Data breach of medical imaging provider compromises data of 2 million
June 9, 2022
The health industry is a prime target for cyber attack. The volume of data collected by health services providers is enormous. A person is required to provide a detailed history, including name, address, date of birth, health insurance details as well as information about one’s physical and mental condition. A hacker’s nirvana. KordaMentha raised this point, which I have made for years, in Why healthcare is a red-hot cybercrime target.
It is not surprising that it has been reported in Hack of Medical Imaging Provider Affects Data of 2 Million that Shields Health Care Group in Massachusetts has had a data breach involving access to the personal information of 2 million persons. That makes it the biggest health data breach this year in the United States.
It provides:
A hacking incident involving data theft from a prominent provider of medical imaging services in Massachusetts has affected 2 million individuals, making it the largest health data breach reported to federal regulators so far this year.
Quincy, Massachusetts-based Shields Health Care Group – which touts itself as the “official” provider of MRIs and related medical imaging services to several professional sports teams, including the New England Patriots, Boston Celtics and the Boston Bruins – reported the hacking incident involving a network server to the U.S. Department of Health and Human Services on May 27.
The incident, which Shields reported to HHS’ Office for Civil Rights as a business associate, affected the protected health information of 2 million individuals who are patients of at least 56 Shields clients, ranging from area hospitals to various regional Shields-operated facilities located throughout the state.
Shields provides management and imaging services on behalf of those healthcare facilities, the company explains in a data security incident notice posted on its website.
“Imaging is a heavily used diagnostic tool, so the large number of affected facilities and patients is not a surprise,” says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
Breach Details
Shields in its notice says that on March 28, it was alerted to suspicious activity on its network. “Shields immediately launched an investigation into this issue and worked with subject matter specialists to determine the full nature and scope of the event,” the company says.
Shields’ investigation into the incident determined that an “unknown actor” had gained access to Shields’ systems for two weeks, from March 7 to March 21, acquiring “certain data,” the notice says.
“Although Shields had identified and investigated a security alert on or around March 18, data theft was not confirmed at that time,” the notice says.
The type of information potentially compromised includes patient full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information.
Shields says its review of the affected data is ongoing. So far, the company has no evidence to indicate that any information affected in the incident was used to commit identity theft or fraud, the notice says.
Shields says that upon discovery of the incident, it took steps to secure its systems, including rebuilding certain systems. “Additionally, while we have safeguards in place to protect data in our care, we continue to review and further enhance these protections as part of our ongoing commitment to data security,” the company says.
In addition to reporting the breach to federal and state regulators, Shields says it notified federal law enforcement authorities about the incident.
Shields did not immediately respond to Information Security Media Group’s request for additional details pertaining to the breach.
Other Incidents
As of Tuesday, the Shields incident was the largest of the 265 incidents posted in 2022 to the HHS OCR HIPAA Breach Reporting Tool website, which lists health data breaches affecting 500 or more individuals.
The second-largest breach posted to the HHS OCR website so far in 2022 is the hacking incident reported on Jan. 2 by Fort Lauderdale, Florida-based Broward Health as affecting 1.3 million individuals.
The Florida public hospital system says the incident detected in October 2021 involved data exfiltration affecting the personal information of patients and employees.
In its notification statement, Broward Health says an “intruder” gained entry to its network “through the office of a third-party medical provider permitted to access the system to provide healthcare services.”
Biggest Targets
Cybercriminals will always go for the biggest targets, says Susan Lucci, senior privacy and security consultant at consultancy tw-Security. “The more data they can exfiltrate, the more they profit. When a covered entity serves as a business associate to hospitals, it is important for the hospitals to be certain that the data is protected by taking additional steps beyond the business associate agreement,” she says.
Hospital privacy and security officers often ask for validation of certain security rule compliance evidence before they will negotiate contracts, she says. “However, some are still not doing that. Compliance with the security rule doesn’t mean a data breach cannot happen, but it may make it more difficult for the hackers to get into the network,” she says.
