Beacon Health System Learns of Cyberattack Spanning 14 Months

Beacon Health System (BHS) has announced that it has discovered it is the victim of a sophisticated cyberattack. A hacker first infiltrated some of the company’s mailboxes in November 2013, with the last known access attempt taking place on January 26, 2015.

The hacker reportedly gained access to email accounts after BHS employees were fooled into disclosing their login credentials in an email phishing campaign.

The unauthorized access was discovered on March 25, 2015, and an investigation into the data breach was immediately launched. The affected patients have now been identified, and breach notification letters started to be mailed on May 22, with the data breach understood to involve over 220,000 patients. However, the incident has now been reported to the Office for Civil Rights as affecting 306,789 individuals.

Social Security Numbers, Driver’s License Numbers and Health Data Exposed

The email accounts contained a limited amount of information on patients, which was mostly limited to patient names, the names of the patients’ doctors, internal patient ID numbers and patient status. The data accessible through the email accounts also included some individuals’ dates of birth, Social Security numbers, driver’s license numbers, diagnosis information, dates of service and medical treatment information.

BHS has provided information on how patients can start monitoring their credit, and the letters detail steps that can be taken to prevent, and quickly identify, fraud, such as placing fraud alerts and security freezes and obtaining free credit reports. Patients have not been offered credit monitoring and protection services at this stage.

While the investigation clearly showed that an individual had gained access to certain email accounts on numerous occasions, the hospital did not discover any evidence that Protected Health Information (PHI) had been accessed, viewed, copied or used inappropriately.

The investigation is ongoing and BHS is in the process of notifying the relevant authorities. The FBI has already been informed about the incident.

A Long Time for Hackers to be Accessing PHI

Even with the most robust security systems, it is difficult to prevent a highly determined and skilled hacker from obtaining access to network servers and email accounts. Hackers often exploit the weakest link, which is frequently the employees who work for HIPAA-covered entities.

Phishing campaigns are often successful because they are designed to mimic emails from “legitimate sources”, and employees can easily be fooled into divulging their login information and security keys. Phishing campaigns pose a high risk of PHI exposure, as they are often able to bypass security controls undetected, as was the case with the BHS hack.

However, in this instance it took 14 months for BHS to discover the breach, indicating that a full scan of the network and email system had not been performed in at least 420 days. Questions are likely to be asked as to why the inappropriate access to email accounts was not identified sooner.

If the Department of Health and Human Services’ Office for Civil Rights decides to investigate and deems the lack of intrusion monitoring to be a HIPAA violation, BHS could be forced to pay a substantial penalty. The maximum fine for willful neglect of HIPAA Rules is $1.5 million per violation, per year that the violation has been allowed to persist. In this case, a fine of up to $3 million could potentially be issued.

Updated: 06.07.15

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.