The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is meant to prevent the disclosure of sensitive patient health information without the patient’s consent or knowledge. We all know that “disclosure” happens anyway if there is a successful ransomware attack on a healthcare organization. When this happens the HIPAA notification rules come into play, and for the most part the entities covered by HIPAA do their best to follow the rules and make the proper notifications. But what happens when an entity doesn't realize that there has been a data breach?
The Arizona Asthma and Allergy Institute seems to have found itself in this situation. The Institute is currently in the news for a 2020 data breach that was said to have affected 50,000 patients who received services between October 1, 2015 and June 15, 2020. The breach was reported to authorities on May 3, 2021, and the report was updated last week when the Institute confirmed that the data of an additional 20,000+ patients had been compromised. The Institute was made aware of the breach when researchers at DataBreaches.net informed them that Institute data had been found on the Maze ransomware leak site.
Double extortion and beyond
The Maze ransomware operators were the first to use the ‘double extortion’ ransomware scheme, in which the attackers threaten to publish the victim’s data if the ransom isn’t paid. When their ransom demands were unsuccessful, Maze attackers would publish some or all of the data on the Maze ransomware website. Researchers found the Institute data on the Maze site in 2020 but incorrectly attributed it to Medical Management Inc:
At some point (date unknown to DataBreaches.net), Maze added Medical Management, Inc. to their site. On inspection, the files involved electronic claims processing with ePHI that includes health insurance information. DataBreaches.net cannot find any media coverage of this attack, nor any notification to HHS. On November 3, more than four months after the exfiltration likely occurred, DataBreaches.net reached out to MedMan to inquire about their incident response and any notifications but received no response.
Sometime after this article was published in November 2020, the researchers at DataBreaches.net were informed that the data belonged to the Institute, not MedMan. DataBreaches.net informed the Institute of the data breach on January 5, 2021. On March 8, 2021, the Institute confirmed the leak of the following data:
… individuals’ first and last name in combination with their patient identification number, provider name, health insurance information, and treatment cost information.
Once data’s exposed, it’s exposed forever
It’s not unusual for months or years to pass before a data breach is recognized, fully investigated, and disclosed to the individuals. Data can be exposed on the dark web for a long time before a company even knows that the data was stolen. This is why it’s so important to remember that once data is exposed, it’s exposed forever.
The Maze ransomware team shut down late last year, but who knows where their stolen data is? We have no way of knowing if it has been published on another site, sold privately to another criminal, or if it will show up in some future combination breach like this one. What we do know for sure is that paying a ransom will not un-breach your data.
The most important takeaway from this incident is that you must secure your data. You can do that by 1) protecting your credentials, 2) securing your web applications, and 3) backing up your data to a location that ransomware cannot reach. Barracuda can help you with all of this. Visit our website to see how.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology and project management credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.