Shields released a notice providing:
Shields Health Care Group, Inc. (“Shields”) recently became aware of suspicious activity on its network. Shields provides management and imaging services on behalf of the health care facilities (“Facility Partners”) listed below. With the assistance of third-party forensic specialists, we took immediate steps to contain the incident and to investigate the nature and scope of the incident. Shields is issuing this notice on behalf of itself and the Facility Partners to communicate what is known about the incident, our response, and steps impacted individuals can take, if deemed appropriate. Certain patients of these Facility Partners may be impacted.
What Happened? On March 28, 2022, Shields was alerted to suspicious activity that may have involved data compromise. Shields immediately launched an investigation into this issue and worked with subject matter specialists to determine the full nature and scope of the event.
This investigation determined that an unknown actor gained access to certain Shields systems from March 7, 2022 to March 21, 2022. Furthermore, the investigation revealed that certain data was acquired by the unknown actor within that time frame. Although Shields had identified and investigated a security alert on or around March 18, 2022, data theft was not confirmed at that time.
What Information Was Involved? To date, we have no evidence to indicate that any information from this incident was used to commit identity theft or fraud. However, the type of information that was or may have been impacted could include one or more of the following: Full name, Social Security number, date of birth, home address, provider information, diagnosis, billing information, insurance number and information, medical record number, patient ID, and other medical or treatment information. Shields’ review of the impacted data is ongoing.
What Are We Doing? Shields takes the confidentiality, privacy, and security of information in our care seriously. Upon discovery, we took steps to secure our systems, including rebuilding certain systems, and conducted a thorough investigation to confirm the nature and scope of the activity and to determine who may be affected. Additionally, while we have safeguards in place to protect data in our care, we continue to review and further enhance these protections as part of our ongoing commitment to data security.
We have notified federal law enforcement, and will be reporting this incident to relevant state and federal regulators. Further, once we complete the review of the impacted data, we will directly notify impacted individuals where possible so that they may take further steps to help protect their information, should they feel it is appropriate to do so.
What Can Affected Individuals Do? While we have no evidence to indicate identity theft or fraud occurred as a result of this incident, we encourage impacted individuals to review Steps You Can Take to Help Protect Your Information, which is included below.
For More Information. We understand you may have additional questions concerning this incident. Individuals can direct questions to (855) 503-3386. The call center hours will be 8:00am-5:30pm Central Time, Monday through Friday, excluding major U.S. holidays.
Steps You Can Take to Help Protect Your Information
Monitor Your Accounts
Under U.S. law, a consumer is entitled to one free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also directly contact the three major credit reporting bureaus listed below to request a free copy of your credit report.
Consumers have the right to place an initial or extended “fraud alert” on a credit file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Should you wish to place a fraud alert, please contact any one of the three major credit reporting bureaus listed below.
As an alternative to a fraud alert, consumers have the right to place a “credit freeze” on a credit report, which will prohibit a credit bureau from releasing information in the credit report without the consumer’s express authorization. The credit freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a credit freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a credit freeze on your credit report. To request a security freeze, you will need to provide the following information:
- Full name (including middle initial as well as Jr., Sr., II, III, etc.);
- Social Security number;
- Date of birth;
- Addresses for the prior two to five years;
- Proof of current address, such as a current utility bill or telephone bill;
- A legible photocopy of a government-issued identification card (state driver’s license or ID card, etc.); and
- A copy of either the police report, investigative report, or complaint to a law enforcement agency concerning identity theft if you are a victim of identity theft.
Should you wish to place a credit freeze, please contact the three major credit reporting bureaus listed below:
But Shields is not alone. Far from it. Other recent data breaches include that of Cooper University Health Care in the United States, which involved current and former Cooper patients. Across the border in Toronto there was a breach of a Toronto health network, the Scarborough Health Network. The Washington University School of Medicine had a data breach in the form of unauthorised access to employee email accounts.
In the Australian context, the WA Auditor General has been quite critical of WA Health for only using encryption in its test environment and for being unable to tell whether malicious activity was occurring. And it is no surprise that the contact tracing app lacks appropriate security. The focus is always on the functionality of the app, with privacy and security an afterthought.