgia Tech spokesperson who called the suit “misguided” and said that the “government told Georgia Tech that it was conducting research that did not require cybersecurity restrictions.”[8]
1 Jonathan Stempel, “23andMe settles data breach lawsuit for $30 million,” Reuters, September 13, 2024, https://bit.ly/4dBGra9.
2 Tri-County Medical & Respiratory Services Inc., “RE: HIPAA Breach Notice Letter,” September 2024, https://bit.ly/4eTig7U.
3 Check Point Team, “Check Point Research Reports Highest Increase of Global Cyber Attacks seen in last two years – a 30% Increase in Q2 Global Cyber Attacks,” news release, July 16, 2024, https://bit.ly/3zZTDYt.
4 Atrium Health, “A Notice to Our Patients,” breach notification, September 2024, https://bit.ly/3TXZnZy.
5 Jack Nissen, “Michigan Medicine reports year’s second data breach impacting 57k people,” Fox2Live, September 26, 2024, https://bit.ly/4dxm3Xv.
6 Ascension, “Ascension releases Q4 FY24 financial results: $1.2B of Operational Improvements Year-over-Year,” press release, September 17, 2024, https://bit.ly/3YdQPAm.
7 U.S. Department of Justice, Office of Public Affairs, “United States Files Suit Against the Georgia Institute of Technology and Georgia Tech Research Corporation Alleging Cybersecurity Violations,” news release, August 22, 2024, https://bit.ly/3BzP8o6.
8 Justin Doubleday, “DOJ’s Georgia Tech lawsuit a ‘warning’ to contractors on cyber compliance,” Federal News Network, August 28, 2024, https://bit.ly/3Yfl9KM.